Support Questions

Find answers, ask questions, and share your expertise

Ranger policy malfunction in kafka

avatar
Contributor

In kafka, I tried to execute consume/publish command with disabled all policies of Ranger, it did not deny both consume/publish behavior. Did I miss any configuration setting of kafka or misunderstanding something else?

1 ACCEPTED SOLUTION

avatar
Contributor

Here are some steps of enable ranger for kafka and works fine with HDP2.3.4 and Ranger 0.5.0:

1.) Enable kerberos server for cluster.

2.) In Ambari server, go to Kafka`s Configs > Advanced ranger-kafka-plugin-properties , click "Enable Ranger for Kafka".

3.) Go to Configs > Custom kafka-broker , change value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".

4.) Save changes and restart kafka component.

5.) Go to Ranger admin UI, then disable all policies of kafka.

6.) It should be deny Publish/Consume actions now.

View solution in original post

40 REPLIES 40

avatar
Contributor

I will check for it, too

avatar
Master Mentor
@Benson Shih

did you turn off the global allow policy for Kafka?

avatar
Contributor

What is it mean? Could you give me an example thanks.

avatar
Contributor

@Artem Ervits yes I turned off the global policy for Kafka, but it did not work.

avatar
Contributor

Is it correct that the kafka and ranger must be in the kerberized cluster environment?

avatar
Master Mentor

avatar
Master Mentor

@Benson Shih Just created an article based on this https://community.hortonworks.com/articles/12699/ranger-and-kafka-integration-faq.html

Very useful to resolve this issue.

avatar
Contributor

Hi @Neeraj Sabharwal,

I still can not deny Publish and Consume actions,my policy setting as below:

1660-未命名.png

my environment is not a kerberized cluster and also I did not observe any records in Access of Audit,any suggestion?

thanks.

avatar
Contributor

BTW, the following steps are how I enabled ranger for kafka and executed Publish/Consume actions:

1. In kafka Configs > Advanced ranger-kafka-aduit > enable "Audit to DB" and changed value of "xasecure.audit.destination.hdfs.dir" to "hdfs://140.92.XX.XX:8020/ranger/audit"

2. Configs > Advanced ranger-kafka-plugin-properties > enable "Enable Ranger for KAFKA"

3. save changes and restart KAFKA

4. go to Ranger admin UI and I saw the repository of kafka has been created automatically

avatar
Contributor

Executing consume/publish steps:

Step1: connect to kafka-broker server

step2: changer user $ su kafka

step3: go to bin folder $ cd /usr/hdp/2.3.0.0-2557/kafka/bin

step4: create a topic $ ./kafka-topics.sh --create --zookeeper {hostname}:2181 --replication-factor 1 --partitions 1 --topic test

step5: execute publish message $ ./kafka-console-producer.sh --broker-list {hostname}:6667--topic test

This is a test message //it should be denied right?

step6: execute consume message $ ./kafka-console-consumer.sh --zookeeper {hostname}:2181 --topic test --from-beginning

//it also should be denied?