
Ranger policy malfunction in kafka


Re: Ranger policy malfunction in kafka

@Benson Shih I really appreciate you sharing the details.

In the Ranger policy, did you set the IP?

Can I authorize access to Kafka over a non-secure channel via Ranger?

Yes. You can control access by IP address.


Re: Ranger policy malfunction in kafka

@Benson Shih See this

This Kafka feature is available in HDP releases 2.3.4 (Dal-M20) or later.


Re: Ranger policy malfunction in kafka

Explorer

Many thanks in advance for @Neeraj Sabharwal's response.

1. I am a little confused about how to set the ip address ranger; am I supposed to specify the namenode host IP?

2. What about earlier versions of HDP, like 2.3.0?


Re: Ranger policy malfunction in kafka

@Benson Shih You would allow the traffic from those IPs.

HDP 2.3.4 ...No HDP2.3.0 or HDP 2.3.2


Re: Ranger policy malfunction in kafka

Explorer

I used HDP2.3.4 with ip address ranger:

1692-qwe.png

After setting up the policy, I went to the 140.92.27.89 command line, changed user to kafka, and executed Publish and Consume actions, but it still did not deny them.

Re: Ranger policy malfunction in kafka

Contributor

@Benson Shih, what does the Audit say? It should have the policyId which gave permission.


Re: Ranger policy malfunction in kafka

Explorer

Hi @bdurai,

I did not observe any information about Kafka in Audit (Access). However, after I added the property "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" in Custom kafka-broker and executed the Publish action, Audit Access showed the information below (why did it not show the "publish" Access Type?):

1694-audit-access.png

In addition, I got an error when I executed the Publish action:

1695-error-message.png
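
The property named in the post above can be checked on a broker before a policy is tested. This is an added example, not part of the original thread or of Ranger's own code: it parses a broker properties file and reports when authorizer.class.name is missing or points at another class, and when a listener is PLAINTEXT. The sample configs, hostname and port are constructed.

```python
import re

# Class name quoted in the thread above.
RANGER_AUTHORIZER = "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"
_LINE = re.compile(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$")

def parse_properties(text):
    """Parse Java-style properties; a later duplicate key overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_broker(text):
    """Return a list of (code, message) findings for one broker config."""
    props = parse_properties(text)
    findings = []
    authorizer = props.get("authorizer.class.name", "")
    if not authorizer:
        findings.append(("NO_AUTHORIZER",
                         "authorizer.class.name is unset: Ranger policies are not enforced or audited"))
    elif authorizer != RANGER_AUTHORIZER:
        findings.append(("OTHER_AUTHORIZER", "authorizer is %s, not the Ranger plugin" % authorizer))
    for listener in props.get("listeners", "").split(","):
        # Compare the whole protocol name so SASL_PLAINTEXT is not misread as PLAINTEXT.
        protocol = listener.split("://")[0].strip().upper()
        if protocol == "PLAINTEXT":
            findings.append(("PLAINTEXT_LISTENER",
                             "%s: clients are unauthenticated, so only IP-based conditions can tell them apart"
                             % listener.strip()))
    return findings

# Constructed sample configs (hostname and port are placeholders).
BEFORE = """
# broker without the custom property
listeners=PLAINTEXT://broker1.example.com:6667
"""
AFTER = BEFORE + "authorizer.class.name = " + RANGER_AUTHORIZER + "\n"

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for code, msg in check_broker(cfg):
            print(name, code, msg)
```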


Re: Ranger policy malfunction in kafka

@Benson Shih It's failing on authorization.


Re: Ranger policy malfunction in kafka

Explorer

Hi @Neeraj Sabharwal, it's right that it is failing on authorization, but it is supposed to be authorized by Ranger, right? It's so weird that Ranger cannot control the Publish or Consume actions.


Re: Ranger policy malfunction in kafka

@Benson Shih Yes, it is supposed to be. Could you do me a favor? Please disable the Kafka policy and try to see if you can run the job.
