@Benson Shih I really appreciate you sharing the details.
In the Ranger policy, Did you set the IP?
Yes. you can control access by ip-address.
very thanks for @Neeraj Sabharwal `s response in advance,
1. I have a little confused about how to setting the ip address ranger, am I suppose to specify namenode host ip?
2. What about earlier version of HDP like 2.3.0?
I used HDP2.3.4 with ip address ranger:
after set up the policy,then I went to 220.127.116.11 command line to change user to kafka, executing Publish and Consume actions,but it still did not deny..,
I did not observe any information about kafka in Audit(Access); However, after I add a property "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" in Custom kafka-broker and executed Publish action,Audit Access could appeared information as below(why it did not show "publish" Access Type):
In addition, it get some error when I executed Publish action: