Ranger policy malfunction in kafka

avatar
Explorer

In Kafka, I tried to execute consume/publish commands with all Ranger policies disabled, but it did not deny either the consume or the publish behavior. Did I miss any Kafka configuration setting, or am I misunderstanding something else?

1 ACCEPTED SOLUTION

avatar
Explorer

Here are some steps to enable Ranger for Kafka; this works fine with HDP 2.3.4 and Ranger 0.5.0:

1.) Enable the Kerberos server for the cluster.

2.) In the Ambari server, go to Kafka's Configs > Advanced ranger-kafka-plugin-properties and click "Enable Ranger for Kafka".

3.) Go to Configs > Custom kafka-broker and change the value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".

4.) Save the changes and restart the Kafka component.

5.) Go to the Ranger admin UI, then disable all Kafka policies.

6.) It should deny Publish/Consume actions now.

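As an added check (example code, not from the thread or the Ranger project), a small Python validator for the two broker settings the accepted answer turns on: the Ranger authorizer class and an authenticating (SASL/Kerberos) listener. The hostname and sample configs are constructed; it also covers the non-Kerberos case raised later in the thread, where clients reach the authorizer as User:ANONYMOUS and only IP-based conditions can tell them apart.

```python
# Added example, not code from the thread: sanity-check a Kafka broker config.
# Ranger must be the configured authorizer (otherwise its policies are never
# consulted), and clients must authenticate (Kerberos via a SASL listener):
# over PLAINTEXT Kafka hands the authorizer the principal User:ANONYMOUS, so
# user/group policies cannot distinguish clients; only IP conditions work.
RANGER_AUTHORIZER = "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"
AUTHENTICATING_PROTOCOLS = {"SASL_PLAINTEXT", "SASL_SSL"}


def parse_properties(text):
    """Parse Java .properties lines (key=value, '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def listener_protocols(props):
    """Security protocols named in 'listeners=PROTO://host:port,...'."""
    return {
        entry.split("://", 1)[0].strip().upper()
        for entry in props.get("listeners", "").split(",")
        if entry.strip()
    }


def check_ranger_kafka(text):
    """Return findings for a server.properties text; an empty list means OK."""
    props = parse_properties(text)
    findings = []
    if props.get("authorizer.class.name") != RANGER_AUTHORIZER:
        findings.append("authorizer.class.name is not RangerKafkaAuthorizer")
    if not listener_protocols(props) & AUTHENTICATING_PROTOCOLS:
        findings.append("no SASL listener: clients are User:ANONYMOUS")
    return findings


# Constructed sample configs (hypothetical host): before and after the fix.
SAMPLE_BEFORE = "listeners=PLAINTEXT://broker1.example.com:6667\n"
SAMPLE_AFTER = (
    "listeners=SASL_PLAINTEXT://broker1.example.com:6667\n"
    "authorizer.class.name=" + RANGER_AUTHORIZER + "\n"
)
```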

40 REPLIES

avatar

@Benson Shih See this

This Kafka feature is available in HDP releases 2.3.4 (Dal-M20) or later.

avatar
Explorer

Many thanks in advance for @Neeraj Sabharwal's response,

1. I am a little confused about how to set the IP address in Ranger; am I supposed to specify the NameNode host IP?

2. What about an earlier version of HDP like 2.3.0?

avatar

@Benson Shih You would allow the traffic from those IPs.

HDP 2.3.4 ... not HDP 2.3.0 or HDP 2.3.2

avatar
Explorer

I used HDP 2.3.4 with the IP address set in Ranger:

1692-qwe.png

After setting up the policy, I went to the 140.92.27.89 command line, changed user to kafka and executed the Publish and Consume actions, but it still did not deny them.

avatar
Contributor

@Benson Shih, what does the Audit say? It should have the policy ID which gave permission.

avatar
Explorer

Hi @bdurai,

I did not observe any information about Kafka in Audit (Access). However, after I added the property "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" in Custom kafka-broker and executed the Publish action, Audit Access showed the information below (why does it not show "publish" as the Access Type?):

1694-audit-access.png

In addition, I got an error when I executed the Publish action:

1695-error-message.png

avatar

@Benson Shih It's failing on authorization.

avatar
Explorer

Hi @Neeraj Sabharwal, it's right that it is failing on authorization, but it is supposed to be authorized by Ranger, right? It's so weird that Ranger cannot control the Publish or Consume actions.

avatar

@Benson Shih Yes, it is supposed to be. Could you do me a favor? Please disable the Kafka policy and try to see if you can run the job.

avatar
Explorer

@Neeraj Sabharwal Sure; it could still run the job when I disabled the Kafka policy.

avatar

@Benson Shih then I guess Ranger policy is working 🙂

avatar
Mentor

@Benson Shih is this issue resolved? Can you accept best answer or provide your own solution?

avatar
Explorer

Hi @Artem Ervits,

It's still not resolved yet; I'm trying to figure out the solution soon. Once I find the solution I'll provide it or accept the best answer.

avatar

@Benson Shih I will be working on the demo. Let's connect... Add me on LinkedIn, please.

avatar
Explorer

@Neeraj Sabharwal

OK, thanks.

avatar
Explorer

Hi @Neeraj Sabharwal I would also be very interested in seeing the use case demo for this, thanks!


avatar

@Benson Shih This works, BUT I was under the impression that you are looking for a solution for a non-Kerberos environment.

avatar

@Benson Shih @bdurai

Benson, take a look at this

You don't have to have Kerberos to control Kafka authorization.

HDP 2.3.4

avatar
New Contributor

I am having a similar issue.

We have a non-Kerberized Hadoop Kafka environment. I am testing integrating Ranger with Kafka to secure the environment.

HDP Version: HDP-2.3.4.0-3485

This is what I did.

-- Enabled the Kafka plugin in Ranger.

-- Restarted Ranger.

-- Created the following policies in Ranger (see the image) (Important: added the group Public and left the policy condition blank).

-- Logged in to server 21 to produce and consume messages.

-- I was able to produce and consume messages from any server.

What we want is to secure our Kafka environment through Ranger by IP address. I understand that identifying the client user over a non-secure channel is not possible.

I followed the following article to secure our Kafka environment.

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-Whydowehavetospecifypubl...

Please let me know what I am missing.

13690-kafka-rangerissue.png
