Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger policy malfunction in kafka

Labels:
avatar
author-rank bensonshih
Contributor

Created ‎01-14-2016 07:22 AM

In kafka, I tried to execute consume/publish command with disabled all policies of Ranger, it did not deny both consume/publish behavior. Did I miss any configuration setting of kafka or misunderstanding something else?

12,735 Views
1 ACCEPTED SOLUTION

avatar
author-rank bensonshih
Contributor

Created ‎02-15-2016 03:54 AM

Here are some steps of enable ranger for kafka and works fine with HDP2.3.4 and Ranger 0.5.0:

1.) Enable kerberos server for cluster.

2.) In Ambari server, go to Kafka`s Configs > Advanced ranger-kafka-plugin-properties , click "Enable Ranger for Kafka".

3.) Go to Configs > Custom kafka-broker , change value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".

4.) Save changes and restart kafka component.

5.) Go to Ranger admin UI, then disable all policies of kafka.

6.) It should be deny Publish/Consume actions now.

View solution in original post

11,438 Views
0 Kudos
40 REPLIES 40

avatar
author-rank nsabharwal
Master Mentor

Created on ‎01-14-2016 02:54 PM - edited ‎08-19-2019 05:14 AM

@bdurai @bganesan

I was able to reproduce this. I have only kafka user listed in Kafka policy and root can consume and produce the data "not listed in kafka policy.

1358-screen-shot-2016-01-14-at-95432-am.png

@Benson Shih

5,343 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-19-2016 02:32 AM

@Benson Shih check this https://github.com/abajwa-hw/security-workshops/blob/master/Setup-ranger-23.md#setup-kafka-plugin-fo...

5,343 Views
0 Kudos

avatar
author-rank ashaver
Contributor

Created ‎01-27-2016 07:55 PM

Is this issue resolved? I also tried to create a kafka ranger policy to exclude a select user from not creating or deleting topics. But it doesn't get enforced. I see the 200 response in Ranger Audits that Kafka plugin is up.

5,343 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-31-2016 04:35 PM

@Anna Shaverdian see this https://community.hortonworks.com/articles/12699/ranger-and-kafka-integration-faq.html

5,343 Views
0 Kudos

avatar
author-rank alal1
Contributor

Created ‎01-14-2016 05:31 PM

Is the Ranger plugin properly installed? For example, do you any evidence of it in Ranger Audit logs, e.g. kafaka server connecting to Ranger to download policies or access log indicating that access was allowed by ranger?

5,343 Views

avatar
author-rank bensonshih
Contributor

Created ‎01-18-2016 01:34 AM

I will check for it

5,343 Views
0 Kudos

avatar
author-rank pbrahmbhatt
Explorer

Created ‎01-14-2016 07:34 PM

Please check your server.properties file and ensure you have authorizer.class.name set to Ranger Authorizer's Fully Qualified class name.

5,343 Views

avatar
author-rank bensonshih
Contributor

Created ‎01-18-2016 01:36 AM

It`s supposes to be "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" right?

5,343 Views

avatar
author-rank bdurai
Rising Star

Created ‎01-15-2016 01:12 AM

Also look into the Ranger Audits from the Ranger Admin. If Ranger is allowing the request, then it will have policy which gave the permission.

5,343 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements