Created 01-14-2016 07:22 AM
In Kafka, I tried to execute consume/publish commands with all Ranger policies disabled, but it did not deny either the consume or the publish behavior. Did I miss a Kafka configuration setting, or am I misunderstanding something else?
Created 02-15-2016 03:54 AM
Here are the steps to enable Ranger for Kafka; they work fine with HDP2.3.4 and Ranger 0.5.0:
1.) Enable Kerberos server for the cluster.
2.) In Ambari server, go to Kafka's Configs > Advanced ranger-kafka-plugin-properties, click "Enable Ranger for Kafka".
3.) Go to Configs > Custom kafka-broker, change the value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".
4.) Save changes and restart the Kafka component.
5.) Go to Ranger admin UI, then disable all policies of Kafka.
6.) It should deny Publish/Consume actions now.
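A check for the broker state the steps above are meant to produce, as an added example that is not part of the original answer: it reads the broker's server.properties and confirms the Ranger authorizer from step 3 and, as an assumption, that the Kerberos setup from step 1 appears as a SASL listener protocol. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check the broker settings that
# steps 1 and 3 are meant to leave in Kafka's server.properties.
RANGER_AUTHZ="org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"

# Print the last value assigned to <key> in a key=value properties file.
prop_value() {  # usage: prop_value <key> <file>
  awk -v key="$1" '
    /^[ \t]*[#!]/ { next }                    # skip comment lines
    {
      i = index($0, "=")
      if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$2"
}

# Exit status 0 only if Ranger is the authorizer and every listener uses SASL.
# Assumption: Kerberos shows up as a listener protocol containing "SASL"
# (PLAINTEXTSASL on HDP, SASL_PLAINTEXT / SASL_SSL on Apache Kafka).
check_ranger_kafka() (  # usage: check_ranger_kafka <server.properties>
  rc=0
  authz=$(prop_value authorizer.class.name "$1")
  if [ "$authz" != "$RANGER_AUTHZ" ]; then
    echo "FAIL authorizer.class.name='$authz', Ranger policies are not consulted"
    rc=1
  fi
  listeners=$(prop_value listeners "$1")
  [ -n "$listeners" ] || { echo "FAIL no listeners set, cannot confirm Kerberos"; rc=1; }
  IFS=,
  for l in $listeners; do
    case "${l%%://*}" in
      *SASL*) echo "OK   $l is a SASL (Kerberos) listener" ;;
      *)      echo "FAIL $l is not a SASL (Kerberos) listener"; rc=1 ;;
    esac
  done
  exit "$rc"
)

# Constructed sample: Ranger authorizer set, but one listener left without SASL.
sample=$(mktemp)
printf '%s\n' "listeners=PLAINTEXTSASL://broker1:6667,PLAINTEXT://broker1:9092" \
  "authorizer.class.name = $RANGER_AUTHZ" > "$sample"
check_ranger_kafka "$sample" || echo "=> broker is not in the state steps 1-4 describe"
rm -f "$sample"
```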
Created 01-18-2016 01:38 AM
I will check for it, too
Created 01-15-2016 10:45 AM
Did you turn off the global allow policy for Kafka?
Created 01-18-2016 01:37 AM
What does it mean? Could you give me an example? Thanks.
Created 02-01-2016 04:31 PM
@Artem Ervits yes I turned off the global policy for Kafka, but it did not work.
Created 01-31-2016 02:29 PM
Is it correct that Kafka and Ranger must be in a kerberized cluster environment?
Created 01-31-2016 04:22 PM
Created 01-31-2016 04:31 PM
@Benson Shih Just created an article based on this https://community.hortonworks.com/articles/12699/ranger-and-kafka-integration-faq.html
Very useful to resolve this issue.
Created on 02-01-2016 09:09 AM - edited 08-19-2019 05:14 AM
I still cannot deny Publish and Consume actions; my policy settings are as below:
My environment is not a kerberized cluster, and I also did not observe any records in Access of Audit. Any suggestions?
Thanks.
Created 02-01-2016 09:18 AM
BTW, the following steps are how I enabled Ranger for Kafka and executed Publish/Consume actions:
1. In Kafka Configs > Advanced ranger-kafka-audit > enable "Audit to DB" and change the value of "xasecure.audit.destination.hdfs.dir" to "hdfs://140.92.XX.XX:8020/ranger/audit"
2. Configs > Advanced ranger-kafka-plugin-properties > enable "Enable Ranger for KAFKA"
3. Save changes and restart KAFKA
4. Go to Ranger admin UI; I saw that the repository of Kafka had been created automatically
Created 02-01-2016 09:18 AM
Executing consume/publish steps:
Step 1: connect to the kafka-broker server
Step 2: change user $ su kafka
Step 3: go to bin folder $ cd /usr/hdp/2.3.0.0-2557/kafka/bin
Step 4: create a topic $ ./kafka-topics.sh --create --zookeeper {hostname}:2181 --replication-factor 1 --partitions 1 --topic test
Step 5: execute publish message $ ./kafka-console-producer.sh --broker-list {hostname}:6667 --topic test
This is a test message // it should be denied, right?
Step 6: execute consume message $ ./kafka-console-consumer.sh --zookeeper {hostname}:2181 --topic test --from-beginning
// it also should be denied?