
Ranger policy malfunction in kafka

Contributor

In Kafka, I tried to execute consume/publish commands with all Ranger policies disabled, but neither consume nor publish was denied. Did I miss a Kafka configuration setting, or am I misunderstanding something else?

1 ACCEPTED SOLUTION

Contributor

Here are the steps to enable Ranger for Kafka; they work fine with HDP 2.3.4 and Ranger 0.5.0:

1.) Enable Kerberos for the cluster.

2.) In the Ambari server, go to Kafka's Configs > Advanced ranger-kafka-plugin-properties and click "Enable Ranger for Kafka".

3.) Go to Configs > Custom kafka-broker and change the value of "authorizer.class.name" to "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer".

4.) Save the changes and restart the Kafka component.

5.) Go to the Ranger admin UI, then disable all Kafka policies.

6.) It should deny Publish/Consume actions now.
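As an added example (not part of the original post, and not code from Ranger or Kafka), the check below audits a broker properties file for the two settings that steps 1 and 3 depend on. The sample file contents and host name are constructed, and treating any listener protocol whose name contains "SASL" as Kerberos-enabled is an assumption.

```python
# Added example: audit Kafka broker properties for the settings the steps rely on.
RANGER_AUTHORIZER = (
    "org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer"
)

def parse_properties(text):
    """Parse simple key=value lines; comments (# or !) and blanks are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(text)
    findings = []
    authorizer = props.get("authorizer.class.name", "")
    if not authorizer:
        # With no authorizer class the broker performs no authorization at all,
        # so enabling or disabling Ranger policies changes nothing.
        findings.append("authorizer.class.name is unset: Ranger is never consulted")
    elif authorizer != RANGER_AUTHORIZER:
        findings.append(f"authorizer.class.name is {authorizer}, not Ranger")
    for listener in props.get("listeners", "").split(","):
        listener = listener.strip()
        if not listener:
            continue
        protocol = listener.split("://", 1)[0].upper()
        if "SASL" not in protocol:  # assumption: SASL in the name means Kerberos
            findings.append(f"listener {listener} has no Kerberos authentication")
    return findings

# Constructed samples: a broker before and after the steps above.
BEFORE = "# constructed sample\nlisteners=PLAINTEXT://broker1.example.com:6667\n"
AFTER = (
    "# constructed sample\n"
    "listeners=SASL_PLAINTEXT://broker1.example.com:6667\n"
    f"authorizer.class.name={RANGER_AUTHORIZER}\n"
)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_broker(cfg) or "OK")
```
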


40 REPLIES

Master Mentor

@Benson Shih I really appreciate you sharing the details.

In the Ranger policy, did you set the IP?

Can I authorize access to Kafka over a non-secure channel via Ranger?

Yes, you can control access by IP address.

Master Mentor

@Benson Shih See this

This Kafka feature is available in HDP releases 2.3.4 (Dal-M20) or later.

Contributor

Many thanks in advance for @Neeraj Sabharwal's response.

1. I am a little confused about how to set the IP address ranger. Am I supposed to specify the NameNode host IP?

2. What about earlier versions of HDP, like 2.3.0?

Master Mentor

@Benson Shih You would allow the traffic from those IPs.

HDP 2.3.4 ...No HDP2.3.0 or HDP 2.3.2

Contributor

I used HDP2.3.4 with ip address ranger:

1692-qwe.png

After setting up the policy, I went to the 140.92.27.89 command line, changed user to kafka, and executed Publish and Consume actions, but they were still not denied.

Rising Star

@Benson Shih, what does the Audit say? It should have the policyId which gave permission.

Contributor

Hi @bdurai,

I did not observe any information about Kafka in Audit (Access). However, after I added the property "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" in Custom kafka-broker and executed a Publish action, Audit Access showed the information below (why did it not show the "publish" Access Type?):

1694-audit-access.png

In addition, I got an error when I executed the Publish action:

1695-error-message.png

Master Mentor

@Benson Shih It's failing on authorization.

Contributor

Hi @Neeraj Sabharwal, it's right that it is failing on authorization, but it is supposed to be authorized by Ranger, right? It's so weird that Ranger cannot control the Publish or Consume actions.

Master Mentor

@Benson Shih Yes, it is supposed to be. Could you do me a favor? Please disable the Kafka policy and try to see if you can run the job.