Original Article Can I authorize access to Kafka over a non-secure channel via Ranger? Yes. you can control access by ip-address. Can I authorize access to Kafka over non-secure channel by user/user-groups? No, one can’t use user/group based access to authorize Kafka access over a non-secure channel. This is because it isn't possible to assert client’s identity over the non-secure channel. Why do we have to specify public user group on all policies items created for authorizing Kafka access over non-secure channel? Kafka can’t assert the identity of client user over a non-secure channel. Thus, Kafka treats all users for such access as an anonymous user (a special user literally named ANONYMOUS ). Ranger's public user group is a means to model all users which, of course, includes this anonymous user ( ANONYMOUS ). What are the specific things to watch out for when setting up authorization for accessing Kafka over non-secure channel? Make sure that all broker-ips have Kafka admin access to all topics, i.e. *. Make sure no publishers or consumers are running on broker nodes that need access control. Since broker ips have open access it isn’t possible to control access on those nodes. Please take time to read the original article. ... View more

Tools in use: HBase shell and Zeppelin User demouser needs access to HBase table called PRICES. User zeppelin needs the same access to run few queries. You can run this demo by using Hortonworks Sandbox ... View more