Hi, is there Kerberos auth supported while talking to Ranger REST Api, like e.g. for Ambari ?!?! or , more generally, what are options to access Ranger REST API with a kerberos ticket.....Knox an option? Any hint for docu/setup instructions appreciated ... View more

Hi, regarding SchemaRegistry UI, how to allow different users access to the UI and, more important, are there different levels of privileges available, like e.g. the different roles in Ambari , to be able to limit what certain users can do/see? ...or is there an integration with Ranger available/planned to distinguish _who_ can do/see _what_ ? ... View more

Hi, after enabling SASL_PLAINTEXT listener on kafka it is no longer possible to use console-consumer/-producer. Whereas using a simple Java snippet to create a producer and adding some messages, it works fine, by using the exact same user/password as used for the console-clients: public class SimpleProducer { public static void main(String[] args) throws Exception{ if(args.length == 0){ System.out.println("Enter topic name"); return; } String topicName = args[0].toString(); Properties props = new Properties(); props.put("bootstrap.servers", "<brokernode>:6666"); props.put("acks", "1"); props.put("retries", 0); props.put("batch.size", 16384); props.put("linger.ms", 1); props.put("buffer.memory", 33554432); props.put("key.serializer", "org.apache.kafka.common.serialization.StringSerializer"); props.put("value.serializer", "org.apache.kafka.common.serialization.StringSerializer"); ////// AUTHENTICATION props.put("security.protocol","SASL_PLAINTEXT"); props.put("sasl.mechanism","PLAIN"); props.put("sasl.jaas.config", "org.apache.kafka.common.security.plain.PlainLoginModule required\n" + "username=\"kafka\"\n" + "password=\"kafkaSecure\";"); ////// END AUTHENTICATION Producer<String, String> producer = new KafkaProducer<String, String>(props); System.out.println("producer created"); for(int i = 0; i < 10; i++) { System.out.println("message"+i); producer.send(new ProducerRecord<String, String>(topicName, Integer.toString(i), Integer.toString(i))); } System.out.println("Messages sent successfully"); producer.close(); } } After starting the e.g. producer and trying to add a message via the console, the following message is shown (endless): [2017-11-14 16:48:23,039] WARN Bootstrap broker <brokernode>:6666 disconnected (org.apache.kafka.clients.NetworkClient) [2017-11-14 16:48:23,091] WARN Bootstrap broker <brokernode>:6666 disconnected (org.apache.kafka.clients.NetworkClient) [2017-11-14 16:48:23,143] WARN Bootstrap broker <brokernode>:6666 disconnected (org.apache.kafka.clients.NetworkClient) [2017-11-14 16:48:23,195] WARN Bootstrap broker <brokernode>:6666 disconnected (org.apache.kafka.clients.NetworkClient) Kafka config looks like: listeners=PLAINTEXT://<brokernode>:6667,SASL_PLAINTEXT://<brokernode>:6666 sasl.enabled.mechanisms=PLAIN sasl.mechanism.inter.broker.protocol=PLAIN security.inter.broker.protocol=SASL_PLAINTEXT The console-producer gets started via: export KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/conf/user_kafka_jaas.conf" ; /usr/hdf/current/kafka-broker/bin/kafka-console-producer.sh --broker-list <brokernode>:6666 --topic gk-test --producer.config /etc/kafka/conf/producer.properties where the property files look like: /etc/kafka/conf/user_kafka_jaas.conf KafkaClient { org.apache.kafka.common.security.plain.PlainLoginModule required username="kafka" password="kafkaSecure"; }; /etc/kafka/conf/producer.properties security.protocol=SASL_PLAINTEXT sasl.mechanism=PLAIN Any hint on what is going wrong with console-producer and console-consumer to not being able to produce/consume from topic ? ...but the Java snippet works... Thanks ... View more

Hi, how can I enable Kafka SASL_PLAINTEXT auth, without enabling Kerberos in general ?!?! Right now I added the additional "listener" entry and populated the "advanced kafka_jaas_conf" as well as "advanced kafka_client_jaas_conf". After that the KafkaBrokers won't start up, because of error: FATAL [Kafka Server 1001], Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer) org.apache.kafka.common.KafkaException: java.lang.IllegalArgumentException: Could not find a 'KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set What else needs to be done to provide the required properties to Broker startup as well as to distribute the .jaas files ? Also it looks like the .jaas files are not being deployed to the kafka nodes, they are not under /usr/hdp/current/kafka-broker/config. Is this functionality missing because of Kerberos is disabled ?!?! I am sure after enabling Kerberos the defined .jaas entries in Ambari will be deployed to the nodes, hence there must be some "hidden" functionality missing in non-Kerberos mode.... Any help appreciated, thanks in advance... ... View more

Hello, I setup HDF 3 including Ranger and Kerberos...everything's green in Ambari so far. Ranger plugins for Kafka and NiFi have been enabled and in RangerUI I can see the default policy for Kafka has been created and some audit entries are there, see below The problem now is, that I can list and describe Kafka topics with my user account, although it is not allowed by Ranger ACL , and I do not even see any entry in Audit log for the accesses under my own user account. It looks like Ranger ACLs doesn't get applied to Kafka at all, no idea why ?!?! I create a dedicated policy for Topic 'foo', just granting my user 'consume' access => In a terminal I can still 'describe' that topic, and in ranger audit there is NO entry for that access => Any ideas why access is still allowed and why there is no audit being recorded ?!?! PS: in RangerUI the Kafka policy is shown as updated.....it updates right after being updated ... View more

Hello, while investigating into setting up HDF via Blueprint I am facing two issues after service deployment ( incl. Ranger ) a) the Ranger AdminWebUI does not show any default policy neither for NiFi nor for Kafka. Both plugins are enabled, but Ranger admin looks like b) Ranger AdminUI also does not show any plugin under "Audit" tab Which properties in the blueprint needs to be set to finalize the blueprint-automated-setup incl. enabled Ranger plugins for NiFi and Kafka ?!?! Thanks in advance... ... View more

Hi, I wanted to setup Ranger-on-NiFi in the HDF 3.0 sandbox, according to https://community.hortonworks.com/articles/58769/hdf-20-enable-ranger-authorization-for-hdf-compone.html But after adding Ranger , enabling NiFi plugin and restarting required services, this plugin doesn't appear in the Ranger-UI. Its "audit"=>"Plugin" overview is just empty. The default policy for NiFi has been created though. Any ideas what was going wrong ? ... View more