Use case: We want to control the kafka broker, producer and consumer policies using Ranger without having kerberos. "What is a recommended way to set-up policies when trying to control access to Kafka over a non-secure channel?"
I have defined 3 policies as shown below:
Broker, Publisher and Consumer is controlled at IP level. With one click you can revoke the access from the consumer.
I am trying to do exactly the same thing, ie using ranger with a non kerberized Kafka. Unfortunately I have following error :
[root@mykafka kafka]# tail -f kafka.out
[2016-06-15 15:45:34,002] WARN got exception trying to get groups for user ANONYMOUS: id: ANONYMOUS: no such user (org.apache.hadoop.security.ShellBasedUnixGroupsMapping)
[2016-06-15 15:45:34,002] WARN No groups available for user ANONYMOUS (org.apache.hadoop.security.UserGroupInformation)
The public group should be mapped to an ANONYMOUS user.
Did you do something special to declare it manually within ranger ? Can you share the list of declared users within ranger ?
Thx in advance. Regards
It seems that I have to use the new publisher and consumer API, and not the old one.
Now it works but I still have warnings in kafka.out... With 6 lines of warning every second, I will quickly have a problem.
I'm experiencing the same issue as "easyoups". Do you have work around?
I had the same Exception.
I solved the problem by creating the User ANONYMOUS on the kafka broker nodes.
Hi Neeraj,Can you tell me your ranger and kafka version ?Thank you
- i'm having issues in getting this to work,
attaching the link with the problem summary.
could you help resolve this issue ? Thnx.
Hi, does it mean that ranger kafka plugin can not define policy among users, and only among hosts?