Ranger and Kafka integration - FAQ   
Article by Neeraj Sabharwal · Jan 31, 2016 at 04:30 PM

Short Description:

This is a reference to the Apache documentation on Kafka and the Ranger plugin.

Article

Original Article

Can I authorize access to Kafka over a non-secure channel via Ranger?

Yes, you can control access by IP address.

Can I authorize access to Kafka over a non-secure channel by user/user-groups?

No, you can't use user/group-based access to authorize Kafka access over a non-secure channel, because the client's identity can't be asserted over a non-secure channel.

Why do we have to specify the public user group on all policy items created for authorizing Kafka access over a non-secure channel?

  • Kafka can't assert the identity of the client user over a non-secure channel. Thus, Kafka treats every user of such access as an anonymous user (a special user literally named ANONYMOUS).
  • Ranger's public user group is a means to model all users, which, of course, includes this anonymous user (ANONYMOUS).

What are the specific things to watch out for when setting up authorization for accessing Kafka over a non-secure channel?

  • Make sure that all broker IPs have Kafka admin access to all topics, i.e. *.
  • Make sure no publishers or consumers that need access control are running on broker nodes. Since broker IPs have open access, it isn't possible to control access on those nodes.
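
The check below is an added example, not part of the original article or of Ranger itself: it scans Ranger policy JSON for policy items that grant Kafka access to the public group without an IP condition, which over a non-secure channel means any host. The `ip-range` condition name and the policy field layout are assumptions based on Ranger's policy export format; the sample policies, topic names and addresses are constructed.

```python
import json

# Constructed sample in the shape of a Ranger policy export; names and IPs are made up.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "brokers-admin", "resources": {"topic": {"values": ["*"]}},
   "policyItems": [{"groups": ["public"],
                    "accesses": [{"type": "kafka_admin", "isAllowed": true}],
                    "conditions": [{"type": "ip-range",
                                    "values": ["10.0.0.11", "10.0.0.12"]}]}]},
  {"name": "orders-clients", "resources": {"topic": {"values": ["orders"]}},
   "policyItems": [{"groups": ["public"],
                    "accesses": [{"type": "publish", "isAllowed": true},
                                 {"type": "consume", "isAllowed": true}],
                    "conditions": []}]}
]
""")

IP_CONDITION = "ip-range"  # assumed condition name in the Kafka service definition


def ip_values(item):
    """Return the IP values restricting this policy item (empty list = unrestricted)."""
    return [v for c in (item.get("conditions") or [])
            if c.get("type") == IP_CONDITION
            for v in (c.get("values") or []) if v.strip()]


def open_public_items(policies):
    """Find policy items that grant access to 'public' with no IP condition.

    Over a non-secure channel every client is ANONYMOUS, which belongs to
    'public', so such an item allows the listed accesses from any host.
    """
    findings = []
    for policy in policies:
        for item in policy.get("policyItems") or []:
            groups = item.get("groups") or []
            if "public" in groups and not ip_values(item):
                allowed = sorted(a["type"] for a in (item.get("accesses") or [])
                                 if a.get("isAllowed"))
                findings.append((policy["name"], allowed))
    return findings


if __name__ == "__main__":
    for name, accesses in open_public_items(SAMPLE_POLICIES):
        print(f"{name}: public may {', '.join(accesses)} from any host")
```
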

Please take time to read the original article.


Ashok Patil · Mar 16, 2017 at 06:28 PM

Neeraj - I followed the original article and am having an issue. I noticed that once I add the group "Public" in Ranger policies without adding an IP address in the policy condition, users are able to publish and consume from any host.

This is what I did.

HDP Version: HDP-2.3.4.0-3485

-- Enabled the Kafka plugin in Ranger.

-- Restarted Ranger

-- Created the following policies in Ranger (see the image) (Important: added group Public, left policy condition blank)

-- Logged in to server 21 to produce and consume messages

-- I was able to produce and consume messages from any server.

What we want is to secure our Kafka environment through Ranger by IP address. I understand that asserting the identity of the client user over a non-secure channel is not possible.

I followed the following article to secure our Kafka environment.

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-WhydowehavetospecifypublicusergrouponallpoliciesitemscreatedforauthorizingKafkaaccessovernon-securechannel

Please let me know what I am missing.

kafka-rangerissue.png (45.3 kB)
