Yes, you can control access by IP address.
No, one can't use user/group-based access to authorize Kafka access over a non-secure channel. This is because it isn't possible to assert the client's identity over a non-secure channel.
public user group on all policies items created for authorizing Kafka access over non-secure channel?
ANONYMOUS).
public user group is a means to model all users which, of course, includes this anonymous user (ANONYMOUS).
Kafka admin access to all topics, i.e. *. Please take time to read the original article.
Neeraj - I followed the original article and am having some issues. I noticed that once I add the group "Public" in Ranger policies without adding an IP address in the policy condition, users are able to publish and consume from any host.
This is what I did.
HDP Version: HDP-2.3.4.0-3485
-- Enabled the Kafka plugin in Ranger.
-- Restarted Ranger
-- Created the following policies in Ranger (see the image) (Important: added group Public, left policy condition blank)
-- Logged in to server 21 to produce and consume messages
-- I was able to produce and consume messages from any server.
What we want is to secure our Kafka environment through Ranger by IP address. I understand that asserting the identity of the client user over a non-secure channel is not possible.
I followed the following article to secure our Kafka environment.
Please let me know what I am missing.
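The behaviour reported in this post, modelled as an added example that is not part of the original thread and is not Ranger's own code: a policy item granted to the public group with a blank IP condition matches a non-secure client from any host, while the same item with an IP condition matches only the listed addresses. The policy shape, the function names, the CIDR notation and the 10.0.0.x addresses are assumptions constructed for illustration, not Ranger's policy schema or condition syntax.

```python
import ipaddress

# Constructed sample policies in a simplified shape (not Ranger's JSON schema).
OPEN = {"topic": "*", "items": [
    {"groups": ["public"], "accesses": ["publish", "consume"], "ip_ranges": []}]}
RESTRICTED = {"topic": "*", "items": [
    {"groups": ["public"], "accesses": ["publish", "consume"],
     "ip_ranges": ["10.0.0.21/32"]}]}
NAMED_USER = {"topic": "*", "items": [
    {"users": ["alice"], "accesses": ["publish"], "ip_ranges": []}]}


def identity_matches(item, user, groups):
    """The "public" group models all users, including ANONYMOUS."""
    item_groups = set(item.get("groups", []))
    return (user in item.get("users", [])
            or "public" in item_groups
            or bool(item_groups & set(groups)))


def ip_matches(item, client_ip):
    """A blank condition places no restriction on the client address."""
    ranges = item.get("ip_ranges", [])
    if not ranges:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def is_allowed(policy, topic, access, client_ip, user="ANONYMOUS", groups=()):
    """Decide a request; non-secure clients default to the ANONYMOUS user."""
    if policy["topic"] not in ("*", topic):
        return False
    return any(access in item["accesses"]
               and identity_matches(item, user, groups)
               and ip_matches(item, client_ip)
               for item in policy["items"])


if __name__ == "__main__":
    policies = (("open", OPEN), ("restricted", RESTRICTED), ("named", NAMED_USER))
    for name, policy in policies:
        for ip in ("10.0.0.21", "10.0.0.99"):
            print(name, ip, is_allowed(policy, "test", "publish", ip))
```

In this model the source address is the only thing that distinguishes one non-secure client from another, so a policy item naming a specific user never matches and a blank condition leaves the topic open to every host.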