时间:2021-07-01 10:21:17 帮助过:19人阅读
Ensure publishers have appropriate access.
Identify ip address of all nodes where publishers would run along with their respective topics.
Create policy where resources are the respective topic names and grant Publish access type to public user group. Specify ip-address of machines where those publishers would run as the ip-range policy condition on the policy item.
Specify topic name(s) as policy resource. Note that you can specify multiple topics or even regular expressions in topic names.
Ensure consumers have appropriate access. Same process as publishers except change access type to Consume instead or Produce.
public user group on all policies items created for authorizing Kafka access over non-secure channel?Kafka can’t assert the identity of client user over a non-secure channel. Thus, Kafka treats all users for such access as an anonymous user (a special user literally named ANONYMOUS).
Ranger‘s public user group is a means to model all users which, of course, includes this anonymous user (ANONYMOUS).
Kafka admin access to all topics, i.e. *.Make sure no publishers or consumers are running on broker nodes that need access control. Since broker ips have open access it isn’t possible to control access on those nodes.
bin/kafka-console-consumer.sh script that is a part of the Kafka distribution! The consumer hangs and gives the error message “No brokers found in ZK.” What gives?/etc/kafka/conf/kafka_client_jaas.conf does not have specification for serviceName="zookeeper". This is typically the Client section.Ensure that you are not specifying --security-protocol PLAINTEXTSASL argument to the consumer. Either specify --security-protocol PLAINTEXT or leave --security-protocol unspecified since its default value is PLAINTEXT.
/etc/kafka/conf/kafka_client_jaas.conf file! What should I do to consume kafka messages over an non-authenticated channel?kinit with a valid password/ticket.That token will get used to authenticate you to zookeeper. After that you should be able to consume messages from kafka over non-authenticated channel. Connection to Kafka brokers correctly happens over non-authenticated channel and should get authorized as user ANONYMOUS.
/etc/kafka/conf/kafka_client_jaas.conf file?Presence of Client block in /etc/kafka/conf/kafka_client_jaas.conf for service zookeeper causes the console consumer connect to zookeeper in secure mode. To do so it needs a ticket -- which won’t exist in simple auth mode, so it fails.
This section describes the issues one might encounter while trying to authorize topic creation in Kafka using Ranger.
Yes, but only if the topic is being auto-created by consumers or producers.
For producers, create a policy item under this policy which grants both Produce and Configure permissions to the relevant user/user-groups.
For consumers, create a policy item under this policy which grants both Consume and Configure permissions to the relevant user/user-groups.
public to the policy item or specify and ip-address base custom condition.Topic creation is currently a cluster level privilege. Thus it requires access privileges over all topics in a cluster, i.e. *.
finance, e.g. finance_1, finance_2, etc. to users that are part of Finance user group. But I don’t want them to be able to auto create topics that start with other strings, say, marketing_123. Can I model this sort of an authorization in Ranger Kafka plugin?Make sure that you specify the following two argument to the console consumer.
--new-consumer--boot-strap <broker-name(s)>: Any single broker host/port would do.bin/kafka-tpics.sh script that is a part of the Kafka distribution. Can I authorize topic creation via that mechanism?No.
Not yet.
Please refer to KAFKA-1809 which implemented the multiple listeners Design.
ranger kafka - Authorizing Kafka access over non-authenticated channel via Ranger
标签:link sort ret faq image directly sign data perm