在创建或删除Kafka主题时,通过Ranger策略无法授权,出现NoAuthException错误。原因是非特权用户直接与Zookeeper交互,绕过了Ranger插件的授权。解决方案是在安全环境中使用kafka-acls.sh脚本来允许或拒绝用户对主题的访问。
PROBLEM DESCRIPTION
When creating or deleting topics in Kafka, they cannot be authorized through the Ranger policies. The following errors are displayed while creating the topics:
[ADM_xxxx@xxxx-oc-had102 ~]$ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper xxxx-oc-had101.example.local:2181, xxxx-oc-had201.example.local:2181,xxxx-oc-had102.example.local:2181 --create --topic test --partition 2 --replication-factor 1 Error while executing topic command : org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test [2016-09-13 16:15:47,561] ERROR org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test . . Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
ROOT CAUSE
Kafka with Ranger is only recommended in secure clusters. The above errors are displayed while creating or deleting topic from an ordinary user. This is because only the process owner of Kafka service such as root, can write to Zookeeper znodes (/configs/topics). Ranger policies do not get enforced when a non privileged user creates a topic. This is because kafka-topics.sh script talks directly to Zookeeper to create the topic. It will add entries into the Zookeeper nodes and the watchers on the broker side will monitor and create topics accordingly. Due to the script talking to Zookeeper directly, the authorization cannot be done through the ranger plugin.
RESOLUTION
For the users to create topics, run a script called kafka-acls.sh which will allow or deny users on topics and provide other options.
Note
This is applicable only in secure environment only. The more details on this see the Authorizing Access when Kerberos is Enabled documentation.
About:
This article created by Hortonworks Support (Article: 000005366) on 2017-06-27 05:17
OS: Linux
Type: Configuration, Cluster_Administration
Version: HDP
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
