Help Center> MapReduce Service> Component Operation Guide (Normal)> Using Ranger (MRS 3.x)> Adding a Ranger Access Permission Policy for Kafka
Updated on 2023-11-03 GMT+08:00

Adding a Ranger Access Permission Policy for Kafka

Scenario

Ranger administrators can use Ranger to configure the read, write, and management permissions of the Kafka topic and the management permission of the cluster for the Kafka user. This section describes how to add the production permission of the test topic for the test user.

Prerequisites

  • The Ranger service has been installed and is running properly.
  • You have created users, user groups, or roles for which you want to configure permissions.

Procedure

  1. Log in to the Ranger web UI as the Ranger administrator rangeradmin. For details, see Logging In to the Ranger Web UI.
  2. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
  3. Click Add New Policy to add a Kafka permission control policy.
  4. Configure the following parameters based on the service demands.

    Table 1 Kafka permission parameters

    Parameter

    Description

    Policy Type

    Access type.

    Policy Conditions

    IP address filtering policy, which can be customized. You can enter one or more IP addresses or IP address segments. The IP address can contain the wildcard character (*), for example, 192.168.1.10,192.168.1.20, or 192.168.1.*.

    Policy Name

    Policy name, which can be customized and must be unique in the service.

    Policy Label

    A label specified for the current policy. You can search for reports and filter policies based on labels.

    topic

    Name of the topic applicable to the current policy. You can enter multiple values. The value can contain wildcards, such as test, test*, and *.

    The Include policy applies to the current input object, and the Exclude policy applies to objects other than the current input object.

    Description

    Policy description.

    Audit Logging

    Whether to audit the policy.

    Allow Conditions

    Permission and exception conditions allowed by a policy. The priority of an exception condition is higher than that of a normal condition.

    In the Select Role, Select Group, and Select User columns, select the role, user group, or user to which you want to assign permissions.

    Click Add Conditions, add the IP address range to which the policy applies, and click Add Permissions to add corresponding permissions.

    • Publish: production permission
    • Consume: consumption permission
    • Describe: query permission
    • Create: topic creation permission
    • Delete: topic deletion permission
    • Describe Configs: configuration query permission
    • Alter: permission to change the number of partitions of a topic.
    • Alter Configs: configuration modification permission
    • Select/Deselect All: Select or deselect all.

    To add multiple permission control rules, click .

    If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.

    Deny Conditions

    Policy rejection condition, which is used to configure the permissions and exceptions to be denied in the policy. The configuration method is the same as that of Allow Conditions. The priority of the rejection condition is higher than that of the allowed conditions configured in Allow Conditions.

    For example, to add the production permission for the test topic of user testuser, configure the following information:

    Figure 1 Kafka permission parameters
    Table 2 Setting permissions

    Scenario

    Role Authorization

    Setting the Kafka administrator permissions

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - topic and click to edit the policy.
    3. In the Allow Conditions area, select a user from the Select User drop-down list.
    4. Click Add Permissions and select Select/Deselect All.

    Setting the permission for a user to create a topic

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Create.
    NOTE:

    Currently, the Kafka kernel supports the --zookeeper and --bootstrap-server methods to create topics. The --zookeeper method will be deleted from the community in later versions. Therefore, you are advised to use the --bootstrap-server method to create topics.

    Note: Currently, Kafka supports only the authentication of topic creation in --bootstrap-server mode and does not support that in --zookeeper mode.

    Setting the permission for a user to delete a topic

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Delete.
    NOTE:

    Currently, the Kafka kernel supports the --zookeeper and --bootstrap-server methods to delete topics. The --zookeeper method will be deleted from the community in later versions. Therefore, you are advised to use the --bootstrap-server method to delete topics.

    Note: Currently, Kafka supports only the authentication of topic deletion in --bootstrap-server mode and does not support that in --zookeeper mode.

    Setting the permission for a user to query a topic

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Describe and Describe Configs.
    NOTE:

    Currently, the Kafka kernel supports the --zookeeper and --bootstrap-server methods to query topics. The --zookeeper method will be deleted from the community in later versions. Therefore, you are advised to use the --bootstrap-server method to query topics.

    Note: Currently, Kafka supports only the authentication of topic query in --bootstrap-server mode and does not support that in --zookeeper mode.

    Setting the production permission of a user on a topic

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Publish.

    Setting the consumption permission of a user on a topic

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Consume.
    NOTE:

    During topic consumption, offset management is involved. Therefore, the Consume permission of ConsumerGroup must be enabled at the same time. For details, see Setting a User's Permission to Submit ConsumerGroup Offsets.

    Setting the permission for a user to expand a topic (by adding partitions)

    1. Specify a topic name in topic.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Alter.

    Setting the permission for a user to modify the topic configuration

    Currently, the Kafka kernel does not support to modify topic parameters based on --bootstrap-server. Therefore, Ranger does not support authentication for this behavior.

    Setting all the management permissions of a user on a cluster

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Kafka Admin.

    Setting the permission for a user to create a cluster

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - cluster and click to edit the policy.
    3. Enter a cluster name and select the cluster on the right side of cluster.
    4. In the Allow Conditions area, select a user from the Select User drop-down list.
    5. Click Add Permissions and select Create.
    NOTE:

    The authentication of the Create operation of a cluster involves the following two scenarios:

    1. After the auto.create.topics.enable parameter is enabled in the cluster, the client sends data to a topic that has not been created in the service. In this case, the system checks whether the user has the Create permission of the cluster.
    2. If a user creates a large number of topics and is granted the Cluster Create permission, the user can create any topic in the cluster.

    Setting the permission for a user to modify the cluster configuration

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Alter Configs.
    NOTE:

    The configuration modification permission allows you to modify the Broker and Broker Logger configurations.

    After the configuration modification permission is granted to a user, the user can query configuration details even if the user does not have the query permission. (The configuration modification permission includes the configuration query permission.)

    Setting the permission for a user to query the cluster configuration

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Describe and Describe Configs.
    NOTE:

    You can only query Broker and Broker Logger information in the cluster, excluding topics.

    Setting the Idempotent Write permission in a cluster for a user

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Idempotent Write.
    NOTE:

    This permission authenticates the Idempotent Produce behavior of the user's client.

    Setting the permission to migrate partitions in a cluster for a user

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Alter.
    NOTE:

    The Alter permission of a cluster can be used to control permissions in the following scenarios:

    1. In the Partition Reassign scenario, migrate the storage directory of replicas.
    2. Elect a leader replica in each partition of the cluster.
    3. Add or delete ACLs.

    Operations in scenarios 1 and 2 are between a controller and broker and between brokers in the cluster. When a cluster is created, this permission is granted to the built-in Kafka user by default. It is meaningless for a common user to be granted with this permission.

    Scenario 3 involves the ACL management. ACLs are designed for authentication. Currently, Kafka authentication is hosted to Ranger. Therefore, this scenario is not involved (the configuration does not take effect).

    Setting the Cluster Action permission in a cluster for a user

    1. Enter a cluster name and select the cluster on the right side of cluster.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Cluster Action.
    NOTE:

    This permission controls the synchronization between the leader and follower replicas in the cluster and the communication between nodes. It has been granted to the built-in Kakfa user during cluster creation. It is meaningless for a common user to grant this permission.

    Setting the TransactionalId permission for a user

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - transactionalid and click to edit the policy.
    1. Set transactionalid to a transaction ID.
    2. In the Allow Conditions area, select a user from the Select User drop-down list.
    3. Click Add Permissions and select Publish and Describe.
    NOTE:

    The Publish permission is used to authenticate client requests for which the transaction feature is enabled, for example, starting and ending a transaction, submitting an offset, and generating transactional data.

    The Describe permission is used to authenticate the requests from the client and coordinator that have enabled the transaction feature.

    If the transaction feature is enabled, you are advised to grant both the Publish and Describe permissions to users.

    Setting the DelegationToken permission for a user

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - delegationtoken and click to edit the policy.
    3. Set delegationtoken to a delegation token.
    4. In the Allow Conditions area, select a user from the Select User drop-down list.
    5. Click Add Permissions and select Describe.
    NOTE:

    Currently, Ranger only controls the query permission of DelegationToken, but does not control its create, renew, and expire permissions.

    Setting the permission for a user to query ConsumerGroup Offsets

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - consumergroup and click to edit the policy.
    3. In consumergroup, configure the consumer group to be managed.
    4. In the Allow Conditions area, select a user from the Select User drop-down list.
    5. Click Add Permissions and select Describe.

    Set the user's submission permission on ConsumerGroup Offsets.

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - consumergroup and click to edit the policy.
    3. In consumergroup, configure the consumer group to be managed.
    4. In the Allow Conditions area, select a user from the Select User drop-down list.
    5. Click Add Permissions and select Consume.
    NOTE:

    After a user is granted with the Consume permission of ConsumerGroup, the user is also granted with the Describe permission.

    Setting the permission for a user to delete ConsumerGroup Offsets

    1. On the home page, click the component plug-in name in the KAFKA area, for example, Kafka.
    2. Select the policy whose Policy Name is all - consumergroup and click to edit the policy.
    3. In consumergroup, configure the consumer group to be managed.
    4. In the Allow Conditions area, select a user from the Select User drop-down list.
    5. Click Add Permissions and select Delete.
    NOTE:

    When a user is granted with the Delete permission of ConsumerGroup, the user is also granted with the Describe permission.

  5. (Optional) Add the validity period of the policy. Click Add Validity period in the upper right corner of the page, set Start Time and End Time, and select Time Zone. Click Save. To add multiple policy validity periods, click . To delete a policy validity period, click .
  6. Click Add to view the basic information about the policy in the policy list. After the policy takes effect, check whether the related permissions are normal.

    To disable a policy, click to edit the policy and set the policy to Disabled.

    If a policy is no longer used, click to delete it.