As a cluster administrator, you can combine Kerberos authentication and Ranger
authorization to secure the Streams Messaging Manager (SMM) web user interface
(UI).
If you deploy SMM without security, the login page is not enabled on the SMM UI by
default. When you enable Kerberos authentication, SMM uses SPNEGO to authenticate
users, and you control whether they can view or create topics within Kafka by
administering Ranger Kafka policies. For information on enabling browsers to use
SPNEGO, see How to Configure Browsers for Kerberos Authentication.
After you secure SMM, anyone within the organization can log in to SMM. However, if
they do not have the correct policy configuration in Ranger, they may not have
the necessary privileges to perform their required tasks through SMM.
Configure Kafka in Ranger
For more information, see Configure a resource-based service: Kafka.
Enable Kerberos authentication for Kafka
For more information, see Enable Kerberos authentication.
Add and configure SMM
For more information, see CDP Data Center Installation Guide.
Go to Cloudera Manager > SMM, and click Configuration.
Enable Ranger for SMM.
Go to the Ranger service UI and configure the Kafka policies.
Click cm_kafka in the Ranger service UI.
The List of Policies page appears.
Click Add New Policy.
The Policy Details page appears.
Add a policy name and select cluster from the dropdown.
Type * in the field beside cluster, and select the * from the values that appear.
Go to the Allow Condition section and select the user.
Add permissions by clicking the + under Add Permissions.
Select Create and Describe permissions.
Click Add.
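The policy built in the steps above can be checked from an export of the cm_kafka policies. The following is an added example, not Cloudera's code: it assumes the policies are available as JSON in Ranger's policy format, uses constructed sample data with placeholder policy names and users (alice, bob, carol), and evaluates only direct user allow entries, not groups, roles or deny conditions.

```python
import json

# Constructed sample shaped like Ranger policy JSON for the cm_kafka service.
# Policy names and users (alice, bob, carol) are placeholders, not from the page.
SAMPLE_POLICIES = json.loads("""
[
  {"service": "cm_kafka", "name": "smm-cluster-access", "isEnabled": true,
   "resources": {"cluster": {"values": ["*"], "isExcludes": false}},
   "policyItems": [{"users": ["alice"], "accesses": [
       {"type": "create", "isAllowed": true}, {"type": "describe", "isAllowed": true}]}]},
  {"service": "cm_kafka", "name": "describe-only", "isEnabled": true,
   "resources": {"cluster": {"values": ["*"], "isExcludes": false}},
   "policyItems": [{"users": ["bob"], "accesses": [
       {"type": "describe", "isAllowed": true}]}]},
  {"service": "cm_kafka", "name": "disabled-policy", "isEnabled": false,
   "resources": {"cluster": {"values": ["*"], "isExcludes": false}},
   "policyItems": [{"users": ["carol"], "accesses": [
       {"type": "create", "isAllowed": true}, {"type": "describe", "isAllowed": true}]}]}
]
""")

REQUIRED = {"create", "describe"}  # the two permissions selected in the steps above


def cluster_grants(policies, service="cm_kafka"):
    """Map each user to the access types allowed on cluster '*' by enabled policies."""
    grants = {}
    for policy in policies:
        if policy.get("service") != service or not policy.get("isEnabled", True):
            continue
        cluster = policy.get("resources", {}).get("cluster")
        # Only count policies that include (not exclude) the wildcard cluster resource.
        if not cluster or cluster.get("isExcludes") or "*" not in cluster.get("values", []):
            continue
        for item in policy.get("policyItems", []):
            allowed = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed")}
            for user in item.get("users", []):
                grants.setdefault(user, set()).update(allowed)
    return grants


def missing_permissions(policies, user):
    """Return the required permissions the user lacks (empty set: nothing missing)."""
    return REQUIRED - cluster_grants(policies).get(user, set())


if __name__ == "__main__":
    print({u: sorted(missing_permissions(SAMPLE_POLICIES, u)) for u in ("alice", "bob", "carol")})
```

A user with a non-empty result can still log in to SMM but will lack the listed permission on the cluster resource; a disabled policy contributes nothing.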
Verifying the Setup
After you secure SMM, you can verify the security setup.
Go to Cloudera Manager > SMM.
The login page for SMM appears.
Log in to the SMM UI using your regular credentials.
After you log in, you see the user logout dropdown at the top right corner of
your screen. It shows the domain associated with the user.
Click Streams Messaging Manager Web UI.
To add a topic, go to Topics.
Click Add New.
Add a topic name, select partitions, and cleanup policy.
Click Save.
You see the following message in the top right corner of the webpage.