Configure the resource-based Ranger service used for authorization
Learn how to configure the resource-based Ranger service used by Kafka for authorization.
You can configure which resource-based service in Ranger is used by Kafka for
authorization. This is controlled by the Ranger service name for this Kafka
cluster property which can be set in Cloudera Manager. The property can be
configured in two ways:
- Set a user defined string
- The property accepts a user defined string. Alphanumeric characters as well as
underscores are allowed, for example,
kafka_1. In this case, Kafka checks if a resource-based service in Ranger matching the defined string exists. If it does, Kafka will use that resource-based service. If it does not, Kafka automatically creates and uses a new resource-based service. The name of the newly created resource-based service will be the name that was defined in the property. - Set
{{GENERATED_RANGER_SERVICE_NAME}} - The property accepts
{{GENERATED_RANGER_SERVICE_NAME}}as a valid value. When this specific placeholder value is set, Cloudera Manager generates a name for a new resource-based service. The generated name is based on the Kafka service name and the cluster name. Kafka then checks whether a resource-based service with the generated name exists in Ranger. If it does, Kafka will use that resource-based service. If it does not, Kafka automatically creates and uses a new resource-based service. The name of the newly created resource-based service will be the generated name.
In both scenarios, the creation of the role-based service happens once the Kafka service is restarted.
The property by default is set to cm_kafka. However, for clusters
provisioned with the Streams Messaging cluster definitions in CDP Data Hub, the default is
{{GENERATED_RANGER_SERVICE_NAME}}.
Configuring this property can prove useful when you have multiple Kafka clusters that use the same Ranger service for authorization, but you want to define unique Ranger policies for each Kafka cluster.
