Enable authorization in Kafka with Ranger

Learn how to enable Ranger authorization for Kafka.

Use the following instructions to enable and configure Ranger authorization for Kafka when the Ranger service is deployed either on the same cluster as the Kafka service or in a Data Context cluster.

  • Ranger authorization requires that at least one of the following authentication mechanisms is enabled in Kafka:
    • Kerberos
    • Two-way TLS/SSL
    • LDAP
    • PAM
  • A Kafka service can also depend on a Ranger service that is deployed on a remote cluster that is not a Data Context cluster. To do this, configure the following advanced configuration snippets instead of following the configuration steps described below:
    • Kafka Broker Advanced Configuration Snippet (Safety Valve) for ranger-kafka-security.xml
      Name: ranger.plugin.kafka.policy.rest.url
      Value: http://[***FQDN OF RANGER ADMIN HOST***]:6080/
    • Kafka Broker Advanced Configuration Snippet (Safety Valve) for ranger-kafka-audit.xml
      Name: xasecure.audit.destination.solr.zookeepers
      Value: [***FQDN OF ZOOKEEPER HOST***]:2181/solr-infra
  1. In Cloudera Manager select the Kafka service.
  2. Select Configuration and find the RANGER Service property.
  3. Check the checkbox next to the name of the Ranger service that you want this Kafka service to depend on.
  4. Click Save Changes.
  5. Restart the Kafka service.
Ranger authorization for Kafka is enabled. The Kafka service depends on the selected Ranger service for authorization.
Configure resource-based services and policies for Kafka. Additionally, configure which resource-based service should be used for authorization.
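
For the remote Ranger case described above, a pre-restart check of the two safety valve values can catch an unreplaced placeholder or a malformed address. This is an added example, not Cloudera's code; it assumes the snippets are entered in Hadoop-style `<property>` XML, and the helper names and sample hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Property names are from the page; function names and sample hosts are assumptions.
POLICY_URL = "ranger.plugin.kafka.policy.rest.url"
AUDIT_ZK = "xasecure.audit.destination.solr.zookeepers"

def load_properties(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> XML into a dict."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def check_policy_url(value):
    if not value:
        return "missing or empty"
    if "***" in value:
        return "placeholder not replaced"
    try:
        parts = urlsplit(value)
        ok = parts.scheme in ("http", "https") and parts.hostname and parts.port
    except ValueError:  # raised for a non-numeric or out-of-range port
        ok = False
    return None if ok else "not a URL with scheme, host and port"

def check_zookeepers(value):
    if not value:
        return "missing or empty"
    if "***" in value:
        return "placeholder not replaced"
    hosts, slash, znode = value.partition("/")
    if not slash or not znode:
        return "no znode path after the host list (the page uses /solr-infra)"
    for entry in hosts.split(","):
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            return f"bad host:port entry {entry!r}"
    return None

def check_remote_ranger(security_xml, audit_xml):
    """Return {property: problem}; an empty dict means both values look usable."""
    results = {
        POLICY_URL: check_policy_url(load_properties(security_xml).get(POLICY_URL, "")),
        AUDIT_ZK: check_zookeepers(load_properties(audit_xml).get(AUDIT_ZK, "")),
    }
    return {name: problem for name, problem in results.items() if problem}

def snippet(name, value):
    """Build a constructed single-property snippet for trying the check."""
    return f"<property><name>{name}</name><value>{value}</value></property>"
```
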