Ranger Kafka Plugin

Describes how the Ranger Kafka plugin enforces authorization.

Ranger Kafka plugin is enabled in master.

Ranger Kafka Plugin Enforcement Example

Prerequisite
  1. Create external user 'externaluser3'

Access Enforcement steps

  1. Let's try to create a topic and send some data using ‘externaluser3’, he will be denied as he doesn't have permission to create it.

  2. Lets create a policy in ranger-kafka for the user

    • Resource : [Topic=topictest01]
    • allow policy item : [user='externaluser3', permission=publish, consume, describe, create]
  3. Let's try to create a topic and send some data using ‘externaluser3’, he will be allowed as he gets permission to access it.

  4. You can check the logs related to these actions, using Ranger Admin Web UI > Access > Audit tab.
Table 1. Kafka Commands to Ranger Permission Mapping
Permission Action
Resource = topic
Publish, Describe, Create To produce topic and publish
Describe, Create To describe topic
Describe sending message to topic
Publish To publish topic
Consume To read data (consume)
Describe To list topic
Configure To alter config of topic
Delete To delete topic
Describe Config To describe config of topic
Alter Config To alter config
Resource = consumergroup
Describe To describe topic
Consume To consume topic
Resource = cluster
Create To create topic
Describe To describe topic
Idempotent Write To write idempotently
Resource = transactionid
Describe, Publish To publish and describe