ERROR: "org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test" when creating or deleting Kafka topics that are authorized through Ranger policies
PROBLEM DESCRIPTION
When creating or deleting topics in Kafka, the operations cannot be authorized through the Ranger policies. The following errors are displayed while creating a topic:
[ADM_xxxx@xxxx-oc-had102 ~]$ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper xxxx-oc-had101.example.local:2181, xxxx-oc-had201.example.local:2181,xxxx-oc-had102.example.local:2181 --create --topic test --partition 2 --replication-factor 1
Error while executing topic command : org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
[2016-09-13 16:15:47,561] ERROR org.I0Itec.zkclient.exception.ZkException: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
.
.
Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
ROOT CAUSE
Kafka with Ranger is only recommended in secure clusters. The above errors are displayed when an ordinary user creates or deletes a topic, because only the process owner of the Kafka service, such as root, can write to the ZooKeeper znodes (/config/topics). Ranger policies are not enforced when a non-privileged user creates a topic, because the kafka-topics.sh script talks directly to ZooKeeper: it adds entries to the ZooKeeper znodes, and the watchers on the broker side monitor those znodes and create the topics accordingly. Because the script talks to ZooKeeper directly, the authorization cannot be done through the Ranger plugin.
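As an added example (not part of the original article), the following Python code parses the output of the ZooKeeper CLI `getAcl` command for the parent znode and reports whether a given client could create a child such as /config/topics/test, which is the check that fails with NoAuth above. The sample ACL text, the principal names and the exact-match handling of SASL identities are constructed assumptions about a Kerberized cluster.

```python
import re

# Constructed sample of `getAcl /config/topics` output from zkCli.sh.
# Assumed ACLs: the Kafka service identity has full access, everyone else read-only.
SAMPLE_GETACL = """\
'sasl,'kafka
: cdrwa
'world,'anyone
: r
"""

PERMS = {"c": "CREATE", "d": "DELETE", "r": "READ", "w": "WRITE", "a": "ADMIN"}


def parse_getacl(text):
    """Return [(scheme, id, {permission names})] from zkCli getAcl output."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    acls, i = [], 0
    while i < len(lines):
        m = re.fullmatch(r"'([^,]+),'(.*)", lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].startswith(":"):
            perms = {PERMS[c] for c in lines[i + 1][1:].strip() if c in PERMS}
            acls.append((m.group(1), m.group(2), perms))
            i += 2
        else:
            i += 1  # skip lines that are not part of an ACL entry
    return acls


def allowed(acls, perm, sasl_user=None):
    """True if a client (optionally SASL-authenticated as sasl_user) holds perm."""
    for scheme, ident, perms in acls:
        if perm not in perms:
            continue
        if scheme == "world" and ident == "anyone":
            return True
        # Assumption: the SASL id is compared as an exact string.
        if scheme == "sasl" and sasl_user is not None and ident == sasl_user:
            return True
    return False


def explain_topic_create(acl_text, sasl_user=None):
    """Creating /config/topics/<topic> requires CREATE on the parent znode."""
    return "OK" if allowed(parse_getacl(acl_text), "CREATE", sasl_user) else "NoAuth"


if __name__ == "__main__":
    for user in ("kafka", "ADM_user", None):  # hypothetical identities
        print(user, "->", explain_topic_create(SAMPLE_GETACL, user))
```

With these sample ACLs only the Kafka service identity can add children under /config/topics; any other client can read the znode but gets NoAuth on create, regardless of Ranger policy.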
RESOLUTION
To let users create topics, run the kafka-acls.sh script, which allows or denies users on topics and provides other options.
Note
This is applicable in a secure environment only. For more details, see the Authorizing Access when Kerberos is Enabled documentation.
About:
This article was created by Hortonworks Support (Article: 000005366) on 2017-06-27 05:17
OS: Linux
Type: Configuration, Cluster_Administration
Version: HDP