Starting from version EMR-3.12.0, E-MapReduce Kafka allows you to configure permissions with Ranger.
The previous section introduced how to create a cluster with Ranger service in E-MapReduce and some preparation work. This section describes the step-by-step process for integrating Ranger into Kafka.
- On the Cluster Management page, find the cluster you want to operate on and click Manage in the Operation column.
- Click RANGER in the service list to enter the Ranger Management page.
- Click Operation at the upper right corner of the page and select Enable Kafka PLUGIN.
Enter record information in the prompt box, and then click OK.
You can check the progress by clicking View Operation History at the upper right corner of the page.
After the preceding task is completed, you must restart the broker for the change to take effect. To restart the Kafka broker, take the following steps:
- On the Ranger management page, click the inverted triangle icon after RANGER in the upper left corner to switch to
- Click Operation at the upper right corner of the page and select RESTART Broker.
- You can check the progress by clicking View Operation History at the upper right corner of the page.
For information about how to go to Ranger WebUI, see Ranger Introduction.
Add the Kafka service on Ranger WebUI:
Configure the Kafka service. In ZooKeeper Connect String, the “kafka-1.0.1” section depends on your actual Kafka version.
The preceding steps integrate Ranger into Kafka, so you can now set the relevant permissions.
In a standard cluster, Ranger generates the all - topic rule by default after the Kafka service is added. This rule places no restriction on permissions (that is, it allows all users to perform all actions). In this case, Ranger cannot identify permissions through the user.
Use user test as an example to add the Publish permission:
Users and groups are automatically synchronized from the cluster, which takes about a minute. You can add them to the cluster in advance.
After you add a policy by following the preceding steps, the permissions are granted to user test. The user can perform the write operation on the topic of
The policy takes effect 1 minute after it is added.
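The interaction between the default all - topic rule and a per-user policy such as the one for user test can be checked offline. The following Python is an added example, not code from E-MapReduce or Ranger: it runs a simplified allow-only evaluation over constructed policy objects shaped like Ranger policy JSON. It assumes the default rule grants access through Ranger's built-in public group; the policy name test-publish, the topic demo-topic and the user alice are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed policies shaped like Ranger policy JSON. Assumptions: the default
# rule grants to the built-in "public" group; "test-publish" and "demo-topic"
# are hypothetical names.
ALL_TOPIC = {
    "name": "all - topic", "isEnabled": True,
    "resources": {"topic": {"values": ["*"]}},
    "policyItems": [{"users": [], "groups": ["public"],
                     "accesses": [{"type": t, "isAllowed": True}
                                  for t in ("publish", "consume", "describe")]}],
}
TEST_PUBLISH = {
    "name": "test-publish", "isEnabled": True,
    "resources": {"topic": {"values": ["demo-topic"]}},
    "policyItems": [{"users": ["test"], "groups": [],
                     "accesses": [{"type": "publish", "isAllowed": True}]}],
}


def grants(policy, user, groups, topic, access):
    """True if an enabled policy has an allow item matching user, topic, access."""
    if not policy.get("isEnabled", True):
        return False
    patterns = policy.get("resources", {}).get("topic", {}).get("values", [])
    if not any(fnmatchcase(topic, p) for p in patterns):
        return False
    member_of = {"public"} | set(groups)  # every user belongs to "public"
    for item in policy.get("policyItems", []):
        who = user in item.get("users", []) or member_of & set(item.get("groups", []))
        what = any(a["type"] == access and a.get("isAllowed", True)
                   for a in item.get("accesses", []))
        if who and what:
            return True
    return False


def is_allowed(policies, user, groups, topic, access):
    """Simplified allow-only evaluation: one matching policy is enough."""
    return any(grants(p, user, groups, topic, access) for p in policies)


def open_to_everyone(policies):
    """Names of enabled policies whose allow items include the public group."""
    return [p["name"] for p in policies if p.get("isEnabled", True)
            and any("public" in i.get("groups", []) and i.get("accesses")
                    for i in p.get("policyItems", []))]
```

With both policies enabled, `is_allowed` returns True for any user on any topic; only when the open rule is disabled or narrowed does the test policy become the deciding grant.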