Enable Kafka in Ranger to configure permissions - E-MapReduce

Enable Apache Ranger authorization for Kafka on your E-MapReduce (EMR) Dataflow cluster to control topic-level access by user or role. Once enabled, Ranger manages Kafka authorization through policies you configure in the Ranger web UI.

Limitations

Applies to EMR clusters running a minor version later than EMR V3.45.0.

Note

Kafka on EMR V5.X.X clusters does not support Ranger authentication. This procedure does not apply to those clusters.

Prerequisites

Before you begin, ensure that you have:

A Dataflow cluster with the Kafka, Ranger, and Ranger-plugin services installed. See Create a Dataflow Kafka cluster.
The Simple Authentication and Security Layer (SASL) feature enabled on the cluster. See Log on to a Kafka cluster by using SASL.

Important

When SASL is used for identity authentication, configure logon permissions for the kafka user. EMR Ranger automatically grants all permissions on the default service to the kafka user. Make sure that the kafka user has all required permissions.

To create a custom administrator account, add a configuration item with key super.users on the server.properties tab for the Kafka service. See Manage configuration items.

Enable Kafka authorization in Ranger

Step 1: Go to the Services tab

Log on to the EMR console. In the left-side navigation pane, click EMR on ECS.
On the EMR on ECS page, find the cluster and click Services in the Actions column.

Step 2: Turn on Kafka authorization

On the Services tab, click Status in the Ranger-plugin section.
In the Service Overview section, turn on enableKafka.
In the confirmation message, click OK.

Step 3: Restart Kafka

On the Services tab, click the icon and select Kafka.
In the upper-right corner, choose More > RESTART.
In the dialog box, set the Execution Reason parameter and click OK.
In the Confirm message, click OK.

Step 4: Verify the Kafka service in Ranger

Access the Ranger web UI. See Access the web UIs of open source components.
Click emr-kafka.
When Kafka authorization is enabled, Ranger automatically creates a Kafka service named emr-kafka.
Configure policies based on your requirements. The following figure shows the default policy configuration.
Important
The kafka user is the default administrator for Dataflow Kafka. Make sure that the kafka user has all required permissions to ensure that Dataflow Kafka can run as expected.

References

If the cluster is missing required services, add them before proceeding. See Add services.
If the cluster runs EMR V3.45.0 or an earlier minor version, manually integrate Kafka with Ranger instead. See Manually integrate the Ranger Kafka plug-in.