zoukankan      html  css  js  c++  java
  • ERROR:"org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test" when creating or deleting Kafka operations authorized through the Ranger policies

    PROBLEM DESCRIPTION

    When creating or deleting topics in Kafka, they cannot be authorized through the Ranger policies. The following errors are displayed while creating the topics: 

    [ADM_xxxx@xxxx-oc-had102 ~]$ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper xxxx-oc-had101.example.local:2181,
    xxxx-oc-had201.example.local:2181,xxxx-oc-had102.example.local:2181  --create --topic test --partition 2 --replication-factor 1
    Error while executing topic command : org.apache.zookeeper.KeeperException$NoAuthException: 
    KeeperErrorCode = NoAuth for /config/topics/test
    [2016-09-13 16:15:47,561] ERROR org.I0Itec.zkclient.exception.ZkException:
    org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
    .
    .
    Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test

    ROOT CAUSE

    Kafka with Ranger is only recommended in secure clusters. The above errors are displayed while creating or deleting topic from an ordinary user. This is because only the process owner of Kafka service such as root, can write to Zookeeper znodes (/configs/topics). Ranger policies do not get enforced when a non privileged user creates a topic. This is because kafka-topics.sh script talks directly to Zookeeper to create the topic. It will add entries into the Zookeeper nodes and the watchers on the broker side will monitor and create topics accordingly. Due to the script talking to Zookeeper directly, the authorization cannot be done through the ranger plugin.

    RESOLUTION

    For the users to create topics, run a script called kafka-acls.sh which will allow or deny users on topics and provide other options.

    Note

    This is applicable only in secure environment only. The more details on this see the Authorizing Access when Kerberos is Enabled documentation.



    About:
    This article created by Hortonworks Support (Article: 000005366) on 2017-06-27 05:17
    OS: Linux
    Type: Configuration, Cluster_Administration
    Version: HDP
    Support ID: 000005366
  • 相关阅读:
    工具-pycharm-Git管理代码到GitHub
    工具-jenkins配置项目
    工具-jenkins重启服务
    工具-jenkins安装
    pycharm-管理GitHub
    博客园样式DIY
    接口测试-获取邮件授权码口令
    iOS 反射 学习 和 运用
    iOS 优化界面流畅度的探讨
    iOS 事件响应者链的学习(也有叫 UI连锁链)
  • 原文地址:https://www.cnblogs.com/felixzh/p/10489099.html
Copyright © 2011-2022 走看看