zoukankan      html  css  js  c++  java
  • ERROR:"org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test" when creating or deleting Kafka operations authorized through the Ranger policies

    PROBLEM DESCRIPTION

    When creating or deleting topics in Kafka, they cannot be authorized through the Ranger policies. The following errors are displayed while creating the topics: 

    [ADM_xxxx@xxxx-oc-had102 ~]$ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper xxxx-oc-had101.example.local:2181,
    xxxx-oc-had201.example.local:2181,xxxx-oc-had102.example.local:2181  --create --topic test --partition 2 --replication-factor 1
    Error while executing topic command : org.apache.zookeeper.KeeperException$NoAuthException: 
    KeeperErrorCode = NoAuth for /config/topics/test
    [2016-09-13 16:15:47,561] ERROR org.I0Itec.zkclient.exception.ZkException:
    org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
    .
    .
    Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test

    ROOT CAUSE

    Kafka with Ranger is only recommended in secure clusters. The above errors are displayed while creating or deleting topic from an ordinary user. This is because only the process owner of Kafka service such as root, can write to Zookeeper znodes (/configs/topics). Ranger policies do not get enforced when a non privileged user creates a topic. This is because kafka-topics.sh script talks directly to Zookeeper to create the topic. It will add entries into the Zookeeper nodes and the watchers on the broker side will monitor and create topics accordingly. Due to the script talking to Zookeeper directly, the authorization cannot be done through the ranger plugin.

    RESOLUTION

    For the users to create topics, run a script called kafka-acls.sh which will allow or deny users on topics and provide other options.

    Note

    This is applicable only in secure environment only. The more details on this see the Authorizing Access when Kerberos is Enabled documentation.



    About:
    This article created by Hortonworks Support (Article: 000005366) on 2017-06-27 05:17
    OS: Linux
    Type: Configuration, Cluster_Administration
    Version: HDP
    Support ID: 000005366
  • 相关阅读:
    测试用例设计之正交实验法
    Jmeter 添加性能监控器
    jmeter常用的性能测试监听器
    常用的性能测试策略
    nmon定位性能问题之数据库问题定位
    性能测试基础知识
    Electorn(桌面应用)自动化测试之Java+selenium实战例子
    Mybatis查询为空,但是数据库中有结果集!
    Spring中使用Mybatis逆向工程(IDEA版)
    Spring配置Quartz的三种方式
  • 原文地址:https://www.cnblogs.com/felixzh/p/10489099.html
Copyright © 2011-2022 走看看