zoukankan      html  css  js  c++  java
  • ERROR:"org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test" when creating or deleting Kafka operations authorized through the Ranger policies

    PROBLEM DESCRIPTION

    When creating or deleting topics in Kafka, they cannot be authorized through the Ranger policies. The following errors are displayed while creating the topics: 

    [ADM_xxxx@xxxx-oc-had102 ~]$ /usr/hdp/current/kafka-broker/bin/kafka-topics.sh --zookeeper xxxx-oc-had101.example.local:2181,
    xxxx-oc-had201.example.local:2181,xxxx-oc-had102.example.local:2181  --create --topic test --partition 2 --replication-factor 1
    Error while executing topic command : org.apache.zookeeper.KeeperException$NoAuthException: 
    KeeperErrorCode = NoAuth for /config/topics/test
    [2016-09-13 16:15:47,561] ERROR org.I0Itec.zkclient.exception.ZkException:
    org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test
    .
    .
    Caused by: org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /config/topics/test

    ROOT CAUSE

    Kafka with Ranger is only recommended in secure clusters. The above errors are displayed while creating or deleting topic from an ordinary user. This is because only the process owner of Kafka service such as root, can write to Zookeeper znodes (/configs/topics). Ranger policies do not get enforced when a non privileged user creates a topic. This is because kafka-topics.sh script talks directly to Zookeeper to create the topic. It will add entries into the Zookeeper nodes and the watchers on the broker side will monitor and create topics accordingly. Due to the script talking to Zookeeper directly, the authorization cannot be done through the ranger plugin.

    RESOLUTION

    For the users to create topics, run a script called kafka-acls.sh which will allow or deny users on topics and provide other options.

    Note

    This is applicable only in secure environment only. The more details on this see the Authorizing Access when Kerberos is Enabled documentation.



    About:
    This article created by Hortonworks Support (Article: 000005366) on 2017-06-27 05:17
    OS: Linux
    Type: Configuration, Cluster_Administration
    Version: HDP
    Support ID: 000005366
  • 相关阅读:
    ES6学习--函数剩余参数 (rest参数)
    ES6学习 --函数参数默认值与解构赋值默认值
    ES6学习--Array.from()方法
    02ython基础知识(一)
    01 Python初探
    c#利用IronPython调用python的过程种种问题
    Android 对话框(Dialogs)
    不可不知的安卓屏幕知识
    C#中的Split用法以及详解
    关于XML文档操作类
  • 原文地址:https://www.cnblogs.com/felixzh/p/10489099.html
Copyright © 2011-2022 走看看