AFAIK, Kafka requires Kerberos to authenticate producers and consumers. If 
Kafka is not kerberized, ANONYMOUS will be the username seen by the Kafka 
server – see the following from 
https://docs.confluent.io/current/kafka/authorization.html:

 

In the event that SSL is enabled but client authentication is not configured, 
clients will connect anonymously via the SSL port and will appear to the server 
with the user name ANONYMOUS. Such a configuration provides encryption and 
server authentication, but clients will connect anonymously. The other case in 
which the server will see the ANONYMOUS user is if the PLAINTEXT security 
protocol is being used. By giving read/write permission to the ANONYMOUS user, 
you are allowing anyone to access the brokers without authentication. As such, 
you typically do not want to give access to ANONYMOUS users unless the 
intention is to give everyone the permission.

 

Hope this helps.

 

Madhan

 

From: Bernardo Andrade Bessa de Lima <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Monday, October 22, 2018 at 12:48 PM
To: "[email protected]" <[email protected]>
Subject: Atlas and Kafka: Authorization Failed

 

Greetings!

I am trying to make Atlas work on our experimental Cloudera Cluster and need 
some help.

Our cluster does not have HBase nor Solr, so I’ve built Atlas with those 
embedded services.

We have a functional Kafka instance, so I’m trying to leverage the existing 
service instead of going with embedded Kafka.

Since this is the experimental cluster, the authentication is based on the 
Linux local users and groups.

When Atlas starts running, I get this in the logs:

 

WARN  - [NotificationHookConsumer thread-0:] Error while fetching metadata with 
correlation id 114 : {ATLAS_HOOK=TOPIC_AUTHORIZATION_FAILED} 

WARN  - [NotificationHookConsumer thread-0:] Exception in 
NotificationHookConsumer 
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to 
access group: atlas

 

Kafka log in the cluster gives me this:

 

unable to return groups for user ANONYMOUS

PartialGroupNameException The user name 'ANONYMOUS' is not found. id: 
ANONYMOUS: no such user

id: ANONYMOUS: no such user

 

Why is Atlas trying to authenticate as ANONYMOUS? I thought it would pass the 
process owner of the service.

 

I understand that I must configure JAAS to authenticate with Kafka. I tried 
this in atlas-application.properties:

 

atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.UnixSystem

atlas.jaas.KafkaClient.option.username = atlas

 

Is this supported? Is Kerberos the only way to authenticate using JAAS?

 

My regards,

 

Bernardo
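
The two cases named in the documentation passage quoted in the reply (PLAINTEXT, or SSL without client authentication) can be checked directly against a broker's server.properties. This is an added example, not part of the original thread and not Kafka or Atlas code; the sample configuration is constructed and the function names are hypothetical.

```python
# Added example: flag Kafka listeners whose clients the broker sees as ANONYMOUS.
# Constructed sample config; the keys are standard Kafka broker settings.
SAMPLE_SERVER_PROPERTIES = """\
# constructed sample, not taken from the thread
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093,SASL_SSL://0.0.0.0:9094
ssl.client.auth=none
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def anonymous_listeners(props):
    """Return {listener name: reason} for listeners that accept anonymous clients."""
    # listener.security.protocol.map maps custom listener names to protocols;
    # a name missing from the map is treated as the protocol name itself.
    proto_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            proto_map[name.strip().upper()] = proto.strip().upper()
    # Only the broker-wide ssl.client.auth is read (Kafka's default is "none").
    client_auth = props.get("ssl.client.auth", "none").lower()
    findings = {}
    for entry in props.get("listeners", "").split(","):
        name = entry.split("://", 1)[0].strip().upper()
        if not name:
            continue
        proto = proto_map.get(name, name)
        if proto == "PLAINTEXT":
            findings[name] = "PLAINTEXT: no client authentication"
        elif proto == "SSL" and client_auth != "required":
            findings[name] = "SSL with ssl.client.auth=" + client_auth
    return findings


if __name__ == "__main__":
    for name, why in anonymous_listeners(parse_properties(SAMPLE_SERVER_PROPERTIES)).items():
        print(f"{name}: clients may appear as User:ANONYMOUS ({why})")
```

Any listener it reports is one where an ACL granted to User:ANONYMOUS applies to every client that can reach the port.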

 

 
