It did help indeed. Thank you!
I forgot to mention that we also have Apache Sentry installed.
I’ve turned it off for Atlas and included ANONYMOUS in the Kafka superuser list
since it is a test environment.
My regards,
Bernardo
De: Madhan Neethiraj [mailto:[email protected]]
Enviada em: segunda-feira, 22 de outubro de 2018 17:04
Para: [email protected]
Assunto: Re: Atlas and Kafka: Authorization Failed
AFAIK, Kafka requires Kerberos to authenticate producers and consumers. If
Kafka is not kerberized, ANONYMOUS will be the username seen by Kafka server –
see the following from
https://docs.confluent.io/current/kafka/authorization.html:
In the event that SSL is enabled but client authentication is not configured,
clients will connect anonymously via the SSL port and will appear to the server
with the user name ANONYMOUS. Such a configuration provides encryption and
server authentication, but clients will connect anonymously. The other case in
which the server will see the ANONYMOUS user is if the PLAINTEXT security
protocol is being used. By giving read/write permission to the ANONYMOUS user,
you are allowing anyone to access the brokers without authentication. As such,
you typically do not want to give access to ANONYMOUS users unless the
intention is to give everyone the permission.
Hope this helps.
Madhan
From: Bernardo Andrade Bessa de Lima
<[email protected]<mailto:[email protected]>>
Reply-To: "[email protected]<mailto:[email protected]>"
<[email protected]<mailto:[email protected]>>
Date: Monday, October 22, 2018 at 12:48 PM
To: "[email protected]<mailto:[email protected]>"
<[email protected]<mailto:[email protected]>>
Subject: Atlas and Kafka: Authorization Failed
Greetings!
I am trying to make Atlas work on our experimental Cloudera
Cluster and need some help.
Our cluster does not have Hbase nor Solr, so I’ve built Atlas
with those embedded services.
We have a functional Kafka instance, so I’m trying to leverage the existing
service instead of going with embedded Kafka.
Since this is the experimental cluster, the authentication is
based on the Linux local users and groups.
When Atlas starts running, I get this in the logs:
WARN - [NotificationHookConsumer thread-0:] Error while fetching metadata with
correlation id 114 : {ATLAS_HOOK=TOPIC_AUTHORIZATION_FAILED}
WARN - [NotificationHookConsumer thread-0:] Exception in
NotificationHookConsumer
org.apache.kafka.common.errors.GroupAuthorizationException: Not authorized to
access group: atlas
Kafka log in the cluster gives me this:
unable to return groups for user ANONYMOUS
PartialGroupNameException The user name 'ANONYMOUS' is not found. id:
ANONYMOUS: no such user
id: ANONYMOUS: no such user
Why Atlas is trying to authenticate as ANONYMOUS? I thought it would pass the
process owner of the service.
I understand that I must configure JAAS to authenticate with Kafka. I tried
this in atlas-application.properties:
atlas.jaas.KafkaClient.loginModuleName = com.sun.security.auth.module.UnixSystem
atlas.jaas.KafkaClient.option.username = atlas
Is this supported? Is it Kerberos the only way to authenticate using JAAS?
My regards,
Bernardo
