RANGER-5373: update Kafka container for Kerberos authentication - apache#6

mneethiraj · mneethiraj · commit 1eaf645c89a6 · 2025-10-20T21:55:41.000-07:00
diff --git a/dev-support/ranger-docker/Dockerfile.ranger-kafka b/dev-support/ranger-docker/Dockerfile.ranger-kafka
@@ -29,6 +29,8 @@ COPY ./downloads/kafka_2.12-${KAFKA_VERSION}.tgz               /home/ranger/dist
 COPY ./scripts/ranger-kafka-setup.sh                     /home/ranger/scripts/
 COPY ./scripts/ranger-kafka.sh                           /home/ranger/scripts/
 COPY ./scripts/ranger-kafka-plugin-install.properties    /home/ranger/scripts/
+COPY ./scripts/kafka-server-jaas.conf                    /home/ranger/scripts/
+COPY ./scripts/core-site.xml                             /home/ranger/scripts/
 
 RUN tar xvfz /home/ranger/dist/kafka_2.12-${KAFKA_VERSION}.tgz --directory=/opt/ && \
     ln -s /opt/kafka_2.12-${KAFKA_VERSION} /opt/kafka && \
diff --git a/dev-support/ranger-docker/scripts/create-ranger-services.py b/dev-support/ranger-docker/scripts/create-ranger-services.py
@@ -38,6 +38,16 @@ def service_not_exists(service):
                                    'zookeeper.connect': 'ranger-zk.rangernw:2181',
                                    'policy.download.auth.users': 'kafka',
                                    'tag.download.auth.users': 'kafka',
+                                   'setup.additional.default.policies': 'true',
+                                   'default-policy.1.name': 'topic: ATLAS_ENTITIES',
+                                   'default-policy.1.resource.topic': 'ATLAS_ENTITIES',
+                                   'default-policy.1.policyItem.1.users': 'rangertagsync',
+                                   'default-policy.1.policyItem.1.accessTypes': 'create,consume',
+                                   'default-policy.2.name': 'consumergroup: ranger_entities_consumer',
+                                   'default-policy.2.resource.consumergroup': 'ranger_entities_consumer',
+                                   'default-policy.2.policyItem.1.users': 'rangertagsync',
+                                   'default-policy.2.policyItem.1.accessTypes': 'consume,describe',
+                                   'ranger.plugin.audit.filters': "[{'accessResult': 'DENIED', 'isAudited': true},{'resources':{'topic':{'values':['ATLAS_ENTITIES']}},'users':['rangertagsync'],'actions':['create','consume','describe'],'isAudited':false},{'resources':{'consumergroup':{'values':['ranger_entities_consumer']}},'users':['rangertagsync'],'actions':['consume'],'isAudited':false}]",
                                    'userstore.download.auth.users': 'kafka',
                                    'ranger.plugin.kafka.policy.refresh.synchronous':'true'}})
 
diff --git a/dev-support/ranger-docker/scripts/kafka-server-jaas.conf b/dev-support/ranger-docker/scripts/kafka-server-jaas.conf
@@ -0,0 +1,6 @@
+KafkaServer {
+  com.sun.security.auth.module.Krb5LoginModule required
+  useKeyTab=true
+  keyTab="/opt/kafka/keytabs/kafka.keytab"
+  principal="kafka/ranger-kafka.rangernw@EXAMPLE.COM";
+};
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka-plugin-install.properties b/dev-support/ranger-docker/scripts/ranger-kafka-plugin-install.properties
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-POLICY_MGR_URL=http://ranger:6080
+POLICY_MGR_URL=http://ranger.rangernw:6080
 REPOSITORY_NAME=dev_kafka
 COMPONENT_INSTALL_DIR_NAME=/opt/kafka
 
@@ -26,7 +26,7 @@ UPDATE_XAPOLICIES_ON_GRANT_REVOKE=true
 XAAUDIT.SOLR.IS_ENABLED=true
 XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
 XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
-XAAUDIT.SOLR.SOLR_URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.SOLR_URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
 
 # Following properties are needed to get past installation script! Please don't remove
 XAAUDIT.HDFS.IS_ENABLED=false
@@ -43,7 +43,7 @@ XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
 XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
 
 XAAUDIT.SOLR.ENABLE=true
-XAAUDIT.SOLR.URL=http://ranger-solr:8983/solr/ranger_audits
+XAAUDIT.SOLR.URL=http://ranger-solr.rangernw:8983/solr/ranger_audits
 XAAUDIT.SOLR.USER=NONE
 XAAUDIT.SOLR.PASSWORD=NONE
 XAAUDIT.SOLR.ZOOKEEPER=NONE
@@ -58,7 +58,7 @@ XAAUDIT.ELASTICSEARCH.PORT=NONE
 XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
 
 XAAUDIT.HDFS.ENABLE=true
-XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop:9000/ranger/audit
+XAAUDIT.HDFS.HDFS_DIR=hdfs://ranger-hadoop.rangernw:9000/ranger/audit
 XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kafka/audit/hdfs/spool
 
 XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh b/dev-support/ranger-docker/scripts/ranger-kafka-setup.sh
@@ -16,18 +16,48 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+KEYTABS_DIR=/opt/kafka/keytabs
+
+if [ "${KERBEROS_ENABLED}" == "true" ]
+then
+  /etc/keytabs/create_keytab.sh kafka ${KEYTABS_DIR} kafka:hadoop
+fi
+
 cat <<EOF > /etc/ssh/ssh_config
 Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
 EOF
 
+cp ${RANGER_SCRIPTS}/core-site.xml          ${KAFKA_HOME}/config/
+cp ${RANGER_SCRIPTS}/kafka-server-jaas.conf ${KAFKA_HOME}/config/
+
 chown -R kafka:hadoop /opt/kafka/
 
 cd ${RANGER_HOME}/ranger-kafka-plugin
 ./enable-kafka-plugin.sh
 
 sed -i 's/localhost:2181/ranger-zk.rangernw:2181/' ${KAFKA_HOME}/config/server.properties
 
-echo >> ${KAFKA_HOME}/config/server.properties
-echo "authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer" >> ${KAFKA_HOME}/config/server.properties
+cat <<EOF >> ${KAFKA_HOME}/config/server.properties
+# Enable SASL/GSSAPI mechanism
+sasl.enabled.mechanisms=GSSAPI
+sasl.mechanism.inter.broker.protocol=GSSAPI
+security.inter.broker.protocol=SASL_PLAINTEXT
+
+# Listener configuration
+listeners=SASL_PLAINTEXT://:9092
+advertised.listeners=SASL_PLAINTEXT://ranger-kafka.rangernw:9092
+
+# JAAS configuration for Kerberos
+listener.name.sasl_plaintext.gssapi.sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required \
+useKeyTab=true \
+storeKey=true \
+keyTab="/opt/kafka/keytabs/kafka.keytab" \
+principal="kafka/ranger-kafka.rangernw@EXAMPLE.COM";
+
+# Kerberos service name
+sasl.kerberos.service.name=kafka
+
+authorizer.class.name=org.apache.ranger.authorization.kafka.authorizer.RangerKafkaAuthorizer
+EOF
diff --git a/dev-support/ranger-docker/scripts/ranger-kafka.sh b/dev-support/ranger-docker/scripts/ranger-kafka.sh
@@ -16,8 +16,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-KEYTABS_DIR=/opt/kafka/keytabs
-
 if [ "${OS_NAME}" = "UBUNTU" ]; then
   service ssh start
 fi
@@ -36,11 +34,6 @@ then
   # pdsh is unavailable with microdnf in rhel based image.
   echo "ssh" > /etc/pdsh/rcmd_default
 
-  if [ "${KERBEROS_ENABLED}" == "true" ]
-  then
-    /etc/keytabs/create_keytab.sh kafka ${KEYTABS_DIR} kafka:hadoop
-  fi
-
   if "${RANGER_SCRIPTS}"/ranger-kafka-setup.sh;
   then
     touch "${KAFKA_HOME}"/.setupDone
@@ -49,4 +42,4 @@ then
   fi
 fi
 
-su -c "cd ${KAFKA_HOME} && CLASSPATH=${KAFKA_HOME}/config ./bin/kafka-server-start.sh config/server.properties" kafka
+su -c "cd ${KAFKA_HOME} && CLASSPATH=${KAFKA_HOME}/config KAFKA_OPTS='-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/opt/kafka/config/kafka-server-jaas.conf' ./bin/kafka-server-start.sh config/server.properties" kafka
diff --git a/dev-support/ranger-docker/scripts/ranger-tagsync-install.properties b/dev-support/ranger-docker/scripts/ranger-tagsync-install.properties
@@ -25,18 +25,16 @@ TAG_DEST_RANGER_ENDPOINT = http://ranger:6080
 # SSL config file name for HTTPS messages to tag destination - Ranger
 TAG_DEST_RANGER_SSL_CONFIG_FILENAME =
 
-TAG_SOURCE_ATLAS_ENABLED = false
+TAG_SOURCE_ATLAS_ENABLED = true
 
 # Endpoint specifications needed by Atlas
-TAG_SOURCE_ATLAS_KAFKA_BOOTSTRAP_SERVERS = ranger-kafka.rangernw:6667
+TAG_SOURCE_ATLAS_KAFKA_BOOTSTRAP_SERVERS = ranger-kafka.rangernw:9092
 TAG_SOURCE_ATLAS_KAFKA_ZOOKEEPER_CONNECT = ranger-zk.rangernw:2181
 TAG_SOURCE_ATLAS_KAFKA_ENTITIES_GROUP_ID = ranger_entities_consumer
-
 TAG_SOURCE_ATLAS_KAFKA_SERVICE_NAME = kafka
-TAG_SOURCE_ATLAS_KAFKA_SECURITY_PROTOCOL = PLAINTEXTSASL
-
-TAG_SOURCE_ATLAS_KERBEROS_PRINCIPAL =
-TAG_SOURCE_ATLAS_KERBEROS_KEYTAB =
+TAG_SOURCE_ATLAS_KAFKA_SECURITY_PROTOCOL = SASL_PLAINTEXT
+TAG_SOURCE_ATLAS_KERBEROS_PRINCIPAL = rangertagsync/ranger-tagsync.rangernw@EXAMPLE.COM
+TAG_SOURCE_ATLAS_KERBEROS_KEYTAB = /opt/ranger/tagsync/keytabs/rangertagsync.keytab
 
 TAG_SOURCE_ATLASREST_ENABLED = false
 
diff --git a/distro/src/main/assembly/tagsync.xml b/distro/src/main/assembly/tagsync.xml
@@ -98,6 +98,7 @@
 							<include>org.apache.curator:curator-client:jar:${curator.version}</include>
 							<include>org.apache.zookeeper:zookeeper:jar:${zookeeper.version}</include>
 							<include>org.apache.zookeeper:zookeeper-jute:jar:${zookeeper.version}</include>
+							<include>com.google.guava:guava</include>
                                                         <include>org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:${hadoop-shaded-guava.version}</include>
 						</includes>
 					</dependencySet>
