User Impersonation
Describes how to disable, enable, and use impersonation with Kafka REST.
User impersonation enables Kafka REST jobs to be submitted as a particular user. Without impersonation, Kafka REST submits jobs as the user that started the Kafka REST server.
On an HPE Ezmeral Data Fabric cluster, the impersonated user is typically the mapr user or the user specified in the MAPR_USER environment variable. By default, impersonation is disabled for unsecured clusters and enabled for secure clusters.
Enabling User Impersonation
In the /opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.properties file, set:
authentication.enable=true
impersonation.enable=true
Disabling User Impersonation
In the /opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.properties file, disable PAM authentication and the impersonation.enable property.
- To disable PAM authentication, set authentication.enable=false.
- To disable user impersonation, set impersonation.enable=false.
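As an added example (not part of the HPE documentation), these shell functions report which of the two procedures above a given kafka-rest.properties file matches. The function names and state labels are hypothetical; only key=value lines are parsed, and Java properties semantics are assumed (last assignment wins, booleans are case-insensitive).

```shell
#!/bin/sh
# Added example: classify the impersonation settings in a kafka-rest.properties file.

# prop_value FILE KEY: print the effective value of KEY, lowercased.
# Comment lines are skipped, whitespace is trimmed, and the last assignment
# wins (assumed Java properties behaviour).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/\r$/, "", line)              # tolerate CRLF line endings
            sep = index(line, "=")
            if (sep == 0) next
            k = substr(line, 1, sep - 1)
            v = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { if (val != "") print val }
    ' "$1"
}

# impersonation_state FILE: print one of
#   enabled   both properties true  (the "Enabling" procedure)
#   disabled  both properties false (the "Disabling" procedure)
#   default   neither property set; the cluster default applies
#   mismatch  anything else; matches neither procedure, review the file
impersonation_state() {
    auth=$(prop_value "$1" authentication.enable)
    imp=$(prop_value "$1" impersonation.enable)
    case "${auth:-unset}/${imp:-unset}" in
        true/true)   echo enabled ;;
        false/false) echo disabled ;;
        unset/unset) echo default ;;
        *)           echo mismatch ;;
    esac
}

# Constructed sample: a stale "false" line is overridden by a later "TRUE".
sample_properties() {
    printf '%s\n' '# constructed sample' 'authentication.enable=true' \
        'impersonation.enable=false' 'impersonation.enable = TRUE'
}

# With a readable path argument, check that file.
if [ "$#" -ge 1 ] && [ -r "$1" ]; then impersonation_state "$1"; fi
```

A result of mismatch or default is the one to review by hand, since the effective behaviour then depends on whether the cluster is secure.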
Example: Verify that a list of topics is owned by an impersonated user
This example demonstrates how to get a list of topics from a particular stream and then verify that the list of topics is owned by a particular user. Depending on whether or not impersonation is enabled (the default), you may need to use a different curl command.
$ sudo maprcli stream info -json -path /stream
{
    "timestamp":1598950735841,
    "timeofday":"2020-09-01 08:58:55.841 GMT+0000 AM",
    "status":"OK",
    "total":1,
    "data":[
        {
            "path":"/stream",
            "physicalsize":57344,
            "logicalsize":32768,
            "numtopics":1,
            "defaultpartitions":1,
            "ttl":604800,
            "compression":"lz4",
            "autocreate":true,
            "produceperm":"u:root",
            "consumeperm":"u:root",
            "topicperm":"u:root",
            "copyperm":"u:root",
            "adminperm":"u:root",
            "kafkatopic":false,
            "ischangelog":false,
            "defaulttimestamptype":"CreateTime",
            "compact":false,
            "mincompactionlag":0,
            "deleteretention":86400000,
            "throttlefactor":0,
            "pidexpirysecs":604800
        }
    ]
}
If impersonation is enabled (the default), use the following query, where the query is submitted as the root user.
curl -u root -X GET https://`hostname`:8082/topics/%2Fstream%3Atopic1 --cacert /opt/mapr/conf/ssl_truststore.pem
Enter host password for user 'root':
{"name":"/stream:topic1","configs":null,"partitions":
[{"partition":0,"leader":0,"replicas":[{"broker":0,"leader":true,"in_sync":true},
{"broker":0,"leader":false,"in_sync":true}]}]}
If impersonation is disabled, use the following query, where the query is submitted as the mapr user.
curl -X GET https://`hostname`:8082/topics/%2Fstream%3Atopic1 --cacert /opt/mapr/conf/ssl_truststore.pem
{"error_code":40401,"message":"Topic not found."}