User Impersonation

Describes how to disable, enable, and use impersonation with Kafka REST.

User impersonation enables Kafka REST jobs to be submitted as a particular user. Without impersonation, Kafka REST submits jobs as the user that started the Kafka REST server.

On an HPE Ezmeral Data Fabric cluster, the impersonated user is typically the mapr user or the user specified in the MAPR_USER environment variable. By default, impersonation is disabled for unsecured clusters and enabled for secure clusters.

Enabling User Impersonation

To enable user impersonation, set the following properties in /opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.properties:
  • authentication.enable=true
  • impersonation.enable=true

Disabling User Impersonation

In the /opt/mapr/kafka-rest/kafka-rest-<version>/config/kafka-rest.properties file, disable both PAM authentication and user impersonation:
  1. To disable PAM authentication, set authentication.enable=false.
  2. To disable user impersonation, set impersonation.enable=false.
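
The following script is an added example, not part of the product documentation or its tooling. It reads a kafka-rest.properties file and reports whether the file matches the enabled or the disabled configuration described above. The function names prop_value and impersonation_state are hypothetical, the parser assumes simple key=value lines, and "mixed" marks a combination this page does not document.

```shell
#!/bin/sh
# Added example (not vendor code): classify a kafka-rest.properties file
# against the two configurations documented on this page.

# prop_value FILE KEY: print the last uncommented value of KEY, or "unset".
# Assumes simple key=value or key:value lines without line continuations.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }              # comment lines do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /[ \t]*[=:][ \t]*/) == 0) next
            k = substr(line, 1, RSTART - 1)
            v = substr(line, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v           # a later duplicate overrides
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# impersonation_state FILE: print enabled, disabled, default, or mixed.
impersonation_state() {
    auth=$(prop_value "$1" authentication.enable)
    imp=$(prop_value "$1" impersonation.enable)
    case "$auth/$imp" in
        true/true)   echo "enabled" ;;
        false/false) echo "disabled" ;;
        # Neither key set: the cluster default applies (enabled on secure
        # clusters, disabled on unsecured ones, per this page).
        unset/unset) echo "default" ;;
        # Any other combination is not documented on this page: review it.
        *)           echo "mixed auth=$auth imp=$imp" ;;
    esac
}

if [ "$#" -gt 0 ]; then
    impersonation_state "$1"
else
    # Constructed sample: a commented-out setting and spaced separators.
    sample=$(mktemp)
    printf '%s\n' '#impersonation.enable=false' 'authentication.enable=true' \
        'impersonation.enable = true' > "$sample"
    impersonation_state "$sample"
    rm -f "$sample"
fi
```

Pass the path to the properties file as the first argument to check a real installation; with no argument the script classifies the constructed sample.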

Example: Verify that a list of topics is owned by an impersonated user

This example demonstrates how to get a list of topics from a particular stream and then verify that the list of topics is owned by a particular user. Depending on whether impersonation is enabled (the default on secure clusters) or disabled, you need to use a different curl command.

$ sudo maprcli stream info -json -path /stream
{
	"timestamp":1598950735841,
	"timeofday":"2020-09-01 08:58:55.841 GMT+0000 AM",
	"status":"OK",
	"total":1,
	"data":[
		{
			"path":"/stream",
			"physicalsize":57344,
			"logicalsize":32768,
			"numtopics":1,
			"defaultpartitions":1,
			"ttl":604800,
			"compression":"lz4",
			"autocreate":true,
			"produceperm":"u:root",
			"consumeperm":"u:root",
			"topicperm":"u:root",
			"copyperm":"u:root",
			"adminperm":"u:root",
			"kafkatopic":false,
			"ischangelog":false,
			"defaulttimestamptype":"CreateTime",
			"compact":false,
			"mincompactionlag":0,
			"deleteretention":86400000,
			"throttlefactor":0,
			"pidexpirysecs":604800
		}
	]
}

If impersonation is enabled (the default on secure clusters), use the following query, which is submitted as the root user.

$ curl -u root -X GET https://`hostname`:8082/topics/%2Fstream%3Atopic1 --cacert /opt/mapr/conf/ssl_truststore.pem
Enter host password for user 'root':
{"name":"/stream:topic1","configs":null,"partitions":
  [{"partition":0,"leader":0,"replicas":[{"broker":0,"leader":true,"in_sync":true},
    {"broker":0,"leader":false,"in_sync":true}]}]}

If impersonation is disabled, use the following query, which is submitted as the mapr user.

$ curl -X GET https://`hostname`:8082/topics/%2Fstream%3Atopic1 --cacert /opt/mapr/conf/ssl_truststore.pem
{"error_code":40401,"message":"Topic not found."}