Posted to dev@ranger.apache.org by Dhaval Shah <dh...@gmail.com> on 2019/12/04 05:46:55 UTC

Re: Review Request 71798: RANGER-2650 : Public group should not be given access to all kafka resources in default ranger policies


> On Nov. 22, 2019, 1:31 a.m., Ramesh Mani wrote:
> > plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
> > Line 105 (original)
> > <https://reviews.apache.org/r/71798/diff/2/?file=2174730#file2174730line105>
> >
> >     I feel that when Kerberos is enabled we should delete the existing policy and add what is needed.
> >     
> >     Did you check, in a non-Kerberos cluster without this public policy, whether the default policies which are created are good enough to bring up Kafka and execute all operations?

The reasons for adding the public user group on all policy items created for authorizing Kafka access over a non-secure channel are as follows:

=> Kafka can’t assert the identity of client user over a non-secure channel.  Thus, Kafka treats all users for such access as an anonymous user (a special user literally named ANONYMOUS).

=> Ranger's public user group is a means to model all users which, of course, includes this anonymous user (ANONYMOUS).


https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-WhydowehavetospecifypublicusergrouponallpoliciesitemscreatedforauthorizingKafkaaccessovernon-securechannel?

 

Hence, I am discarding this RR.


- Dhaval


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71798/#review218751
-----------------------------------------------------------


On Nov. 21, 2019, 11:04 a.m., Dhaval Shah wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71798/
> -----------------------------------------------------------
> 
> (Updated Nov. 21, 2019, 11:04 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Mehul Parikh, Nikhil P, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2650
>     https://issues.apache.org/jira/browse/RANGER-2650
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> If authentication type is simple, we do add public group to default policy item.  Any user setting up Ranger in simple mode and after that enabling Kerberos on that cluster will have this extra policy providing public group all permissions on Kafka. 
> 
> We shouldn't be adding the public group to default policies, either in simple mode or in Kerberos.
> 
> 
> Diffs
> -----
> 
>   plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java cf5da97 
> 
> 
> Diff: https://reviews.apache.org/r/71798/diff/2/
> 
> 
> Testing
> -------
> 
> Public group is not added to default policies in simple mode.
> 
> 
> Thanks,
> 
> Dhaval Shah
> 
>
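
An added example, not part of the thread or of Ranger's code: a short audit over exported policies that lists where the public group still holds allowed accesses, which is the leftover the review request describes once a simple-mode cluster is moved to Kerberos. The policies are constructed sample data, the JSON field names (`policyItems`, `groups`, `accesses`, `isAllowed`, `isEnabled`, `resources`) are assumed to follow Ranger's policy export format, and `public_group_grants` and `audit` are hypothetical helper names.

```python
import json

PUBLIC_GROUP = "public"  # Ranger group that models all users, ANONYMOUS included

# Constructed sample in the shape of a Ranger policy export; the service and
# policy names are made up for illustration.
SAMPLE_POLICIES = json.loads("""
[
 {"service": "demo_kafka", "name": "all - topic", "isEnabled": true,
  "resources": {"topic": {"values": ["*"]}},
  "policyItems": [
    {"users": ["kafka"], "groups": ["public"],
     "accesses": [{"type": "publish", "isAllowed": true},
                  {"type": "consume", "isAllowed": true}]}]},
 {"service": "demo_kafka", "name": "orders - topic", "isEnabled": true,
  "resources": {"topic": {"values": ["orders"]}},
  "policyItems": [
    {"users": ["svc-orders"], "groups": [],
     "accesses": [{"type": "consume", "isAllowed": true}]}]},
 {"service": "demo_kafka", "name": "old - cluster", "isEnabled": false,
  "resources": {"cluster": {"values": ["*"]}},
  "policyItems": [
    {"users": [], "groups": ["public"],
     "accesses": [{"type": "create", "isAllowed": true}]}]}
]
""")

def public_group_grants(policies):
    """Return one finding per enabled policy resource that 'public' may access."""
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies are skipped
        for item in policy.get("policyItems", []):
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed", True))
            if PUBLIC_GROUP not in item.get("groups", []) or not allowed:
                continue
            for rtype, res in policy.get("resources", {}).items():
                findings.append({"policy": policy["name"], "resource": rtype,
                                 "wildcard": "*" in res.get("values", []),
                                 "accesses": allowed})
    return findings

def audit(policies, kerberos_enabled):
    """On a non-secure channel the public grant is what admits ANONYMOUS, so it
    is reported only when the cluster is Kerberized."""
    return public_group_grants(policies) if kerberos_enabled else []
```
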