You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Selvamohan Neethiraj (JIRA)" <ji...@apache.org> on 2016/07/11 15:47:11 UTC
[jira] [Updated] (RANGER-783) Default policy created during service
creation for a Kafka service should better support non-secure kafka cluster
[ https://issues.apache.org/jira/browse/RANGER-783?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Selvamohan Neethiraj updated RANGER-783:
----------------------------------------
Fix Version/s: (was: 0.6.0)
0.7.0
> Default policy created during service creation for a Kafka service should better support non-secure kafka cluster
> -----------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-783
> URL: https://issues.apache.org/jira/browse/RANGER-783
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.5.0
> Reporter: Alok Lal
> Assignee: Alok Lal
> Fix For: 0.7.0
>
>
> Whenever a new Kafka service is added a default policy is also added granting the Kafka service user all privileges on all topics. This is done to ensure that inter-broker communication (which is also seen and authorized by the authorizer) can work properly. This approach works well for secure kafka clusters authorized by Ranger.
> Kafka authorization, however, is now supported for both secure and non-secure deployments! Since user name received by the kafka authorizer in non-secure mode is the string {{ANONYMOUS}} even for inter-broker traffic, default policy should refer to {{public}} user group instead of referring to username (usually "kafka") provided in the service configuration.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)