You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/12/15 21:53:46 UTC

[jira] [Created] (RANGER-783) Default policy created during service creation for a Kafka service should better support non-secure kafka cluster

Alok Lal created RANGER-783:
-------------------------------

             Summary: Default policy created during service creation for a Kafka service should better support non-secure kafka cluster
                 Key: RANGER-783
                 URL: https://issues.apache.org/jira/browse/RANGER-783
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 0.5.0
            Reporter: Alok Lal
            Assignee: Alok Lal
             Fix For: 0.5.1, 0.6.0


Whenever a new Kafka service is added a default policy is also added granting the Kafka service user all privileges on all topics.  This is done to ensure that inter-broker communication (which is also seen and authorized by the authorizer) can work properly.  This approach works well for secure kafka clusters authorized by Ranger.

Kafka authorization, however, is now supported for both secure and non-secure deployments!  Since user name received by the kafka authorizer in non-secure mode is the string {{ANONYMOUS}} even for inter-broker traffic, default policy should refer to {{public}} user group instead of referring to username  (usually "kafka") provided in the service configuration.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)