Posted to dev@ranger.apache.org by "Dhaval B. SHAH (Jira)" <ji...@apache.org> on 2019/12/04 05:44:00 UTC

[jira] [Commented] (RANGER-2650) Public group should not be given access to all kafka resources in default ranger policies

    [ https://issues.apache.org/jira/browse/RANGER-2650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987553#comment-16987553 ] 

Dhaval B. SHAH commented on RANGER-2650:
----------------------------------------

The reasons for adding the _*{{public}}*_ user group on all policy items created for authorizing Kafka access over a non-secure channel are as follows:
 * Kafka can’t assert the identity of the client user over a non-secure channel. Thus, Kafka treats all users for such access as an anonymous user (a special user literally named {{ANONYMOUS}}).

 * Ranger's {{public}} user group is a means to model all users which, of course, includes this anonymous user ({{ANONYMOUS}}).

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-WhydowehavetospecifypublicusergrouponallpoliciesitemscreatedforauthorizingKafkaaccessovernon-securechannel?

 

We need to add documentation on removing the public group from the default Kafka policies after upgrading the cluster from simple to kerberized.

Thanks. 

> Public group should not be given access to all kafka resources in default ranger policies
> -----------------------------------------------------------------------------------------
>
>                 Key: RANGER-2650
>                 URL: https://issues.apache.org/jira/browse/RANGER-2650
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Dhaval B. SHAH
>            Assignee: Dhaval B. SHAH
>            Priority: Major
>             Fix For: 2.1.0
>
>
> If the authentication type is simple, we do add the public group to the default policy item. Any user setting up Ranger in simple mode and then enabling Kerberos on that cluster will have this extra policy providing the public group all permissions on Kafka.
> We shouldn't be adding the public group to default policies in either simple mode or Kerberos.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)