You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/12/16 01:39:46 UTC
[jira] [Commented] (RANGER-783) Default policy created during
service creation for a Kafka service should better support non-secure kafka
cluster
[ https://issues.apache.org/jira/browse/RANGER-783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059210#comment-15059210 ]
Alok Lal commented on RANGER-783:
---------------------------------
[Review created|https://reviews.apache.org/r/41409/]
> Default policy created during service creation for a Kafka service should better support non-secure kafka cluster
> -----------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-783
> URL: https://issues.apache.org/jira/browse/RANGER-783
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.5.0
> Reporter: Alok Lal
> Assignee: Alok Lal
> Fix For: 0.5.1, 0.6.0
>
>
> Whenever a new Kafka service is added a default policy is also added granting the Kafka service user all privileges on all topics. This is done to ensure that inter-broker communication (which is also seen and authorized by the authorizer) can work properly. This approach works well for secure kafka clusters authorized by Ranger.
> Kafka authorization, however, is now supported for both secure and non-secure deployments! Since user name received by the kafka authorizer in non-secure mode is the string {{ANONYMOUS}} even for inter-broker traffic, default policy should refer to {{public}} user group instead of referring to username (usually "kafka") provided in the service configuration.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)