You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Hari Sekhon (JIRA)" <ji...@apache.org> on 2019/06/26 15:16:00 UTC
[jira] [Updated] (RANGER-2488) Ranger Kafka list consumer groups
permission
[ https://issues.apache.org/jira/browse/RANGER-2488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hari Sekhon updated RANGER-2488:
--------------------------------
Description:
In a kerberized environment, Kafka client is unable to list consumer groups to iterate over if the user only has Describe permission on their own topics rather than on all topics.
{code:java}
/usr/hdp/current/kafka-broker/bin/kafka-consumer-groups.sh --list --bootstrap-server <fqdn>{code}
It ends up with a blank output instead of the list of consumer groups.
If you then grant Describe permission to all topics, that command then gives you a list of consumer groups as expected.
I believe Kafka permissions have been improved to be more granular in KAFKA-6058.
Ranger needs to be updated to reflect these more granular Kafka permissions.
Interestingly after revoking all permissions to topics for my user I was still able to list the offsets for a known consumer group.
was:
In a kerberized environment, Kafka client is unable to list consumer groups to iterate over if the user only have describe permission on their own topics rather than on all topics.
{code:java}
/usr/hdp/current/kafka-broker/bin/kafka-consumer-groups.sh --list --bootstrap-server <fqdn>{code}
It ends up with a blank output instead of the list of consumer groups.
If you then grant Describe permission to all topics, that command then gives you a list of consumer groups as expected.
I believe Kafka permissions have been improved to be more granular in KAFKA-6058.
Ranger needs to be updated to reflect these more granular Kafka permissions.
Interestingly after revoking all permissions to topics from my user I was still able to list the offsets for a known consumer group.
> Ranger Kafka list consumer groups permission
> --------------------------------------------
>
> Key: RANGER-2488
> URL: https://issues.apache.org/jira/browse/RANGER-2488
> Project: Ranger
> Issue Type: Bug
> Components: plugins, Ranger
> Affects Versions: 0.7.0
> Environment: HDP 2.6.5 + Kerberos
> Reporter: Hari Sekhon
> Priority: Major
>
> In a kerberized environment, Kafka client is unable to list consumer groups to iterate over if the user only has Describe permission on their own topics rather than on all topics.
> {code:java}
> /usr/hdp/current/kafka-broker/bin/kafka-consumer-groups.sh --list --bootstrap-server <fqdn>{code}
> It ends up with a blank output instead of the list of consumer groups.
> If you then grant Describe permission to all topics, that command then gives you a list of consumer groups as expected.
> I believe Kafka permissions have been improved to be more granular in KAFKA-6058.
> Ranger needs to be updated to reflect these more granular Kafka permissions.
> Interestingly after revoking all permissions to topics for my user I was still able to list the offsets for a known consumer group.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)