Posted to user@ranger.apache.org by Lune Silver <lu...@gmail.com> on 2016/02/18 16:18:28 UTC

Ranger - Kafka - Permission Admin

Hello !

I have a question related to the permissions for Kafka with Ranger.

In the following link :
https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-KAFKA.1

We can see a table listing the permissions.

I have two questions :
1. Is it possible to have a mapping between the ranger permissions and the
kafka permissions ?
2. There is no description for kafka admin permission. What does it mean ?
Does it give the same permissions as those of the kafka superuser
(create topics etc...) ?

Thank you in advance for your answers !

Best regards.

Lune.

Re: Ranger - Kafka - Permission Admin

Posted by Alok Lal <al...@hortonworks.com>.
> Q1 - Do we agree that this permission in kafka plugin is useless as long as we don't have access to zookeeper, because you cannot create kafka topic ?

That will depend on when Kafka passes ClusterAction$.MODULE$ as an operation type to authorize with Ranger, since 'Kafka Admin' is the only access type that will allow that type of access. More importantly, however, it serves as a self-documenting shorthand to let admins denote "super-users" of a service. This is the case for all other plugins, too, where there is an Admin access type of some sort that encompasses all the other access types. It is an important and consistent aspect of how Ranger exposes access types to users.



From: Lune Silver <lu...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Monday, February 22, 2016 at 7:49 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Re: Ranger - Kafka - Permission Admin

Hello.

Thank you for your answer.

About this part :
- 'Kafka Admin' implies all other access types.

Q1 - Do we agree that this permission in kafka plugin is useless as long as we don't have access to zookeeper, because you cannot create kafka topic ?

To answer your question about the specific use case. I'm just trying to elaborate a security model to apply on my cluster. So I'm gathering more information about the kafka plugin, as we will use kafka secured by ranger.

Best regards.

Lune.


Re: Ranger - Kafka - Permission Admin

Posted by Lune Silver <lu...@gmail.com>.
Hello.

Thank you for your answer.

About this part :
- 'Kafka Admin' implies all other access types.

Q1 - Do we agree that this permission in kafka plugin is useless as long as
we don't have access to zookeeper, because you cannot create kafka topic ?

To answer your question about the specific use case. I'm just trying to
elaborate a security model to apply on my cluster. So I'm gathering more
information about the kafka plugin, as we will use kafka secured by ranger.

Best regards.

Lune.

On Fri, Feb 19, 2016 at 9:14 PM, Alok Lal <al...@hortonworks.com> wrote:

> The issue of topic creation is discussed under the Kafka plugin FAQ <https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-CanIauthorizertopiccreationviaRanger?>.
>
> As to your 1st question.
>
> Firstly the Ranger Access types themselves form a hierarchy of sorts as
> follows:
> - Publish, Consume and Configure access types imply Describe. For example,
> if you give someone ability to Publish then you don’t need to also give
> describe as it is implied.
> - 'Kafka Admin' implies all other access types.
> - Refer to this part of source for details:
> https://github.com/apache/incubator-ranger/blob/master/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json#L30-L87
>
> As to the mapping of kafka access types to Ranger access types:
> - Kafka access types Delete, Create, Describe, Read and Write map to
> corresponding Ranger access types
> - Kafka access type Alter maps to Ranger Configure
> - Kafka access type ClusterAction maps to Ranger 'Kafka Admin'
> - Refer to this part of code for details: <https://github.com/apache/incubator-ranger/blob/master/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java#L300-L317>
>
> @Lune Above information is "good to know" but may not be helpful to solve
> a specific problem.  Is there a specific problem you are trying to solve?
> If you tell us about the specific use case then we could provide a relevant
> answer.
>
>
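
The access-type hierarchy and the Kafka-to-Ranger mapping from Alok Lal's reply quoted above, as an added Python example that is not part of the thread or of Ranger's own code. The access-type names, the "impliedGrants" layout of the constructed fragment, and the pairing of Read/Write with consume/publish are assumptions; the code shows which Kafka operations a set of Ranger grants ends up authorizing and which grants in a policy item are redundant.

```python
import json

# Constructed service-definition fragment encoding the hierarchy described in
# the thread. Access-type names and the "impliedGrants" layout are assumptions
# made for this example, not a copy of ranger-servicedef-kafka.json.
SERVICE_DEF = json.loads("""
{"accessTypes": [
  {"name": "publish",   "impliedGrants": ["describe"]},
  {"name": "consume",   "impliedGrants": ["describe"]},
  {"name": "configure", "impliedGrants": ["describe"]},
  {"name": "describe"},
  {"name": "create"},
  {"name": "delete"},
  {"name": "kafka_admin", "impliedGrants":
      ["publish", "consume", "configure", "describe", "create", "delete"]}
]}
""")
IMPLIED = {a["name"]: set(a.get("impliedGrants", []))
           for a in SERVICE_DEF["accessTypes"]}

# Kafka operation -> Ranger access type, per the thread. Pairing Read/Write
# with consume/publish is this example's reading of "corresponding".
KAFKA_TO_RANGER = {
    "Read": "consume", "Write": "publish", "Create": "create",
    "Delete": "delete", "Describe": "describe",
    "Alter": "configure", "ClusterAction": "kafka_admin",
}

def expand(grants):
    """Return the grants plus everything they imply (transitive closure)."""
    seen, todo = set(), list(grants)
    while todo:
        g = todo.pop()
        if g not in IMPLIED:
            raise ValueError(f"unknown Ranger access type: {g}")
        if g not in seen:
            seen.add(g)
            todo.extend(IMPLIED[g])
    return seen

def allowed_kafka_ops(grants):
    """Kafka operations that a set of Ranger grants authorizes."""
    effective = expand(grants)
    return {op for op, acc in KAFKA_TO_RANGER.items() if acc in effective}

def redundant_grants(grants):
    """Grants already implied by another grant in the same policy item."""
    return {g for g in grants if g in expand(set(grants) - {g})}
```

Only a grant of kafka_admin yields ClusterAction in this model, so any policy item carrying it is worth reviewing as a service "super-user" entry.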

Re: Ranger - Kafka - Permission Admin

Posted by Alok Lal <al...@hortonworks.com>.
The issue of topic creation is discussed under the Kafka plugin FAQ <https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-CanIauthorizertopiccreationviaRanger?>.

As to your 1st question.

Firstly the Ranger Access types themselves form a hierarchy of sorts as follows:
- Publish, Consume and Configure access types imply Describe. For example, if you give someone ability to Publish then you don’t need to also give describe as it is implied.
- 'Kafka Admin' implies all other access types.
- Refer to this part of source for details: https://github.com/apache/incubator-ranger/blob/master/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json#L30-L87

As to the mapping of kafka access types to Ranger access types:
- Kafka access types Delete, Create, Describe, Read and Write map to corresponding Ranger access types
- Kafka access type Alter maps to Ranger Configure
- Kafka access type ClusterAction maps to Ranger 'Kafka Admin'
- Refer to this part of code for details: <https://github.com/apache/incubator-ranger/blob/master/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java#L300-L317>

@Lune Above information is "good to know" but may not be helpful to solve a specific problem.  Is there a specific problem you are trying to solve?  If you tell us about the specific use case then we could provide a relevant answer.


From:  Lune Silver <lu...@gmail.com>
Reply-To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date:  Thursday, February 18, 2016 at 10:40 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: Ranger - Kafka - Permission Admin


About the first question, I wanted to know which permissions in Kafka correspond to the permissions listed in the Ranger Kafka plugin.
Best regards.
Lune.

Re: Ranger - Kafka - Permission Admin

Posted by Lune Silver <lu...@gmail.com>.
About the first question, I wanted to know which permissions in Kafka
correspond to the permissions listed in the Ranger Kafka plugin.

Best regards.

Lune.

On 19 Feb 2016 02:20, "Arvind S" <ar...@gmail.com> wrote:

> not sure about your 1st question..
> but know for sure that "create topics" is not controlled/ governed by any
> ranger permission. It has to be done by a superuser.
>
>
> *Cheers !!*
> Arvind

Re: Ranger - Kafka - Permission Admin

Posted by Arvind S <ar...@gmail.com>.
not sure about your 1st question..
but know for sure that "create topics" is not controlled/ governed by any
ranger permission. It has to be done by a superuser.


*Cheers !!*
Arvind

On Thu, Feb 18, 2016 at 8:48 PM, Lune Silver <lu...@gmail.com>
wrote:

> Hello !
>
> I have a question related to the permissions for Kafka with Ranger.
>
> In the following link :
>
> https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-KAFKA.1
>
> We can see a table listing the permissions.
>
> I have two questions :
> 1. Is it possible to have a mapping between the ranger permissions and the
> kafka permissions ?
> 2. There is no description for kafka admin permission. What does it mean ?
> Does it give the same permissions as those of the kafka superuser
> (create topics etc...) ?
>
> Thank you in advance for your answers !
>
> Best regards.
>
> Lune.
>