You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ranger.apache.org by ma...@roo.ee on 2019/01/22 06:54:08 UTC
No topic information attached in case of create in kafka audit log
Hi
I am not sure is it more Ranger or Kafka plugin issue, but I'll try
here.
I am using Ranger 1.1.0 and Kafka 1.1.1 packaged into HDF 3.2
Using Ranger and browsing kafka audit log I can see in example
action:describe and resource:[some topic name]
But in case action is create, then there is not topic attached.
Even browsing SOLR there is no topics attached.
In example in case of describe:
{
"id":"78622377-0894-4945-8c46-47ff66bf9e1a-8999585",
"access":"describe",
"enforcer":"ranger-acl",
"repo":"devel_kafka",
"reqUser":"app",
"reqData":"Topic1",
"resource":"Topic1",
"cliIP":"10.92.12.22",
"logType":"RangerAudit",
"result":1,
"policy":3,
"repoType":9,
"resType":"topic",
"action":"describe",
"evtTime":"2019-01-07T11:08:03.924Z",
"seq_num":17805502,
"event_count":1,
"event_dur_ms":1,
"cluster":"dataplatform_devel",
"_ttl_":"+90DAYS",
"_expire_at_":"2019-04-07T11:08:06.695Z",
"_version_":1621999523405496320}
In case of create:
{
"id":"e67a9b55-44eb-4882-8f2e-4d443e0be80e-127764",
"access":"create",
"enforcer":"ranger-acl",
"repo":"devel_kafka",
"reqUser":"app",
"reqData":"kafka-cluster",
"cliIP":"172.14.255.2",
"logType":"RangerAudit",
"result":1,
"policy":3,
"repoType":9,
"action":"create",
"evtTime":"2019-01-08T15:17:54.134Z",
"seq_num":253822,
"event_count":2,
"event_dur_ms":351,
"cluster":"dataplatform_devel",
"_ttl_":"+90DAYS",
"_expire_at_":"2019-04-08T15:17:57.294Z",
"_version_":1622105839160524811}
Is it normal?
Br,
Margus
Re: No topic information attached in case of create in kafka audit
log
Posted by Margusja <ma...@roo.ee>.
Thank you for a answer.
Br,
Margus Roo
> On 23 Jan 2019, at 00:41, Ramesh Mani <rm...@hortonworks.com> wrote:
>
> Hi Margus,
>
> In Ranger 1.1.0 with Kafka 1.1.1, Create TOPIC was not authorized as there
> is no hook in Kafka provided for that. It was done via Kafka ACLs.
>
> Kafka 2.0 release has the CREATE TOPIC authorization hooks and Ranger is
> authorizing it in Ranger 2.0 release.
>
> Please refer this
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+In
> terface#KIP-11-AuthorizationInterface-AclManagement(CLI)
>
> Thanks,
> Ramesh
>
> On 1/21/19, 10:54 PM, "margus@roo.ee" <ma...@roo.ee> wrote:
>
>> Hi
>>
>> I am not sure is it more Ranger or Kafka plugin issue, but I'll try
>> here.
>>
>> I am using Ranger 1.1.0 and Kafka 1.1.1 packaged into HDF 3.2
>>
>> Using Ranger and browsing kafka audit log I can see in example
>> action:describe and resource:[some topic name]
>>
>> But in case action is create, then there is not topic attached.
>> Even browsing SOLR there is no topics attached.
>>
>> In example in case of describe:
>> {
>> "id":"78622377-0894-4945-8c46-47ff66bf9e1a-8999585",
>> "access":"describe",
>> "enforcer":"ranger-acl",
>> "repo":"devel_kafka",
>> "reqUser":"app",
>> "reqData":"Topic1",
>> "resource":"Topic1",
>> "cliIP":"10.92.12.22",
>> "logType":"RangerAudit",
>> "result":1,
>> "policy":3,
>> "repoType":9,
>> "resType":"topic",
>> "action":"describe",
>> "evtTime":"2019-01-07T11:08:03.924Z",
>> "seq_num":17805502,
>> "event_count":1,
>> "event_dur_ms":1,
>> "cluster":"dataplatform_devel",
>> "_ttl_":"+90DAYS",
>> "_expire_at_":"2019-04-07T11:08:06.695Z",
>> "_version_":1621999523405496320}
>>
>> In case of create:
>> {
>> "id":"e67a9b55-44eb-4882-8f2e-4d443e0be80e-127764",
>> "access":"create",
>> "enforcer":"ranger-acl",
>> "repo":"devel_kafka",
>> "reqUser":"app",
>> "reqData":"kafka-cluster",
>> "cliIP":"172.14.255.2",
>> "logType":"RangerAudit",
>> "result":1,
>> "policy":3,
>> "repoType":9,
>> "action":"create",
>> "evtTime":"2019-01-08T15:17:54.134Z",
>> "seq_num":253822,
>> "event_count":2,
>> "event_dur_ms":351,
>> "cluster":"dataplatform_devel",
>> "_ttl_":"+90DAYS",
>> "_expire_at_":"2019-04-08T15:17:57.294Z",
>> "_version_":1622105839160524811}
>>
>>
>> Is it normal?
>>
>> Br,
>> Margus
>>
>
Re: No topic information attached in case of create in kafka audit
log
Posted by Ramesh Mani <rm...@hortonworks.com>.
Hi Margus,
In Ranger 1.1.0 with Kafka 1.1.1, Create TOPIC was not authorized as there
is no hook in Kafka provided for that. It was done via Kafka ACLs.
Kafka 2.0 release has the CREATE TOPIC authorization hooks and Ranger is
authorizing it in Ranger 2.0 release.
Please refer this
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+In
terface#KIP-11-AuthorizationInterface-AclManagement(CLI)
Thanks,
Ramesh
On 1/21/19, 10:54 PM, "margus@roo.ee" <ma...@roo.ee> wrote:
>Hi
>
>I am not sure is it more Ranger or Kafka plugin issue, but I'll try
>here.
>
>I am using Ranger 1.1.0 and Kafka 1.1.1 packaged into HDF 3.2
>
>Using Ranger and browsing kafka audit log I can see in example
>action:describe and resource:[some topic name]
>
>But in case action is create, then there is not topic attached.
>Even browsing SOLR there is no topics attached.
>
>In example in case of describe:
> {
> "id":"78622377-0894-4945-8c46-47ff66bf9e1a-8999585",
> "access":"describe",
> "enforcer":"ranger-acl",
> "repo":"devel_kafka",
> "reqUser":"app",
> "reqData":"Topic1",
> "resource":"Topic1",
> "cliIP":"10.92.12.22",
> "logType":"RangerAudit",
> "result":1,
> "policy":3,
> "repoType":9,
> "resType":"topic",
> "action":"describe",
> "evtTime":"2019-01-07T11:08:03.924Z",
> "seq_num":17805502,
> "event_count":1,
> "event_dur_ms":1,
> "cluster":"dataplatform_devel",
> "_ttl_":"+90DAYS",
> "_expire_at_":"2019-04-07T11:08:06.695Z",
> "_version_":1621999523405496320}
>
>In case of create:
>{
> "id":"e67a9b55-44eb-4882-8f2e-4d443e0be80e-127764",
> "access":"create",
> "enforcer":"ranger-acl",
> "repo":"devel_kafka",
> "reqUser":"app",
> "reqData":"kafka-cluster",
> "cliIP":"172.14.255.2",
> "logType":"RangerAudit",
> "result":1,
> "policy":3,
> "repoType":9,
> "action":"create",
> "evtTime":"2019-01-08T15:17:54.134Z",
> "seq_num":253822,
> "event_count":2,
> "event_dur_ms":351,
> "cluster":"dataplatform_devel",
> "_ttl_":"+90DAYS",
> "_expire_at_":"2019-04-08T15:17:57.294Z",
> "_version_":1622105839160524811}
>
>
>Is it normal?
>
>Br,
>Margus
>