Posted to dev@ranger.apache.org by Alok Lal <al...@hortonworks.com> on 2015/12/15 22:11:23 UTC

Review Request 41409: Default policy created during creation of a non-secure Kafka service should point to public group instead of the username specified in the configuration.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/
-----------------------------------------------------------

Review request for ranger, Don Bosco Durai and Madhan Neethiraj.


Bugs: RANGER-783
    https://issues.apache.org/jira/browse/RANGER-783


Repository: ranger


Description
-------

Since the user name received by the Kafka authorizer in non-secure mode is the string ANONYMOUS even for inter-broker traffic, the default policy should refer to the public user group instead of referring to the username (usually "kafka") provided in the service configuration.  Whether the service is secure is detected by requiring the user to specify it during Kafka service creation via the additional mandatory parameter `hadoop.security.authentication`.

Once approved I'll also port this change to 0.5.


Diffs
-----

  agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json 839d780 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 54e61f1 
  security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java db958a5 

Diff: https://reviews.apache.org/r/41409/diff/


Testing
-------

Did the following tests via both the admin ui and REST service APIs.

1. Create a secure Kafka service.  Validate that the default policy created refers to the username specified in the service configuration.
2. Create a non-secure Kafka service.  Validate that the default policy created ignores the username specified in the service configuration and instead refers to the public user group.


File Attachments
----------------

783.0.patch
  https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch


Thanks,

Alok Lal
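The decision the description above spells out, as an added example in Python (this is not Ranger's code and not the Java patch under review). It models the Kafka service config as a dict, treats `hadoop.security.authentication` as the mandatory switch the request describes, and builds the default policy body in a shape modelled on Ranger's policy REST JSON. The Kafka access-type names and the policy name are assumptions; the `public` group is Ranger's built-in group that matches every user. For contrast it also includes the "@ in the username" heuristic that a later reply in this thread proposes, and a small check showing why a policy naming user "kafka" is dead in non-secure mode: the authorizer only ever sees ANONYMOUS.

```python
"""Model of how the default Kafka policy should pick its grantee (RANGER-783).

Added example, not Ranger project code. In non-secure mode Kafka hands the
authorizer the literal principal "ANONYMOUS" for every request, including
inter-broker traffic, so a default policy that names the configured username
(usually "kafka") never matches anything. The JSON below is modelled on the
Ranger policy REST body; field names and access types are assumptions.
"""
import json

ANONYMOUS = "ANONYMOUS"
PUBLIC_GROUP = "public"                          # Ranger's built-in everyone group
AUTH_PARAM = "hadoop.security.authentication"    # parameter name used in the review
KAFKA_ACCESSES = ["publish", "consume", "configure", "describe",
                  "create", "delete", "kafka_admin"]   # assumed access types


def is_secure(config):
    """Explicit approach from the review: the service config must carry the
    auth mode. Missing or unknown values are rejected rather than guessed."""
    mode = config.get(AUTH_PARAM)
    if mode is None:
        raise ValueError(f"{AUTH_PARAM} is mandatory for a Kafka service")
    mode = mode.strip().lower()
    if mode == "kerberos":
        return True
    if mode in ("simple", "none"):   # both spellings discussed in the thread
        return False
    raise ValueError(f"unsupported {AUTH_PARAM} value: {mode!r}")


def looks_like_kerberos_principal(username):
    """Alternative heuristic raised later in the thread: infer Kerberos from
    an '@' in the configured username. Shown for contrast only."""
    return "@" in username


def default_policy(service_name, config):
    """Build the default 'all topics' policy for a newly created Kafka service.

    Secure service with a username -> grant to that user.
    Anything else                  -> grant to the public group.
    """
    username = config.get("username", "").strip()
    item = {"accesses": [{"type": a, "isAllowed": True} for a in KAFKA_ACCESSES],
            "users": [], "groups": [], "delegateAdmin": True}
    if is_secure(config) and username:
        item["users"].append(username)
    else:
        item["groups"].append(PUBLIC_GROUP)
    return {"service": service_name,
            "name": f"{service_name}-1-default",      # assumed naming
            "isEnabled": True,
            "resources": {"topic": {"values": ["*"],
                                    "isExcludes": False,
                                    "isRecursive": False}},
            "policyItems": [item]}


def principal_seen_by_authorizer(config, client_principal):
    """What the Ranger Kafka authorizer receives for a request."""
    return client_principal if is_secure(config) else ANONYMOUS


def policy_grants(policy, principal, principal_groups=()):
    """Does any policy item cover this principal, by user name or by group?
    Every principal is implicitly a member of the public group."""
    groups = set(principal_groups) | {PUBLIC_GROUP}
    for item in policy["policyItems"]:
        if principal in item["users"] or groups & set(item["groups"]):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample configs mirroring the two test cases in the review.
    for cfg in ({"username": "kafka", AUTH_PARAM: "kerberos"},
                {"username": "kafka", AUTH_PARAM: "simple"}):
        pol = default_policy("kafka_dev", cfg)
        seen = principal_seen_by_authorizer(cfg, "kafka")
        print(json.dumps(pol["policyItems"][0], indent=2))
        print(f"authorizer sees {seen!r}; default policy grants: "
              f"{policy_grants(pol, seen)}")
```

Running the module walks the two cases from the Testing section: the kerberos config yields a policy item naming the user, the simple config yields only the public group, and only the latter actually grants anything to the ANONYMOUS principal a non-secure broker presents.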


Re: Review Request 41409: Default policy created during creation of a non-secure Kafka service should point to public group instead of the username specified in the configuration.

Posted by Alok Lal <al...@hortonworks.com>.

> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json, line 120
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165156#file1165156line120>
> >
> >     Consider replacing 'hadoop.security.authentication' with "kafka.security.authentication".

I used this because the HDFS, HBase and YARN defs refer to this property with the same name.  Should we reuse the name?


> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json, line 140
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165156#file1165156line140>
> >
> >     AFAIK, there is no "simple" auth in Kafka. Consider replacing it with "None".

Yes, Kafka does not have simple auth -- and simple and no-auth are really different, as we know from experience.  HDFS, HBase and YARN all define this enum with simple/kerberos enum values.  Should we reuse the enum def?


> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java, line 2033
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165157#file1165157line2033>
> >
> >     Looks like VXUser & VXGroup are not needed in this method; consider replacing them with String type parameters: userName, groupName.

User and group get used in the policy item during policy creation.


- Alok


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110574
-----------------------------------------------------------



Re: Review Request 41409: Default policy created during creation of a non-secure Kafka service should point to public group instead of the username specified in the configuration.

Posted by Madhan Neethiraj <ma...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110574
-----------------------------------------------------------



agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 120)
<https://reviews.apache.org/r/41409/#comment170518>

    Consider replacing 'hadoop.security.authentication' with "kafka.security.authentication".



agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 140)
<https://reviews.apache.org/r/41409/#comment170519>

    AFAIK, there is no "simple" auth in Kafka. Consider replacing it with "None".



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1062)
<https://reviews.apache.org/r/41409/#comment170523>

    Instead of having getVxUserAndVxGroup() return Map<String, Object>, consider splitting into 2 methods:
    
    String userName  = getDefaultPolicyUser(service, validConfig);
    String groupName = getDefaultPolicyGroup(service, validConfig);



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1203)
<https://reviews.apache.org/r/41409/#comment170521>

    "User" ==> "Group"
    "username" ==> "groupName"



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2020)
<https://reviews.apache.org/r/41409/#comment170522>

    Looks like VXUser & VXGroup are not needed in this method; consider replacing them with String type parameters: userName, groupName.



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2034)
<https://reviews.apache.org/r/41409/#comment170520>

    For easier reading, consider rewriting this:
    if(vXUser != null || vXGroup != null) {


- Madhan Neethiraj



Re: Review Request 41409: Default policy created during creation of a non-secure Kafka service should point to public group instead of the username specified in the configuration.

Posted by Don Bosco Durai <bo...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110564
-----------------------------------------------------------



agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 122)
<https://reviews.apache.org/r/41409/#comment170502>

    The original intention was to avoid adding more fields, but to deduce whether to use Kerberos based on whether the username has "@" in it. If it has, then use Kerberos.


- Don Bosco Durai

