[
https://issues.apache.org/jira/browse/RANGER-2650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16987553#comment-16987553
]
Dhaval B. SHAH commented on RANGER-2650:
----------------------------------------
The reasons for adding the _*{{public}}*_ user group on all policy items created for
authorizing Kafka access over a non-secure channel are as follows:
* Kafka can’t assert the identity of client user over a non-secure channel.
Thus, Kafka treats all users for such access as an anonymous user (a special
user literally named {{ANONYMOUS}}).
* Ranger's {{public}} user group is a means to model all users which, of
course, includes this anonymous user ({{ANONYMOUS}}).
[https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-WhydowehavetospecifypublicusergrouponallpoliciesitemscreatedforauthorizingKafkaaccessovernon-securechannel?]
We need to add documentation on removing the public group from the default
Kafka policies after upgrading the cluster from simple to Kerberos.
Thanks.
> Public group should not be given access to all kafka resources in default
> ranger policies
> -----------------------------------------------------------------------------------------
>
> Key: RANGER-2650
> URL: https://issues.apache.org/jira/browse/RANGER-2650
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dhaval B. SHAH
> Assignee: Dhaval B. SHAH
> Priority: Major
> Fix For: 2.1.0
>
>
> If authentication type is simple, we do add public group to default policy
> item. Any user setting up Ranger in simple mode and after that enabling
> Kerberos on that cluster will have this extra policy providing public group
> all permissions on Kafka.
> We shouldn't be adding the public group to default policies either in simple
> mode or in Kerberos.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)