> On Nov. 22, 2019, 1:31 a.m., Ramesh Mani wrote:
> > plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
> > Line 105 (original)
> > <https://reviews.apache.org/r/71798/diff/2/?file=2174730#file2174730line105>
> >
> >     I feel that when kerberos is enabled we should delete the existing policy and add what is needed.
> >
> >     Did you check in a non-kerberos cluster without this public policy whether the default policies which are created are good enough to bring up the kafka and execute all operations?

The reasons for adding public user group on all policies items created for authorizing Kafka access over non-secure channel are as follows:

=> Kafka can't assert the identity of client user over a non-secure channel. Thus, Kafka treats all users for such access as an anonymous user (a special user literally named ANONYMOUS).
=> Ranger's public user group is a means to model all users which, of course, includes this anonymous user (ANONYMOUS).

https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-WhydowehavetospecifypublicusergrouponallpoliciesitemscreatedforauthorizingKafkaaccessovernon-securechannel?

Hence, I am discarding this RR.

- Dhaval

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71798/#review218751
-----------------------------------------------------------

On Nov. 21, 2019, 11:04 a.m., Dhaval Shah wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71798/
> -----------------------------------------------------------
>
> (Updated Nov. 21, 2019, 11:04 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Mehul Parikh, Nikhil P, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2650
>     https://issues.apache.org/jira/browse/RANGER-2650
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If authentication type is simple, we do add public group to default policy item. Any user setting up Ranger in simple mode and after that enabling Kerberos on that cluster will have this extra policy providing public group all permissions on Kafka.
>
> We shouldn't be adding public group to default policies either in simple mode or in kerberos.
>
>
> Diffs
> -----
>
>   plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java cf5da97
>
>
> Diff: https://reviews.apache.org/r/71798/diff/2/
>
>
> Testing
> -------
>
> Public group is not added to default policies in simple mode.
>
>
> Thanks,
>
> Dhaval Shah
>
>
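
An added example, not part of the review thread or of Ranger's code: one way to check a cluster for the situation the description raises, where a policy item created in simple mode still grants the `public` group access after Kerberos is enabled. It assumes a policy export in the JSON shape shown (the field names `policyItems`, `groups`, `accesses`, `isEnabled` and `delegateAdmin` are assumed to match the cluster's Ranger export); the sample data and the function name `public_grants` are constructed for illustration.

```python
import json

# Constructed sample in the assumed shape of a Ranger policy export;
# service, policy and user names are made up for this example.
SAMPLE_EXPORT = json.loads("""
{"policies": [
  {"id": 1, "name": "all - topic", "service": "cl1_kafka", "isEnabled": true,
   "resources": {"topic": {"values": ["*"]}},
   "policyItems": [
     {"users": ["kafka"], "groups": ["public"], "delegateAdmin": true,
      "accesses": [{"type": "publish", "isAllowed": true},
                   {"type": "consume", "isAllowed": true}]}]},
  {"id": 2, "name": "orders-writers", "service": "cl1_kafka", "isEnabled": true,
   "resources": {"topic": {"values": ["orders"]}},
   "policyItems": [
     {"users": ["svc-orders"], "groups": [],
      "accesses": [{"type": "publish", "isAllowed": true}]}]},
  {"id": 3, "name": "legacy-open", "service": "cl1_kafka", "isEnabled": false,
   "resources": {"topic": {"values": ["tmp-*"]}},
   "policyItems": [
     {"users": [], "groups": ["public"],
      "accesses": [{"type": "consume", "isAllowed": true}]}]}
]}
""")

def public_grants(export, group="public"):
    """Return enabled allow items that grant access to `group` (all users, incl. ANONYMOUS)."""
    findings = []
    for policy in export.get("policies", []):
        if not policy.get("isEnabled", True):
            continue  # disabled policies are not evaluated, so they are not findings
        for item in policy.get("policyItems", []):
            if group not in item.get("groups", []):
                continue
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed", True))
            if allowed:
                findings.append({
                    "policy": policy["name"],
                    "resources": {k: v.get("values", [])
                                  for k, v in policy.get("resources", {}).items()},
                    "accesses": allowed,
                    "delegateAdmin": bool(item.get("delegateAdmin")),
                })
    return findings

if __name__ == "__main__":
    for finding in public_grants(SAMPLE_EXPORT):
        print(finding)
```

On a Kerberos-enabled cluster every finding is a grant that no longer needs to cover ANONYMOUS and can be reviewed for removal; on a cluster that still serves non-secure listeners the same grants are what lets those clients through, as the reply explains.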
