[jira] [Assigned] (RANGER-5069) Kafka plugin should add super users from Kafka super.users config

Tue, 17 Dec 2024 01:11:35 -0800 


     [ 
https://issues.apache.org/jira/browse/RANGER-5069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Daniel Fonai reassigned RANGER-5069:
------------------------------------

    Assignee: Daniel Fonai

> Kafka plugin should add super users from Kafka super.users config
> -----------------------------------------------------------------
>
>                 Key: RANGER-5069
>                 URL: https://issues.apache.org/jira/browse/RANGER-5069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Daniel Fonai
>            Assignee: Daniel Fonai
>            Priority: Minor
>
> [Kafka authorization|https://kafka.apache.org/documentation/#security_authz] 
> allows users to define super users via the super.users config property. If 
> the configured authorizer class also supports, these users will have access 
> rights by default.
> Ranger plugin also has the notion of super users 
> ([code|https://github.com/apache/ranger/blob/d8157a69e4363ce87b55808d90a2f0c6d44d1f5c/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L105
>  ]) which is configurable in the Ranger plugin config.
> The Ranger Kafka plugin can be enhanced by adding the capability to read 
> super.users from Kafka config and add these users to Ranger plugin super 
> users.
> An example where this would be useful is to integrate a Strimzi managed Kafka 
> cluster with Ranger. [Strimzi|https://strimzi.io/] is a CNCF project to run 
> Kafka on Kubernetes which builds on the super.users config to provide admin 
> users access to the Kafka cluster.
> In addition, Ranger plugin currently splits up super users by the ',' (comma) 
> character 
> ([code|https://github.com/apache/ranger/blob/d8157a69e4363ce87b55808d90a2f0c6d44d1f5c/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java#L311]),
>  however, it is accepted in Kafka user names (as stated by the Kafka 
> [authorization 
> documentation|https://kafka.apache.org/documentation/#security_authz]). This 
> improvement could also be used as a workaround to add super users containing 
> comma to the Ranger Kafka plugin.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to