Alok Lal created RANGER-783:
-------------------------------

             Summary: Default policy created during service creation for a 
Kafka service should better support non-secure kafka cluster
                 Key: RANGER-783
                 URL: https://issues.apache.org/jira/browse/RANGER-783
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: 0.5.0
            Reporter: Alok Lal
            Assignee: Alok Lal
             Fix For: 0.5.1, 0.6.0


Whenever a new Kafka service is added, a default policy is also added granting 
the Kafka service user all privileges on all topics.  This is done to ensure 
that inter-broker communication (which is also seen and authorized by the 
authorizer) can work properly.  This approach works well for secure Kafka 
clusters authorized by Ranger.

Kafka authorization, however, is now supported for both secure and non-secure 
deployments!  Since the user name received by the Kafka authorizer in non-secure 
mode is the string {{ANONYMOUS}} even for inter-broker traffic, the default policy 
should refer to the {{public}} user group instead of referring to the username 
(usually "kafka") provided in the service configuration.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
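
The mismatch reported above, as an added example that is not part of the original message and is not Ranger's code: a simplified model of user/group matching that evaluates the two default policies against the principal a broker presents in each mode. The class names, the access-type list and the topic name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PUBLIC_GROUP = "public"   # Ranger group that every user implicitly belongs to
ANONYMOUS = "ANONYMOUS"   # principal the authorizer sees on a non-secure cluster
ACCESSES = {"publish", "consume", "describe"}  # illustrative subset (assumption)


@dataclass
class PolicyItem:
    accesses: set
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)


@dataclass
class Policy:
    topic: str    # "*" stands for all topics
    items: list


def is_allowed(policy, user, user_groups, topic, access):
    """True if some policy item grants `access` on `topic` to `user`."""
    if policy.topic not in ("*", topic):
        return False
    groups = set(user_groups) | {PUBLIC_GROUP}   # implicit membership
    return any(
        access in item.accesses and (user in item.users or groups & item.groups)
        for item in policy.items
    )


# Default policy as currently created: names the configured service user.
USER_DEFAULT = Policy("*", [PolicyItem(ACCESSES, users={"kafka"})])
# Default policy as proposed in the issue: names the public group.
PUBLIC_DEFAULT = Policy("*", [PolicyItem(ACCESSES, groups={PUBLIC_GROUP})])


def broker_allowed(policy, secure):
    """Inter-broker request: 'kafka' when secure, ANONYMOUS otherwise."""
    principal = "kafka" if secure else ANONYMOUS
    return is_allowed(policy, principal, [], "constructed-topic", "publish")


if __name__ == "__main__":
    for name, pol in (("user=kafka", USER_DEFAULT), ("group=public", PUBLIC_DEFAULT)):
        for secure in (True, False):
            print(f"{name:13} secure={secure!s:5} -> {broker_allowed(pol, secure)}")
```

In this model the public-group default matches every principal, not only brokers, so the tighter topic policies have to be added on top of it.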
