-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai and Madhan Neethiraj.
Bugs: RANGER-783
https://issues.apache.org/jira/browse/RANGER-783
Repository: ranger
Description
-------
Since the user name received by the kafka authorizer in non-secure mode is the
string ANONYMOUS even for inter-broker traffic, the default policy should refer to
the public user group instead of referring to the username (usually "kafka") provided
in the service configuration. Detection of whether the service is secure is done by
requiring the user to specify the same during kafka service creation via the
additional mandatory parameter `hadoop.security.authentication`.
Once approved I'll also port this change to 0.5.
Diffs
-----
agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json
839d780
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java
54e61f1
security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java
db958a5
Diff: https://reviews.apache.org/r/41409/diff/
Testing
-------
Did the following tests via both the admin ui and REST service APIs.
1. Create a secure kafka service. Validate that the default policy created refers
to the username specified in the service configuration.
2. Create a non-secure kafka service. Validate that the default policy created
ignores the username specified in the service configuration and instead refers
to the public user group.
File Attachments
----------------
783.0.patch
https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch
Thanks,
Alok Lal
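
The behaviour described in this request, as an added example (not code from the patch or from Ranger): a default policy naming the configured user never matches ANONYMOUS, while one naming the public group does. The class, record and method names and the `username` config key are hypothetical, and treating `kerberos` as the only secure value of `hadoop.security.authentication` is an assumption based on Hadoop's convention.

```java
import java.util.Map;
import java.util.Set;

public class KafkaDefaultPolicyExample {
    // Hypothetical, simplified policy: the users and groups it grants access to.
    record Policy(Set<String> users, Set<String> groups) {
        boolean matches(String user, Set<String> userGroups) {
            if (users.contains(user)) return true;
            return userGroups.stream().anyMatch(groups::contains);
        }
    }

    static final String PUBLIC_GROUP = "public";
    // Assumption: every caller, ANONYMOUS included, is a member of the public group.
    static final Set<String> EVERYONE = Set.of(PUBLIC_GROUP);

    // Assumption: "kerberos" marks a secure service; any other value
    // (for example "simple") or a missing value is treated as non-secure.
    static boolean isSecure(Map<String, String> config) {
        return "kerberos".equalsIgnoreCase(config.get("hadoop.security.authentication"));
    }

    // Secure service: grant to the configured user.
    // Non-secure service: ignore the configured user and grant to the public group.
    static Policy defaultPolicy(Map<String, String> config) {
        if (isSecure(config)) {
            return new Policy(Set.of(config.get("username")), Set.of());
        }
        return new Policy(Set.of(), Set.of(PUBLIC_GROUP));
    }

    public static void main(String[] args) {
        // Constructed sample service configurations.
        Map<String, String> secure = Map.of(
            "username", "kafka", "hadoop.security.authentication", "kerberos");
        Map<String, String> nonSecure = Map.of(
            "username", "kafka", "hadoop.security.authentication", "simple");

        // A user-based policy applied to a non-secure service, for comparison.
        Policy userBased = new Policy(Set.of("kafka"), Set.of());

        // Non-secure inter-broker traffic arrives as ANONYMOUS.
        System.out.println("user-based policy, ANONYMOUS: " + userBased.matches("ANONYMOUS", EVERYONE));
        System.out.println("non-secure default, ANONYMOUS: " + defaultPolicy(nonSecure).matches("ANONYMOUS", EVERYONE));
        System.out.println("secure default, kafka: " + defaultPolicy(secure).matches("kafka", EVERYONE));
        System.out.println("secure default, ANONYMOUS: " + defaultPolicy(secure).matches("ANONYMOUS", EVERYONE));
    }
}
```

On a non-secure service the public-group default matches every caller, since all of them present as ANONYMOUS.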