-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110564
-----------------------------------------------------------

agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 122)
<https://reviews.apache.org/r/41409/#comment170502>

The original intention was to avoid adding more fields, but deduce whether to use Kerberos based on if the username has "@" in it. If it has, then use Kerberos.

- Don Bosco Durai

On Dec. 15, 2015, 9:11 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41409/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2015, 9:11 p.m.)
>
>
> Review request for ranger, Don Bosco Durai and Madhan Neethiraj.
>
>
> Bugs: RANGER-783
>     https://issues.apache.org/jira/browse/RANGER-783
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Since user name received by the kafka authorizer in non-secure mode is the
> string ANONYMOUS even for inter-broker traffic, default policy should refer
> to public user group instead of referring to username (usually "kafka")
> provided in the service configuration. Detection of if the service is secure
> is done by requiring user to specify the same during kafka service creation
> via the additional mandatory parameter `hadoop.security.authentication`.
>
> Once approved I'll also port this change to 0.5.
>
>
> Diffs
> -----
>
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json 839d780
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 54e61f1
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java db958a5
>
> Diff: https://reviews.apache.org/r/41409/diff/
>
>
> Testing
> -------
>
> Did the following tests via both the admin ui and REST service APIs.
>
> 1. Create a secure kafka service. Validate that default policy created
> refers to the username specified in the service configuration.
> 2. Create a non-secure kafka service. Validate that default policy created
> ignores the username specified in the service configuration and instead
> refers to public user group.
>
>
> File Attachments
> ----------------
>
> 783.0.patch
>   https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch
>
>
> Thanks,
>
> Alok Lal
>
>
