-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110574
-----------------------------------------------------------


agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 120)
<https://reviews.apache.org/r/41409/#comment170518>

    Consider replacing 'hadoop.security.authentication' with "kafka.security.authentication".


agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 140)
<https://reviews.apache.org/r/41409/#comment170519>

    AFAIK, there is no "simple" auth in Kafka. Consider replacing it with "None".


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1062)
<https://reviews.apache.org/r/41409/#comment170523>

    Instead of having getVxUserAndVxGroup() return Map<String, Object>, consider splitting into 2 methods:

    String userName = getDefaultPolicyUser(service, validConfig);
    String groupName = getDefaultPolicyGroup(service, validConfig);


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1203)
<https://reviews.apache.org/r/41409/#comment170521>

    "User" ==> "Group"
    "username" ==> "groupName"


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2020)
<https://reviews.apache.org/r/41409/#comment170522>

    Looks like VXUser & VXGroup are not needed in this method; consider replacing them with String type parameters: userName, groupName.


security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2034)
<https://reviews.apache.org/r/41409/#comment170520>

    For easier reading, consider rewriting this:

    if(vXUser != null || vXGroup != null) {


- Madhan Neethiraj


On Dec. 15, 2015, 9:11 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41409/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2015, 9:11 p.m.)
>
>
> Review request for ranger, Don Bosco Durai and Madhan Neethiraj.
>
>
> Bugs: RANGER-783
>     https://issues.apache.org/jira/browse/RANGER-783
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Since user name received by the kafka authorizer in non-secure mode is the
> string ANONYMOUS even for inter-broker traffic, default policy should refer
> to public user group instead of referring to username (usually "kafka")
> provided in the service configuration. Detection of if the service is secure
> is done by requiring user to specify the same during kafka service creation
> via the additional mandatory parameter `hadoop.security.authentication`.
>
> Once approved I'll also port this change to 0.5.
>
>
> Diffs
> -----
>
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json 839d780
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 54e61f1
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java db958a5
>
> Diff: https://reviews.apache.org/r/41409/diff/
>
>
> Testing
> -------
>
> Did the following tests via both the admin ui and REST service APIs.
>
> 1. Create a secure kafka service. Validate that default policy created
>    refers to the username specified in the service configuration.
> 2. Create a non-secure kafka service. Validate that default policy created
>    ignores the username specified in the service configuration and instead
>    refers to public user group.
>
>
> File Attachments
> ----------------
>
> 783.0.patch
>   https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch
>
>
> Thanks,
>
> Alok Lal
>
>
