> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json, line 120
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165156#file1165156line120>
> >
> > Consider replacing 'hadoop.security.authentication' with "kafka.security.authentication".

I used this because hdfs, hbase and yarn defs refer to this property with the same name. Should we reuse the name?


> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json, line 140
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165156#file1165156line140>
> >
> > AFAIK, there is no "simple" auth in Kafka. Consider replacing it with "None".

Yes, kafka does not have simple auth -- and simple and no-auth are really different as we know from experience. hdfs, hbase and yarn all define this enum with simple/kerberos enum values. Should we reuse the enum def?


> On Dec. 15, 2015, 3:02 p.m., Madhan Neethiraj wrote:
> > security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java, line 2033
> > <https://reviews.apache.org/r/41409/diff/1/?file=1165157#file1165157line2033>
> >
> > Looks like VXUser & VXGroup are not needed in this method; consider replacing them with String type parameters: userName, groupName.

user and group get used in policy item during policy creation.


- Alok


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110574
-----------------------------------------------------------


On Dec. 15, 2015, 1:11 p.m., Alok Lal wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41409/
> -----------------------------------------------------------
>
> (Updated Dec. 15, 2015, 1:11 p.m.)
>
>
> Review request for ranger, Don Bosco Durai and Madhan Neethiraj.
>
>
> Bugs: RANGER-783
>     https://issues.apache.org/jira/browse/RANGER-783
>
>
> Repository: ranger
>
>
> Description
> -------
>
> Since user name received by the kafka authorizer in non-secure mode is the string ANONYMOUS even for inter-broker traffic, default policy should refer to public user group instead of referring to username (usually "kafka") provided in the service configuration. Detection of if the service is secure is done by requiring user to specify the same during kafka service creation via the additional mandatory parameter `hadoop.security.authentication`.
>
> Once approved I'll also port this change to 0.5.
>
>
> Diffs
> -----
>
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json 839d780
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 54e61f1
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java db958a5
>
> Diff: https://reviews.apache.org/r/41409/diff/
>
>
> Testing
> -------
>
> Did the following tests via both the admin ui and REST service APIs.
>
> 1. Create a secure kafka service. Validate that default policy created refers to the username specified in the service configuration.
> 2. Create a non-secure kafka service. Validate that default policy created ignores the username specified in the service configuration and instead refers to public user group.
>
>
> File Attachments
> ----------------
>
> 783.0.patch
>   https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch
>
>
> Thanks,
>
> Alok Lal
>
