[ 
https://issues.apache.org/jira/browse/RANGER-783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15059229#comment-15059229
 ] 

Alok Lal commented on RANGER-783:
---------------------------------

Stopping work on this JIRA till RANGER-785 because current username value in 
service configuration is meant for lookup, whereas what is needed for 
creating default policy is the service user, which is distinct from lookup user, 
especially in case of Kafka where lookup is done against zookeeper.

> Default policy created during service creation for a Kafka service should 
> better support non-secure kafka cluster
> -----------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-783
>                 URL: https://issues.apache.org/jira/browse/RANGER-783
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.5.0
>            Reporter: Alok Lal
>            Assignee: Alok Lal
>             Fix For: 0.5.1, 0.6.0
>
>
> Whenever a new Kafka service is added a default policy is also added granting 
> the Kafka service user all privileges on all topics.  This is done to ensure 
> that inter-broker communication (which is also seen and authorized by the 
> authorizer) can work properly.  This approach works well for secure kafka 
> clusters authorized by Ranger.
> Kafka authorization, however, is now supported for both secure and non-secure 
> deployments!  Since user name received by the kafka authorizer in non-secure 
> mode is the string {{ANONYMOUS}} even for inter-broker traffic, default 
> policy should refer to {{public}} user group instead of referring to username 
> (usually "kafka") provided in the service configuration.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
