[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

[ https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707430#comment-17707430 ]

Ramesh Mani commented on RANGER-4165:
-------------------------------------

[~mad...@apache.org] Thanks for the clarification and suggestion. I shall check on this.

> API to find whether a user/group is authorized to the given operation on any resource of given type
> ----------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-4165
>                 URL: https://issues.apache.org/jira/browse/RANGER-4165
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>   Affects Versions: 3.0.0
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Major
>
> API to find whether a user/group is authorized to the given operation on any resource of given type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the caller is authorized to perform the given ACL operation on at least one resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

[ https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707414#comment-17707414 ]

Madhan Neethiraj commented on RANGER-4165:
------------------------------------------

{quote}This is needed to implement a Ranger Kafka authorizer API which checks if the caller is authorized to perform the given ACL operation on at least one resource of the given type.
{quote}

[~rmani] - as you called out, there is no way to ask the policy-engine to find if a given user has specific access on _any_ resource of a given type. For example, find if user1 has WRITE access on _any_ TOPIC. This will require special provision to represent *_any_* TOPIC.

One option to consider is to use a value like '**' to represent _*any*_ resource, similar to {{RangerAbstractResourceMatcher.WILDCARD_ASTERISK}}. And have resource matcher implementations updated to handle this special case.
[jira] [Commented] (RANGER-4165) API to find whether a user/group is authorized to the given operation on any resource of given type

[ https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17707395#comment-17707395 ]

Ramesh Mani commented on RANGER-4165:
-------------------------------------

[~mad...@apache.org] [~abhayk] Currently the policyEngine APIs don't have a way to figure out this request. All we can do is run through all the policies, find all the resources of the given type, and run the authorizer for each of those resources found for the call. This may not be the efficient way to get the result. Is there a better way to find this, like having a cache for resources in the policies and running through the policy engine?
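
The two options raised in this thread, as an added example that is not Ranger code and not part of the original messages: enumerating the resource values found in the policies and authorizing each one, versus a reserved '**' value that the engine evaluates as "any resource". It assumes a toy model (Java 16+; every class and method name is hypothetical) with per-user policies, exact or trailing-`*` prefix patterns, and deny taking precedence over allow.

```java
import java.util.List;
import java.util.Set;
// Toy model for illustration; none of these types are Ranger classes.
public class AnyResourceCheck {
    static final String ANY = "**"; // reserved value meaning "any resource of this type"

    record Policy(String type, String pattern, String user, Set<String> ops, boolean deny) {
        boolean appliesTo(String u, String op, String t) {
            return user.equals(u) && ops.contains(op) && type.equals(t);
        }
    }
    // A pattern is either an exact name or a prefix ending in '*'.
    static boolean matches(String pattern, String name) {
        return pattern.endsWith("*")
                ? name.startsWith(pattern.substring(0, pattern.length() - 1)) : pattern.equals(name);
    }
    // Check for one named resource: a matching deny wins over any matching allow.
    static boolean isAllowed(List<Policy> ps, String user, String op, String type, String name) {
        if (ANY.equals(name)) return anyResource(ps, user, op, type); // special case
        boolean allowed = false;
        for (Policy p : ps) {
            if (!p.appliesTo(user, op, type) || !matches(p.pattern(), name)) continue;
            if (p.deny()) return false;
            allowed = true;
        }
        return allowed;
    }
    // Option 1: authorize every resource value of the type that appears in any policy.
    static boolean anyByEnumeration(List<Policy> ps, String user, String op, String type) {
        return ps.stream().filter(p -> p.type().equals(type))
                 .anyMatch(p -> isAllowed(ps, user, op, type, p.pattern()));
    }
    // Option 2: evaluation for the ANY value. An allow policy counts unless a deny
    // policy for the same user and operation covers the allow's whole pattern.
    static boolean anyResource(List<Policy> ps, String user, String op, String type) {
        return ps.stream().filter(a -> !a.deny() && a.appliesTo(user, op, type))
                 .anyMatch(a -> ps.stream().noneMatch(d -> d.deny()
                         && d.appliesTo(user, op, type) && matches(d.pattern(), a.pattern())));
    }
    public static void main(String[] args) {
        List<Policy> ps = List.of( // constructed sample policies
            new Policy("TOPIC", "orders-*", "user1", Set.of("WRITE"), false),
            new Policy("TOPIC", "orders-audit", "user1", Set.of("WRITE"), true),
            new Policy("TOPIC", "*", "user2", Set.of("WRITE"), true),
            new Policy("TOPIC", "logs", "user2", Set.of("WRITE"), false));
        for (String u : List.of("user1", "user2"))
            System.out.println(u + " enumeration=" + anyByEnumeration(ps, u, "WRITE", "TOPIC")
                    + " any=" + isAllowed(ps, u, "WRITE", "TOPIC", ANY));
    }
}
```

Applying the ordinary matcher to '**' would let a deny on a single topic match the "any" request, which is why the reserved value needs its own deny handling in this model.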