-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/74470/
-----------------------------------------------------------

Review request for ranger, Abhay Kulkarni and Madhan Neethiraj.


Bugs: RANGER-3939
    https://issues.apache.org/jira/browse/RANGER-3939


Repository: ranger


Description
-------

RANGER-3939: Implement acls, createAcls and deleteAcls in Kafka Authorizer


Diffs
-----

  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuditHandler.java
 57a888e9a 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java
 96a36abe9 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaCheckAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaGrantAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaListAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaRevokeAccess.java
 PRE-CREATION 
  
plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/utils/RangerKafkaUtils.java
 PRE-CREATION 


Diff: https://reviews.apache.org/r/74470/diff/1/


Testing
-------

TESTING


CREATE /kafkatest/kafka-client.conf

security.protocol=SASL_SSL
ssl.truststore.location=truststore.jks
sasl.kerberos.service.name=kafka
sasl.jaas.config=com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="kafka.keytab" principal="<kafka-principal>";


List acl:

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --list --topic connect-configs

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --list --cluster test_cluster1

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --list --cluster


Create acl:


kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --add --allow-principal User:testuser1 --operation read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --add --allow-principal Group:mysql --operation read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --add --allow-principal Group:mysql --allow-principal User:testuser1 --operation read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --add --allow-principal User:testuser1 --operation read --topic finance-topic --resource-pattern-type prefixed

Revoke acl:

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --remove --allow-principal Group:mysql --operation read --topic finance-topic

kafka-acls --bootstrap-server ssl-cluster:9093 --command-config /kafkatest/kafka-client.conf --remove --allow-principal User:testuser1 --operation read --topic finance-topic


Not supported in this first cut:
--allow-host and --deny-host
Host name in the API call
This is not supported, as this requires the grant/revoke Ranger API to support the creation of a policy condition for the policy that is getting created.
--deny-principal
Grant except and Revoke except
This needs the Grant and Revoke API to support “exception” policy creation.


Thanks,

Ramesh Mani
