Hello. Thank you for your answer.
About this part:
- 'Kafka Admin' implies all other access types.

Q1 - Do we agree that this permission in the Kafka plugin is useless as long as we don't have access to ZooKeeper, because you cannot create a Kafka topic?

To answer your question about the specific use case: I'm just trying to elaborate a security model to apply on my cluster. So I'm gathering more information about the Kafka plugin, as we will use Kafka secured by Ranger.

Best regards.
Lune.

On Fri, Feb 19, 2016 at 9:14 PM, Alok Lal <a...@hortonworks.com> wrote:

> The issue of topic creation is discussed under the Kafka plugin FAQ
> <https://cwiki.apache.org/confluence/display/RANGER/Kafka+Plugin#KafkaPlugin-CanIauthorizertopiccreationviaRanger?>.
>
> As to your 1st question.
>
> Firstly the Ranger Access types themselves form a hierarchy of sorts as
> follows:
> - Publish, Consume and Configure access types imply Describe. For example,
>   if you give someone ability to Publish then you don't need to also give
>   describe as it is implied.
> - 'Kafka Admin' implies all other access types.
> - Refer to this part of source for details:
>   https://github.com/apache/incubator-ranger/blob/master/agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json#L30-L87
>
> As to the mapping of kafka access types to Ranger access types:
> - Kafka access types Delete, Create, Describe, Read and Write map to
>   corresponding Ranger access types
> - Kafka access type Alter maps to Ranger Configure
> - Kafka access type ClusterAction maps to Ranger 'Kafka Admin'
> - Refer to this part of code for details:
>   <https://github.com/apache/incubator-ranger/blob/master/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java#L300-L317>
>
> @Lune Above information is "good to know" but may not be helpful to solve
> a specific problem. Is there a specific problem you are trying to solve?
> If you tell us about the specific use case then we could provide a relevant
> answer.
>
> From: Lune Silver <lunescar.ran...@gmail.com>
> Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Date: Thursday, February 18, 2016 at 10:40 PM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Re: Ranger - Kafka - Permission Admin
>
> About the first question, I wanted to know to which permissions in Kafka
> the permissions listed in the Ranger Kafka plugin correspond.
>
> Best regards.
> Lune.
>
> On 19 Feb 2016 02:20, "Arvind S" <arvind18...@gmail.com> wrote:
>
> not sure about your 1st question..
> but know for sure that "create topics" is not controlled/governed by any
> ranger permission. It has to be done by a superuser.
>
> Cheers !!
> Arvind
>
> On Thu, Feb 18, 2016 at 8:48 PM, Lune Silver
> <lunescar.ran...@gmail.com> wrote:
>
> Hello!
>
> I have a question related to the permissions for Kafka with Ranger.
>
> In the following link:
> https://cwiki.apache.org/confluence/display/RANGER/Apache+Ranger+0.5+-+User+Guide#ApacheRanger0.5-UserGuide-KAFKA.1
>
> We can see a table listing the permissions.
>
> I have two questions:
>
> 1. Is it possible to have a mapping between the Ranger permissions and the
> Kafka permissions?
>
> 2. There is no description for the Kafka admin permission. What does it mean?
> Does it give the same permissions as those of the Kafka superuser
> (create topics etc...)?
>
> Thank you in advance for your answers!
>
> Best regards.
>
> Lune.
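
The access-type hierarchy and the Kafka-to-Ranger mapping listed in the quoted reply, written out as an added example (not part of the thread and not Ranger's own code). It resolves implied grants and flags redundant ones when drafting a policy; the access-type labels follow the thread, and Read→Consume and Write→Publish are an assumed reading of "corresponding Ranger access types".

```python
# Added example, not Ranger code. Labels are the ones used in the thread.

# Ranger access type -> access types it implies (per the quoted reply).
IMPLIED = {
    "Publish": {"Describe"},
    "Consume": {"Describe"},
    "Configure": {"Describe"},
    "Kafka Admin": {"Publish", "Consume", "Configure",
                    "Describe", "Create", "Delete"},
}

# Kafka access type -> Ranger access type that authorizes it.
KAFKA_TO_RANGER = {
    "Read": "Consume",    # assumption: "corresponding" type
    "Write": "Publish",   # assumption: "corresponding" type
    "Create": "Create",
    "Delete": "Delete",
    "Describe": "Describe",
    "Alter": "Configure",
    "ClusterAction": "Kafka Admin",
}

def effective_access(granted):
    """Expand granted Ranger access types with everything they imply."""
    result, pending = set(), list(granted)
    while pending:
        access = pending.pop()
        if access not in result:
            result.add(access)
            pending.extend(IMPLIED.get(access, ()))
    return result

def is_allowed(granted, kafka_operation):
    """True if the grants cover the Kafka operation; unknown operations are denied."""
    needed = KAFKA_TO_RANGER.get(kafka_operation)
    return needed is not None and needed in effective_access(granted)

def allowed_operations(granted):
    """Sorted list of Kafka operations the grants authorize."""
    return sorted(op for op in KAFKA_TO_RANGER if is_allowed(granted, op))

def redundant_grants(granted):
    """Grants already implied by another grant in the same policy item."""
    return {a for a in granted
            if any(a in effective_access({b}) for b in granted if b != a)}

if __name__ == "__main__":
    # Constructed policy items for illustration.
    for user, grants in {"producer": {"Publish", "Describe"},
                         "ops": {"Kafka Admin"}}.items():
        print(user, allowed_operations(grants), redundant_grants(grants))
```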