Ambari has a concept of service check, wherein it tries to perform some operation on the component, to check if the service is up or not. For Kafka, it does this by creating a topic named "ambari_kafka_service_check" (afaik, but please check with Ambari) and the user "ambari-qa" is used for this operation.
Now, if the Ranger Kafka plugin is enabled AND this user is not given enough permission in the Ranger policy, the service check from Ambari will fail. Apart from this, I am not aware of any other use case for this policy.

On Mon, Jun 20, 2016 at 1:40 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:

> Hello!
>
> I'm using an HDP 2.3.4.7 with ambari 2.2.1.
>
> I send you this mail because I would like to know what are the permissions
> necessary for the user ambari-qa on kafka when Ranger is enabled?
>
> By default, ambari creates a policy in which this user has all the rights
> on everything (resource=* and rights = everything, even delegate admin).
>
> I would like to know if you know why ambari-qa needs all these rights?
>
> On which topics ambari-qa really needs to have rights? Do you know which
> rights, everything or only describe or only consume?
>
> Thank you in advance for your help!
>
> BR.
>
> Lune.
>

--
Regards,
Gautam.