Ideally, we should only grant minimal permission to ambari-qa for the service 
check. E.g., we should create a topic just for the service check and give permission 
to ambari-qa only on that topic. We should do the same for all the services.

Lune, one workaround for you now is to see which topics or calls Ambari makes and 
give permissions for only that topic (or wildcard) if needed.

Please share your experience. We can influence the Ambari implementation 
accordingly.

Thanks

Bosco


From:  Lune Silver <lunescar.ran...@gmail.com>
Reply-To:  <user@ranger.incubator.apache.org>
Date:  Monday, June 20, 2016 at 7:38 AM
To:  <user@ranger.incubator.apache.org>
Subject:  Re: Ranger - Kafka Plugin - User ambari-qa

Ty ty Gautam for your help.

On Mon, Jun 20, 2016 at 2:12 PM, Gautam Borad <gbo...@gmail.com> wrote:
Lune, yes, seems like it's written by the Ambari team. Reference: 
https://github.com/apache/ambari/blame/trunk/ambari-server/src/main/resources/common-services/KAFKA/0.8.1/package/scripts/service_check.py

On Mon, Jun 20, 2016 at 4:47 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:
Re Gautam.

Thank you for your answer.
Do you know if the Ambari mailing list will have more details about this service 
check? Was it they who wrote the service check or the Ranger ppl?

BR.

Lune.


On Mon, Jun 20, 2016 at 11:40 AM, Gautam Borad <gbo...@gmail.com> wrote:
Ambari has a concept of service check, wherein it tries to perform some 
operation on the component, to check if the service is up or not.
For Kafka, it does this by creating a topic named "ambari_kafka_service_check" 
(afaik, but please check with Ambari) and the user "ambari-qa" is used for this 
operation. 

Now, if the Ranger Kafka plugin is enabled AND this user is not given enough 
permission in the Ranger policy, the service check from Ambari will fail.

Apart from this I am not aware of any other use case for this policy. 

On Mon, Jun 20, 2016 at 1:40 PM, Lune Silver <lunescar.ran...@gmail.com> wrote:
Hello !

I'm using HDP 2.3.4.7 with Ambari 2.2.1.

I'm sending you this mail because I would like to know what permissions are 
necessary for the user ambari-qa on Kafka when Ranger is enabled.

By default, Ambari creates a policy in which this user has all the rights on 
everything (resource=* and rights = everything, even delegate admin).

I would like to know if you know why ambari-qa needs all these rights?

On which topics does ambari-qa really need to have rights? Do you know which 
rights, everything or only describe or only consume?

Thank you in advance for your help !

BR.

Lune.



-- 
Regards,
Gautam.
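
To find the broad default grant discussed in this thread (resource=*, all rights, delegate admin), the following added example, which is not part of the original thread or of Ambari/Ranger code, audits a Ranger policy export for what a given user is granted. The field names follow the Ranger policy JSON format; the sample policies, the `kafka` user and the access types in the narrow policy are constructed assumptions, since the thread does not state which rights the service check needs.

```python
import json

# Constructed sample in the shape of a Ranger policy export (JSON).
# Policy names, users and access types here are illustrative assumptions.
SAMPLE_POLICIES = json.loads("""
[
  {"name": "all - topic", "isEnabled": true,
   "resources": {"topic": {"values": ["*"]}},
   "policyItems": [{"users": ["ambari-qa", "kafka"], "groups": [],
                    "delegateAdmin": true,
                    "accesses": [{"type": "publish", "isAllowed": true},
                                 {"type": "consume", "isAllowed": true},
                                 {"type": "kafka_admin", "isAllowed": true}]}]},
  {"name": "service-check-topic", "isEnabled": true,
   "resources": {"topic": {"values": ["ambari_kafka_service_check"]}},
   "policyItems": [{"users": ["ambari-qa"], "groups": [],
                    "delegateAdmin": false,
                    "accesses": [{"type": "publish", "isAllowed": true},
                                 {"type": "consume", "isAllowed": true}]}]}
]
""")

def audit_user(policies, user, allowed_topics):
    """Return findings for enabled policies that grant `user` access outside
    `allowed_topics` or that give the user delegate-admin rights.
    Grants made through groups are not resolved here."""
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue
        topics = policy.get("resources", {}).get("topic", {}).get("values", [])
        for item in policy.get("policyItems", []):
            if user not in item.get("users", []):
                continue
            granted = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed"))
            # Any pattern not explicitly expected (including "*") is reported.
            extra = [t for t in topics if t not in allowed_topics]
            if extra:
                findings.append((policy["name"], "topic scope", extra, granted))
            if item.get("delegateAdmin"):
                findings.append((policy["name"], "delegateAdmin", topics, granted))
    return findings

if __name__ == "__main__":
    for f in audit_user(SAMPLE_POLICIES, "ambari-qa", {"ambari_kafka_service_check"}):
        print(f)
```
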



