ranger-dev mailing list archives

From "Madhan Neethiraj" <mad...@apache.org>
Subject Re: Review Request 41409: Default policy created during creation of a non-secure Kafka service should point to public group instead of the username specified in the configuration.
Date Tue, 15 Dec 2015 23:02:56 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/41409/#review110574
-----------------------------------------------------------



agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 120)
<https://reviews.apache.org/r/41409/#comment170518>

    Consider replacing 'hadoop.security.authentication' with "kafka.security.authentication".



agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json (line 140)
<https://reviews.apache.org/r/41409/#comment170519>

    AFAIK, there is no "simple" auth in Kafka. Consider replacing it with "None".



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1062)
<https://reviews.apache.org/r/41409/#comment170523>

    Instead of having getVxUserAndVxGroup() return Map<String, Object>, consider splitting into 2 methods:
    
    String userName  = getDefaultPolicyUser(service, validConfig);
    String groupName = getDefaultPolicyGroup(service, validConfig);



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 1203)
<https://reviews.apache.org/r/41409/#comment170521>

    "User" ==> "Group"
    "username" ==> "groupName"



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2020)
<https://reviews.apache.org/r/41409/#comment170522>

    Looks like VXUser & VXGroup are not needed in this method; consider replacing them with String type parameters: userName, groupName.



security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java (line 2034)
<https://reviews.apache.org/r/41409/#comment170520>

    For easier reading, consider rewriting this:
    if(vXUser != null || vXGroup != null) {


- Madhan Neethiraj


On Dec. 15, 2015, 9:11 p.m., Alok Lal wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/41409/
> -----------------------------------------------------------
> 
> (Updated Dec. 15, 2015, 9:11 p.m.)
> 
> 
> Review request for ranger, Don Bosco Durai and Madhan Neethiraj.
> 
> 
> Bugs: RANGER-783
>     https://issues.apache.org/jira/browse/RANGER-783
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> Since user name received by the kafka authorizer in non-secure mode is the string ANONYMOUS even for inter-broker traffic, default policy should refer to public user group instead of referring to username (usually "kafka") provided in the service configuration.  Detection of if the service is secure is done by requiring user to specify the same during kafka service creation via the additional mandatory parameter `hadoop.security.authentication`.
> 
> Once approved I'll also port this change to 0.5.
> 
> 
> Diffs
> -----
> 
>   agents-common/src/main/resources/service-defs/ranger-servicedef-kafka.json 839d780
>   security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java 54e61f1
>   security-admin/src/test/java/org/apache/ranger/biz/TestServiceDBStore.java db958a5
> 
> Diff: https://reviews.apache.org/r/41409/diff/
> 
> 
> Testing
> -------
> 
> Did the following tests via both the admin ui and REST service APIs.
> 
> 1. Create a secure kafka service.  Validate that default policy created refers to the username specified in the service configuration.
> 2. Create a non-secure kafka service.  Validate that default policy created ignores the username specified in the service configuration and instead refers to public user group.
> 
> 
> File Attachments
> ----------------
> 
> 783.0.patch
>   https://reviews.apache.org/media/uploaded/files/2015/12/15/e80983c3-7e5f-4cca-8704-1dc53219c633__783.0.patch
> 
> 
> Thanks,
> 
> Alok Lal
> 
>
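
The reasoning in the review request's description, as an added example that is not part of the original thread and is not Ranger's own code: a simplified model of why a user-based default policy never matches in non-secure mode while a `public`-group policy does. The `PolicyItem` record, the `boolean secure` flag, and the simplified signatures of `getDefaultPolicyUser` / `getDefaultPolicyGroup` (names borrowed from the reviewer's suggestion) are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.Set;

// Simplified model for illustration; not Ranger's policy engine or ServiceDBStore.
public class DefaultPolicyDemo {
    // Ranger's built-in group that every user implicitly belongs to.
    static final String PUBLIC_GROUP = "public";

    // Hypothetical stand-in for the users/groups of a default policy item.
    record PolicyItem(Set<String> users, Set<String> groups) {
        boolean matches(String user, Set<String> userGroups) {
            if (users.contains(user)) return true;
            if (groups.contains(PUBLIC_GROUP)) return true; // public matches any caller
            return !Collections.disjoint(groups, userGroups);
        }
    }

    // Hypothetical simplified signatures; the review suggests (service, validConfig).
    static String getDefaultPolicyUser(boolean secure, String configuredUser) {
        return secure ? configuredUser : null;
    }

    static String getDefaultPolicyGroup(boolean secure) {
        return secure ? null : PUBLIC_GROUP;
    }

    static PolicyItem defaultPolicy(boolean secure, String configuredUser) {
        String user = getDefaultPolicyUser(secure, configuredUser);
        String group = getDefaultPolicyGroup(secure);
        return new PolicyItem(user == null ? Set.of() : Set.of(user),
                              group == null ? Set.of() : Set.of(group));
    }

    public static void main(String[] args) {
        // In non-secure mode the authorizer sees every caller, brokers included, as ANONYMOUS.
        String principal = "ANONYMOUS";
        Set<String> noGroups = Set.of();

        PolicyItem userBased = new PolicyItem(Set.of("kafka"), Set.of()); // default before the change
        PolicyItem nonSecure = defaultPolicy(false, "kafka");             // default after the change
        PolicyItem secure = defaultPolicy(true, "kafka");

        System.out.println("user-based default, ANONYMOUS allowed: " + userBased.matches(principal, noGroups));
        System.out.println("public-group default, ANONYMOUS allowed: " + nonSecure.matches(principal, noGroups));
        System.out.println("secure default, kafka allowed: " + secure.matches("kafka", noGroups));
        System.out.println("secure default, ANONYMOUS allowed: " + secure.matches(principal, noGroups));
    }
}
```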

