-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/71798/#review218751
-----------------------------------------------------------

plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java
Line 105 (original)
<https://reviews.apache.org/r/71798/#comment306624>

    I feel that when Kerberos is enabled we should delete the existing policy and add what is needed. Did you check in a non-Kerberos cluster without this public policy whether the default policies which are created are good enough to bring up Kafka and execute all operations?


- Ramesh Mani


On Nov. 21, 2019, 11:04 a.m., Dhaval Shah wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/71798/
> -----------------------------------------------------------
>
> (Updated Nov. 21, 2019, 11:04 a.m.)
>
>
> Review request for ranger, Ankita Sinha, bhavik patel, Gautam Borad, Abhay Kulkarni, Mehul Parikh, Nikhil P, Pradeep Agrawal, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-2650
>     https://issues.apache.org/jira/browse/RANGER-2650
>
>
> Repository: ranger
>
>
> Description
> -------
>
> If the authentication type is simple, we do add the public group to the default policy item. Any user setting up Ranger in simple mode and after that enabling Kerberos on that cluster will have this extra policy providing the public group all permissions on Kafka.
>
> We shouldn't be adding the public group to default policies either in simple mode or in Kerberos.
>
>
> Diffs
> -----
>
>   plugin-kafka/src/main/java/org/apache/ranger/services/kafka/RangerServiceKafka.java cf5da97
>
>
> Diff: https://reviews.apache.org/r/71798/diff/2/
>
>
> Testing
> -------
>
> Public group is not added to default policies in simple mode.
>
>
> Thanks,
>
> Dhaval Shah
>
>