[
https://issues.apache.org/jira/browse/RANGER-4165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707414#comment-17707414
]
Madhan Neethiraj commented on RANGER-4165:
------------------------------------------
{quote}This is needed to implement a Ranger Kafka authorizer API which checks
if the caller is authorized to perform the given ACL operation on at least one
resource of the given type.
{quote}
[~rmani] - as you called out, there is no way to ask the policy-engine to find
if a given user has specific access on _any_ resource of a given type. For
example, find if user1 has WRITE access on _any_ TOPIC. This will require
special provision to represent *_any_* TOPIC.
One option to consider is to use a value like '**' to represent _*any*_
resource, similar to {{{}RangerAbstractResourceMatcher.WILDCARD_ASTERISK{}}}.
And have resource matcher implementations updated to handle this special case.
> API to find whether a user/group is authorized to the give operation on any
> resource of give type
> -------------------------------------------------------------------------------------------------
>
> Key: RANGER-4165
> URL: https://issues.apache.org/jira/browse/RANGER-4165
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 3.0.0
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
>
> API to find whether a user/group is authorized to the give operation on any
> resource of give type.
> This is needed to implement a Ranger Kafka authorizer API which checks if the
> caller is authorized to perform the given ACL operation on at least one
> resource of the given type.
> https://kafka.apache.org/28/javadoc/org/apache/kafka/server/authorizer/Authorizer.html#authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext,org.apache.kafka.common.acl.AclOperation,org.apache.kafka.common.resource.ResourceType)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
