Daniel Fonai created RANGER-5069:
------------------------------------
Summary: Kafka plugin should add super users from Kafka
super.users config
Key: RANGER-5069
URL: https://issues.apache.org/jira/browse/RANGER-5069
Project: Ranger
Issue Type: Improvement
Components: plugins
Reporter: Daniel Fonai
[Kafka authorization|https://kafka.apache.org/documentation/#security_authz]
allows users to define super users via the super.users config property. If the
configured authorizer class also supports, these users will have access rights
by default.
Ranger plugin also has the notion of super users
([code|https://github.com/apache/ranger/blob/d8157a69e4363ce87b55808d90a2f0c6d44d1f5c/agents-common/src/main/java/org/apache/ranger/plugin/service/RangerBasePlugin.java#L105
]) which is configurable in the Ranger plugin config.
The Ranger Kafka plugin can be enhanced by adding the capability to read
super.users from Kafka config and add these users to Ranger plugin super users.
An example where this would be useful is to integrate a Strimzi managed Kafka
cluster with Ranger. [Strimzi|https://strimzi.io/] is a CNCF project to run
Kafka on Kubernetes which builds on the super.users config to provide admin
users access to the Kafka cluster.
In addition, Ranger plugin currently splits up super users by the ',' (comma)
character
([code|https://github.com/apache/ranger/blob/d8157a69e4363ce87b55808d90a2f0c6d44d1f5c/agents-common/src/main/java/org/apache/ranger/authorization/utils/StringUtil.java#L311]),
however, it is accepted in Kafka user names (as stated by the Kafka
[authorization
documentation|https://kafka.apache.org/documentation/#security_authz]). This
improvement could also be used as a workaround to add super users containing
comma to the Ranger Kafka plugin.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
