Description
Currently, cluster resource permissions are exposed in Ranger with Topic resource as *. This is not the right convention as cluster resource is not a super set including topic resources.
Cluster resource permissions:
Alter
AlterConfigs
ClusterAction
Create
Describe
DescribeConfigs
IdempotentWrite
Topic resource operations:
Alter
AlterConfigs
Create
Delete
Describe
DescribeConfigs
Read
Write
Users should be able to define policies with cluster resource and topic resource with respective permissions. Names of some of the permissions are same in topic and cluster but they are meant for the different purpose.
Example: AlterConfigs on the topic resource is about altering configs of a topic only but AlterConfigs permission on Custer resource is meant for altering configs on the broker.
Upgrading cluster should upgrade existing policies in to topic and cluster resource level policies with respective permissions. I believe that the default policy that is getting created would address this.
Attachments
Attachments
Issue Links
- blocks
-
RANGER-2221 Apache Ranger Kafka authorizer should support new resource "DelegationToken" in Apache Kafka 2.0.0 version
-
- Resolved
-
- links to
