Description
Updates in RANGER-785 added APIs for Ranger plugin implementations to specify list of users/groups for whom all access should be allowed without requiring explicit policies. This is useful for services like HBase, Kafka which have the notion of super users/groups. In addition, updates inĀ RANGER-2780 added APIs to specify list of users/groups/roles for whom audit logs are to be skipped.
The plugin implementation need to explicitly call these APIs to specify list of super users/groups, and audit-exclude users/groups/roles. Enhancing RangerBasePlugin to read such users/groups/roles list from plugin configuration will help avoid each implementation to call these APIs.
For example, with the following configurations in ranger-kafka-security.xml, Kafka plugin should allow all accesses to user kafka, and not generate audit logs for accesses from user kafka:
ranger.plugin.kafka.super.users=kafka ranger.plugin.kafka.audit.exclude.users=kafka