[RANGER-2829] support to specify super-users/groups and audit-exclude-users/groups via plugin config - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.1.0
Component/s: plugins
Labels:
None

Description

Updates in ~~RANGER-785~~ added APIs for Ranger plugin implementations to specify list of users/groups for whom all access should be allowed without requiring explicit policies. This is useful for services like HBase, Kafka which have the notion of super users/groups. In addition, updates in ~~RANGER-2780~~ added APIs to specify list of users/groups/roles for whom audit logs are to be skipped.

The plugin implementation need to explicitly call these APIs to specify list of super users/groups, and audit-exclude users/groups/roles. Enhancing RangerBasePlugin to read such users/groups/roles list from plugin configuration will help avoid each implementation to call these APIs.

For example, with the following configurations in ranger-kafka-security.xml, Kafka plugin should allow all accesses to user kafka, and not generate audit logs for accesses from user kafka:

ranger.plugin.kafka.super.users=kafka
ranger.plugin.kafka.audit.exclude.users=kafka

Attachments

Activity

People

Assignee:: Madhan Neethiraj

Reporter:: Madhan Neethiraj

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/May/20 19:14

Updated:: 18/May/20 03:36

Resolved:: 18/May/20 03:36