Ranger Kafka Policy Authorization Model
When attempting to create a topic in Kafka, there are two available permissions for the resource: cluster or topic. This topic describes the outcome of each combination of those permissions for the Kafka operation "create topic".
Overview
When configuring a Kafka policy in Ranger, there are 4 resource types available. Of those, two (cluster and topic) have the permission type "create." Where these "create" permissions interact or conflict across operations, the policy evaluation results are detailed below.
- Resource = Cluster: *
- Resource = Topic: $topic_name or *
Cluster-level Create Permission | Topic-level Create Permission | Result | Policy in Audit |
---|---|---|---|
Allow | Allow | Allowed | resource=kafka-cluster policy=Cluster lvl policy |
Allow | Deny | Allowed | resource=kafka-cluster policy=Cluster lvl policy |
Allow | -- | Allowed | resource=kafka-cluster policy=Cluster lvl policy |
-- | Allow | Allowed | resource=$topic_name policy=topic lvl policy |
-- | Allow Topic=* | Allowed | resource=$topic_name policy=topic lvl policy |
-- | Deny | Denied | resource=$topic_name policy=topic lvl policy |
-- | -- | Denied | resource=$topic_name policy=-- |
Deny | Allow | Allowed | resource=$topic_name policy=topic lvl policy |
Deny | Deny | Denied | resource=$topic_name policy=topic lvl policy |
Deny | -- | Denied | resource=$topic_name policy=-- |
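
The rows above are consistent with a two-step evaluation, and two of them matter for policy review: a topic-level Deny does not block a principal that holds a cluster-level Allow, and a cluster-level Deny does not block a topic-level Allow. The following added example (not Ranger's own code; a model fitted to the table) encodes that evaluation and flags Deny entries that have no effect. The function names, the tuple layout and the sample principals are assumptions made for illustration.

```python
# Added example: a model fitted to the table above, not Ranger's implementation.
ALLOW, DENY, NONE = "Allow", "Deny", "--"

def evaluate_create(cluster_perm, topic_perm, topic_name="$topic_name"):
    """Return (result, audited resource, audited policy) for 'create topic'."""
    # Step 1: a cluster-level Allow decides the request on its own.
    if cluster_perm == ALLOW:
        return ("Allowed", "kafka-cluster", "Cluster lvl policy")
    # Step 2: otherwise only the topic-level policy matters. A cluster-level
    # Deny does not veto a topic-level Allow.
    if topic_perm == ALLOW:
        return ("Allowed", topic_name, "topic lvl policy")
    if topic_perm == DENY:
        return ("Denied", topic_name, "topic lvl policy")
    # No topic-level policy matched: denied, with no policy named in the audit.
    return ("Denied", topic_name, "--")

def ineffective_denies(assignments):
    """Flag principals whose Deny at one level is overridden by an Allow at the other."""
    findings = []
    for principal, cluster_perm, topic_perm in assignments:
        result, _, policy = evaluate_create(cluster_perm, topic_perm)
        if result == "Allowed" and DENY in (cluster_perm, topic_perm):
            level = "topic" if topic_perm == DENY else "cluster"
            findings.append((principal, level, policy))
    return findings

# Constructed sample: (principal, cluster-level create, topic-level create).
SAMPLE = [
    ("etl_svc", ALLOW, DENY),   # topic Deny is shadowed by the cluster Allow
    ("analyst", DENY, ALLOW),   # cluster Deny is shadowed by the topic Allow
    ("guest", DENY, NONE),
    ("app_team", NONE, ALLOW),
]

if __name__ == "__main__":
    for principal, level, policy in ineffective_denies(SAMPLE):
        print(f"{principal}: {level}-level Deny has no effect; "
              f"request is allowed by '{policy}'")
```

Run against an export of your own create permissions, each finding is a Deny that an administrator probably expects to be enforced but that the table shows is not.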