Security Reference

Ranger Kafka Policy Authorization Model

When a topic is created in Kafka, the "create" permission can be granted on two resources: cluster or topic. This section describes the outcome of each combination of those permissions for the Kafka operation "create topic".

Overview

When configuring a Kafka policy in Ranger, there are 4 resource types available. Of those, two (cluster and topic) have the permission type "create":
  • Resource = Cluster: *
  • Resource = Topic: $topic_name or *
Where these "create" permissions interact or conflict across operations, the policy evaluation results are detailed below.

| Cluster-level Create Permission | Topic-level Create Permission | Result | Policy in Audit |
|---|---|---|---|
| Allow | Allow | Allowed | resource=kafka-cluster, policy=Cluster lvl policy |
| Allow | Deny | Allowed | resource=kafka-cluster, policy=Cluster lvl policy |
| Allow | -- | Allowed | resource=kafka-cluster, policy=Cluster lvl policy |
| -- | Allow | Allowed | resource=$topic_name, policy=topic lvl policy |
| -- | Allow Topic=* | Allowed | resource=$topic_name, policy=topic lvl policy |
| -- | Deny | Denied | resource=$topic_name, policy=topic lvl policy |
| -- | -- | Denied | resource=$topic_name, policy=-- |
| Deny | Allow | Allowed | resource=$topic_name, policy=topic lvl policy |
| Deny | Deny | Denied | resource=$topic_name, policy=topic lvl policy |
| Deny | -- | Denied | resource=$topic_name, policy=-- |
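
The rows of the table above reduce to three rules: a cluster-level Allow wins outright, otherwise a topic-level Allow wins, otherwise the request is denied. The Python sketch below is an added example, not Ranger's evaluator or code from the original page; it encodes those rules and uses them to flag Deny entries that do not actually block "create topic". The function names and the `GRANTS` sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY, UNSET = "Allow", "Deny", "--"

@dataclass(frozen=True)
class Decision:
    result: str          # "Allowed" or "Denied"
    audit_resource: str  # resource= value shown in the audit record
    audit_policy: str    # policy= value shown in the audit record

def evaluate_create_topic(cluster, topic, topic_name="$topic_name"):
    """Outcome of "create topic" for one principal, per the table."""
    if cluster == ALLOW:
        # Cluster-level Allow decides, even against a topic-level Deny.
        return Decision("Allowed", "kafka-cluster", "Cluster lvl policy")
    if topic == ALLOW:
        # Topic-level Allow decides, even against a cluster-level Deny.
        return Decision("Allowed", topic_name, "topic lvl policy")
    # No Allow anywhere: denied. Only a topic-level Deny names a policy.
    policy = "topic lvl policy" if topic == DENY else "--"
    return Decision("Denied", topic_name, policy)

def ineffective_denies(grants):
    """Return principals that hold a Deny yet can still create topics."""
    findings = []
    for user, (cluster, topic) in grants.items():
        decision = evaluate_create_topic(cluster, topic)
        if decision.result == "Allowed" and DENY in (cluster, topic):
            findings.append((user, cluster, topic, decision.audit_policy))
    return findings

# Constructed sample: principal -> (cluster-level, topic-level) create permission.
GRANTS = {
    "alice": (ALLOW, DENY),   # topic Deny overridden by cluster Allow
    "bob":   (DENY, ALLOW),   # cluster Deny overridden by topic Allow
    "carol": (DENY, UNSET),   # Deny is effective
    "dave":  (UNSET, ALLOW),  # plain Allow, no Deny involved
}

if __name__ == "__main__":
    for finding in ineffective_denies(GRANTS):
        print("Deny does not block create topic:", finding)
```
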