forked from BROADSoftware/ranger_modules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ranger_kafka_policies.txt
143 lines (115 loc) · 4.67 KB
/
ranger_kafka_policies.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
> RANGER_KAFKA_POLICIES
This module will allow you to manage Kafka policy in Apache Ranger. Please refer to Apache Ranger documentation for
authorization policy concept and usage.
OPTIONS (= is mandatory):
= admin_password
The password associated with the admin_username
[Default: None]
= admin_url
The Ranger base URL to access Ranger API. Same host:port as the Ranger Admin GUI. Typically
http://myranger.server.com:6080 or https://myranger.server.com:6182
[Default: None]
= admin_username
The user name to log on the Ranger Admin. Must have enough rights to manage policies.
Also accepts the special value `KERBEROS'. In such case, a valid Kerberos ticket must exist for the ansible_user account
on the target system. (A `kinit' must be issued under this account). Then HDFS operation will be performed on behalf of
the user defined by the Kerberos ticket.
[Default: None]
- ca_bundle_file
Useful if Ranger Admin connection is using SSL. Allow to specify a CA_BUNDLE file, a file that contains root and
intermediate certificates to validate the Ranger Admin certificate.
In its simplest case, it could be a file containing the server certificate in .pem format.
This file will be looked up on the remote system, on which this module will be executed.
[Default: None]
= policies
The list of policies you want to be defined by this operation.
[Default: None]
- policies[0..n].audit
Whether this policy is audited
[Default: True]
- policies[0..n].enabled
Whether this policy is enabled.
[Default: True]
= policies[0..n].name
The name of the policy. Must be unique across the system.
[Default: None]
= policies[0..n].permissions
A list of permissions associated to this policy
[Default: None]
= policies[0..n].permissions[0..n].accesses
A list of access right granted by this permission.
[Default: None]
- policies[0..n].permissions[0..n].delegate_admin
When a policy is assigned to a user or a group of users those users become the delegated admin. The delegated admin can
update, delete the policies.
[Default: False]
- policies[0..n].permissions[0..n].groups
A list of groups this permission will apply on.
[Default: None]
- policies[0..n].permissions[0..n].ip_addresses
A list of source IP addresses to be bound to this permission
[Default: None]
- policies[0..n].permissions[0..n].users
A list of users this permission will apply on.
[Default: None]
= policies[0..n].topics
A list of Kafka topics this policy will apply on. Accept wildcard characters '*' and '?'
[Default: None]
- service_name
In most cases, you should not need to set this parameter. It define the Ranger Admin Kafka service, typically
<yourClusterName>_kafka.
It must be set if there are several such services defined in your Ranger Admin configuration, to select the one you
intend to use.
[Default: None]
- state
Whether to install (present) or remove (absent) these policies
(Choices: present, absent)[Default: present]
- validate_certs
Useful if Ranger Admin connection is using SSL. If no, SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates.
[Default: True]
AUTHOR: Serge ALEXANDRE
EXAMPLES:
# Allow user 'app1' to publish to Kafka topic 'topic1'. And allow user 'app2' and all users belonging to groups 'grp1 and grp2 to consume.
- hosts: edge_node1
roles:
- ranger_modules
tasks:
- ranger_kafka_policies:
state: present
admin_url: https://ranger.mycompany.com:6182
admin_username: admin
admin_password: admin
validate_certs: no
policies:
- name: "kpolicy1"
topics:
- "topic1"
permissions:
- users:
- app1
accesses:
- Publish
- users:
- app2
groups:
- grp1
- grp2
accesses:
- consume
# Same result, expressed in a different way
- hosts: en1
vars:
policy1:
{ name: kpolicy1, topics: [ topic1 ], permissions: [ { users: [ app1 ], accesses: [ publish ] }, { users: [ app2 ], groups: [ grp1, grp2 ], accesses: [ consume ] } ] }
roles:
- ranger_modules
tasks:
- ranger_kafka_policies:
state: present
admin_url: https://nn1.hdp13.bsa.broadsoftware.com:6182
admin_username: admin
admin_password: admin
validate_certs: no
policies:
- "{{ policy1 }}"