Support Questions

Find answers, ask questions, and share your expertise

Ranger API Conflicting Data with UI

avatar
Expert Contributor

I am looking in the Kafka policies in my current Ranger Instance. There is a policy called "service_all - cluster".

 

When I look here are the two allow conditions for this policy -

drewski7_0-1687957828791.png

However, when I run this API call to get all the policies for kafka and search for the "service_all - cluster" this is result - 

<policies>
	<id>11</id>
	<guid>dbbd8ed1-2bc6-452d-991e-28082727e3cf</guid>
	<isEnabled>true</isEnabled>
	<version>1</version>
	<service>cm_kafka</service>
	<name>service_all - cluster</name>
	<policyType>0</policyType>
	<policyPriority>0</policyPriority>
	<description>Service Policy for all - cluster</description>
	<isAuditEnabled>true</isAuditEnabled>
	<resources>
		<entry>
			<key>cluster</key>
			<value>
				<values>*</values>
				<isExcludes>false</isExcludes>
				<isRecursive>false</isRecursive>
			</value>
		</entry>
	</resources>
	<policyItems>
		<accesses>
			<type>configure</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>describe</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>kafka_admin</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>create</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>idempotent_write</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>describe_configs</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>alter_configs</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>cluster_action</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>alter</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>publish</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>consume</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<accesses>
			<type>delete</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<users>cruisecontrol</users>
		<users>streamsmsgmgr</users>
		<users>kafka</users>
		<delegateAdmin>true</delegateAdmin>
	</policyItems>
	<policyItems>
		<accesses>
			<type>describe</type>
			<isAllowed>true</isAllowed>
		</accesses>
		<users>rangerlookup</users>
		<delegateAdmin>false</delegateAdmin>
	</policyItems>
	<serviceType>kafka</serviceType>
	<options/>
	<zoneName/>
	<isDenyAllElse>false</isDenyAllElse>
</policies>

 

Here you can see there are 3 extra accesses given called publish, consume, delete that aren't showing up in the user interface. 

Yesterday I did a whole reimport of all the policies for Kafka and it fixed the issue but after a restart of ranger this happened again. I checked the underlying database and it's consistent with the User Interface but again the API call is adding those three extra accesses. 

Does anyone know what happens after a restart that is causing the API call to differ from the User Interface?

 

0 REPLIES 0