question Re: Ranger Admin - Role Seperation in Archives of Support Questions (Read Only)

Ranger Admin - Role Seperation

sunile_manjee — Wed, 24 Feb 2016 04:47:52 GMT

Currently on ranger UI service manager a user has access to all available services. Screen shot:

2016-02-23-14-45-51.jpg

It is possible user only have access to certain services. Example DBA only have access to HBASE security control and not other services exposed on ranger ie yarn, hdfs, solr, hive, etc.

Rephrasing the question:

Role based access to users with admin roles. Currently any user with admin role will have access to all policy repos. Is there is way to control access to policies for users with admin role.

Re: Ranger Admin - Role Seperation

pminovic — Wed, 24 Feb 2016 07:11:08 GMT

Hi @Sunile Manjee, your screenshot is for the admin user. admin will be always able to see and change them all. For other users you control their access using Ranger -> Settings -> Permissions. If you remove a user from the "Resource Based Policy" list of users he will be able to see a read-only list of policies, but only those in which he was given "Delegate admin" permission (available on each policy to the right of basic permissions), see my screenshot. If he is in the "Resource Based Policy" list he will be presented with a top-level menu like in your screenshot but will be able to interact (edit) only his "Delegate admin" policies. By the way, the above applies to HDP-2.3.4, in earlier versions it might be somewhat different.

screen-shot-2016-02-24-at-80537-am.png

Re: Ranger Admin - Role Seperation

nsabharwal — Wed, 24 Feb 2016 07:23:19 GMT

@Sunile Manjee

See this thread and a demo

https://community.hortonworks.com/questions/17782/about-delegate-admin-in-ranger.html

Demo: http://i.giphy.com/l4Ki1Ng3uxdTnUTra.gif

Re: Ranger Admin - Role Seperation

shishir_saxena4 — Wed, 24 Feb 2016 21:25:03 GMT

@Sunile Manjee @Neeraj Sabharwal @Predrag Minovic I think Sunile's question is role based access to users with admin roles. Currently any user with admin role will have access to all policy repos. There is no way to control access to policies for users with admin role.

That should be high on enhancement list for Ranger to support role based access to policy repos.

Re: Ranger Admin - Role Seperation

sunile_manjee — Thu, 25 Feb 2016 04:34:21 GMT

@Shishir Saxena @Neeraj Sabharwal @Predrag Minovic

That is exactly my question. Ok so it is not a supported feature. We need to vote this up.

Re: Ranger Admin - Role Seperation

sunile_manjee — Thu, 25 Feb 2016 04:36:51 GMT

@Neeraj Sabharwal

Great demo!

Re: Ranger Admin - Role Seperation

nsabharwal — Thu, 25 Feb 2016 07:31:13 GMT

@Sunile Manjee @Shishir Saxena

ADMIN user creates policies based on departments "policy at root level" and delegate admin to particular user or groups to manage the policies and that's how you seggrate the admin roles

Re: Ranger Admin - Role Seperation

shishir_saxena4 — Thu, 25 Feb 2016 09:10:15 GMT

@Neeraj Sabharwal @Sunile Manjee Are you suggesting one default policy at root level per repo with delegated admin rights and then individual users in group managing additional policies ?

e.g. We can create one hive policy with root privileges and assign it to dba group with delegated admin rights ? Then DBA group can create any further Hive policies.

Re: Ranger Admin - Role Seperation

nsabharwal — Thu, 25 Feb 2016 09:13:50 GMT

@Shishir Saxena As DBA lead, I would the same.

I will create policies and I will define the root and then delegate admins to those policies and other admins based on the role that I defined will manage particular policies... @Sunile Manjee

Re: Ranger Admin - Role Seperation

sunile_manjee — Wed, 02 Mar 2016 12:02:33 GMT

@Neeraj Sabharwal

I am unclear about the direction. I need to create a user in ranger which only does admin for hbase (for example). right now it seems admin delegation is per policy. Lets say As a hadoop admin i want to provide my dba team access only to hbase admin rights. I don't believe this is possible. If so could you provide steps. Seems others in this post are as confused as I am.