
Q. What is Delegated Admin Privilege?

Instead of having a single central authority create security policies for all Hadoop resources, Apache Ranger provides a “Delegated-Admin” feature that delegates security policy management to other resource administrators.

For example, the permissions associated with the hdfs:/app/finance folder and all its contents can be managed entirely by the finance-admin group by granting “delegated-admin” permission to the finance-admin group on “hdfs:/app/finance with recursive=true”.

In simple terms, Delegated-Admin permission allows other resource administrators to manage permissions for the resources they manage.
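Because delegated-admin holders can change permissions on their resource set, it is worth reviewing periodically who holds the privilege and on what scope. The following is an added example, not part of the original article or of Apache Ranger: it assumes policies are available as JSON in the shape of Ranger's policy model (`resources`, `policyItems`, `delegateAdmin`), and the sample policies and the two "review" heuristics are constructed for illustration.

```python
import json

# Constructed sample in the shape of Ranger's policy JSON; policy names,
# service name, groups and paths are made up for this example.
SAMPLE_EXPORT = json.loads("""
[
  {"name": "finance-app", "service": "cl1_hadoop", "isEnabled": true,
   "resources": {"path": {"values": ["/app/finance"], "isRecursive": true}},
   "policyItems": [
     {"groups": ["finance-admin"], "users": [], "delegateAdmin": true,
      "accesses": [{"type": "read", "isAllowed": true}]},
     {"groups": ["finance-users"], "users": [], "delegateAdmin": false,
      "accesses": [{"type": "read", "isAllowed": true}]}]},
  {"name": "root-all", "service": "cl1_hadoop", "isEnabled": true,
   "resources": {"path": {"values": ["/"], "isRecursive": true}},
   "policyItems": [
     {"groups": ["public"], "users": ["etl"], "delegateAdmin": true,
      "accesses": [{"type": "write", "isAllowed": true}]}]}
]
""")

def delegated_admin_grants(policies):
    """Return one record per (policy, principal) that holds delegateAdmin."""
    grants = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        path = policy.get("resources", {}).get("path", {})
        for item in policy.get("policyItems", []):
            if not item.get("delegateAdmin"):
                continue
            principals = [("group", g) for g in item.get("groups", [])]
            principals += [("user", u) for u in item.get("users", [])]
            for kind, name in principals:
                # Heuristics chosen for this example: delegation to the
                # built-in "public" group, or recursive delegation at "/".
                broad = (kind == "group" and name == "public") or (
                    path.get("isRecursive", False) and "/" in path.get("values", []))
                grants.append({"policy": policy["name"], "kind": kind,
                               "principal": name, "paths": path.get("values", []),
                               "recursive": path.get("isRecursive", False),
                               "review": broad})
    return grants

if __name__ == "__main__":
    for g in delegated_admin_grants(SAMPLE_EXPORT):
        print(g)
```

In the sample, the finance-admin grant on /app/finance matches the scoped delegation described above, while the two grants on "/" are marked for review.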

Q. What are the roles assigned to a user within ranger-ui?

In Apache Ranger, a user can be assigned one of the following roles: ADMIN, USER, KEYADMIN.

When a user is assigned the KEYADMIN role, he/she can manage all ranger-kms policies and kms-audit information within the ranger-admin UI. He/she can also grant “delegate-admin” privileges for managing a set of keys to other users/groups by creating a ranger-kms policy. When a user is granted “delegated-admin” privileges for a set of keys, the user can manage permissions associated with any key that belongs to the key set for which he/she has “delegated-admin” privilege.

When a user is assigned the ADMIN role, he/she can manage all non-kms ranger policies and non-kms audit information within the ranger-admin UI. He/she can also grant “delegate-admin” privileges for managing a set of resources to other users/groups by creating a ranger policy. When a user is granted “delegated-admin” privileges for a set of resources, the user can manage permissions associated with any resource that belongs to the resource set for which he/she has “delegated-admin” privilege.

When a user is assigned the USER role, he/she can manage only the resources/keys for which he/she has been granted “delegated-admin” privilege.

Q. What is the difference between ROLE vs “Delegated-Admin privilege”?

ROLE is assigned to a specific user by the Administrator.

Delegated-Admin Privilege is assigned on a specific set of resources for a specific set of users/groups by a person who already has Delegated-Admin privilege on the specific set of resources.

Comments

@sneethiraj Can a non-admin user (not admin) assign ROLE or modify ROLE?

Straight question - Is the admin user the only user who can assign/modify ROLE to a user?

Last update: 03-10-2017 02:29 PM