
Q. What is Delegated Admin Privilege?

Instead of having a single central authority create security policies for all Hadoop resources, Apache Ranger provides a feature, “Delegated-Admin”, to delegate security policy management to other resource administrators.

For example, the permissions associated with the hdfs:/app/finance folder and all its contents can be managed entirely by the finance-admin group, by granting the “delegated-admin” permission to the finance-admin group on “hdfs:/app/finance with recursive=true”.

In simple terms, the Delegated-Admin permission allows other resource administrators to manage permissions for the resources they manage.

Q. What are the roles assigned to a user within ranger-ui?

In Apache Ranger, a user can be assigned one of the following roles: ADMIN, USER, KEYADMIN.

When a user is assigned the KEYADMIN role, he/she can manage all ranger-kms policies and kms-audit information within the ranger-admin UI. He/she can also grant “delegate-admin” privileges for managing a set of keys to other users/groups by creating a ranger-kms policy. When a user is granted “delegated-admin” privileges for a set of keys, the user can manage permissions associated with any key that belongs to the key set for which he/she has the “delegated-admin” privilege.

When a user is assigned the ADMIN role, he/she can manage all non-kms ranger policies and non-kms audit information within the ranger-admin UI. He/she can also grant “delegate-admin” privileges for managing a set of resources to other users/groups by creating a ranger policy. When a user is granted “delegated-admin” privileges for a set of resources, the user can manage permissions associated with any resource that belongs to the resource set for which he/she has the “delegated-admin” privilege.

When a user is assigned the USER role, he/she can manage only the resources/keys for which he/she has been granted the “delegated-admin” privilege.

Q. What is the difference between ROLE vs “Delegated-Admin privilege”?

A ROLE is assigned to a specific user by the Administrator.

Delegated-Admin Privilege is assigned on a specific set of resources for a specific set of users/groups by a person who already has Delegated-Admin privilege on the specific set of resources.
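To review who holds delegated-admin rights, the following added example (not part of the original article or of Apache Ranger's code) lists every delegated-admin grant in a set of HDFS policies and checks whether a grant covers a given path. It assumes policy JSON shaped like Ranger's policy model (`resources`, `policyItems`, `delegateAdmin`); the service name, policy names, sample policies and the path-coverage rule are constructed simplifications.

```python
import json

# Constructed sample: two HDFS policies shaped like Ranger policy JSON.
SAMPLE_POLICIES = json.loads("""
[
  {"service": "cl1_hadoop", "name": "finance-delegation", "isEnabled": true,
   "resources": {"path": {"values": ["/app/finance"], "isRecursive": true}},
   "policyItems": [
     {"groups": ["finance-admin"], "users": [],
      "accesses": [{"type": "read", "isAllowed": true}],
      "delegateAdmin": true}]},
  {"service": "cl1_hadoop", "name": "shared-read", "isEnabled": true,
   "resources": {"path": {"values": ["/app/shared"], "isRecursive": true}},
   "policyItems": [
     {"groups": ["analysts"], "users": ["etl"],
      "accesses": [{"type": "read", "isAllowed": true}],
      "delegateAdmin": false}]}
]
""")

def delegated_admin_grants(policies):
    """Return (principal, path, recursive, policy name) per delegateAdmin grant."""
    grants = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies confer nothing
        path_res = policy.get("resources", {}).get("path", {})
        for item in policy.get("policyItems", []):
            if not item.get("delegateAdmin"):
                continue
            principals = [f"group:{g}" for g in item.get("groups", [])]
            principals += [f"user:{u}" for u in item.get("users", [])]
            for principal in principals:
                for path in path_res.get("values", []):
                    grants.append((principal, path,
                                   bool(path_res.get("isRecursive")), policy["name"]))
    return grants

def can_manage(grants, principals, target):
    """Simplified model: a delegated admin may manage `target` if a grant covers it."""
    for principal, path, recursive, _ in grants:
        if principal not in principals:
            continue
        base = path.rstrip("/")
        # Match on a path-component boundary so /app/financeX is not covered.
        if target == path or (recursive and target.startswith(base + "/")):
            return True
    return False
```

Grants that name a very broad path (such as `/` with recursion) or a catch-all group deserve the closest review, because their holders can hand out permissions over everything beneath.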

Comments

@sneethiraj Can a non-admin user (not admin) assign ROLE or modify ROLE?

Straight question - Is the admin user the only user who can assign/modify ROLE to a user?