Instead of having a single central authority create security policies for all Hadoop resources, Apache Ranger provides a feature, “Delegated-Admin”, that delegates security policy management to other resource administrators.
For example, the permissions associated with the hdfs:/app/finance folder and all its contents can be managed entirely by the finance-admin group, by granting the “delegated-admin” permission to the finance-admin group on “hdfs:/app/finance” with recursive=true.
In simple terms, the Delegated-Admin permission allows other resource administrators to manage permissions for the resources they are responsible for.
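The finance-admin delegation above, as an added example that is not from this page or the Ranger project: the policy in the JSON shape Ranger's public v2 REST API accepts (the service name "cl1_hadoop", the access types and the helper names are assumptions), plus a simplified check of which principals that policy makes delegated admins for a given path.

```python
import json

# Constructed example (not from the page or the Ranger project): an HDFS policy in the
# JSON shape accepted by Ranger's public v2 REST API (POST /service/public/v2/api/policy).
# The service name "cl1_hadoop" and the access types granted are assumptions.
def make_delegation_policy(service, path, group, recursive=True):
    """Build a policy that grants `group` full access plus delegated-admin on `path`."""
    return {
        "service": service,
        "name": f"{group}-delegated-admin",
        "isEnabled": True,
        "resources": {
            "path": {"values": [path], "isExcludes": False, "isRecursive": recursive}
        },
        "policyItems": [{
            "users": [],
            "groups": [group],
            "accesses": [{"type": t, "isAllowed": True} for t in ("read", "write", "execute")],
            "delegateAdmin": True,   # this flag is what makes the group a delegated admin
        }],
    }

FINANCE_POLICY = make_delegation_policy("cl1_hadoop", "/app/finance", "finance-admin")

def _path_covered(values, is_recursive, path):
    """True if `path` is one of the policy's paths, or lies under one when recursive."""
    for v in values:
        if path == v or (is_recursive and path.startswith(v.rstrip("/") + "/")):
            return True
    return False

def can_delegate_admin(policy, user, groups, path):
    """Simplified model of what the page describes: may this principal manage
    permissions on `path` under this one policy? Real Ranger evaluates many policies,
    wildcards, deny items and exclude-type resources; this handles a single allow policy."""
    if not policy.get("isEnabled", True):
        return False
    res = policy["resources"]["path"]
    if res.get("isExcludes"):
        return False
    if not _path_covered(res["values"], res.get("isRecursive", False), path):
        return False
    for item in policy["policyItems"]:
        if item.get("delegateAdmin") and (
            user in item.get("users", []) or set(groups) & set(item.get("groups", []))
        ):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(FINANCE_POLICY, indent=2))
```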
Q. What are the roles assigned to a user within ranger-ui?
In Apache Ranger, a user can be assigned one of the following roles: ADMIN, USER, KEYADMIN.
When a user is assigned the KEYADMIN role, he/she has the ability to manage all ranger-kms policies and kms-audit information within the ranger-admin UI. He/she can also grant “delegated-admin” privileges for managing a set of keys to other users/groups by creating a ranger-kms policy. When a user is granted “delegated-admin” privileges for a set of keys, the user can manage the permissions associated with any key in the key set for which he/she holds the “delegated-admin” privilege.
When a user is assigned the ADMIN role, he/she has the ability to manage all non-kms ranger policies and non-kms audit information within the ranger-admin UI. He/she can also grant “delegated-admin” privileges for managing a set of resources to other users/groups by creating a ranger policy. When a user is granted “delegated-admin” privileges for a set of resources, the user can manage the permissions associated with any resource in the resource set for which he/she holds the “delegated-admin” privilege.
When a user is assigned the USER role, he/she has the ability to manage only those resources/keys for which he/she has been granted the “delegated-admin” privilege.
Q. What is the difference between a ROLE and a “Delegated-Admin privilege”?
A ROLE is assigned to a specific user by the Administrator.
A Delegated-Admin privilege is assigned on a specific set of resources to a specific set of users/groups by someone who already has the Delegated-Admin privilege on that set of resources.