Created 02-23-2016 08:47 PM
Currently on the Ranger UI service manager a user has access to all available services. Screenshot:
Is it possible for a user to only have access to certain services? Example: a DBA only has access to HBase security control and not other services exposed on Ranger, i.e. YARN, HDFS, Solr, Hive, etc.
Rephrasing the question:
Role-based access for users with admin roles. Currently any user with the admin role will have access to all policy repos. Is there a way to control access to policies for users with the admin role?
Created 02-24-2016 01:25 PM
@Sunile Manjee @Neeraj Sabharwal @Predrag Minovic I think Sunile's question is role based access to users with admin roles. Currently any user with admin role will have access to all policy repos. There is no way to control access to policies for users with admin role.
That should be high on enhancement list for Ranger to support role based access to policy repos.
Created 02-23-2016 11:11 PM
Hi @Sunile Manjee, your screenshot is for the admin user. admin will be always able to see and change them all. For other users you control their access using Ranger -> Settings -> Permissions. If you remove a user from the "Resource Based Policy" list of users he will be able to see a read-only list of policies, but only those in which he was given "Delegate admin" permission (available on each policy to the right of basic permissions), see my screenshot. If he is in the "Resource Based Policy" list he will be presented with a top-level menu like in your screenshot but will be able to interact (edit) only his "Delegate admin" policies. By the way, the above applies to HDP-2.3.4, in earlier versions it might be somewhat different.
Created 02-23-2016 11:23 PM
Created 02-24-2016 08:36 PM
Great demo!
Created 02-24-2016 11:31 PM
@Sunile Manjee @Shishir Saxena
ADMIN user creates policies based on departments ("policy at root level") and delegates admin to particular users or groups to manage the policies, and that's how you segregate the admin roles.
Created 02-25-2016 01:10 AM
@Neeraj Sabharwal @Sunile Manjee Are you suggesting one default policy at root level per repo with delegated admin rights and then individual users in group managing additional policies ?
e.g. We can create one hive policy with root privileges and assign it to dba group with delegated admin rights ? Then DBA group can create any further Hive policies.
Created 02-25-2016 01:13 AM
@Shishir Saxena As DBA lead, I would do the same.
I will create policies and I will define the root and then delegate admins to those policies and other admins based on the role that I defined will manage particular policies... @Sunile Manjee
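An added example, not part of the original thread: because delegation is granted per policy, one way to check that a group such as the DBAs holds "Delegate admin" only where intended is to audit exported policies per service. The sample policies, service names and `ALLOWED` map are constructed, and the code assumes policies are available as JSON with the `service`, `isEnabled` and `policyItems[].delegateAdmin` fields.

```python
from collections import defaultdict

# Constructed sample policies, shaped like Ranger's policy JSON
# (service, isEnabled, policyItems[].users/groups/delegateAdmin).
SAMPLE_POLICIES = [
    {"service": "cl1_hbase", "name": "hbase-root", "isEnabled": True,
     "policyItems": [{"groups": ["dba"], "users": [], "delegateAdmin": True}]},
    {"service": "cl1_hive", "name": "hive-root", "isEnabled": True,
     "policyItems": [{"groups": ["dba"], "users": ["alice"], "delegateAdmin": True}]},
    {"service": "cl1_hdfs", "name": "etl-data", "isEnabled": True,
     "policyItems": [{"groups": [], "users": ["etl"], "delegateAdmin": False}]},
    {"service": "cl1_hdfs", "name": "old-dba", "isEnabled": False,
     "policyItems": [{"groups": ["dba"], "users": [], "delegateAdmin": True}]},
]

# Intended scope (hypothetical): services each principal may administer.
ALLOWED = {("group", "dba"): {"cl1_hbase"}}


def delegate_admins(policies):
    """Map each principal to the services where it holds delegateAdmin."""
    grants = defaultdict(set)
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies grant nothing
        for item in policy.get("policyItems", []):
            if not item.get("delegateAdmin", False):
                continue
            for user in item.get("users", []):
                grants[("user", user)].add(policy["service"])
            for group in item.get("groups", []):
                grants[("group", group)].add(policy["service"])
    return dict(grants)


def out_of_scope(policies, allowed):
    """List principals with delegateAdmin on services outside their allowed set."""
    findings = []
    for principal, services in sorted(delegate_admins(policies).items()):
        extra = services - allowed.get(principal, set())
        if extra:
            findings.append((principal, sorted(extra)))
    return findings


if __name__ == "__main__":
    for principal, services in out_of_scope(SAMPLE_POLICIES, ALLOWED):
        print(principal, "has delegate admin outside scope on", services)
```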
Created 02-24-2016 08:34 PM
@Shishir Saxena @Neeraj Sabharwal @Predrag Minovic
That is exactly my question. Ok so it is not a supported feature. We need to vote this up.
Created 03-02-2016 04:02 AM
I am unclear about the direction. I need to create a user in Ranger which only does admin for HBase (for example). Right now it seems admin delegation is per policy. Let's say, as a Hadoop admin, I want to provide my DBA team access only to HBase admin rights. I don't believe this is possible. If so, could you provide steps? Seems others in this post are as confused as I am.