
Ranger Admin - Role Separation

Currently on the Ranger UI Service Manager, a user has access to all available services. Screenshot:

2016-02-23-14-45-51.jpg

Is it possible for a user to only have access to certain services? Example: a DBA only has access to HBase security control and not the other services exposed on Ranger, i.e. YARN, HDFS, Solr, Hive, etc.

Rephrasing the question:

Role-based access for users with admin roles. Currently any user with the admin role will have access to all policy repos. Is there a way to control access to policies for users with the admin role?

ACCEPTED SOLUTION

Re: Ranger Admin - Role Separation

@Sunile Manjee @Neeraj Sabharwal @Predrag Minovic I think Sunile's question is role based access to users with admin roles. Currently any user with admin role will have access to all policy repos. There is no way to control access to policies for users with admin role.

That should be high on enhancement list for Ranger to support role based access to policy repos.

9 REPLIES

Re: Ranger Admin - Role Separation

Hi @Sunile Manjee, your screenshot is for the admin user. admin will always be able to see and change them all. For other users, you control their access using Ranger -> Settings -> Permissions. If you remove a user from the "Resource Based Policy" list of users, he will be able to see a read-only list of policies, but only those in which he was given "Delegate admin" permission (available on each policy to the right of basic permissions); see my screenshot. If he is in the "Resource Based Policy" list, he will be presented with a top-level menu like in your screenshot but will be able to interact with (edit) only his "Delegate admin" policies. By the way, the above applies to HDP-2.3.4; in earlier versions it might be somewhat different.

screen-shot-2016-02-24-at-80537-am.png

Re: Ranger Admin - Role Separation

Re: Ranger Admin - Role Separation

@Neeraj Sabharwal

Great demo!

Re: Ranger Admin - Role Separation

@Sunile Manjee @Shishir Saxena

The ADMIN user creates policies based on departments ("policy at root level") and delegates admin to particular users or groups to manage the policies, and that's how you segregate the admin roles.

Re: Ranger Admin - Role Separation

@Neeraj Sabharwal @Sunile Manjee Are you suggesting one default policy at root level per repo with delegated admin rights, and then individual users in the group managing additional policies?

E.g. we can create one Hive policy with root privileges and assign it to the DBA group with delegated admin rights? Then the DBA group can create any further Hive policies.

Re: Ranger Admin - Role Separation

@Shishir Saxena As DBA lead, I would do the same.

I will create policies and I will define the root and then delegate admins to those policies and other admins based on the role that I defined will manage particular policies... @Sunile Manjee
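
Added example (not part of the original thread and not Ranger's own code): since "Delegate admin" is granted per policy, one way to check that delegation stays within the intended service is to audit an export of the policies. The field names follow Ranger's policy JSON (`service`, `resources`, `policyItems`, `delegateAdmin`, `isEnabled`); the service names, sample policies and the `EXPECTED` map are constructed for illustration.

```python
# Added example: audit which principals hold "Delegate admin" per Ranger service.
# Sample policies and the EXPECTED map are constructed; field names follow Ranger's policy JSON.
from collections import defaultdict

POLICIES = [  # constructed sample, shaped like a Ranger policy export
    {"service": "cl1_hbase", "name": "hbase-root", "isEnabled": True,
     "resources": {"table": {"values": ["*"]}, "column-family": {"values": ["*"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"groups": ["dba"], "users": [], "delegateAdmin": True}]},
    {"service": "cl1_hive", "name": "hive-root", "isEnabled": True,
     "resources": {"database": {"values": ["*"]}, "table": {"values": ["*"]},
                   "column": {"values": ["*"]}},
     "policyItems": [{"groups": ["etl"], "users": ["alice"], "delegateAdmin": True}]},
    {"service": "cl1_hdfs", "name": "tmp-dir", "isEnabled": True,
     "resources": {"path": {"values": ["/tmp/dba"]}},
     "policyItems": [{"groups": ["dba"], "users": [], "delegateAdmin": True},
                     {"groups": ["analysts"], "users": [], "delegateAdmin": False}]},
]

# Hypothetical separation-of-duties intent: principal -> services it may administer.
EXPECTED = {"group:dba": {"cl1_hbase"}, "group:etl": {"cl1_hive"}}

def is_root(policy):
    """True when every resource level of the policy is the '*' wildcard."""
    return all(r.get("values") == ["*"] for r in policy["resources"].values())

def delegations(policies):
    """Map principal -> {(service, policy name, root-level?)} for delegate-admin items."""
    out = defaultdict(set)
    for p in policies:
        if not p.get("isEnabled", True):
            continue  # disabled policies grant nothing
        for item in p.get("policyItems", []):
            if not item.get("delegateAdmin"):
                continue
            for g in item.get("groups", []):
                out["group:" + g].add((p["service"], p["name"], is_root(p)))
            for u in item.get("users", []):
                out["user:" + u].add((p["service"], p["name"], is_root(p)))
    return dict(out)

def violations(policies, expected):
    """Delegations that fall outside the services a principal is expected to manage."""
    return sorted((who, svc, name) for who, grants in delegations(policies).items()
                  for svc, name, _ in grants if svc not in expected.get(who, set()))

if __name__ == "__main__":
    for v in violations(POLICIES, EXPECTED):
        print("unexpected delegate admin:", v)
```

On the constructed data this flags the `dba` group's delegation on the HDFS policy and the direct user grant to `alice`, neither of which is in the intended map.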


Re: Ranger Admin - Role Separation

@Shishir Saxena @Neeraj Sabharwal @Predrag Minovic

That is exactly my question. Ok so it is not a supported feature. We need to vote this up.

Re: Ranger Admin - Role Separation

@Neeraj Sabharwal

I am unclear about the direction. I need to create a user in Ranger which only does admin for HBase (for example). Right now it seems admin delegation is per policy. Let's say, as a Hadoop admin, I want to provide my DBA team access only to HBase admin rights. I don't believe this is possible. If so, could you provide steps? Seems others in this post are as confused as I am.
