Created 04-29-2019 01:22 PM
Hi,
I've configured usersync with LDAP (IPA backend) successfully and also LDAP for the Admin UI.
What I want to achieve:
Current state:
I've tried to filter users who can login to Ranger Admin via LDAP: ranger.ldap.user.searchfilter: (&(uid={0})(memberOf=cn=my_admin_team,cn=groups,cn=accounts,dc=example,dc=com)) but this does not work.
I've also tried to remove the users from the permissions (Settings -> Permissions -> Resource Based Policies) as explained here: https://community.hortonworks.com/questions/62605/permissions-for-using-ranger.html but after restarting the Ranger service, all users are back. Looks like the permission is not persisted, or is overridden by the service restart.
Note that this standard user can delete policies of other users.
Questions:
HDP 2.6.5, ranger 0.7 from HDP 2.6.5
Thanks
Created 05-02-2019 09:23 AM
I found the response of my last question. The default matching is hardcoded in java: https://github.com/hortonworks/ranger-release/blob/HDP-2.6.5.0-292-tag/security-admin/src/main/java/...
The latest version of Ranger has the same hardcoded matching.
Created 05-02-2019 11:32 AM
As LDAP is a centralized tool, once you integrate it in Ambari, every user in the integrated LDAP groups will be able to log in to the UI. But they cannot see any created policies. Only if you give them permission to create policies in the Ranger Admin UI will they be able to see the policies; otherwise, after login, nothing is shown.
-Shashi
Created 05-02-2019 11:19 PM
Hi Shashi,
Unfortunately this is not completely true. A "normal" user can log in to the Ranger Admin UI and has by default the "Resource Based Policies" and "Reports" permissions. With the Resource Based Policies, this user can modify and delete already existing policies owned by other users / admins.
When I remove the Resource Based Policies permission for that user, the user can now see only the "Reports". However, after restarting all the Ranger services (Ranger admin, usersync, tagsync), the default permissions are applied again and the user has access to the Resource Based Policies again.
I want to ensure that non-admin users cannot modify the policies.
Vincent