Manage roles in Ranger Admin UI
Overview
A role in Apache Ranger combines users, groups, and other roles. Role-based authorization is a well-established security practice that is also supported in Ranger.
Each user in Ranger Admin UI has one of the three internal system roles:
- User — a role with basic permissions.
- Admin — a role that has all the privileges for Ranger modules except for Key Manager. However, they can issue Key Manager permissions to themselves.
- Auditor — a role that has all the privileges for Ranger modules.
There are also custom roles which are created by admins. You can manage such roles that are used for Ranger service policies in Ranger Admin UI on the Settings → Roles tab. It allows you to set permissions for a role, a group, or a user within a policy. Internal permissions for Ranger modules (Settings → Permissions) are not managed by custom roles. Also, custom roles cannot be mapped to a user in User → Profile.
Create a custom role
To create a custom role, follow the steps below:
- On the Roles tab, click Add New Role.
  Adding a new role
- On the opened Role Create page, fill in the necessary details.
  Role details
- Click Save at the bottom of the page. The newly created role will appear on the Roles tab.
Edit a custom role
To edit a custom role, follow the steps below:
- On the Roles tab, click the name of the role you want to edit in the Role Name column.
  Editing a role
- On the opened Role Edit page, edit the necessary information.
  Editing role details
- Click Save at the bottom of the page.
Delete a custom role
To delete a custom role, follow the steps below:
- On the Roles tab, tick a checkbox next to the name of the role you want to delete.
- Click .
  Deleting a role
- Confirm the action by clicking OK in the pop-up window.
Role assignment
When LDAP users are imported into Ranger, they are assigned an internal role; by default it is User. You can change the role for users or groups by applying the mapping filter. To do that, customize the contents of your ranger-ugsync-site.xml file:
ranger.usersync.group.based.role.assignment.rules: ROLE_SYS_ADMIN:g:group_name1, group_name2
ranger.usersync.group.based.role.assignment.rules: ROLE_SYS_ADMIN:u:username1, username2
External role | Internal role |
---|---|
ROLE_USER | User |
ROLE_SYS_ADMIN | Admin |
ROLE_ADMIN_AUDITOR | Auditor |
The ROLE_KEY_ADMIN and ROLE_KEY_ADMIN_AUDITOR Ranger roles are not available for mapping and cannot be used in the filter. The users or groups mapped to unavailable roles will not be added to Ranger Admin UI.
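Because these rules decide which LDAP users and groups receive the Admin role, it is worth reviewing them before a sync runs. The script below is an added example, not part of the original documentation or the Ranger project: it reads the rule property from a constructed sample file, lists who would receive each internal role, and rejects rules that use a role the page marks as unavailable. Assumptions: the file uses Hadoop-style `<property>` XML, and several rules in one value are separated by `&`; the sample names are constructed.

```python
import xml.etree.ElementTree as ET

RULES_KEY = "ranger.usersync.group.based.role.assignment.rules"
# External role -> internal role, from the table on this page.
MAPPABLE = {"ROLE_USER": "User", "ROLE_SYS_ADMIN": "Admin",
            "ROLE_ADMIN_AUDITOR": "Auditor"}
# Roles the page says cannot be used in the filter.
UNAVAILABLE = {"ROLE_KEY_ADMIN", "ROLE_KEY_ADMIN_AUDITOR"}

# Constructed sample in Hadoop-style property XML (assumed file layout).
SAMPLE_XML = """<configuration>
  <property>
    <name>ranger.usersync.group.based.role.assignment.rules</name>
    <value>ROLE_SYS_ADMIN:g:ranger_admins, sec_ops&amp;ROLE_ADMIN_AUDITOR:u:alice&amp;ROLE_KEY_ADMIN:u:bob&amp;ROLE_SYS_ADMIN:x:carol</value>
  </property>
</configuration>"""

def read_rules(xml_text):
    """Return the raw rule string from the property file, or ''."""
    for prop in ET.fromstring(xml_text).iter("property"):
        if (prop.findtext("name") or "").strip() == RULES_KEY:
            return (prop.findtext("value") or "").strip()
    return ""

def audit_rules(raw):
    """Split rules on '&' (assumed separator) and classify each one."""
    grants, problems = [], []
    for rule in filter(None, (r.strip() for r in raw.split("&"))):
        parts = rule.split(":", 2)
        if len(parts) != 3:
            problems.append((rule, "expected ROLE:g|u:name1, name2"))
            continue
        role, kind, names = parts[0].strip(), parts[1].strip(), parts[2]
        members = [n.strip() for n in names.split(",") if n.strip()]
        if role in UNAVAILABLE:
            problems.append((rule, "role not available for mapping"))
        elif role not in MAPPABLE:
            problems.append((rule, "unknown role"))
        elif kind not in ("g", "u"):
            problems.append((rule, "type must be g (group) or u (user)"))
        elif not members:
            problems.append((rule, "no names listed"))
        else:
            who = "group" if kind == "g" else "user"
            grants += [(MAPPABLE[role], who, m) for m in members]
    return grants, problems

if __name__ == "__main__":
    grants, problems = audit_rules(read_rules(SAMPLE_XML))
    for internal, who, name in grants:
        print(f"{internal:8} <- {who} {name}")
    for rule, why in problems:
        print(f"REJECT   {rule!r}: {why}")
```

Reviewing the Admin lines of the output against the intended administrator list shows when a broad LDAP group has been mapped to ROLE_SYS_ADMIN.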