Manage roles in Ranger Admin UI

Sergei Tikhomirov

Overview

A role in Apache Ranger combines users, groups, and other roles. Role-based authorization is a well-established security practice that is also supported in Ranger.

Each user in Ranger Admin UI has one of the three internal system roles:

  • User — a role with basic permissions.

  • Admin — a role that has all the priveleges for Ranger modules except for Key Manager. However, they can issue Key Manager permissions to themselves.

  • Auditor — a role that has all the priveleges for Ranger modules.

There are also custom roles which are created by admins. You can manage such roles that are used for Ranger service policies in Ranger Admin UI on the Settings → Users/Groups/Roles → Roles tab. It allows you to set permissions for a role, a group, or a user within a policy. Internal permissions for Ranger modules (Settings → Permissions) are not managed by custom roles. Also, custom roles cannot be mapped to a user in User → Profile.

Roles tab
Roles tab
Roles tab
Roles tab

Create a custom role

To create a custom role, follow the steps below:

  1. On the Roles tab of the Settings → Users/Groups/Roles page, click Add New Role.

    Adding a new role
    Adding a new role
    Adding a new role
    Adding a new role

  2. On the opened Role Create page, fill in the necessary details.

    Role details
    Role details
    Role details
    Role details

  3. Click Save at the bottom of the page. The newly created role will appear on the Roles tab.

Edit a custom role

To edit a custom role, follow the steps below:

  1. On the Roles tab of the Settings → Users/Groups/Roles page, click the name of the role you want to edit in the Role Name column.

    Editing a role
    Editing a role
    Editing a role
    Editing a role

  2. On the opened Role Edit page, edit the necessary information.

    Editing role details
    Editing role details
    Editing role details
    Editing role details

  3. Click Save at the bottom of the page.

Delete a custom role

To delete a custom role, follow the steps below:

  1. On the Roles tab of the Settings → Users/Groups/Roles page, tick a checkbox next to the name of the role you want to delete.

  2. Click ranger delete service btn.

    Deleting a role
    Deleting a role
    Deleting a role
    Deleting a role

  3. Confirm the action by clicking OK in the pop-up window.

Role assignment

When LDAP users are imported into Ranger, they are assigned an internal role, by default it is User. You can change the role for users or groups by applying the mapping filter. To do that, customize your ranger-ugsync-site.xml file contents:

ranger.usersync.group.based.role.assignment.rules: ROLE_SYS_ADMIN:g:group_name1, group_name2
ranger.usersync.group.based.role.assignment.rules: ROLE_SYS_ADMIN:u:username1, username2
Roles mapping
External role Internal role

ROLE_USER

User

ROLE_SYS_ADMIN

Admin

ROLE_ADMIN_AUDITOR

Auditor

The ROLE_KEY_ADMIN and ROLE_KEY_ADMIN_AUDITOR Ranger roles are not available for mapping and cannot be used in filter. The users or groups mapped to unavailable roles will not be added to Ranger Admin UI.

Important notes

 
Make sure to restart Ranger to apply the newly modified filter. To remove a filter and restore default settings — remove imported users and restart Ranger.

The LDAP sync source for Ranger Admin authentication option should be enabled in the ADCM service configuration for Ranger.

Also, see that the LDAP parameters have values like shown below:

ranger.usersync.ldap.deltasync: true
ranger.usersync.group.searchenabled: true
ranger.usersync.group.search.first.enabled: false
ranger.usersync.group.usermapsyncenabled: true

See Configuration parameters for more parameter details.

Found a mistake? Seleсt text and press Ctrl+Enter to report it