You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/02/22 05:29:00 UTC

[jira] [Resolved] (RANGER-3069) Ranger users should be able to have both Keyadmin and Admin Roles

     [ https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel resolved RANGER-3069.
----------------------------------
    Resolution: Not A Problem

> Ranger users should be able to have both Keyadmin and Admin Roles 
> ------------------------------------------------------------------
>
>                 Key: RANGER-3069
>                 URL: https://issues.apache.org/jira/browse/RANGER-3069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, kms
>    Affects Versions: 1.2.0
>            Reporter: Jasper Knulst
>            Priority: Major
>         Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
> I learned that for all the capabilities of keyadmin user one has to have the 'keyadmin' role assigned (User Profile / Select Role). Looks like the permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected things. 'Key manager' enables nothing in the classical non-KMS. It is confusing as it promises some extra KMS functions whereas this is really coupled to the 'keyadmin' user role.
> I suggest a user should be able to have both 'admin' and 'keyadmin' user roles as 2 alternatives available now are not very good: 
> 1. All KMS admin interactions done by a group of people that have access to the credentials of user 'keyadmin'
> 2. Setup separate personal account for superadmins. One for doing normal Ranger things and one for doing keyadmin things



--
This message was sent by Atlassian Jira
(v8.20.1#820001)