Posted to dev@ranger.apache.org by "Madhan Neethiraj (Jira)" <ji...@apache.org> on 2020/04/01 07:47:00 UTC

[jira] [Commented] (RANGER-785) Ranger plugins should support a formal notion of super user

    [ https://issues.apache.org/jira/browse/RANGER-785?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072481#comment-17072481 ] 

Madhan Neethiraj commented on RANGER-785:
-----------------------------------------

* added method {{RangerBasePlugin.setSuperUsersAndGroups(users, groups)}}, which a plugin implementation can call to register users and groups for whom all permissions should be allowed
* additional super-users and groups can be specified via service-configurations {{ranger.plugin.super.users}}, {{ranger.plugin.super.groups}}
* Ranger plugin will allow all accesses from super users and groups
* Ranger plugin generates audit logs for such accesses - just as for regular users

> Ranger plugins should support a formal notion of super user
> -----------------------------------------------------------
>
>                 Key: RANGER-785
>                 URL: https://issues.apache.org/jira/browse/RANGER-785
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>            Reporter: Alok Lal
>            Assignee: Madhan Neethiraj
>            Priority: Major
>             Fix For: 2.1.0
>
>         Attachments: RANGER-785.patch
>
>
> Most services that we authorize have some notion of superuser.
> # HBase has a property which lists the superuser id.  Ranger plugin skips most authorizations for that superuser.
> # In the case of Kafka, unless proper policies exist for the service user, the cluster won't come up.
> # At other times people have asked that auditing be done differently for the service user.
> One way to remedy these is to add a formal notion of a superuser for a service and deal with it appropriately during service creation, during authorization in the plugin, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
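
Added example, not part of the original message and not Ranger's own code: a simplified Java model of the behaviour listed in the comment, where users and groups registered through a setSuperUsersAndGroups-style call or through the two service-configuration keys are allowed every access and each decision is still written to the audit log. The class name, the comma-separated format of the config values, the audit record fields and the deny-by-default policy stub are assumptions.

```java
import java.util.*;

// Simplified model of the behaviour described in the comment; not Ranger's implementation.
public class SuperUserModel {
    // Hypothetical audit record; the "reason" field is an assumption made for illustration.
    record Audit(String user, String resource, String action, boolean allowed, String reason) {}

    private final Set<String> superUsers = new HashSet<>();
    private final Set<String> superGroups = new HashSet<>();
    private final List<Audit> auditLog = new ArrayList<>();

    // Mirrors the shape of RangerBasePlugin.setSuperUsersAndGroups(users, groups).
    void setSuperUsersAndGroups(Set<String> users, Set<String> groups) {
        superUsers.addAll(users);
        superGroups.addAll(groups);
    }

    // Assumption: the service-configuration values are comma-separated lists.
    void addFromServiceConfig(Map<String, String> cfg) {
        superUsers.addAll(split(cfg.get("ranger.plugin.super.users")));
        superGroups.addAll(split(cfg.get("ranger.plugin.super.groups")));
    }

    private static Set<String> split(String csv) {
        Set<String> out = new HashSet<>();
        if (csv == null) return out;
        for (String s : csv.split(",")) if (!s.isBlank()) out.add(s.trim());
        return out;
    }

    boolean isAccessAllowed(String user, Set<String> groups, String resource, String action) {
        boolean isSuper = superUsers.contains(user) || !Collections.disjoint(superGroups, groups);
        boolean allowed = isSuper || evaluatePolicies(user, resource, action);
        // The super-user path is audited exactly like a policy decision, so it stays reviewable.
        auditLog.add(new Audit(user, resource, action, allowed, isSuper ? "super-user" : "policy"));
        return allowed;
    }

    // Hypothetical stand-in for normal policy evaluation: deny by default.
    private boolean evaluatePolicies(String user, String resource, String action) { return false; }

    public static void main(String[] args) {
        SuperUserModel m = new SuperUserModel();
        m.setSuperUsersAndGroups(Set.of("hbase"), Set.of());           // registered by the plugin
        m.addFromServiceConfig(Map.of("ranger.plugin.super.users", "kafka, admin",
                                      "ranger.plugin.super.groups", "ops")); // constructed sample values
        m.isAccessAllowed("hbase", Set.of(), "table:t1", "write");     // allowed: super user
        m.isAccessAllowed("alice", Set.of("ops"), "topic:x", "consume"); // allowed: super group
        m.isAccessAllowed("bob", Set.of("dev"), "topic:x", "consume"); // denied: no policy in this model
        m.auditLog.forEach(System.out::println);                       // three audit records, one per request
    }
}
```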