You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Velmurugan Periasamy (Jira)" <ji...@apache.org> on 2020/11/03 15:49:00 UTC

[jira] [Comment Edited] (RANGER-3069) Enable KMS policy editor for all with Keyadmin Role

    [ https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17225497#comment-17225497 ] 

Velmurugan Periasamy edited comment on RANGER-3069 at 11/3/20, 3:48 PM:
------------------------------------------------------------------------

This just means keyadmin role is not assigned to the user. if the user has keyadmin role, they won’t be able to see the other repos (such as hdfs, hive). These repos should be only visible to users with admin role. In Ranger, you can associate only one role (ranger built-in role) to users. Please check what role is assigned to your user in the user profile page. 

For KMS related policy operations, user's role in user profile needs to be granted keyadmin role. Just assigning encryption permission will not work. 


was (Author: vperiasamy):
This just means keyadmin role is not assigned to the user. if the user has keyadmin role, they won’t be able to see the other repos (such as hdfs, hive). These repos should be only visible to users with admin role. In Ranger, you can associate only one role (ranger built-in role) to users. Please check what role is assigned to your user in the user profile page. 

> Enable KMS policy editor for all with Keyadmin Role 
> ----------------------------------------------------
>
>                 Key: RANGER-3069
>                 URL: https://issues.apache.org/jira/browse/RANGER-3069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, kms
>    Affects Versions: 1.2.0
>            Reporter: Jasper Knulst
>            Priority: Major
>         Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'keyadmin' role and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
> This defeats the purpose of having the 'Key Admin' role as it doesn't enable the ones who have it anything. Currently it is also not auditable who specifically (in the ring of people that have access to the credentials for the keyadmin idenity credentials) has done what to key and zones



--
This message was sent by Atlassian Jira
(v8.3.4#803005)