Posted to dev@ranger.apache.org by "Velmurugan Periasamy (Jira)" <ji...@apache.org> on 2020/11/03 17:35:00 UTC

[jira] [Commented] (RANGER-3069) Ranger users should be able to have both Keyadmin and Admin Roles

    [ https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17225576#comment-17225576 ] 

Velmurugan Periasamy commented on RANGER-3069:
----------------------------------------------

This is fundamentally against role separation - so it won't work.

Option 2 is the recommended approach to cleanly separate the roles and responsibilities. 

> Ranger users should be able to have both Keyadmin and Admin Roles 
> ------------------------------------------------------------------
>
>                 Key: RANGER-3069
>                 URL: https://issues.apache.org/jira/browse/RANGER-3069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, kms
>    Affects Versions: 1.2.0
>            Reporter: Jasper Knulst
>            Priority: Major
>         Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to log on as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager.
> I learned that for all the capabilities of keyadmin user one has to have the 'keyadmin' role assigned (User Profile / Select Role). Looks like the permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected things. 'Key manager' enables nothing in the classical non-KMS. It is confusing as it promises some extra KMS functions whereas this is really coupled to the 'keyadmin' user role.
> I suggest a user should be able to have both 'admin' and 'keyadmin' user roles, as the 2 alternatives available now are not very good:
> 1. All KMS admin interactions done by a group of people that have access to the credentials of user 'keyadmin'
> 2. Set up separate personal accounts for superadmins. One for doing normal Ranger things and one for doing keyadmin things


