You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ranger.apache.org by "Jasper Knulst (Jira)" <ji...@apache.org> on 2020/11/03 16:25:00 UTC
[jira] [Updated] (RANGER-3069) Ranger users should be able to have
both Keyadmin and Admin Roles
[ https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasper Knulst updated RANGER-3069:
----------------------------------
Description:
Hi,
I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
I learned that for all the capabilities of keyadmin user one has to have the 'keyadmin' role assigned (User Profile / Select Role). Looks like the permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected things. 'Key manager' enables nothing in the classical non-KMS. It is confusing as it promises some extra KMS functions whereas this is really coupled to the 'keyadmin' user role.
I suggest a user should be able to have both 'admin' and 'keyadmin' user roles as 2 alternatives available now are not very good:
1. All KMS admin interactions done by a group of people that have access to the credentials of user 'keyadmin'
2. Setup separate personal account for superadmins. One for doing normal Ranger things and one for doing keyadmin things
was:
Hi,
I have been assigned the 'keyadmin' role and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
This defeats the purpose of having the 'Key Admin' role as it doesn't enable the ones who have it anything. Currently it is also not auditable who specifically (in the ring of people that have access to the credentials for the keyadmin idenity credentials) has done what to key and zones
Summary: Ranger users should be able to have both Keyadmin and Admin Roles (was: Enable KMS policy editor for all with Keyadmin Role )
> Ranger users should be able to have both Keyadmin and Admin Roles
> ------------------------------------------------------------------
>
> Key: RANGER-3069
> URL: https://issues.apache.org/jira/browse/RANGER-3069
> Project: Ranger
> Issue Type: Improvement
> Components: admin, kms
> Affects Versions: 1.2.0
> Reporter: Jasper Knulst
> Priority: Major
> Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
> I learned that for all the capabilities of keyadmin user one has to have the 'keyadmin' role assigned (User Profile / Select Role). Looks like the permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected things. 'Key manager' enables nothing in the classical non-KMS. It is confusing as it promises some extra KMS functions whereas this is really coupled to the 'keyadmin' user role.
> I suggest a user should be able to have both 'admin' and 'keyadmin' user roles as 2 alternatives available now are not very good:
> 1. All KMS admin interactions done by a group of people that have access to the credentials of user 'keyadmin'
> 2. Setup separate personal account for superadmins. One for doing normal Ranger things and one for doing keyadmin things
--
This message was sent by Atlassian Jira
(v8.3.4#803005)