As part of the tasks completed for the 1.0 release, two new roles, Auditor and KMS Auditor, have been introduced in Ranger Admin. Users with these roles have read-only access to all services, policies, users/groups, audits and reports.
- Users with the Auditor or KMS Auditor role will be able to export the policies in Excel and CSV.
- Even if an Auditor or KMS Auditor role user is added as a delegate admin in any policy of any service, they will still be given read-only access.
- Auditor and KMS Auditor role users will not be able to create, update or delete any services, policies, users or groups.
How to use the feature:
There are two ways to create an Auditor or KMS Auditor role user: through the Ranger UI or with a curl command.
Simple steps to create an Auditor role user:
- Log in to Ranger using the credentials of an admin role user.
- Go to Settings => Users/Groups tab.
- Click on the Add User button.
- Fill in the details, select Auditor from the Select Role drop-down, and save to create a user with the Auditor role.
Simple steps to assign the KMS Auditor role to a user:
- Create a user using Ranger admin credentials or choose one of the synced users.
- Log in to Ranger Admin using the credentials of a user having the keyadmin role.
- In the Users/Groups tab, select the user whose role you want to change to KMS Auditor.
- From the Select Role drop-down, select the KMSAuditor role and save to update the user's role.
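The curl route mentioned above, sketched as an added example that is not part of the original page or the Ranger project's own code. It assumes the user-creation endpoint `/service/xusers/secure/users`, the role constants `ROLE_ADMIN_AUDITOR` and `ROLE_KEY_ADMIN_AUDITOR`, a placeholder host, and the hypothetical variable names `RANGER_URL`, `ADMIN_USER` and `NEW_USER_PASSWORD`; the helper refuses any role that is not one of the two read-only auditor roles.

```shell
#!/bin/sh
# Added example, not Ranger project code. Assumptions: the REST path
# /service/xusers/secure/users, the role constants ROLE_ADMIN_AUDITOR and
# ROLE_KEY_ADMIN_AUDITOR, and the placeholder host below.
RANGER_URL="${RANGER_URL:-https://ranger.example.com:6182}"

# Print the JSON body for a new read-only user.
#   $1 = login name, $2 = role constant
# The password comes from NEW_USER_PASSWORD so it never appears in argv.
auditor_user_payload() {
  case "$2" in
    ROLE_ADMIN_AUDITOR|ROLE_KEY_ADMIN_AUDITOR) ;;
    *) echo "refusing role '$2': not an auditor role" >&2; return 1 ;;
  esac
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) echo "invalid login name" >&2; return 1 ;;
  esac
  # Reject characters that would break out of the JSON string.
  case "${NEW_USER_PASSWORD:-}" in
    ""|*'"'*|*'\'*)
      echo "NEW_USER_PASSWORD must be set, without quotes or backslashes" >&2
      return 1 ;;
  esac
  printf '{"name":"%s","firstName":"%s","password":"%s","status":1,"userRoleList":["%s"]}' \
    "$1" "$1" "$NEW_USER_PASSWORD" "$2"
}

# POST the body as ADMIN_USER; curl prompts for that account's password.
# Mirroring the UI steps on this page, use an admin role account for the
# Auditor role and a keyadmin account for KMS Auditor (assumption).
create_ranger_user() {
  body="$(auditor_user_payload "$1" "$2")" || return 1
  printf '%s' "$body" | curl --fail --silent --show-error \
    -u "$ADMIN_USER" -H 'Content-Type: application/json' \
    -H 'Accept: application/json' \
    -X POST "$RANGER_URL/service/xusers/secure/users" --data @-
}

# Usage (not run here), with ADMIN_USER and NEW_USER_PASSWORD set:
#   create_ranger_user audit01 ROLE_ADMIN_AUDITOR
```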
Other things to note:
The objective behind the Auditor role is to allow auditors to view all the information that an Admin role user can see. A user with the Auditor role gets a read-only view of what an Admin role user sees.
That is, an Auditor role user is blocked from create/update/delete/import/exportJson operations on all APIs, whether called from the Ranger UI or with a curl command.
The objective behind the KMS Auditor role is to allow KMS auditors to view all the information that a Keyadmin can see in the Ranger UI. A user with the KMS Auditor role gets a read-only view of what a Keyadmin role user sees.
That is, a KMS Auditor role user is blocked from create/update/delete/import/exportJson operations on all APIs, whether called from the Ranger UI or with a curl command.
An Auditor or KMS Auditor role user, even if made a delegate admin in any policy of any service, is restricted from create/update/delete/import/exportJson, i.e. the user only has view access based on its role.
A KMS Auditor will not be able to get keys even if that user is added to a policy.
Auditor and KMS Auditor role users can change their own password.
There is no default user with the Auditor or KMS Auditor role.