Introduction

As part of the tasks taken up in the 1.0 release, two new roles named Auditor and KMS Auditor have been introduced in Ranger Admin. They have read-only access to all services, policies, users/groups, audits and reports.

  • Users with the Auditor or KMS Auditor role can export policies in Excel and CSV format.
  • Even if an Auditor or KMS Auditor role user is added as a delegate admin in a policy of any service, that user still has read-only access.
  • Auditor and KMS Auditor role users cannot create, update or delete any services, policies, users or groups.

How to use the feature:

There are two ways to create an Auditor or KMS Auditor role user: through the Ranger UI or with a curl command.

Simple steps to create an Auditor role user:

  1. Log in to Ranger using the credentials of an admin role user.

  2. Go to Settings => Users/Groups tab.

  3. Click the Add User button.

  4. Fill in the details, select Auditor from the Select Role drop-down, and save to create a user with the Auditor role.
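The curl route mentioned above is not shown on this page. The script below is an added example, not code from the page or from the Ranger project: it creates an Auditor role user over REST and then reads the record back to confirm that the only role on it is the one requested. The endpoint paths, the `ROLE_*` constants, the JSON field names, the placeholder host and the use of `~/.netrc` for the admin credentials are assumptions based on Ranger's REST API, not details given here.

```shell
#!/bin/sh
# Added example, not Ranger project code. Endpoint paths and ROLE_* constants
# are assumptions from Ranger's REST API; the page does not list them.
RANGER_URL="${RANGER_URL:-https://ranger.example.com:6182}"  # placeholder host

# Map the UI role label to its API constant. Anything else is refused, so a
# typo can never grant an admin role.
role_constant() {
  case "$1" in
    Auditor)    echo "ROLE_ADMIN_AUDITOR" ;;
    KMSAuditor) echo "ROLE_KEY_ADMIN_AUDITOR" ;;
    *)          return 1 ;;
  esac
}

# Build the JSON body: user_json <name> <role label> <password>
user_json() {
  role="$(role_constant "$2")" || return 1
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac      # safe charset only
  pw="$(printf '%s' "$3" | sed 's/\\/\\\\/g; s/"/\\"/g')"  # JSON-escape
  printf '{"name":"%s","firstName":"%s","password":"%s","userRoleList":["%s"],"status":1}' \
    "$1" "$1" "$pw" "$role"
}

# Pull the role list out of a user record returned by Ranger (compact JSON).
roles_of() {
  printf '%s' "$1" | sed -n 's/.*"userRoleList" *: *\[\([^]]*\)].*/\1/p' | tr -d '" '
}

# Create the user as an admin role user (credentials read from ~/.netrc, so
# they stay off the command line), then read the record back and fail unless
# the only role on it is the one requested.
create_and_verify() {
  body="$(user_json "$1" "$2" "$NEW_PW")" || { echo "bad name or role" >&2; return 1; }
  printf '%s' "$body" | curl -sS -f --netrc \
    -H 'Content-Type: application/json' -X POST --data @- \
    "$RANGER_URL/service/xusers/secure/users" >/dev/null || return 1
  rec="$(curl -sS -f --netrc -H 'Accept: application/json' \
    "$RANGER_URL/service/xusers/users/userName/$1")" || return 1
  [ "$(roles_of "$rec")" = "$(role_constant "$2")" ]
}

# Usage: NEW_PW='...' sh create_auditor.sh create audit1 Auditor
if [ "${1:-}" = "create" ]; then create_and_verify "$2" "$3"; fi
```

A non-zero exit from `create_and_verify` means the request failed or the stored role list differs from the requested role, which is worth investigating before the account is handed to an auditor.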

 

Simple steps to assign the KMS Auditor role to a user:

  1. Create a user using Ranger admin credentials, or choose one of the synced users.
  2. Log in to Ranger Admin using the credentials of a user with the keyadmin role.

  3. In the Users/Groups tab, select the user whose role you want to change to KMS Auditor.


  4. From the Select Role drop-down, select the KMSAuditor role and save to update the user's role.



Other things to be noted:

  • The objective behind the Auditor role is to allow auditors to view all information that an Admin role user can see. A user with the Auditor role gets a read-only view of what an Admin role user sees.

    • That is, an Auditor role user is blocked from create/update/delete/import/exportJson on all APIs, both in the Ranger UI and through curl commands.

  • The objective behind the KMS Auditor role is to allow KMS auditors to view all information that a Keyadmin can see in the Ranger UI. A user with the KMS Auditor role gets a read-only view of what a Keyadmin role user sees.

    • That is, a KMS Auditor role user is blocked from create/update/delete/import/exportJson on all APIs, both in the Ranger UI and through curl commands.

  • An Auditor or KMS Auditor role user, even if made a delegate admin in any policy of any service, is restricted from create/update/delete/import/exportJson, i.e. the user only has view access based on its role.

  • A KMS Auditor will not be able to get keys, even if that user is added in a policy.

  • Auditor and KMS Auditor role users can change their own password.

  • There is no default user with the Auditor or KMS Auditor role.






