[jira] [Comment Edited] (RANGER-3069) Enable KMS policy editor for all with Keyadmin Role

Tue, 03 Nov 2020 07:49:49 -0800 


    [ 
https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17225497#comment-17225497
 ] 

Velmurugan Periasamy edited comment on RANGER-3069 at 11/3/20, 3:48 PM:
------------------------------------------------------------------------

This just means keyadmin role is not assigned to the user. if the user has 
keyadmin role, they won’t be able to see the other repos (such as hdfs, hive). 
These repos should be only visible to users with admin role. In Ranger, you can 
associate only one role (ranger built-in role) to users. Please check what role 
is assigned to your user in the user profile page. 

For KMS related policy operations, user's role in user profile needs to be 
granted keyadmin role. Just assigning encryption permission will not work. 


was (Author: vperiasamy):
This just means keyadmin role is not assigned to the user. if the user has 
keyadmin role, they won’t be able to see the other repos (such as hdfs, hive). 
These repos should be only visible to users with admin role. In Ranger, you can 
associate only one role (ranger built-in role) to users. Please check what role 
is assigned to your user in the user profile page. 

> Enable KMS policy editor for all with Keyadmin Role 
> ----------------------------------------------------
>
>                 Key: RANGER-3069
>                 URL: https://issues.apache.org/jira/browse/RANGER-3069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, kms
>    Affects Versions: 1.2.0
>            Reporter: Jasper Knulst
>            Priority: Major
>         Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'keyadmin' role and I do see the extra UI menu 
> option 'Encryption'. However I don't get to see the extra tile/ranger-service 
> for <cluster>_KMS at Resource Based policies to be able to edit key related 
> policies. I still have to logon as user/identity 'keyadmin' to see the 
> <cluster>_KMS tile in the Service Manager
> This defeats the purpose of having the 'Key Admin' role as it doesn't enable 
> the ones who have it anything. Currently it is also not auditable who 
> specifically (in the ring of people that have access to the credentials for 
> the keyadmin idenity credentials) has done what to key and zones



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to