[
https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jasper Knulst updated RANGER-3069:
----------------------------------
Description:
Hi,
I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do
see the extra UI menu option 'Encryption'. However I don't get to see the extra
tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to
edit key related policies. I still have to logon as user/identity 'keyadmin' to
see the <cluster>_KMS tile in the Service Manager
I learned that for all the capabilities of keyadmin user one has to have the
'keyadmin' role assigned (User Profile / Select Role). Looks like the
permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected
things. 'Key manager' enables nothing in the classical non-KMS. It is confusing
as it promises some extra KMS functions whereas this is really coupled to the
'keyadmin' user role.
I suggest a user should be able to have both 'admin' and 'keyadmin' user roles
as 2 alternatives available now are not very good:
1. All KMS admin interactions done by a group of people that have access to the
credentials of user 'keyadmin'
2. Setup separate personal account for superadmins. One for doing normal Ranger
things and one for doing keyadmin things
was:
Hi,
I have been assigned the 'keyadmin' role and I do see the extra UI menu option
'Encryption'. However I don't get to see the extra tile/ranger-service for
<cluster>_KMS at Resource Based policies to be able to edit key related
policies. I still have to logon as user/identity 'keyadmin' to see the
<cluster>_KMS tile in the Service Manager
This defeats the purpose of having the 'Key Admin' role as it doesn't enable
the ones who have it anything. Currently it is also not auditable who
specifically (in the ring of people that have access to the credentials for the
keyadmin idenity credentials) has done what to key and zones
Summary: Ranger users should be able to have both Keyadmin and Admin
Roles (was: Enable KMS policy editor for all with Keyadmin Role )
> Ranger users should be able to have both Keyadmin and Admin Roles
> ------------------------------------------------------------------
>
> Key: RANGER-3069
> URL: https://issues.apache.org/jira/browse/RANGER-3069
> Project: Ranger
> Issue Type: Improvement
> Components: admin, kms
> Affects Versions: 1.2.0
> Reporter: Jasper Knulst
> Priority: Major
> Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'Key Manager' role (Settings -> Permissions) and I
> do see the extra UI menu option 'Encryption'. However I don't get to see the
> extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be
> able to edit key related policies. I still have to logon as user/identity
> 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
> I learned that for all the capabilities of keyadmin user one has to have the
> 'keyadmin' role assigned (User Profile / Select Role). Looks like the
> permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected
> things. 'Key manager' enables nothing in the classical non-KMS. It is
> confusing as it promises some extra KMS functions whereas this is really
> coupled to the 'keyadmin' user role.
> I suggest a user should be able to have both 'admin' and 'keyadmin' user
> roles as 2 alternatives available now are not very good:
> 1. All KMS admin interactions done by a group of people that have access to
> the credentials of user 'keyadmin'
> 2. Setup separate personal account for superadmins. One for doing normal
> Ranger things and one for doing keyadmin things
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
