[jira] [Commented] (RANGER-3069) Ranger users should be able to have both Keyadmin and Admin Roles

Tue, 03 Nov 2020 09:35:26 -0800 


    [ 
https://issues.apache.org/jira/browse/RANGER-3069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17225576#comment-17225576
 ] 

Velmurugan Periasamy commented on RANGER-3069:
----------------------------------------------

This is fundamentally against roles separation - so it won't work. 

Option 2 is the recommended approach to cleanly separate the roles and 
responsibilities. 

> Ranger users should be able to have both Keyadmin and Admin Roles 
> ------------------------------------------------------------------
>
>                 Key: RANGER-3069
>                 URL: https://issues.apache.org/jira/browse/RANGER-3069
>             Project: Ranger
>          Issue Type: Improvement
>          Components: admin, kms
>    Affects Versions: 1.2.0
>            Reporter: Jasper Knulst
>            Priority: Major
>         Attachments: Screenshot 2020-11-03 at 16.38.11.png
>
>
> Hi,
> I have been assigned the 'Key Manager' role (Settings -> Permissions) and I 
> do see the extra UI menu option 'Encryption'. However I don't get to see the 
> extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be 
> able to edit key related policies. I still have to logon as user/identity 
> 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
> I learned that for all the capabilities of keyadmin user one has to have the 
> 'keyadmin' role assigned (User Profile / Select Role). Looks like the 
> permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected 
> things. 'Key manager' enables nothing in the classical non-KMS. It is 
> confusing as it promises some extra KMS functions whereas this is really 
> coupled to the 'keyadmin' user role.
> I suggest a user should be able to have both 'admin' and 'keyadmin' user 
> roles as 2 alternatives available now are not very good: 
> 1. All KMS admin interactions done by a group of people that have access to 
> the credentials of user 'keyadmin'
> 2. Setup separate personal account for superadmins. One for doing normal 
> Ranger things and one for doing keyadmin things



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to