[ https://issues.apache.org/jira/browse/RANGER-5627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ramachandran Krishnan reassigned RANGER-5627:
---------------------------------------------
Assignee: Ramachandran Krishnan
> support configuration-based super users and super groups in Ranger Admin
> ------------------------------------------------------------------------
>
> Key: RANGER-5627
> URL: https://issues.apache.org/jira/browse/RANGER-5627
> Project: Ranger
> Issue Type: Improvement
> Components: admin
> Reporter: Madhan Neethiraj
> Assignee: Ramachandran Krishnan
> Priority: Major
>
> Apache Ranger currently relies on a local Ranger user account with
> administrator privileges to perform/bootstrap privileged operations such as:
> * Creating and managing services, security zones, policies, roles
> * Viewing audits
> * Granting admin and auditor roles to other users
> * Performing Ranger administration tasks
> In environments where authentication is delegated to external identity
> providers such as LDAP, Kerberos, OIDC, or SAML, there is no straightforward
> mechanism to designate externally authenticated users as Ranger
> administrators independent of Ranger-managed roles and users.
> This creates several operational challenges:
> * Dependence on a local Ranger administrator account
> * Shared administrative credentials in some deployments
> * Difficulty integrating Ranger administration with enterprise identity
> management
> * Limited support for Kubernetes-native and SSO-based deployment models
> * Reduced auditability when multiple administrators share a common account
>
> *Proposed Enhancement*
> Introduce support for configuration-based Ranger super users, like:
> {code:java}
> ranger.admin.super.users=user1,user2
> ranger.admin.super.groups=group1,group2
> {code}
> Specified users and users belonging to specified groups should be granted
> administrative privileges in Ranger.
> The authentication mechanism should be independent of the authorization
> decision and may include local authentication, LDAP, Kerberos, OIDC, SAML, or
> other supported authentication providers.
>
> *Expected Behavior*
> Users configured as super users should be able to perform all Ranger
> administrative operations, including but not limited to:
> * Service management
> * Policy management
> * User and group administration
> * Role administration
> * Audit access
> * Security administration functions
>
> *Benefits*
> * Better integration with enterprise identity providers
> * Elimination of shared local administrator accounts
> * Improved auditability through individual administrator identities
> * Simplified administration in SSO-enabled environments
> * Better support for containerized and Kubernetes-based deployments
> * Recovery and break-glass administrative access without dependence on
> Ranger-managed roles
>
> *Compatibility*
> The enhancement should be backward compatible. Existing Ranger administrator
> accounts and authorization mechanisms should continue to function unchanged
> when the new configuration properties are not specified.
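One way the two proposed properties could be evaluated, added here as an example; it is not Ranger code and not part of the issue. The class and method names are hypothetical, and exact, case-sensitive name matching is an assumption the issue does not specify.

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical class: decides super-user status from configuration only,
// after authentication (local, LDAP, Kerberos, OIDC, SAML) has already happened.
public class SuperUserCheck {
    // Property names are taken from the proposal in RANGER-5627.
    static final String PROP_USERS  = "ranger.admin.super.users";
    static final String PROP_GROUPS = "ranger.admin.super.groups";

    private final Set<String> superUsers;
    private final Set<String> superGroups;

    SuperUserCheck(Properties conf) {
        // Unset properties produce empty sets, so nobody is elevated and
        // existing role-based authorization is the only path (backward compatible).
        superUsers  = parse(conf.getProperty(PROP_USERS));
        superGroups = parse(conf.getProperty(PROP_GROUPS));
    }

    // Split a comma-separated value; blank entries are dropped so a stray
    // comma ("user1,,user2,") can never match an empty principal name.
    static Set<String> parse(String value) {
        if (value == null) return Collections.emptySet();
        return Arrays.stream(value.split(","))
                     .map(String::trim)
                     .filter(s -> !s.isEmpty())
                     .collect(Collectors.toUnmodifiableSet());
    }

    // userName and groups are the identity the authentication provider established.
    boolean isSuperUser(String userName, Collection<String> groups) {
        if (userName == null || userName.isEmpty()) return false; // fail closed
        if (superUsers.contains(userName)) return true;
        return groups != null && groups.stream().anyMatch(superGroups::contains);
    }

    public static void main(String[] args) {
        Properties conf = new Properties(); // constructed sample configuration
        conf.setProperty(PROP_USERS, "user1, user2,");
        conf.setProperty(PROP_GROUPS, "group1,group2");
        SuperUserCheck check = new SuperUserCheck(conf);
        System.out.println("user1 by name:   " + check.isSuperUser("user1", List.of()));
        System.out.println("alice by group:  " + check.isSuperUser("alice", List.of("group2")));
        System.out.println("bob, no match:   " + check.isSuperUser("bob", List.of("staff")));
        System.out.println("empty principal: " + check.isSuperUser("", List.of("group1")));
        System.out.println("nothing set:     "
            + new SuperUserCheck(new Properties()).isSuperUser("user1", List.of("group1")));
    }
}
```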