ramackri opened a new pull request, #1013: URL: https://github.com/apache/ranger/pull/1013
## What changes were proposed in this pull request?

Implements [RANGER-5627](https://issues.apache.org/jira/browse/RANGER-5627): configuration-based Ranger Admin super users and super groups via `ranger.admin.super.users` and `ranger.admin.super.groups` in `ranger-admin-site.xml`.

**Problem addressed:** Externally authenticated users (LDAP/Kerberos/OIDC/SAML) could not be designated as Ranger administrators without Ranger managed DB roles. Deployments relied on shared local `admin` accounts, limiting enterprise IdM integration, SSO/K8s models, and per-user auditability.

**Solution:** Matching users receive full admin session flags, Spring Security roles, module permissions, and REST authorization at login **without** changing `x_portal_user_role`. Authentication provider remains independent of the elevation decision.

**Backward compatible** when both config properties are empty. Re-login required after config or UserSync group membership changes.

## How was this patch tested?

### 1. Unit tests

Run from repo root:

```bash
mvn test -pl security-admin \
  -Dtest=TestRangerSuperUserConfig,TestSessionMgr,TestUserMgr,TestXUserMgr,TestRangerBizUtil,TestRoleDBStore \
  -Dfrontend.skip=true
```

**Result:** All targeted unit tests pass.

| Test class | Coverage |
|------------|----------|
| `TestRangerSuperUserConfig` | Config parsing, enable/disable, user/group match |
| `TestSessionMgr` | Session flags and module permissions at login |
| `TestUserMgr` | Authentication roles and profile overrides |
| `TestXUserMgr` | `getSyncedGroupsForUser` vs `getGroupsForUser` |
| `TestRangerBizUtil` | `isUserRangerAdmin`, access checks |
| `TestRoleDBStore` | Role list bypass for elevated sessions |

For more details: https://github.com/apache/ranger/pull/1000

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
