ranger-dev mailing list archives

From Fatima Khan <fatimakhan4...@gmail.com>
Subject Re: Review Request 65914: Ranger 1948 : Support for Read-only Ranger Admin users
Date Thu, 08 Mar 2018 11:31:17 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65914/
-----------------------------------------------------------

(Updated March 8, 2018, 11:31 a.m.)


Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni, Madhan Neethiraj,
Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and Sailaja Polavarapu.


Bugs: Ranger-1948
    https://issues.apache.org/jira/browse/Ranger-1948


Repository: ranger


Description
-------

This Jira is to cater to the need for Auditor roles in Ranger Admin.

We can introduce Auditor roles for both the Administrator roles in Ranger Admin.
* Auditor (read-only privileges from current Admin role user)
* KMS Auditor (read-only privileges from current Keyadmin role user)


Diffs (updated)
-----

  security-admin/scripts/rolebasedusersearchutil.py d651461 
  security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 15937c7 
  security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java 840bb38 
  security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 03bcb60 
  security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 224f1a0 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ecde444 
  security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java a989c84 
  security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 9eb8f1f 
  security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 8341a73 
  security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java a110035 
  security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java c2fac0b 
  security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java 487fefa 
  security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java e31e9d7 
  security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 0e99be1 
  security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java bcf9080 
  security-admin/src/main/java/org/apache/ranger/patch/cliutil/RoleBasedUserSearchUtil.java d3a28f7
  security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 9f7cd26 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cb7ca52 
  security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 9c19bb0 
  security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java c81a6f3 
  security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 6951cbd
  security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java 4227d85 
  security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 87da9a0 
  unixauthservice/scripts/install.properties be8723c 


Diff: https://reviews.apache.org/r/65914/diff/3/

Changes: https://reviews.apache.org/r/65914/diff/2-3/


Testing
-------

Tested scenarios:
1. Tested admin user is able to create User role user.
2. Tested admin user is able to create Auditor role user.
3. Tested admin user is not able to create kms auditor role user.
4. Tested keyadmin user is able to create kms auditor.
5. Tested auditor is able to only view policies, users, services and audits.
6. Tested kms auditor is able to only view policies, users, services, audits and keys.
7. Tested auditor is able to see permission tab but kms auditor should not see permission tab.
8. Auditor role users are not allowed to import/export policies.
9. Verified syncing of users from auditor role: if we add them in the install.properties of usersync during the initial start of usersync. Property value in install.properties will be
GROUP_BASED_ROLE_ASSIGNMENT_RULES= &ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName


Thanks,

Fatima Khan

