Adding default service users and roles for Ranger
Cloudera Manager creates default Ranger Admin roles for the minimum set of service users.
Runtime releases 7.1.8 and 7.2.16 introduce a new configuration property:
- Name: ranger.usersync.whitelist.users.role.assignment.rules
- Default Value: &ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,ranger,rangeradmin,rangerraz,rangerrms&ROLE_KEY_ADMIN:u:keyadmin
This property uses the same format as
ranger.usersync.group.based.role.assignment.rules. It is populated by
Cloudera Manager with default service usernames. For custom principals, this configuration must
be updated accordingly for the role assignment rules to be applied appropriately by Ranger
usersync. Any change to these configuration values requires a restart of Ranger usersync. Ranger
usersync applies these rules during restart and every sync cycle, if changed. If the same service
user exists in:
- ranger.usersync.whitelist.users.role.assignment.rules, and
- ranger.usersync.group.based.role.assignment.rules
with different role assignments, then the role assignment from ranger.usersync.whitelist.users takes priority. This is true even if ranger.usersync.group.based.role.assignment.rules has role assignment rules for a group that has service users as members. Any changes to the role assignments made to these service users from the Ranger UI or REST API are temporary and will reset in the next Ranger usersync sync cycle.
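The following added example (not Cloudera or Ranger code) parses both rule properties and resolves the role a service user ends up with under the precedence described above, which helps when auditing who holds ROLE_SYS_ADMIN or checking a custom principal before restarting usersync. The group-based rule string and the group memberships are constructed sample data, and checking explicit user entries before group entries inside the group-based property is an assumption of this sketch.

```python
# Default value of ranger.usersync.whitelist.users.role.assignment.rules (from this page)
WHITELIST_DEFAULT = ("&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,ranger,"
                     "rangeradmin,rangerraz,rangerrms&ROLE_KEY_ADMIN:u:keyadmin")
# Constructed sample value for ranger.usersync.group.based.role.assignment.rules
GROUP_RULES_SAMPLE = "&ROLE_USER:g:svc_accounts&ROLE_USER:u:keyadmin"


def parse_rules(value):
    """Parse '&ROLE:u|g:name1,name2&...' into {'u': {name: role}, 'g': {name: role}}."""
    parsed = {"u": {}, "g": {}}
    for chunk in filter(None, (c.strip() for c in value.split("&"))):
        parts = chunk.split(":", 2)
        if len(parts) != 3 or parts[1] not in parsed or not parts[0].startswith("ROLE_"):
            raise ValueError(f"malformed rule: {chunk!r}")
        role, kind, names = parts
        for name in filter(None, (n.strip() for n in names.split(","))):
            parsed[kind][name] = role
    return parsed


def effective_role(user, groups, whitelist, group_based):
    """Return (role, source). A whitelist entry wins over any group-based rule."""
    if user in whitelist["u"]:
        return whitelist["u"][user], "whitelist"
    # Assumption: within the group-based property, a u: entry is checked before g: entries.
    if user in group_based["u"]:
        return group_based["u"][user], "group_based:user"
    for group in groups:
        if group in group_based["g"]:
            return group_based["g"][group], "group_based:group"
    return None, "no rule"


def sys_admins(whitelist):
    """List the users the whitelist property pins to ROLE_SYS_ADMIN."""
    return sorted(u for u, r in whitelist["u"].items() if r == "ROLE_SYS_ADMIN")


if __name__ == "__main__":
    wl, gb = parse_rules(WHITELIST_DEFAULT), parse_rules(GROUP_RULES_SAMPLE)
    # 'customsvc' is a hypothetical custom principal that is not in the whitelist.
    for user, groups in [("rangerraz", ["svc_accounts"]), ("keyadmin", []),
                         ("customsvc", ["svc_accounts"])]:
        print(user, effective_role(user, groups, wl, gb))
    print("ROLE_SYS_ADMIN via whitelist:", sys_admins(wl))
```

In this sample, the custom principal falls through to the group rule and receives ROLE_USER, which is the case where the whitelist property needs updating.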