Adding default service users and roles for Ranger

Cloudera Manager creates default Ranger Admin roles for the minimum set of service users by default.

Runtime releases 7.1.8 and 7.2.16 introduce a new configuration property:

Name
ranger.usersync.whitelist.users.role.assignment.rules
Default Value
&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,ranger,rangeradmin,rangerraz,rangerrms&ROLE_KEY_ADMIN:u:keyadmin
This property uses same format as ranger.usersync.group.based.role.assignment.rules. It is populated by Cloudera Manager with default service usernames. For custom principals, this configuration must be updated accordingly for the role assignments rules to be applied appropriately by Ranger usersync. Any change to these configuration values requires a restart of Ranger usersync. Ranger usersync applies these rules during restart and every sync cycle, if changed. If the same service user exists in:
  • ranger.usersync.whitelist.users.role.assignment.rules, and
  • ranger.usersync.group.based.role.assignment.rules

with different role assignments, then the role assignment from ranger.usersync.whitelist.users takes priority. This is true even if ranger.usersync.group.based.role.assignment.rules has role assignment rules for a group that has service users as members. Any changes to the role assignments made to these service users from Ranger UI or rest API are temporary and will reset in the next Ranger usersync sync cycle.