Administering Ranger Users, Groups, Roles, and Permissions

To list the users, groups, and roles for which Ranger manages access to CDP services, select Ranger Admin Web UI > Settings > Users/Groups/Roles.

Overview: Ranger User/Groups/Roles

Users lists:

  • Internal users who can log in to the Ranger portal; created by the Ranger console Service Manager.
  • External users who can access services controlled by the Ranger portal; created in other systems such as Active Directory, LDAP, or UNIX. Ranger Usersync synchronizes the list shown in Users with the user lists stored in AD, LDAP, or UNIX systems.
  • Admin users who are the only users with permission to create users and services, run reports, and perform other administrative tasks. Admin users can also create child policies based on the original policy (base policy).

Users also shows the Groups to which each user belongs.

The following example shows internal, external, and Admin users listed on Users:

Groups lists:

  • Internal groups, created by the Ranger console Service Manager.
  • External groups, created by other systems such as Active Directory, LDAP, or UNIX.
  • On the Groups page, you can click Users to view the members of a specific group.

The following figure shows internal and external groups listed on Groups:

The Users and Groups pages list a Sync Source for each user and group. To filter Users and Groups by sync source type, select Sync Source as a search filter, then enter a sync source type, such as Unix or LDAP/AD. To view more information about the sync source, click Sync Details for a user or group.

The following example shows the sync details for the rangertagsync user.

Roles lists:

  • Role names, and related mappings to:
      • User names
      • Group names
      • Other role names

What is a Role?

A role is a set of permissions that you assign to a user, group, or another role. You assign a role by adding a user, group, or role to it. By adding roles to other roles, you create a role hierarchy in which you manage permission sets at the role level. For example, a workflow to create a role hierarchy:

  1. Create a new role.
  2. Add permissions to the role. For example, in Hadoop SQL, create a policy for a table that provides the necessary permissions and add the role in the Role selector of Allow.
  3. Repeat step 2 until you have assigned all permissions.
  4. Add users, groups, or other roles to the new role, which assigns the permission set to each of them.

Benefits that roles provide in a large environment:

  • A role may include many permissions, all of which may be granted to or revoked from a user or group using a single command.
  • Adding a single permission to, or revoking it from, a role requires a single command, which then applies to all users and groups with that role.
  • Roles allow for some documentation about why a permission is granted or revoked.

In other words, a role is a collection of permissions. A group is a collection of users. You create a role and add permissions to it. Then, you grant that role to a group. Roles present an easier way to manage a set of permissions based on specific access criteria.

Example Ranger Role hierarchy

A simple example of a role hierarchy follows:
  • FinReadOnly role, which gives read permission on all tables in the Finance database and is defined by a Ranger policy that grants read on database:Finance, table:* to the FinReadOnly role.
  • FinWrite role, which gives write permission on all tables in the Finance database and is defined by a Ranger policy that grants write on database:Finance, table:* to the FinWrite role.
  • FinReadWrite role, which is granted both the FinReadOnly and FinWrite roles and thereby inherits read and write permission to all tables in the Finance database.
  • FinReporting group whose users require only read permission to the Finance tables. FinReporting group is added to FinReadOnly role in Ranger.
  • FinDataPrep group whose users require only write permission to the Finance tables. FinDataPrep group is added to the FinWrite role in Ranger.
  • FinPowerUser group whose users require read and write permission to all Finance tables. FinPowerUser group is added to the FinReadWrite role in Ranger.
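The following Python script is an added worked example, not code from Cloudera or the Ranger project. It models the role workflow above (create a role, attach it to policies, add users, groups, or other roles to it) using the Finance hierarchy just described, resolves the effective permissions of each group by walking nested role membership the way Ranger expands roles at policy evaluation, and builds the JSON body you would send to create each role. The ROLE_POLICIES and ROLE_MEMBERS tables are constructed data; the `role_payload()` shape follows the RangerRole JSON accepted by `POST /service/roles/roles` in Ranger 2.x as I understand it, and the `read`/`write` access names are taken from the page rather than from a specific Hive policy. Nothing here contacts a Ranger server.

```python
"""Resolve effective permissions through a Ranger-style role hierarchy.

Added example (not Cloudera's or Ranger's own code). Role membership is
modelled as Ranger does it: a role lists the users, groups and *roles*
that are its members, and a member role passes the containing role's
permissions down to its own members. So FinReadWrite is added as a
member of FinReadOnly and of FinWrite, and FinPowerUser (a member of
FinReadWrite) ends up with read and write.
"""
import json

# Constructed data: what each role is granted directly by a Ranger policy,
# keyed by resource -> set of access types.
ROLE_POLICIES = {
    "FinReadOnly": {"database:Finance,table:*": {"read"}},
    "FinWrite": {"database:Finance,table:*": {"write"}},
    "FinReadWrite": {},  # no direct policy; inherits via role membership
}

# Constructed data: the members added to each role (workflow step 4).
# Adding role X as a member of role Y gives X's members Y's permission set.
ROLE_MEMBERS = {
    "FinReadOnly": {"users": [], "groups": ["FinReporting"], "roles": ["FinReadWrite"]},
    "FinWrite": {"users": [], "groups": ["FinDataPrep"], "roles": ["FinReadWrite"]},
    "FinReadWrite": {"users": [], "groups": ["FinPowerUser"], "roles": []},
}


def roles_of(kind, name, members=ROLE_MEMBERS):
    """Return every role `name` (a user, group or role; `kind` is the
    member list to search) belongs to, directly or through nesting."""
    direct = {r for r, m in members.items() if name in m[kind]}
    resolved, frontier = set(), list(direct)
    while frontier:
        role = frontier.pop()
        if role in resolved:
            continue  # guards against role cycles
        resolved.add(role)
        # every role that lists `role` as a member role also applies
        frontier.extend(r for r, m in members.items() if role in m["roles"])
    return resolved


def effective_permissions(kind, name, policies=ROLE_POLICIES, members=ROLE_MEMBERS):
    """Union of the direct grants of all roles the principal resolves to."""
    perms = {}
    for role in roles_of(kind, name, members):
        for resource, access in policies.get(role, {}).items():
            perms.setdefault(resource, set()).update(access)
    return perms


def role_payload(role, description="", members=ROLE_MEMBERS):
    """JSON body for creating `role` via the Ranger role REST API
    (assumed RangerRole shape; isAdmin marks members who may edit the role)."""
    m = members[role]
    return {
        "name": role,
        "description": description,
        "users": [{"name": u, "isAdmin": False} for u in m["users"]],
        "groups": [{"name": g, "isAdmin": False} for g in m["groups"]],
        "roles": [{"name": r, "isAdmin": False} for r in m["roles"]],
    }


if __name__ == "__main__":
    for group in ("FinReporting", "FinDataPrep", "FinPowerUser"):
        perms = {k: sorted(v) for k, v in effective_permissions("groups", group).items()}
        print(f"{group}: roles={sorted(roles_of('groups', group))} perms={perms}")
    print(json.dumps(role_payload("FinReadOnly", "Read access to Finance"), indent=2))
```

Running the script prints, for each group, the roles it resolves to and its effective permissions, then the creation payload for FinReadOnly. The cycle guard in `roles_of()` matters in practice: nothing in the hierarchy model stops an administrator from adding role A to role B and B to A, and a resolver without the visited set would loop.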