Adding default service users and roles for Ranger
By default, Cloudera Manager adds a property with default values that define roles for the minimum set of service users.
Runtime releases 7.1.8 and 7.2.16 introduce a new configuration property:
- Name: ranger.usersync.whitelist.users.role.assignment.rules
- Default Value: &ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,ranger,rangeradmin,rangerraz,rangerrms&ROLE_KEY_ADMIN:u:keyadmin
Type whitelist in Search to see the property and assigned values. Ranger Usersync creates roles for each service user during synchronization.
ranger.usersync.whitelist.users.role.assignment.rules uses the same format as ranger.usersync.group.based.role.assignment.rules.
If you add any custom principals, you must update the list of values for ranger.usersync.whitelist.users.role.assignment.rules accordingly so that Ranger Usersync applies the role assignment rules appropriately. Any change to these configuration values requires a restart of Ranger Usersync. Ranger Usersync applies these rules during restart and, if they have changed, during every sync cycle.
If a service user appears in both
- ranger.usersync.whitelist.users.role.assignment.rules, and
- ranger.usersync.group.based.role.assignment.rules
with different role assignments, then the role assignment from ranger.usersync.whitelist.users.role.assignment.rules takes priority. This is true even if ranger.usersync.group.based.role.assignment.rules has role assignment rules for a group that has service users as members. Any changes made to the role assignments of these service users from the Ranger UI or REST API are temporary. The next Ranger Usersync sync cycle resets them.
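
The precedence described above, as an added example (not Cloudera's or Ranger's own code): a Python audit helper that parses both properties and reports, for each whitelisted service user, the role that takes effect and any group-based role it overrides. The `g:` group prefix, the group name `svc-accounts`, the memberships, the function names, and the choice to reject a user whitelisted under two roles are assumptions of this example.

```python
# Added example: audits the two Usersync role-assignment properties.
# DEFAULT_WHITELIST is the default value quoted on this page; GROUP_RULES and
# MEMBERSHIPS are constructed sample data.
DEFAULT_WHITELIST = ("&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,"
                     "ranger,rangeradmin,rangerraz,rangerrms"
                     "&ROLE_KEY_ADMIN:u:keyadmin")
GROUP_RULES = "&ROLE_USER:g:svc-accounts&ROLE_SYS_ADMIN:u:keyadmin"
MEMBERSHIPS = {"rangerraz": ["svc-accounts"]}


def parse_rules(value):
    """Parse '&ROLE:u:a,b&ROLE2:g:x' into {(kind, name): {roles}}."""
    rules = {}
    for rule in value.split("&"):
        rule = rule.strip()
        if not rule:
            continue  # the leading '&' yields an empty first element
        parts = rule.split(":", 2)
        if len(parts) != 3 or not parts[0] or parts[1] not in ("u", "g"):
            raise ValueError(f"malformed rule: {rule!r}")
        role, kind, names = parts
        for name in filter(None, (n.strip() for n in names.split(","))):
            rules.setdefault((kind, name), set()).add(role)
    return rules


def audit(whitelist_value, group_value, memberships):
    """Map each whitelisted user to (effective role, overridden roles)."""
    whitelist = parse_rules(whitelist_value)
    group_rules = parse_rules(group_value)
    report = {}
    for (kind, user), roles in whitelist.items():
        if kind != "u":
            continue
        if len(roles) != 1:
            # This example's own policy: refuse an ambiguous whitelist entry.
            raise ValueError(f"{user} is whitelisted under several roles")
        effective = next(iter(roles))
        other = set(group_rules.get(("u", user), ()))
        for group in memberships.get(user, ()):
            other |= group_rules.get(("g", group), set())
        # The whitelist role takes priority over any group-based role.
        report[user] = (effective, sorted(other - {effective}))
    return report


if __name__ == "__main__":
    for user, (role, overridden) in sorted(audit(
            DEFAULT_WHITELIST, GROUP_RULES, MEMBERSHIPS).items()):
        print(f"{user:16} {role:16} overrides={overridden}")
```

A non-empty overrides list marks a service user whose group-based assignment differs from the whitelist and is therefore ignored.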