Adding default service users and roles for Ranger

Cloudera Manager adds a property and default values that define roles for the minimum set of service users by default.

Runtime releases 7.1.8 and 7.2.16 introduce a new configuration property:

Name
ranger.usersync.whitelist.users.role.assignment.rules
Default Value
&ROLE_SYS_ADMIN:u:admin,rangerusersync,rangertagsync,ranger,rangeradmin,rangerraz,rangerrms&ROLE_KEY_ADMIN:u:keyadmin

Go to Cloudera Manager > Ranger > Configuration, then type whitelist in Search to see the property and assigned values. Ranger Usersync creates roles for each service user during syncronization.

ranger.usersync.whitelist.users.role.assignment.rules uses same format as ranger.usersync.group.based.role.assignment.rules.

If you add any custom principals, you must update the list of values for ranger.usersync.whitelist.users.role.assignment.rules accordingly so that Ranger usersync applies role assignments rules appropriately. Any change to these configuration values requires a restart of Ranger usersync. Ranger usersync applies these rules during restart and every sync cycle, if changed.

If the same service user exists in:
  • ranger.usersync.whitelist.users.role.assignment.rules, and
  • ranger.usersync.group.based.role.assignment.rules

with different role assignments, then the role assignment from ranger.usersync.whitelist.users.role.assignment.rules takes priority. This is true even if ranger.usersync.group.based.role.assignment.rules has role assignment rules for a group that has service users as members. Any changes to the role assignments made to these service users from Ranger UI or rest API are temporary. The next Ranger usersync sync cycle resets them.