Configuring Usersync assignment of Admin users

How to automatically assign Admin and Key Admin roles for external users

Ranger provides configuration for defining roles for external users.

Usersync pulls in users/groups from your external user repository, such as LDAP/AD, and populates the Ranger database with these users/groups. Use this procedure to automatically assign roles to specific users/groups. The example properties shown in this topic automatically assign the ADMIN/KEYADMIN role to external users.

Currently, Ranger supports various roles (or privileges) to be assigned to a user:

ROLE_SYS_ADMIN
Has permission to create users, group, roles, services, and policies, run reports, and perform other administrative tasks. Admin users can also create child policies based on the original policy.
ROLE_KEY_ADMIN
Has permission to manage (create, update, or delete) access policies and keys for Ranger KMS.
ROLE_USER

Has least privilege (and default role) assigned to a user. All users are assigned this default role.

ROLE_ADMIN_AUDITOR
An Admin user with read-only permission.
ROLE_KEY_ADMIN_AUDITOR
An Admin user with read-only permission for Ranger KMS.

Auditor and KMS Auditor roles have been introduced in Ranger Admin. Users with these roles have read-only access to all the services, policies, user/groups,audits and reports.

  • The Auditor role allows a user with Auditor role to view all information that a user with Admin role can see. A user with Auditor role will have a read-only view of a user with Admin role. In other words, a user with Auditor role user will be blocked from the create/update/delete/import/exportJson of all API in the Ranger UI and curl command.
  • The KMS Auditor role allows a user with KMS Auditor role to view all information that a user with Keyadmin role can see on the Ranger UI. A user with KMS Auditor role will have a read-only view of a user with Keyadmin role. In other words, a user with KMS Auditor role will be blocked from create/update/delete/import/exportJson of all API in the Ranger UI and curl command.
  • Users with the Auditor or KMSAuditor role, even if delegated as admin in any policies of any services, will be restricted from create/update/delete/import/exportJson. In other words, users with Auditor or KMS Auditor role have view-only access based on their role.
  • A user with KMS Auditor role cannot get keys, even if that user is added in policy.
  • Users with Auditor or KMS Auditor role can change their password.
  • No user has Auditor or KMS Auditor role by default.
  • Users with Auditor or KMS Auditor role can export policies to excel and csv file formats.

A user can have only one role, and that role is determined by the last role assigned, depending in part on group membership.

For example, if the role assignment rules are configured as follows:

ROLE_SYS_ADMIN:u:User1, User2&ROLE_SYS_ADMIN:g:Group1, Group2&ROLE_AUDITOR:g:Group3, Group4&ROLE_USER:g:Group5

and if a user belongs to Group1 & Group5, then the role assigned to that user is ROLE_USER.

Similarly, if a user belongs to Group2 & Group3, then the role assigned to that user is ROLE_AUDITOR.

If the user does not belong to any of these groups (Group1, Group2, Group3, Group4, or Group5), then the default role assigned to the user is ROLE_USER.

If the user belongs to only Group1, then the role assigned to the user is ROLE_SYS_ADMIN.

To automatically assign the ADMIN/KEYADMIN role to external users:

  1. In Ranger > Configuration > Search, type role.assignment.
  2. In Ranger Usersync Default Group: verify that the following default delimiter values appear for each property:
    Property Name Delimiter Value
    ranger.usersync.role.assignment.list.delimiter &
    ranger.usersync.users.groups.assignment.list.delimiter :
    ranger.usersync.username.groupname.assignment.list.delimiter ,
    ranger.usersync.group.based.role.assignment.rules
  3. In Ranger UserSync Group Based Role Assignment Rules, type the following value as one string:
    ROLE_SYS_ADMIN:u:User1,User2&ROLE_SYS_ADMIN:g:Group1,Group2&
    ROLE_KEY_ADMIN:u:kmsUser&ROLE_KEY_ADMIN:g:kmsGroup&
    ROLE_USER:u:User3,User4&ROLE_USER:g:Group3,Group4&
    ROLE_ADMIN_AUDITOR:u:auditorUsers,auditors& ROLE_ADMIN_AUDITOR:g:adminAuditorGroup,rangerAuditors&
    ROLE_KEY_ADMIN_AUDITOR:u:kmsAuditors&ROLE_KEY_ADMIN_AUDITOR:g:kmsAuditorGroup

    where "u" indicates user and "g" indicates group

  4. Click Save Changes (CTRL+S).
  5. If Usersync requires no other changes, choose Actions > Restart Usersync.