Administering Ranger Users, Groups, Roles, and Permissions

To view a list of the users, groups, and roles that can access the Ranger portal or its services, select Settings > Users/Groups/Roles from the Ranger top menu.

What is a Role ?

A role is a set of permissions that you assign to a user, group, or another role. You assign a role by adding a user, group or role to it. By adding multiple roles, you create a role hierarchy in which you manage permission sets at the role level. For example, your workflow to create a role hierarchy:
  1. Create a new role.
  2. Add permissions to the role. For example, in Hadoop SQL, create a policy for a table that provides necessary permissions and add the role in the Role selector of Allow.
  3. Repeat #2 until you have assigned all permissions.
  4. Add users, groups, or other roles to the new role, which assigns the permission set to that role.
Benefits that roles provide in a large environment:
  • A role may include many permissions, all of which may be granted or revoked to a user or group using a single command.
  • Adding or revoking a single permission to or from a role requires a single command, which also applies to all users and groups with that role.
  • Roles allow for some documentation about why a permission is granted or revoked.

In other words, a role is a collection of permissions. A group is a collection of users. You create a role and add permissions to it. Then, you grant that role to a group. Roles present an easier way to manage a set of permissions based on specific access criteria.

Example Ranger Role hierarchy

A simple example of a role heirarchy follows:
  • FinReadOnly role, which gives read permission on all tables in the Finance database and is defined by a Ranger policy that grants read on database:Finance, table:* to the FinReadOnly role.
  • FinWrite role, which gives write permission on all tables in the Finance database and is defined by a Ranger policy that grants write on database:Finance, table:* to the FinWrite role.
  • FinReadWrite role, which role is granted both the FinRead and FinWrite roles and thereby inherites read and write permisssion to all tables in the Finance database.
  • FinReporting group whose users require only read permission to the Finance tables. FinReporting group is added to FinReadOnly role in Ranger.
  • FinDataPrep group whose users require only write permission to the Finance tables. FinDataPrep group is added to the FinWrite role in Ranger.
  • FinPowerUser group whose users require read and write permission to all Finance tables. FinPowerUsers group is added to the FinReadWrite role in Ranger.

Overview of the Ranger Roles feature

The Users/Groups/Roles page lists:

  • Internal users who can log in to the Ranger portal; created by the Ranger console Service Manager.

  • External users who can access services controlled by the Ranger portal; created at other systems such as Active Directory, LDAP, or UNIX, and synched with those systems.

  • Admin users who are the only users with permission to create users and services, run reports, and perform other administrative tasks. Admin users can also create child policies based on the original policy (base policy).

  • On the Groups page, you can click the people icons in the Users column to view the members of the applicable group.

  • On the Roles page, you can view the roles that have been mapped to users and groups. Roles are application-managed and are easier to apply changes than users and groups.