-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65914/
-----------------------------------------------------------
Review request for ranger, Don Bosco Durai, Gautam Borad, Abhay Kulkarni,
Madhan Neethiraj, Pradeep Agrawal, Ramesh Mani, Selvamohan Neethiraj, and
Sailaja Polavarapu.
Bugs: Ranger-1948
https://issues.apache.org/jira/browse/Ranger-1948
Repository: ranger
Description
-------
This Jira is to cater to the need for Auditor roles in Ranger Admin.
We can introduce Auditor roles for both the Administrator roles in Ranger
Admin.
* Auditor (read-only privileges from current Admin role user)
* KMS Auditor (read-only privileges from current Keyadmin role user)
Diffs
-----
security-admin/scripts/rolebasedusersearchutil.py d651461
security-admin/src/main/java/org/apache/ranger/biz/AssetMgr.java 15937c7
security-admin/src/main/java/org/apache/ranger/biz/AssetMgrBase.java 840bb38
security-admin/src/main/java/org/apache/ranger/biz/KmsKeyMgr.java 03bcb60
security-admin/src/main/java/org/apache/ranger/biz/RangerBizUtil.java 224f1a0
security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java ecde444
security-admin/src/main/java/org/apache/ranger/biz/ServiceMgr.java a989c84
security-admin/src/main/java/org/apache/ranger/biz/SessionMgr.java 9eb8f1f
security-admin/src/main/java/org/apache/ranger/biz/TagDBStore.java 8341a73
security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java a110035
security-admin/src/main/java/org/apache/ranger/biz/XAuditMgr.java c2fac0b
security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b713d12
security-admin/src/main/java/org/apache/ranger/common/RangerConstants.java e31e9d7
security-admin/src/main/java/org/apache/ranger/common/ServiceUtil.java 0e99be1
security-admin/src/main/java/org/apache/ranger/common/UserSessionBase.java bcf9080
security-admin/src/main/java/org/apache/ranger/patch/cliutil/RoleBasedUserSearchUtil.java d3a28f7
security-admin/src/main/java/org/apache/ranger/rest/AssetREST.java 9f7cd26
security-admin/src/main/java/org/apache/ranger/rest/ServiceREST.java cb7ca52
security-admin/src/main/java/org/apache/ranger/rest/ServiceTagsProcessor.java 9c19bb0
security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java 9a9604f
security-admin/src/main/java/org/apache/ranger/security/context/RangerPreAuthSecurityHandler.java 6951cbd
security-admin/src/main/java/org/apache/ranger/service/XTrxLogService.java 4227d85
security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml 87da9a0
unixauthservice/scripts/install.properties 88bce69
Diff: https://reviews.apache.org/r/65914/diff/1/
Testing
-------
Tested scenarios:
1. Tested admin user is able to create User role user.
2. Tested admin user is able to create Auditor role user.
3. Tested admin user is not able to create kms auditor role user.
4. Tested keyadmin user is able to create kms auditor.
5. Tested auditor is able to only view policies, users, services and audits.
6. Tested kms auditor is able to only view policies, users, services, audits and
keys.
7. Tested auditor is able to see permission tab but kms auditor should not see
permission tab.
8. Auditor role users are not allowed to import/export policies.
9. Verified syncing of users from auditor role: if we add them in the
install.properties of usersync during initial start of usersync. Property value
in install.properties will be
GROUP_BASED_ROLE_ASSIGNMENT_RULES=&ROLE_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:u:userName&ROLE_KEY_ADMIN_AUDITOR:g:groupName&ROLE_ADMIN_AUDITOR:g:groupName
Thanks,
Fatima Khan
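
An added example, not part of the review request or of the Ranger code base: a pre-deployment check for the `GROUP_BASED_ROLE_ASSIGNMENT_RULES` value quoted in test scenario 9, so a typo in a role name or an ambiguous mapping is caught before usersync starts. The function name, the comma-separated name handling and the decision to report a principal listed under more than one role are assumptions of this example; the three older role names are existing Ranger roles that this e-mail does not list.

```python
# Added example: validate a usersync GROUP_BASED_ROLE_ASSIGNMENT_RULES value.

# The two auditor role names come from the property value in scenario 9.
AUDITOR_ROLES = {"ROLE_ADMIN_AUDITOR", "ROLE_KEY_ADMIN_AUDITOR"}
# Pre-existing Ranger role names (not listed in this e-mail).
KNOWN_ROLES = AUDITOR_ROLES | {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN", "ROLE_USER"}


def parse_role_rules(value, known_roles=KNOWN_ROLES):
    """Return ({(kind, name): {roles}}, [problems]) for a rules string.

    Format as quoted in scenario 9: &ROLE:u:userName&ROLE:g:groupName...
    """
    assignments, problems = {}, []
    for rule in filter(None, (r.strip() for r in value.split("&"))):
        parts = rule.split(":")
        if len(parts) != 3 or parts[1] not in ("u", "g") or not parts[2]:
            problems.append("malformed rule: %r" % rule)
            continue
        role, kind, names = parts
        if role not in known_roles:
            # A misspelled role would otherwise be silently ignored or rejected.
            problems.append("unknown role: %r" % role)
            continue
        # Assumption: one rule may carry several comma-separated names.
        for name in filter(None, (n.strip() for n in names.split(","))):
            assignments.setdefault((kind, name), set()).add(role)
    # This example's own policy: a principal under several roles is a
    # finding, so a reviewer confirms which role is actually intended.
    for (kind, name), roles in sorted(assignments.items()):
        if len(roles) > 1:
            problems.append("%s:%s mapped to several roles: %s"
                            % (kind, name, ", ".join(sorted(roles))))
    return assignments, problems


# Constructed sample value (user and group names are made up).
SAMPLE = "&ROLE_ADMIN_AUDITOR:u:alice&ROLE_KEY_ADMIN_AUDITOR:g:kms-auditors"

if __name__ == "__main__":
    mapping, findings = parse_role_rules(SAMPLE)
    for (kind, name), roles in sorted(mapping.items()):
        print(kind, name, sorted(roles))
    print("findings:", findings or "none")
```

Run against the literal value from scenario 9, the check reports both `userName` and `groupName`, because those placeholders appear under both auditor roles.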