Sailaja Polavarapu created RANGER-4757:
------------------------------------------

             Summary: Use Ranger roles similar to RBAC for administering Ranger APIs instead of role assignment rules
                 Key: RANGER-4757
                 URL: https://issues.apache.org/jira/browse/RANGER-4757
             Project: Ranger
          Issue Type: Improvement
          Components: Ranger
            Reporter: Sailaja Polavarapu


Currently, users accessing or administering Ranger require special privileges such as 
ROLE_USER, ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, ROLE_ADMIN_AUDITOR, or 
ROLE_KEY_ADMIN_AUDITOR. These roles are assigned to the user based on role 
assignment rules by the Ranger Usersync process while syncing users and groups 
from the sync source. This creates major overhead on Ranger Usersync, which has to 
recompute the roles every time group memberships are updated, as well as on Ranger 
Admin, which has to update the database to reflect the roles for each user.

As part of RANGER-2414, we introduced support for role-based authorization for 
plugins, which checks whether the user/group in the authorization request is 
a member of a role and uses that role information for authorization.

Proposal:
----------
Create default special roles (ROLE_USER, ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, 
ROLE_ADMIN_AUDITOR, and ROLE_KEY_ADMIN_AUDITOR) in the Ranger DB as part of the 
setup and add the default admin, rangerusersync, rangertagsync, and keyadmin users 
to the corresponding roles.
Similar to plugin role computation, when a user accesses any Ranger API, 
get the groups that this user belongs to (from the Ranger DB) and check whether the 
user or any of those groups is a member of one of these special roles to authorize the API.
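An added illustration of the proposed access-time check (example code, not Ranger's own): it assumes each special role is stored with member users, member groups and nested member roles, as plugin roles are, and that the group lookup is a DB query; all membership data below is constructed.

```python
# Resolve a caller's effective Ranger roles at API access time from role
# membership (users, groups, nested roles) instead of a precomputed column.
from collections import deque

# Constructed stand-in for the special roles as stored in the Ranger DB.
# "roles" lists roles whose members also hold this role (nested membership);
# here every sysadmin and keyadmin is also a plain ROLE_USER.
ROLES = {
    "ROLE_SYS_ADMIN": {"users": {"admin"}, "groups": set(), "roles": set()},
    "ROLE_KEY_ADMIN": {"users": {"keyadmin"}, "groups": set(), "roles": set()},
    "ROLE_ADMIN_AUDITOR": {"users": set(), "groups": {"security-audit"}, "roles": set()},
    "ROLE_KEY_ADMIN_AUDITOR": {"users": set(), "groups": set(), "roles": set()},
    "ROLE_USER": {"users": {"rangerusersync", "rangertagsync"}, "groups": {"staff"},
                  "roles": {"ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN"}},
}

# Constructed stand-in for "get the groups of this user from the Ranger DB".
USER_GROUPS = {
    "admin": {"staff"},
    "alice": {"staff", "security-audit"},
    "bob": {"staff"},
    "keyadmin": set(),
}


def effective_roles(user, roles=ROLES, user_groups=USER_GROUPS):
    """Roles the user holds directly, through a group, or through nesting."""
    groups = user_groups.get(user, set())          # unknown user -> no groups
    held = {name for name, r in roles.items()
            if user in r["users"] or groups & r["groups"]}
    # Walk role containment: holding ROLE_Y grants every ROLE_X that lists
    # ROLE_Y as a member. `held` doubles as the visited set, so cycles stop.
    queue = deque(held)
    while queue:
        current = queue.popleft()
        for name, r in roles.items():
            if current in r["roles"] and name not in held:
                held.add(name)
                queue.append(name)
    return held


def authorize(user, required):
    """True if the caller holds at least one of the roles the API requires."""
    return bool(effective_roles(user) & set(required))
```

Because nothing is cached per user, a change to a group's membership or to a role's member list takes effect on the next API call, which is the dynamic behaviour the proposal relies on.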

Pros:
1. The role of a user is computed at the time of API access, which in some cases 
can be dynamic
2. Reduces performance overhead on Ranger Usersync and Ranger Admin
3. Uniform user experience for Ranger API authorization as well as data 
authorization
4. Avoids inconsistencies between a role set for a user via the Ranger UI and 
one set through role assignment rules
5. Can consolidate the few DB tables that currently save role information for a 
user

Cons:
1. Requires a decent amount of code changes
2. Regression testing impact
3. Migrating role assignment rules to Roles as part of upgrade



--
This message was sent by Atlassian Jira
(v8.20.10#820010)