Madhan Neethiraj created RANGER-5627:
----------------------------------------
Summary: support configuration-based super users and super groups in Ranger Admin
Key: RANGER-5627
URL: https://issues.apache.org/jira/browse/RANGER-5627
Project: Ranger
Issue Type: Improvement
Components: admin
Reporter: Madhan Neethiraj
Apache Ranger currently relies on a local Ranger user account with
administrator privileges to perform/bootstrap privileged operations such as:
* Creating and managing services, security zones, policies, roles
* Viewing audits
* Granting admin and auditor roles to other users
* Performing Ranger administration tasks
In environments where authentication is delegated to external identity
providers such as LDAP, Kerberos, OIDC, or SAML, there is no straightforward
mechanism to designate externally authenticated users as Ranger administrators
independent of Ranger-managed roles and users.
This creates several operational challenges:
* Dependence on a local Ranger administrator account
* Shared administrative credentials in some deployments
* Difficulty integrating Ranger administration with enterprise identity
management
* Limited support for Kubernetes-native and SSO-based deployment models
* Reduced auditability when multiple administrators share a common account
*Proposed Enhancement*
Introduce support for configuration-based Ranger super users, like:
{{ranger.admin.super.users=user1,user2}}
{{ranger.admin.super.groups=group1,group2}}
Specified users and users belonging to specified groups should be granted
administrative privileges in Ranger.
The authentication mechanism should be independent of the authorization
decision and may include local authentication, LDAP, Kerberos, OIDC, SAML, or
other supported authentication providers.
*Expected Behavior*
Users configured as super users should be able to perform all Ranger
administrative operations, including but not limited to:
* Service management
* Policy management
* User and group administration
* Role administration
* Audit access
* Security administration functions
*Benefits*
* Better integration with enterprise identity providers
* Elimination of shared local administrator accounts
* Improved auditability through individual administrator identities
* Simplified administration in SSO-enabled environments
* Better support for containerized and Kubernetes-based deployments
* Recovery and break-glass administrative access without dependence on
Ranger-managed roles
*Compatibility*
The enhancement should be backward compatible. Existing Ranger administrator
accounts and authorization mechanisms should continue to function unchanged
when the new configuration properties are not specified.
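The following is an added illustration of the decision logic sketched under *Proposed Enhancement* and the backward-compatibility requirement above. It is not Ranger code and does not use any Ranger API; the class name, the comma-separated list format, whitespace trimming, and the case-sensitivity flag are assumptions made here. The point it makes explicit is the separation the ticket asks for: the authorizer never sees credentials, only the already-authenticated user name and the group list supplied by whichever authentication provider was used, and absent or blank properties promote nobody.

```java
import java.util.*;
import java.util.stream.Collectors;

/**
 * Illustrative decision logic for configuration-based super users/groups
 * (not Ranger's own code). Assumptions not stated in RANGER-5627: values are
 * comma-separated, entries are trimmed, empty entries are ignored, and
 * case-sensitivity of matching is a deployment choice (constructor flag).
 */
public final class SuperUserAuthorizer {
    public static final String PROP_SUPER_USERS  = "ranger.admin.super.users";
    public static final String PROP_SUPER_GROUPS = "ranger.admin.super.groups";

    private final Set<String> superUsers;
    private final Set<String> superGroups;
    private final boolean caseSensitive;

    public SuperUserAuthorizer(Properties conf, boolean caseSensitive) {
        this.caseSensitive = caseSensitive;
        this.superUsers  = parseList(conf.getProperty(PROP_SUPER_USERS));
        this.superGroups = parseList(conf.getProperty(PROP_SUPER_GROUPS));
    }

    /** Absent or blank property -> empty set: existing behaviour, nobody is promoted. */
    private Set<String> parseList(String value) {
        if (value == null) {
            return Collections.emptySet();
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(this::normalize)
                .collect(Collectors.toCollection(LinkedHashSet::new));
    }

    private String normalize(String s) {
        return caseSensitive ? s : s.toLowerCase(Locale.ROOT);
    }

    /** True when either list is non-empty, i.e. the feature is actually in use. */
    public boolean isConfigured() {
        return !superUsers.isEmpty() || !superGroups.isEmpty();
    }

    /**
     * Returns the rule that grants super-user status ("user:<name>" or
     * "group:<name>"), or empty if none does. Recording the matched rule in the
     * audit log ties each privileged action to an individual identity and to
     * the configuration entry that authorized it. Takes only the authenticated
     * principal and its provider-supplied groups; how authentication happened
     * (local, LDAP, Kerberos, OIDC, SAML) is irrelevant here.
     */
    public Optional<String> matchedRule(String userName, Collection<String> groups) {
        if (userName == null || userName.trim().isEmpty()) {
            return Optional.empty();                 // fail closed on a missing identity
        }
        String user = normalize(userName.trim());
        if (superUsers.contains(user)) {
            return Optional.of("user:" + user);
        }
        if (groups != null) {
            for (String g : groups) {
                if (g == null) {
                    continue;
                }
                String group = normalize(g.trim());
                if (superGroups.contains(group)) {
                    return Optional.of("group:" + group);
                }
            }
        }
        return Optional.empty();
    }

    public boolean isSuperUser(String userName, Collection<String> groups) {
        return matchedRule(userName, groups).isPresent();
    }

    public static void main(String[] args) {
        // Constructed sample configuration, including sloppy whitespace and an empty entry.
        Properties conf = new Properties();
        conf.setProperty(PROP_SUPER_USERS, " alice , bob,, ");
        conf.setProperty(PROP_SUPER_GROUPS, "ranger-admins");
        SuperUserAuthorizer authz = new SuperUserAuthorizer(conf, false);

        System.out.println(authz.matchedRule("alice", List.of()));                  // Optional[user:alice]
        System.out.println(authz.matchedRule("Carol", List.of("Ranger-Admins")));   // Optional[group:ranger-admins]
        System.out.println(authz.isSuperUser("dave", List.of("analysts")));         // false

        // Properties not specified: nothing changes for anyone (compatibility requirement).
        SuperUserAuthorizer off = new SuperUserAuthorizer(new Properties(), false);
        System.out.println(off.isConfigured());                                     // false
        System.out.println(off.isSuperUser("alice", List.of("ranger-admins")));     // false
    }
}
```

Two caveats a deployment should settle before relying on such a list: the group names must come from the same authentication provider that authenticated the user (a group asserted by a different source, or typed by the user, must not count), and a case-insensitive match is convenient for Active Directory style principals but can widen the set of matching accounts on case-sensitive directories, so the flag should follow the identity provider's semantics.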
--
This message was sent by Atlassian Jira
(v8.20.10#820010)