RANGER-4757

Use Ranger roles similar to RBAC for administering Ranger APIs instead of role assignment rules


Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • Ranger

    Description

      Currently, users accessing or administering Ranger require special privileges: ROLE_USER, ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, ROLE_ADMIN_AUDITOR, or ROLE_KEY_ADMIN_AUDITOR. These roles are assigned to the user, based on role assignment rules, by the Ranger Usersync process while it syncs users and groups from the sync source. This creates a major overhead: Ranger Usersync must recompute the roles every time group memberships are updated, and Ranger Admin must update the database to reflect the roles for each user.

      As part of RANGER-2414, we introduced support for role-based authorization for plugins, which checks whether the user or group in the authorization request is a member of a role and uses that role information for authorization.

      Proposal:
      ----------
      Create the default special roles (ROLE_USER, ROLE_SYS_ADMIN, ROLE_KEY_ADMIN, ROLE_ADMIN_AUDITOR, and ROLE_KEY_ADMIN_AUDITOR) in the Ranger DB as part of setup, and add the default admin, rangerusersync, rangertagsync, and keyadmin users to the corresponding roles.
      Similar to plugin role computation, when a user accesses any Ranger API, look up the groups that this user belongs to (from the Ranger DB) and check whether the user or one of those groups is a member of any of these special roles in order to authorize the API call.

      Pros:
      1. The role of a user is computed at the time of API access, which in some cases can be dynamic
      2. Reduces performance overhead on Ranger Usersync and Ranger Admin
      3. Uniform user experience for Ranger API authorization as well as data authorization
      4. Avoids the inconsistency of setting a specific role for a user via the Ranger UI versus through role assignment rules
      5. Can consolidate the few DB tables that currently store role information for a user

      Cons:
      1. Requires a decent amount of code changes
      2. Regression testing impact
      3. Migrating role assignment rules to Roles as part of upgrade
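      As an added illustration (not Ranger's own code), the following Python models the proposed check: at API access time, resolve the user's membership in the seeded special roles via user name, synced groups, or nested roles in the RANGER-2414 style, then authorize the API against that result. The RangerRole class, the API-to-role table and all sample users, groups and role contents are constructed assumptions; the proposal does not define them.

```python
from dataclasses import dataclass, field

# Constructed model of a Ranger role (RANGER-2414 style): members are users,
# groups or nested roles. Not Ranger's own classes or schema.
@dataclass
class RangerRole:
    name: str
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)  # members of a nested role inherit this role

# Special roles the proposal seeds in the Ranger DB at setup.
SPECIAL_ROLES = frozenset({"ROLE_USER", "ROLE_SYS_ADMIN", "ROLE_KEY_ADMIN",
                           "ROLE_ADMIN_AUDITOR", "ROLE_KEY_ADMIN_AUDITOR"})
# Hypothetical API -> accepted-roles table; the proposal does not define one.
API_ROLES = {"policy:write": {"ROLE_SYS_ADMIN"},
             "policy:read": {"ROLE_SYS_ADMIN", "ROLE_ADMIN_AUDITOR"},
             "key:write": {"ROLE_KEY_ADMIN"},
             "key:read": {"ROLE_KEY_ADMIN", "ROLE_KEY_ADMIN_AUDITOR"}}

def resolve_roles(user, user_groups, roles_by_name):
    """Roles held by a user, computed at API access time: direct membership via
    user name or any of the user's groups (read from the Ranger DB in the
    proposal), then nested roles expanded until stable."""
    groups = user_groups.get(user, set())
    held = {r.name for r in roles_by_name.values()
            if user in r.users or groups & r.groups}
    while True:
        # A member of role B also holds every role that lists B as nested.
        inherited = {r.name for r in roles_by_name.values()
                     if r.name not in held and r.roles & held}
        if not inherited:
            return held
        held |= inherited

def authorize(user, api, user_groups, roles_by_name):
    """True if the user holds a special role that the API accepts."""
    held = resolve_roles(user, user_groups, roles_by_name) & SPECIAL_ROLES
    return bool(held & API_ROLES.get(api, set()))

# Constructed sample state: seeded default users (admin, keyadmin) and one
# synced group per admin role; group membership is looked up per request.
ROLES = {r.name: r for r in [
    RangerRole("ROLE_USER", users={"alice", "bob", "carol"}),
    RangerRole("ROLE_SYS_ADMIN", users={"admin"}, groups={"ranger-admins"}),
    RangerRole("ROLE_KEY_ADMIN", users={"keyadmin"}),
    RangerRole("ROLE_ADMIN_AUDITOR", groups={"auditors"}),
    RangerRole("ROLE_KEY_ADMIN_AUDITOR", roles={"ROLE_ADMIN_AUDITOR"}),
]}
USER_GROUPS = {"alice": {"ranger-admins"}, "bob": {"auditors"}, "carol": set()}
```

      Because group membership is read at request time, a user added to or removed from a synced group is authorized differently on the very next call, with no role recomputation by Usersync; this is the dynamic behaviour listed as the first pro.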

      People

        Assignee: Unassigned
        Reporter: spolavarapu (Sailaja Polavarapu)
        Votes: 0
        Watchers: 1