
Managing Reserved users in Ranger Admin

Overview

This feature lets you reserve users in Ranger Admin. Reserved users cannot be deleted or modified within Ranger Admin. This is particularly useful when you need to ensure that specific users remain available and unchanged in Ranger Admin.

Reserved users are typically service accounts or system users that are essential for operations and should not be deleted or modified.

Activate Ranger Reserved Users

Follow these steps to enable or disable Ranger reserved users:

  1. SSH into the instance where Privacera Manager is installed.
  2. Navigate to the privacera-manager directory using the following command:
    Bash
    cd ~/privacera/privacera-manager/
    
  3. Run the following command to copy the sample vars. The -n flag ensures that the file is not overwritten if it already exists:
    Bash
    cp -n config/sample-vars/vars.ranger.admin.yml config/custom-vars/
    
  4. Run the following command to open the .yml file for editing.
    Bash
    vi config/custom-vars/vars.ranger.admin.yml
    
  5. Add or update the following properties:

    Variable | Definition
    RANGER_INTERNAL_RESERVED_USERS_ACTIVATE | When enabled, users listed in RANGER_INTERNAL_RESERVED_USERS are reserved. Default is false.
    RANGER_INTERNAL_RESERVED_USERS | List of Ranger reserved users.
    YAML
    RANGER_INTERNAL_RESERVED_USERS_ACTIVATE: "true" #To enable ranger reserved users
    RANGER_INTERNAL_RESERVED_USERS: "admin,rangerusersync,rangertagsync" #List of ranger reserved users
    
  6. Once the properties are configured, update your Privacera Manager platform instance by following the

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    ./pm_with_helm.sh upgrade
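
A pre-flight check for the file edited in step 5, useful to run before the update in step 6, because a user list without the activate flag set to true reserves nobody. This is an added example, not Privacera code: the function names are hypothetical, and it assumes flat `KEY: value` lines as in the sample above and that only the literal value "true" activates the feature.

```shell
#!/usr/bin/env bash
# Added example, not Privacera code. Assumes flat "KEY: value" lines as in the
# sample above and that only the literal value "true" activates the feature.

# get_var KEY FILE: print KEY's value without quotes or a trailing "# comment".
get_var() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | tail -n 1 |
    sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# effective_reserved_users FILE: print one reserved account per line, or
# nothing when activation is off (the default) and the list is not enforced.
effective_reserved_users() {
  [ "$(get_var RANGER_INTERNAL_RESERVED_USERS_ACTIVATE "$1")" = "true" ] || return 0
  get_var RANGER_INTERNAL_RESERVED_USERS "$1" | tr ',' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# check_reserved_users FILE: return 0 when the settings are consistent,
# 1 when a list is configured but inactive or activation is on with no users.
check_reserved_users() {
  active=$(get_var RANGER_INTERNAL_RESERVED_USERS_ACTIVATE "$1")
  listed=$(get_var RANGER_INTERNAL_RESERVED_USERS "$1")
  if [ -n "$listed" ] && [ "$active" != "true" ]; then
    echo "WARN: users listed but activation is '${active:-unset}'; nothing is reserved"
    return 1
  fi
  if [ "$active" = "true" ] && [ -z "$(effective_reserved_users "$1")" ]; then
    echo "WARN: activation is on but the reserved user list is empty"
    return 1
  fi
  echo "OK: $(effective_reserved_users "$1" | wc -l | tr -d ' ') reserved account(s)"
}

# Constructed sample input: the list is set but the activate flag is commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# RANGER_INTERNAL_RESERVED_USERS_ACTIVATE: "true"
RANGER_INTERNAL_RESERVED_USERS: "admin,rangerusersync,rangertagsync" #List of ranger reserved users
EOF
check_reserved_users "$sample" || true
```

Point `check_reserved_users` at `config/custom-vars/vars.ranger.admin.yml`; the names printed by `effective_reserved_users` are the accounts the restrictions described on this page will apply to.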
    

Reserved Users Restrictions in Apache Ranger

This document outlines the restrictions applied to reserved users in Apache Ranger to ensure secure and controlled access.

Restrictions on API Operations

PUT Operation

  • Updates (PUT requests) for reserved users are not allowed.

DELETE Operation

  • Deleting reserved users is prohibited.

Restrictions on User Visibility

GET Users from UI

  • Reserved users are hidden in the Privacera Portal UI and will not be displayed.

GET Users from API (POSTMAN/cURL)

  • Reserved users remain visible when retrieved through API requests using tools such as Postman, cURL, or other similar utilities.

Restrictions on Password Changes

Password Change via API

  • Changing the password of reserved users is not permitted through the API or the Privacera Portal UI.

Default Password Change via Privacera Manager

Login Session Audits

  • Login session audits for reserved users are not generated, meaning their authentication logs will not be recorded in the audit system.

These restrictions help preserve the integrity and security of system-reserved accounts in Apache Ranger.
