Ranger K8s Operator

  • Commercial Systems
Channel Revision Published Runs on
latest/stable 33 12 Nov 2024
Ubuntu 22.04
latest/beta 23 06 Mar 2024
Ubuntu 22.04
latest/edge 33 12 Nov 2024
Ubuntu 22.04
juju deploy ranger-k8s
Show information

Platform:

Group management in Apache Ranger

The Charmed Ranger Operator makes use of the Ranger API and apache-ranger PyPi package to manage users and groups. The source of users and group memberships is a user-group-configuration.yaml file provided to the charm as a configuration value user-group-configuration.

An example of this file is here:

ranger-k8s:
   user-group-configuration: |
      relation_2:
         users:
            - name: user1
              firstname: One
              lastname: User
              email: user1@canonical.com
            - name: user2
              firstname: Two
              lastname: User
              email: user2@canonical.com


         groups:
            - name: developers
              description: users with developer level access.
            - name: users
              description: users with select only access.


         memberships:
            - groupname: users
              users: [user1, user2]
            - groupname: developers
              users: [user2]

The charm contains a RangerGroupManagement class which will on configuration change to this parameter:

  • Create new groups
  • Delete groups no longer required
  • Create new users (please note external users cannot be deleted via the API)
  • Associate users with groups
  • Remove user associations with groups that are no longer required

Group management in related application

The Ranger plugin schedules regular download of Ranger policies (every 3 minutes) storing these policies within the related application in a cache. On access request, the requesting user’s UNIX group is used when comparing to Ranger group policies to determine access.

Get relation ID

To automatically share this user and group information with the related charm, you must ensure the relation_id present in the user-group-configuration.yaml matches the corresponding application. The user data will then be available to the related application via the relation databag.

This can be done with:

juju show-unit <application name>/0 --format json | jq

Trino relation

The configuration of these groups is done automatically on relation with the Ranger charm in the Trino K8s charm.


Help improve this document in the forum (guidelines). Last updated 1 year, 2 months ago.