Group management in Apache Ranger
The Charmed Ranger Operator makes use of the Ranger API and the apache-ranger PyPI package to manage users and groups. The source of users and group memberships is a user-group-configuration.yaml file provided to the charm as the configuration value user-group-configuration.
An example of this file is here:
ranger-k8s:
  user-group-configuration: |
    relation_2:
      users:
        - name: user1
          firstname: One
          lastname: User
          email: user1@canonical.com
        - name: user2
          firstname: Two
          lastname: User
          email: user2@canonical.com
      groups:
        - name: developers
          description: users with developer level access.
        - name: users
          description: users with select only access.
      memberships:
        - groupname: users
          users: [user1, user2]
        - groupname: developers
          users: [user2]
The charm contains a RangerGroupManagement class which, whenever this configuration parameter changes, will:
- Create new groups
- Delete groups no longer required
- Create new users (please note external users cannot be deleted via the API)
- Associate users with groups
- Remove user associations with groups that are no longer required
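The steps above amount to a diff between the configuration file and the state held in Ranger. The following is an added example, not the charm's RangerGroupManagement code: a dry-run planner that computes those actions without calling Ranger. The function name plan_sync, the action names and the CURRENT snapshot are assumptions made for illustration.

```python
# Added example: dry-run planner for the sync steps above; it never calls Ranger.
# DESIRED is the page's relation_2 entry as parsed YAML, trimmed to names.
# CURRENT is a constructed snapshot of server state, assumed to hold only the
# groups this configuration manages.
DESIRED = {
    "users": [{"name": "user1"}, {"name": "user2"}],
    "groups": [{"name": "developers"}, {"name": "users"}],
    "memberships": [
        {"groupname": "users", "users": ["user1", "user2"]},
        {"groupname": "developers", "users": ["user2"]},
    ],
}
CURRENT = {
    "users": ["user1", "user3"],
    "groups": ["users", "legacy"],
    "memberships": {"users": {"user1", "user3"}, "legacy": {"user3"}},
}


def plan_sync(desired, current):
    """Return the ordered actions that move `current` to `desired`."""
    want_users = {u["name"] for u in desired.get("users", [])}
    want_groups = {g["name"] for g in desired.get("groups", [])}
    want_members = {}
    for m in desired.get("memberships", []):
        # A membership naming an undeclared group or user is most likely a
        # typo; fail closed instead of applying a partial access change.
        unknown = set(m["users"]) - want_users
        if m["groupname"] not in want_groups or unknown:
            raise ValueError(f"membership {m['groupname']!r}: "
                             f"undeclared group or users {sorted(unknown)}")
        want_members.setdefault(m["groupname"], set()).update(m["users"])

    have_groups, have_members = set(current["groups"]), current["memberships"]
    plan = [("create_group", g) for g in sorted(want_groups - have_groups)]
    plan += [("create_user", u) for u in sorted(want_users - set(current["users"]))]
    for g in sorted(want_members):
        for u in sorted(want_members[g] - have_members.get(g, set())):
            plan.append(("add_member", g, u))
    for g in sorted(have_members):
        for u in sorted(have_members[g] - want_members.get(g, set())):
            plan.append(("remove_member", g, u))
    plan += [("delete_group", g) for g in sorted(have_groups - want_groups)]
    # The steps above list no user deletion, so a user dropped from the file
    # keeps an account; removing memberships is what revokes group access.
    return plan


if __name__ == "__main__":
    for action in plan_sync(DESIRED, CURRENT):
        print(action)
```

Reviewing the plan before a configuration change is applied shows which memberships, and therefore which group-based policies, a user gains or loses.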
Group management in related application
The Ranger plugin schedules a regular download of Ranger policies (every 3 minutes) and stores them in a cache within the related application. On an access request, the requesting user’s UNIX group is compared against the Ranger group policies to determine access.
Get relation ID
To automatically share this user and group information with the related charm, you must ensure the relation_id present in the user-group-configuration.yaml matches the corresponding application. The user data will then be available to the related application via the relation databag.
The relation ID can be found with:
juju show-unit <application name>/0 --format json | jq
Trino relation
In the Trino K8s charm, these groups are configured automatically when it is related to the Ranger charm.