RANGER-3345 : Default Ranger policy for KMS should include 'om' user for Ozone bucket level encryption to work

Signed-off-by: Mehul Parikh <mehul@apache.org>
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 8af592b..eb48318 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -112,17 +112,20 @@
 
 		String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
 
-		// Add default policies for HDFS & HIVE users.
+		// Add default policies for HDFS, HIVE, HABSE & OM users.
 		List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+		List<RangerServiceDef.RangerAccessTypeDef> omAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 		List<RangerServiceDef.RangerAccessTypeDef> hbaseAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
 
 		for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
 			if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
 				hdfsAccessTypeDefs.add(accessTypeDef);
+				omAccessTypeDefs.add(accessTypeDef);
 				hiveAccessTypeDefs.add(accessTypeDef);
 			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
 				hdfsAccessTypeDefs.add(accessTypeDef);
+				omAccessTypeDefs.add(accessTypeDef);
 			} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
 				hiveAccessTypeDefs.add(accessTypeDef);
 				hbaseAccessTypeDefs.add(accessTypeDef);
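Review bot: The updated comment misspells HBase as "HABSE"; it should read `// Add default policies for HDFS, HIVE, HBASE & OM users.`. In the visible branches `omAccessTypeDefs` receives the same two access types as HDFS (GET_METADATA and GENERATE_EEK) and is not added under DECRYPT_EEK. That least-privilege choice is worth recording next to the declaration, for example `// OM gets the same access types as HDFS: get-metadata and generate-EEK only`. The `for` loop continues past the end of this hunk, so any later branches that touch `omAccessTypeDefs` are not visible here.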
@@ -156,6 +159,14 @@
 				policyItems.add(policyItem);
 			}
 
+			final String omUser = getConfig().get("ranger.kms.service.user.om", "om");
+			if (StringUtils.isNotEmpty(omUser)) {
+				LOG.info("Creating default KMS policy item for " + omUser);
+				List<String> users = new ArrayList<String>();
+				users.add(omUser);
+				RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(omAccessTypeDefs, users);
+				policyItems.add(policyItem);
+			}
 
 			String hiveUser = getConfig().get("ranger.kms.service.user.hive", "hive");
 
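Review bot: The block starting at `final String omUser = ...` adds a default KMS policy item for a user literally named `om` whenever the property is unset, so clusters that do not run Ozone still grant that account name the access types collected in `omAccessTypeDefs`. `StringUtils.isNotEmpty(omUser)` also accepts a whitespace-only value as a policy user; `if (StringUtils.isNotBlank(omUser))` together with `users.add(omUser.trim());` would be stricter. A comment such as `// Set ranger.kms.service.user.om to an empty value to skip the OM policy item` would tell operators how to opt out, presumably by clearing the value, and the same hint fits beside the new property in ranger-admin-site.xml. The enclosing method starts and ends outside this hunk, so whether the neighbouring HDFS and Hive blocks use the same guard cannot be confirmed from here.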
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 12eb8fe..793c479 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -313,6 +313,10 @@
         <name>ranger.kms.service.user.hbase</name>
         <value>hbase</value>
     </property>
+    <property>
+        <name>ranger.kms.service.user.om</name>
+        <value>om</value>
+    </property>
 
     <property>
         <name>ranger.audit.hive.query.visibility</name>