RANGER-3345 : Default Ranger policy for KMS should include 'om' user for Ozone bucket level encryption to work
Signed-off-by: Mehul Parikh <mehul@apache.org>
diff --git a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
index 8af592b..eb48318 100644
--- a/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
+++ b/plugin-kms/src/main/java/org/apache/ranger/services/kms/RangerServiceKMS.java
@@ -112,17 +112,20 @@
String adminUser = getLookupUser(authType, adminPrincipal, adminKeytab);
- // Add default policies for HDFS & HIVE users.
+ // Add default policies for HDFS, HIVE, HABSE & OM users.
List<RangerServiceDef.RangerAccessTypeDef> hdfsAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
+ List<RangerServiceDef.RangerAccessTypeDef> omAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
List<RangerServiceDef.RangerAccessTypeDef> hiveAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
List<RangerServiceDef.RangerAccessTypeDef> hbaseAccessTypeDefs = new ArrayList<RangerServiceDef.RangerAccessTypeDef>();
for(RangerServiceDef.RangerAccessTypeDef accessTypeDef : serviceDef.getAccessTypes()) {
if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GET_METADATA)) {
hdfsAccessTypeDefs.add(accessTypeDef);
+ omAccessTypeDefs.add(accessTypeDef);
hiveAccessTypeDefs.add(accessTypeDef);
} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_GENERATE_EEK)) {
hdfsAccessTypeDefs.add(accessTypeDef);
+ omAccessTypeDefs.add(accessTypeDef);
} else if (accessTypeDef.getName().equalsIgnoreCase(ACCESS_TYPE_DECRYPT_EEK)) {
hiveAccessTypeDefs.add(accessTypeDef);
hbaseAccessTypeDefs.add(accessTypeDef);
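Review bot: The updated comment on the second line of the hunk misspells HBase as `HABSE`; it should read `// Add default policies for HDFS, HIVE, HBASE & OM users.`. On the access-type side, `om` is added only under GET_METADATA and GENERATE_EEK, the same pair as `hdfs`, and deliberately not under DECRYPT_EEK, which is the least-privilege split one would expect for a service that hands out encrypted data-encryption keys without unwrapping them. That rationale is not stated anywhere in the code; I would put it beside the `omAccessTypeDefs.add(accessTypeDef);` line in the GENERATE_EEK branch, e.g. `// OM, like the NameNode, generates EDEKs for bucket encryption; it is intentionally not granted DECRYPT_EEK.` The enclosing method begins before this hunk and its remaining access-type branches are not visible here.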
@@ -156,6 +159,14 @@
policyItems.add(policyItem);
}
+ final String omUser = getConfig().get("ranger.kms.service.user.om", "om");
+ if (StringUtils.isNotEmpty(omUser)) {
+ LOG.info("Creating default KMS policy item for " + omUser);
+ List<String> users = new ArrayList<String>();
+ users.add(omUser);
+ RangerPolicy.RangerPolicyItem policyItem = createDefaultPolicyItem(omAccessTypeDefs, users);
+ policyItems.add(policyItem);
+ }
String hiveUser = getConfig().get("ranger.kms.service.user.hive", "hive");
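Review bot: The new block creates a default policy item for the principal named by `ranger.kms.service.user.om` on every KMS service creation, and because the shipped default is `om` that grant exists even on clusters that do not run Ozone; the only way to suppress it is to set the property to an empty string, which the `StringUtils.isNotEmpty(omUser)` guard honors but nothing documents. I would add a comment above the `final String omUser` line, e.g. `// Set ranger.kms.service.user.om to an empty string to skip this grant on clusters without Ozone.`, and mirror that note in the property's description in ranger-admin-site.xml. Whether the item applies to all keys depends on `createDefaultPolicyItem`, which is outside the hunk; if it does, a pre-authorized principal that no service uses is a standing privilege worth calling out in the release notes. As a minor style point, `omUser` is declared `final` while the adjacent `hiveUser` on the last line is not; pick one convention for the run. The enclosing method continues past the hunk.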
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
index 12eb8fe..793c479 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-site.xml
@@ -313,6 +313,10 @@
<name>ranger.kms.service.user.hbase</name>
<value>hbase</value>
</property>
+ <property>
+ <name>ranger.kms.service.user.om</name>
+ <value>om</value>
+ </property>
<property>
<name>ranger.audit.hive.query.visibility</name>