ranger delegate admin
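When selecting a policy, the user-permission settings include a checkbox labelled "Delegate Admin". Every time I saw it I was a little puzzled: the user's permissions are already restricted, so how can they still "act on behalf of the administrator"?
This time I searched for it, and it turns out the option does have a practical meaning: within the scope authorized by this policy, the user can manage the policy, grant other people a subset of its permissions, or delete the policy. Sub-users in Ranger can in fact also log in to Ranger, but an ordinary user sees an empty policy list. Once the "Delegate Admin" option has been checked for them in a few policies, they can see those policies after logging in.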
If users or user groups in the current condition need to manage this policy, select Delegate Admin. These users or user groups will become the agent administrators. The agent administrators can update and delete this policy and create sub-policies based on the original policy.
About "Delegate Admin" in Ranger
In my case, I have a user called demouser and I have created a policy called policy1 and its delegated policy. When I log in with user demouser in Ranger then I can see policy1, but when I remove the delegated option from policy1 then demouser can't see it.
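As an added example (not from the original post, the quoted documentation, or Ranger's own code): a script that lists every Delegate Admin grant in a policy export and models the visibility behaviour described above. It assumes the JSON layout of Ranger's REST policy export (`policyItems[].delegateAdmin`); the sample policies are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of a Ranger policy export (REST API JSON);
# policy1 and demouser come from the post, everything else is made up.
SAMPLE = json.loads("""
[
  {"id": 1, "name": "policy1", "service": "hive_demo", "isEnabled": true,
   "resources": {"database": {"values": ["sales"]}, "table": {"values": ["*"]}},
   "policyItems": [
     {"users": ["demouser"], "groups": [], "delegateAdmin": true,
      "accesses": [{"type": "select", "isAllowed": true}]},
     {"users": ["analyst"], "groups": [], "delegateAdmin": false,
      "accesses": [{"type": "select", "isAllowed": true}]}]},
  {"id": 2, "name": "policy2", "service": "hive_demo", "isEnabled": true,
   "resources": {"database": {"values": ["hr"]}},
   "policyItems": [
     {"users": [], "groups": ["public"], "delegateAdmin": true,
      "accesses": [{"type": "select", "isAllowed": true},
                   {"type": "update", "isAllowed": true}]}]}
]
""")

def delegate_admin_grants(policies):
    """Return one record per principal that holds Delegate Admin on a policy."""
    grants = []
    for pol in policies:
        scope = {k: v.get("values", []) for k, v in pol.get("resources", {}).items()}
        for item in pol.get("policyItems", []):
            if not item.get("delegateAdmin"):
                continue
            accesses = sorted(a["type"] for a in item.get("accesses", []) if a.get("isAllowed"))
            principals = [("user", u) for u in item.get("users", [])]
            principals += [("group", g) for g in item.get("groups", [])]
            for kind, name in principals:
                grants.append({"policy": pol["name"], "kind": kind, "name": name,
                               "accesses": accesses, "scope": scope})
    return grants

def policies_visible_to(policies, user, groups=()):
    """Simplified model of the behaviour in the post: a non-admin user sees
    only the policies on which they (or one of their groups) are delegate admin."""
    mine = {("user", user)} | {("group", g) for g in groups}
    return sorted({g["policy"] for g in delegate_admin_grants(policies)
                   if (g["kind"], g["name"]) in mine})

if __name__ == "__main__":
    for g in delegate_admin_grants(SAMPLE):
        print(f'{g["policy"]}: {g["kind"]} {g["name"]} can re-grant {g["accesses"]} on {g["scope"]}')
    print(policies_visible_to(SAMPLE, "demouser"))
```

A grant to a group, as in the constructed policy2, makes every member of that group able to update or delete the policy, so group entries in this listing are the ones to review first.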