Set User Access to Ranger KMS
To give a user access to the keys needed for encryption, create a policy in Apache Ranger KMS as follows:
- Log in to Ranger and select Access Manager > Resource Based Policies.
- Under KMS, click privacera_kms.
- Under List of Policies: privacera_kms, click Add New Policy.
- In the Create Policy screen, enter the following information to create a policy and provide access to the user:
  - Policy Name: Enter the access policy name.
  - Policy Label: Optional label name.
  - Key Name: Type a character to list the existing key names that are already generated in Ranger.
  - Description: Enter a description for the policy.
  - Audit Logging: Toggle Yes or No.
- Under Allow Conditions, select the following:
  - Select Role: Enter or select from existing roles.
  - Select Group: Enter or select from existing groups.
  - Select User: This is the username that will be used in the encryption API; select it or enter a new user name.
  - Add Permissions: Select the user permissions: Create, Delete, Rollover, Set Key Material, Get, Get Keys, Get Metadata, Generate EEK, Decrypt EEK, or Select/Deselect All.
  - Delegate Admin: Select this if the user is to be delegated as the admin.
- Similarly, for specific users, you can select users under Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions.
- Click Add to save the policy.
Set User Access for Encryption Service
To set user access for the Encryption Service in Apache Ranger KMS, use the following steps:
- Log in to the Ranger portal.
- Under the Access Manager tab, select the privacera_kms policy.
- Click the edit button next to the all - key policy.
- Under Allow Conditions, search for and select the privacera_service_discovery user in the Select User dropdown list. For more information on the user, see Add Discovery User for Encryption Service.