ranger-user mailing list archives

From Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Subject Re: How to extend the authorization engine in order to use an external service
Date Wed, 16 Jan 2019 11:22:10 GMT
Hi Bosco,

thanks for the detailed answer!

On 16/01/19 11:38, Don Bosco Durai wrote:
>
> Hi Matteo
>
> It depends on your use case.
>
>  1. You will be doing authorization exclusively based on your decision
>     engine.
>  2. You will be falling back to Ranger for additional checks.
>
> For #1, it might not be worth your effort to understand Ranger Plugin 
> implementation and change it. Ranger team has worked with almost all 
> open source Hadoop projects to make the component authorization 
> pluggable. You might just leverage that and directly implement the 
> component’s interface, which are generally very simple and straight 
> forward.
>

Ok, thanks, but could you please provide a sample for that? Any reference 
to start from and to integrate it with Ranger?
With this option #1 I should implement a component's interface for each 
product I need to support, right?

> For #2, you could use extend Ranger. There are multiple ways.
>
>  1. Implementing additional conditions.
>  2. Extending Services Authorizer class
>  3. Extend or modify RangerPlugin class.
>  4. Reimplement the Authorizer Plugin
>
Ok, in case of #2, I understand the different ways to do that more or 
less, but what I would like to have is an example (code, project, etc.) 
for some of those options, or at least to know the steps to do the job. 
Where can I find something?

At the moment I found the examples in the source code [1]; in that case 
I'm building a new custom plugin that implements "IAuthorizer", but I 
don't know how to install that plugin in Ranger and at this point I'm 
not sure it's a good idea to follow this way according to what you said.

Matteo

[1] https://github.com/apache/ranger/tree/master/ranger-examples/plugin-sampleapp

> While it is easy to add a new plugin which uses the Ranger implementation, 
> changing the internals could be pretty complex. The complexity 
> will vary depending upon your programming skills and integration 
> requirement. But I have to let you know that this is not a trivial 
> effort. Since Ranger supports multiple services, almost everything 
> is abstracted, so you will have to walk through all the code paths and 
> put enough debug statements to understand it.
>
> Bosco
>
> *From: *Matteo Alessandroni <matteo.alessandroni@tirasa.net>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Wednesday, January 16, 2019 at 12:21 AM
> *To: *<user@ranger.apache.org>
> *Subject: *Re: How to extend the authorization engine in order to use 
> an external service
>
> Hi,
>
> just to clarify my question: the plugin I would like to build should 
> make the call to the external service and then use the obtained data 
> as a preliminary authorization check to use then with services like 
> HDFS, HBASE, HIVE. In my case Apache Ranger is already integrated to 
> those services so I just need to add that security layer before moving 
> to the specific service.
>
> In this case what would you suggest?
> Do I need to build a brand new plugin just to make the call and get 
> the response from the external service, or do I need to build multiple 
> plugins that extend each specific service provider?
>
> Thanks
>
> Regards,
> Matteo
>
> On 15/01/19 12:57, Matteo Alessandroni wrote:
>
>     Hi Bosco,
>
>     On 15/01/19 12:41, Don Bosco Durai wrote:
>
>         Matteo
>
>         Are you extending current plugin or creating brand new custom
>         plugin for another component?
>
>
>     Actually I'm not sure whether I need to extend an existing plugin
>     or create a brand new one.
>     I will use Apache Ranger to provide runtime policy enforcement
>     point for Hadoop products using policies from an external REST
>     service.
>     What solution do you think I should engage?
>
>
>         If it is the current plugin, then Ranger has a design where you can
>         enrich the context and use it in a condition. IP based and most
>         internal extensions use that design pattern. On the policy side,
>         you don’t need any code change. For the enricher, you might
>         have to add JAR files. If you feel this will work for you,
>         then Abhay or Madhan might be able to answer this in more detail.
>
>         If you are going to extend current plugin class, e.g. for
>         YARN, then you will have to extend RangerYarnAuthorizer class
>         on both implementation and shim package. You can then override
>         the checkPermission method or customize RangerYarnPlugin
>         (which does the actual check) and overwrite the init() to use
>         your plugin class.
>
>         Just FYI, right from the beginning, Ranger team has avoided
>         making outbound call during authorization. This could
>         significantly affect your performance, particularly in high
>         velocity components like HDFS, Kafka, etc. I would suggest (if
>         possible) that you consider caching some of the authorization
>         decisions within the plugin.
>
>     thanks for the tip, I'll do that!
>
>     Anyway, in my current simple test I'm extending the YARN plugin (I
>     don't think I will need to extend it, it's just to test a custom
>     service registering operation), I registered it by using:
>
>     curl -u admin:admin -X POST -H "Accept: application/json" -H
>     "Content-Type: application/json" -d @ranger-servicedef-test.json
>     http://localhost:6080/service/plugins/definitions
>
>     but when I click "Add new service" for the new service type and
>     click "Save" I get an error:
>
>     Test failed to find service class
>     org.apache.ranger.services.test.RangerServiceTest. Resource lookup
>     will not be available. Please make sure plugin jar is in the
>     correct place.
>
>     but the custom plugin folder is in the Apache Ranger main folder,
>     what am I missing?
>
>     Best Regards,
>     Matteo
>
>
>          Bosco
>
>         *From: *Matteo Alessandroni <matteo.alessandroni@tirasa.net>
>         <mailto:matteo.alessandroni@tirasa.net>
>         *Reply-To: *<user@ranger.apache.org>
>         <mailto:user@ranger.apache.org>
>         *Date: *Tuesday, January 15, 2019 at 3:07 AM
>         *To: *<user@ranger.apache.org> <mailto:user@ranger.apache.org>
>         *Subject: *How to extend the authorization engine in order to
>         use an external service
>
>         I would like to extend the authorization mechanism of Apache
>         Ranger in order to make authorization based on the response of
>         an external REST service.
>         So, when the Ranger policy engine is called I would like to
>         intercept the request, call an external REST service to obtain
>         some authorization data and use it to decide who can access what.
>         As a general idea the external service gets a username and
>         returns a list of permissions / policies that user has.
>
>         Do you think I should build a custom plugin for it? Do I have
>         to create an "authorizer"? If so, what class do I need to
>         extend (e.g. "YarnAuthorizationProvider")?
>         Could you please give me a hint on where to start or a sample
>         of something similar to what I need?
>
>         Currently I'm trying to build a custom plugin (I started by
>         seeing wiki on [1]). I have added a class that extends
>         "YarnAuthorizationProvider" (I really don't know what class to
>         use here). I've also created another subclass that extends
>         "RangerPlainIDAccessRequest" so that I could access the
>         request in the "checkPermission()" overridden method and maybe
>         do stuff there.
>         I'm not sure I'm going the right way! Any help would be appreciated!
>
>         Also, I'm not sure about how to test the plugin I have built.
>         I tried to put it in the Apache Ranger source code (v1.2.0)
>         and re-build, now I see the new service in the Apache Ranger
>         Admin Console but what's next?
>
>         Thank you!
>         Best regards,
>         Matteo
>
>         [1]
>         https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
>

-- 

Dott. Matteo Alessandroni

Software Engineer @ Tirasa S.r.l.

Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173

http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/phonebook.html?uid=skylark17

Tirasa S.r.l. <http://www.tirasa.net>
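As an added example (not code from this thread or from the Ranger project), the "enrich the context and use it in a condition" pattern Bosco describes, with the caching he recommends: the enricher reaches the external permission service through a hypothetical lookup hook, keeps each user's permission set for a short TTL so the outbound call is not made on every check, and a condition evaluator decides against that set. The class names, the context key and the lookup hook are assumptions, and the service definition JSON that registers the enricher and condition is not shown.

```java
import java.util.Collections;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator;
import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;

/** Fetches the user's permissions from the external service at most once per TTL and puts them in the request context. */
public class ExternalPermissionEnricher extends RangerAbstractContextEnricher {
    public static final String CONTEXT_KEY = "EXTERNAL_PERMISSIONS"; // hypothetical context key
    private static final long TTL_MILLIS = 60_000L;                  // how long a cached answer is reused
    private static final class Entry {
        final Set<String> perms; final long expiresAt;
        Entry(Set<String> p, long t) { perms = p; expiresAt = t; }
    }
    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    // Hypothetical hook for the external REST call (user -> permission names);
    // the default grants nothing, so a missing client fails closed.
    private Function<String, Set<String>> lookup = user -> Collections.emptySet();

    public void setLookup(Function<String, Set<String>> lookup) { this.lookup = lookup; }

    @Override
    public void enrich(RangerAccessRequest request) {
        String user = request.getUser();
        if (user == null) return;
        long now = System.currentTimeMillis();
        Entry e = cache.get(user);
        if (e == null || e.expiresAt < now) {           // cache miss or stale: refresh
            try {
                e = new Entry(Collections.unmodifiableSet(lookup.apply(user)), now + TTL_MILLIS);
                cache.put(user, e);
            } catch (RuntimeException ex) {             // service unreachable: deny, but don't cache the failure
                e = new Entry(Collections.emptySet(), now);
            }
        }
        request.getContext().put(CONTEXT_KEY, e.perms);
    }
}

/** Policy condition: matches only if every value configured in the policy item is in the cached set. */
class ExternalPermissionCondition extends RangerAbstractConditionEvaluator {
    @Override
    public boolean isMatched(RangerAccessRequest request) {
        Object v = request.getContext().get(ExternalPermissionEnricher.CONTEXT_KEY);
        if (!(v instanceof Set) || condition == null) return false; // enricher did not run: deny
        return ((Set<?>) v).containsAll(condition.getValues());
    }
}
```

The two classes are referenced by name from the service definition's contextEnrichers and policyConditions sections, and the JAR must be on the plugin's classpath in the component, not only in the Ranger Admin folder.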
