ranger-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Subject Re: How to extend the authorization engine in order to use an external service
Date Thu, 17 Jan 2019 14:53:33 GMT
Hi,

to add another info: in the solution I need I won't be able to edit the 
Apache Ranger code, so the only thing I can do is building one (or more) 
plugin for existing Apache Ranger instances.
Also, to answer to one of the previous questions, my custom 
authorization layer should fall back to Ranger for additional checks, if 
possible.

As I said, I have built a custom plugin by following guide [1] and it's 
a generic one, not relying on any specific service, I have simply built 
an "Authorizer".

My first doubt is that I'm not sure there is a way to use a generic 
plugin as a very first authorization layer to obtain data that will be 
used by the plugins specific for each service (HDFS, HIVE etc...).
In other words, is there any way a custom plugin could be use as main 
authorization layer upon all the other plugin for specific services?

Secondly, as asked before, I still don't get how to install a custom 
generic plugin (actually not only a generic one) on a Ranger instance 
that I have started from source code, and most of all if it's possible 
to do that somehow.

Could you please give an advice on those things?

Thanks.
Regards

[1] 
https://github.com/apache/ranger/tree/master/ranger-examples/plugin-sampleapp


On 16/01/19 12:22, Matteo Alessandroni wrote:
> Hi Bosco,
>
> thanks for the detailed answer!
>
> On 16/01/19 11:38, Don Bosco Durai wrote:
>>
>> Hi Matteo
>>
>> It depends on your use case.
>>
>>  1. You will be doing authorization exclusively based on your
>>     decision engine.
>>  2. You will be falling back to Ranger for additional checks.
>>
>> For #1, it might not be worth your effort to understand Ranger Plugin 
>> implementation and change it. Ranger team has worked with almost all 
>> open source Hadoop projects to make the component authorization 
>> pluggable. You might just leverage that and directly implement the 
>> component’s interface, which are generally very simple and straight 
>> forward.
>>
>
> Ok thanks but could you please provide a sample for that? Any 
> reference to start from and to integrate it with Ranger?
> With this option #1 I should implement a component's interface for 
> each product I need to support right?
>
>> For #2, you could use extend Ranger. There are multiple ways.
>>
>>  1. Implementing additional conditions.
>>  2. Extending Services Authorizer class
>>  3. Extend or modify RangerPlugin class.
>>  4. Reimplement the Authorizer Plugin
>>
> ok in caseof #2, I understand the different ways to do that more or 
> less, but what I would like to have is an example (code, project 
> etc...) for some of those options or at least to know the steps to do 
> the job. Where can I find something?
>
> At the moment I found the examples in the source code [1]; in that 
> case I'm building a new custom plugin that implements "IAuthorizer", 
> but I don't know how to install that plugin in Ranger and at this 
> point I'm not sure it's a good idea to follow this way according to 
> what you said.
>
> Matteo
>
> [1] 
> https://github.com/apache/ranger/tree/master/ranger-examples/plugin-sampleapp
>
>> While it is easy to add a new plugin which uses Ranger 
>> implementation, but changing the internals could be pretty complex. 
>> The complexity will vary depending upon your programming skills and 
>> integration requirement. But I have to let you know, that this is not 
>> a trivial effort. Since Ranger supports multiple services, almost all 
>> everything is abstracted, so you will have to walk through all the 
>> code path and put enough debug statements to understand it.
>>
>> Bosco
>>
>> *From: *Matteo Alessandroni <matteo.alessandroni@tirasa.net>
>> *Reply-To: *<user@ranger.apache.org>
>> *Date: *Wednesday, January 16, 2019 at 12:21 AM
>> *To: *<user@ranger.apache.org>
>> *Subject: *Re: How to extend the authorization engine in order to use 
>> an external service
>>
>> Hi,
>>
>> just to clarify my question: the plugin I would like to build should 
>> make the call to the external service and then use the obtained data 
>> as a preliminary authorization check to use then with services like 
>> HDFS, HBASE, HIVE. In my case Apache Ranger is already integrated to 
>> those services so I just need to add that security layer before 
>> moving to the specific service.
>>
>> In this case what would you suggest?
>> Do I need to build a new brand plugin just to make the call and get 
>> the response from the external service or I need to build multiple 
>> plugins that extend each specific service provider?
>>
>> Thanks
>>
>> Regards,
>> Matteo
>>
>> On 15/01/19 12:57, Matteo Alessandroni wrote:
>>
>>     Hi Bosco,
>>
>>     On 15/01/19 12:41, Don Bosco Durai wrote:
>>
>>         Matteo
>>
>>         Are you extending current plugin or creating brand new custom
>>         plugin for another component?
>>
>>
>>     Actually I'm not sure whether I need to extend an existing plugin
>>     or create a new brand one.
>>     I will use Apache Ranger to provide runtime policy enforcement
>>     point for Hadoop products using policies from an external REST
>>     service.
>>     What solution do you think I should engage?
>>
>>
>>         If it current plugin, then Ranger has a design where you can
>>         enrich the context and use it in condition. IP based and most
>>         internal extensions uses that design pattern. The Policy
>>         side, you don’t need any code change. For the enricher, you
>>         might have to add JAR files. If you feel this will work for
>>         you, then Abhay or Madhan might be able to answer this in
>>         more detail.
>>
>>         If you are going to extend current plugin class, e.g. for
>>         YARN, then you will have to extend RangerYarnAuthorizer class
>>         on both implementation and shim package. You can then
>>         override the checkPermission method or customize
>>         RangerYarnPlugin (which does the actual check) and overwrite
>>         the init() to use your plugin class.
>>
>>         Just FYI, right from the beginning, Ranger team has avoided
>>         making outbound call during authorization. This could
>>         significantly affect your performance, particularly in high
>>         velocity components like HDFS, Kafka, etc. I would suggest
>>         (if possible) that you consider caching some of the
>>         authorization decisions within the plugin.
>>
>>     thank for the tip, I'll do that!
>>
>>     Anyway, in my current simple test I'm extending the YARN plugin
>>     (I don't think I will need to extend it, it's just to test a
>>     custom service registering operation), I registered it by using:
>>
>>     curl -u admin:admin -X POST -H "Accept: application/json" -H
>>     "Content-Type: application/json" –d @ranger-servicedef-test.json
>>     http://localhost:6080/service/plugins/definitions
>>
>>     but when I click "Add new service" for the new service type and
>>     click "Save" I get an error:
>>
>>     /Test failed to find service class
>>     org.apache.ranger.services.test.RangerServiceTest. Resource
>>     lookup will not be available. Please make sure plugin jar is in
>>     the correct place./
>>
>>     but the custom plugin folder is in the Apache Ranger main folder,
>>     what am I missing?
>>
>>     Best Regards,
>>     Matteo
>>
>>
>>          Bosco
>>
>>         *From: *Matteo Alessandroni <matteo.alessandroni@tirasa.net>
>>         <mailto:matteo.alessandroni@tirasa.net>
>>         *Reply-To: *<user@ranger.apache.org>
>>         <mailto:user@ranger.apache.org>
>>         *Date: *Tuesday, January 15, 2019 at 3:07 AM
>>         *To: *<user@ranger.apache.org> <mailto:user@ranger.apache.org>
>>         *Subject: *How to extend the authorization engine in order to
>>         use an external service
>>
>>         I would like to extend the authorization mechanism of Apache
>>         Ranger in order to make authorization based on the response
>>         of an external REST service.
>>         So, when the Ranger policy engine is called I would like to
>>         intercept the request, call an external REST service to
>>         obtain some authorization data and use it to decide who can
>>         access what.
>>         As a general idea the external service gets a username and
>>         returns a list of permissions / policies that user has.
>>
>>         Do you think I should build a custom plugin for it? Do I have
>>         to create an "*authorizer*"? If so, what class do I need to
>>         extend (e.g. "YarnAuthorizationProvider)" ?
>>         Could you please give me an hit on where to start or a sample
>>         of something similar to what I need?
>>
>>         Currently I'm trying to build a custom plugin (I started by
>>         seeing wiki on [1]). I have added a class that extends
>>         "YarnAuthorizationProvider" (I really don't know what class
>>         to use here). I've also created another subclass that extends
>>         "RangerPlainIDAccessRequest" so that I could access the
>>         request in the "checkPermission()" overridden method and
>>         maybe do stuff there.
>>         I'm not sure I'm in the right way! Any help would be appreciate!
>>
>>         Also, I'm not sure about how to test the plugin I have built.
>>         I tried to put it in the Apache Ranger source code (v1.2.0)
>>         and re-build, now I see the new service in the Apache Ranger
>>         Admin Console but what's next?
>>
>>         Thank you!
>>         Best regards,
>>         Matteo
>>
>>         [1]
>>         https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
>>
>>     -- 
>>
>>     Dott. Matteo Alessandroni
>>
>>     Software Engineer @ Tirasa S.r.l.
>>
>>     Viale Vittoria Colonna, 97 - 65127 Pescara
>>     Tel +39 0859116307 / FAX +39 0859111173
>>
>>     http://www.tirasa.net
>>
>>     Apache Syncope PMC Member
>>     http://people.apache.org/phonebook.html?uid=skylark17
>>
>>     Image removed by sender. Tirasa S.r.l. <http://www.tirasa.net/>
>>
>> -- 
>>
>> Dott. Matteo Alessandroni
>>
>> Software Engineer @ Tirasa S.r.l.
>>
>> Viale Vittoria Colonna, 97 - 65127 Pescara
>> Tel +39 0859116307 / FAX +39 0859111173
>>
>> http://www.tirasa.net
>>
>> Apache Syncope PMC Member
>> http://people.apache.org/phonebook.html?uid=skylark17
>>
>> Image removed by sender. Tirasa S.r.l. <http://www.tirasa.net/>
>>
>
> -- 
>
> Dott. Matteo Alessandroni
>
> Software Engineer @ Tirasa S.r.l.
>
> Viale Vittoria Colonna, 97 - 65127 Pescara
> Tel +39 0859116307 / FAX +39 0859111173
>
> http://www.tirasa.net
>
> Apache Syncope PMC Member
> http://people.apache.org/phonebook.html?uid=skylark17 
> <http://people.apache.org/phonebook.html?uid=skylark17>
>
> Tirasa S.r.l. <http://www.tirasa.net>

-- 

Dott. Matteo Alessandroni

Software Engineer @ Tirasa S.r.l.

Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173

http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/phonebook.html?uid=skylark17 
<http://people.apache.org/phonebook.html?uid=skylark17>

Tirasa S.r.l. <http://www.tirasa.net>

Mime
View raw message