Repository: atlas
Updated Branches:
  refs/heads/branch-1.0 4964d3f1d -> a6a0348e6

ATLAS-2718: Documentation for Atlas Ranger authorization

Signed-off-by: Madhan Neethiraj <mad...@apache.org>
(cherry picked from commit 633f37b68e0f39a06a4de6b8619d56eb18e32fb1)

Project: http://git-wip-us.apache.org/repos/asf/atlas/repo
Commit: http://git-wip-us.apache.org/repos/asf/atlas/commit/a6a0348e
Tree: http://git-wip-us.apache.org/repos/asf/atlas/tree/a6a0348e
Diff: http://git-wip-us.apache.org/repos/asf/atlas/diff/a6a0348e

Branch: refs/heads/branch-1.0
Commit: a6a0348e642ef48dd00a95d2114e686963add9d5
Parents: 4964d3f
Author: nixonrodrigues <ni...@apache.org>
Authored: Thu May 24 20:20:15 2018 +0530
Committer: Madhan Neethiraj <mad...@apache.org>
Committed: Thu May 24 13:43:35 2018 -0700

----------------------------------------------------------------------
 .../resources/images/twiki/ranger-audit.png | Bin 0 -> 115948 bytes
 .../images/twiki/ranger-policy-admin.png | Bin 0 -> 227632 bytes
 .../images/twiki/ranger-policy-entities.png | Bin 0 -> 303316 bytes
 .../images/twiki/ranger-policy-types.png | Bin 0 -> 253200 bytes
 .../site/twiki/Atlas-Authorization-Model.twiki | 2 +-
 .../Atlas-Authorization-Ranger-Authorizer.twiki | 63 +++++++++++++++++++
 .../Atlas-Authorization-Simple-Authorizer.twiki | 2 +-
 docs/src/site/twiki/index.twiki | 3 +-
 8 files changed, 67 insertions(+), 3 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/resources/images/twiki/ranger-audit.png
----------------------------------------------------------------------
diff --git a/docs/src/site/resources/images/twiki/ranger-audit.png b/docs/src/site/resources/images/twiki/ranger-audit.png new file mode 100644 index 0000000..17abfad Binary files /dev/null and b/docs/src/site/resources/images/twiki/ranger-audit.png differ http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/resources/images/twiki/ranger-policy-admin.png ---------------------------------------------------------------------- diff --git a/docs/src/site/resources/images/twiki/ranger-policy-admin.png b/docs/src/site/resources/images/twiki/ranger-policy-admin.png new file mode 100644 index 0000000..6121c33 Binary files /dev/null and b/docs/src/site/resources/images/twiki/ranger-policy-admin.png differ http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/resources/images/twiki/ranger-policy-entities.png ---------------------------------------------------------------------- diff --git a/docs/src/site/resources/images/twiki/ranger-policy-entities.png b/docs/src/site/resources/images/twiki/ranger-policy-entities.png new file mode 100644 index 0000000..0dc2675 Binary files /dev/null and b/docs/src/site/resources/images/twiki/ranger-policy-entities.png differ http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/resources/images/twiki/ranger-policy-types.png ---------------------------------------------------------------------- diff --git a/docs/src/site/resources/images/twiki/ranger-policy-types.png b/docs/src/site/resources/images/twiki/ranger-policy-types.png new file mode 100644 index 0000000..8169cbe Binary files /dev/null and b/docs/src/site/resources/images/twiki/ranger-policy-types.png differ http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/twiki/Atlas-Authorization-Model.twiki ---------------------------------------------------------------------- 
diff --git a/docs/src/site/twiki/Atlas-Authorization-Model.twiki b/docs/src/site/twiki/Atlas-Authorization-Model.twiki index 4a6a729..ee09935 100644 --- a/docs/src/site/twiki/Atlas-Authorization-Model.twiki +++ b/docs/src/site/twiki/Atlas-Authorization-Model.twiki @@ -100,7 +100,7 @@ atlas.authorizer.impl=ranger </verbatim> Apache Ranger Authorizer requires configuration files to be setup, for example to specify Apache Ranger admin server URL, -name of the service containing authorization policies, etc. For more details on this, please refer to Apache Ranger documentation. +name of the service containing authorization policies, etc. For more details please see, [[Atlas-Authorization-Ranger-Authorizer][Setting up Atlas to use Ranger Authorizer]]. ---+++ None authorizer http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/twiki/Atlas-Authorization-Ranger-Authorizer.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/Atlas-Authorization-Ranger-Authorizer.twiki b/docs/src/site/twiki/Atlas-Authorization-Ranger-Authorizer.twiki new file mode 100644 index 0000000..33447b9 --- /dev/null +++ b/docs/src/site/twiki/Atlas-Authorization-Ranger-Authorizer.twiki 
@@ -0,0 +1,63 @@ +---+++ Setting up Apache Atlas to use Apache Ranger Authorization + +As detailed in [[Atlas-Authorization-Model][Atlas Authorization Model]], Apache Atlas supports pluggable authorization +model. Apache Ranger provides an authorizer implementation that uses Apache Ranger policies for authorization. In +addition, the authorizer provided by Apache Ranger audits all authorizations into a central audit store. + +---++++ Configure Apache Atlas +To configure Apache Atlas to use Apache Ranger authorizer, please follow the instructions given below: + + * Include the following property in atlas-application.properties config file: + <verbatim>atlas.authorizer.impl=ranger</verbatim> + + If you use Apache Ambari to deploy Apache Atlas and Apache Ranger, enable Atlas plugin in configuration pages for + Apache Ranger. + + * Include libraries of Apache Ranger plugin in libext directory of Apache Atlas + * =<Atlas installation directory>=/libext/ranger-atlas-plugin-impl/ + * =<Atlas installation directory>=/libext/ranger-atlas-plugin-shim-<version>.jar + * =<Atlas installation directory>=/libext/ranger-plugin-classloader-<version>.jar + + * Include configuration files for Apache Ranger plugin in configuration directory of Apache Atlas - typically under /etc/atlas/conf directory. For more details on configuration file contents, please refer to appropriate documentation in Apache Ranger. + * =<Atlas configuration directory>=/ranger-atlas-audit.xml + * =<Atlas configuration directory>=/ranger-atlas-security.xml + * =<Atlas configuration directory>=/ranger-policymgr-ssl.xml + * =<Atlas configuration directory>=/ranger-security.xml + + +---++++ Apache Ranger authorization policy model for Apache Atlas + +Apache Ranger authorization policy model for Apache Atlas supports 3 resource hierarchies, to control access to: types, +entities and admin operations. Following images show various details of each type of policy in Apache Ranger. 
+ + * *Types* + +Following authorization policy allows user 'admin' to create/update/delete any classification type. +<p></p> +<img alt="Apache Ranger policy for type operations" src="images/twiki/ranger-policy-types.png" width="800" style="border:1px solid black; margin-left:20px"></img> + +------- + + * *Entity* + +Following authorization policy allows user 'admin' perform all operations on metadata entities of Hive database named "my_db". +<p></p> +<img alt="Apache Ranger policy for entity operations" src="images/twiki/ranger-policy-entities.png" width="800" style="border:1px solid black; margin-left:20px"></img> + +------- + + * *Admin Operations* +Following authorization policy allows user 'admin' to perform export/import admin operations. +<p></p> +<img alt="Apache Ranger policy for admin operations" src="images/twiki/ranger-policy-admin.png" width="800" style="border:1px solid black; margin-left:20px"></img> + + +------- + +---++++ Apache Ranger access audit for Apache Atlas authorizations +Apache Ranger authorization plugin generates audit logs with details of the access authorized by the plugin. The details +include the object accessed (eg. hive_table with ID cost_savings.claim_savings@cl1), type of access performed (eg. +entity-add-classification, entity-remove-classification), name of the user, time of access and the IP address the access +request came from - as shown in the following image. + +<img alt="Apache Ranger audit " src="images/twiki/ranger-audit.png" width="1000" style="border:1px solid black; margin-left:20px"></img> http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki b/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki index 07753de..388be56 100644 
--- a/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki +++ b/docs/src/site/twiki/Atlas-Authorization-Simple-Authorizer.twiki @@ -93,7 +93,7 @@ Simple authorizer supports Java reg-ex to specify values for privilege/entity-ty </verbatim> ----+++++ Assign Roles to Users and User Grips +---+++++ Assign Roles to Users and User Groups Roles defined above can be assigned (granted) to users as shown below: http://git-wip-us.apache.org/repos/asf/atlas/blob/a6a0348e/docs/src/site/twiki/index.twiki ---------------------------------------------------------------------- diff --git a/docs/src/site/twiki/index.twiki b/docs/src/site/twiki/index.twiki index 6cffcd7..29fc83f 100755 --- a/docs/src/site/twiki/index.twiki +++ b/docs/src/site/twiki/index.twiki @@ -58,7 +58,8 @@ capabilities around these data assets for data scientists, analysts and the data * [[security][Security]] * [[Atlas-Authentication][Authentication]] * [[Atlas-Authorization-Model][Atlas Authorization Model]] - * [[Configure-simple-authorizer][Steps to configure Atlas Simple Authorizer]] + * [[Atlas-Authorization-Simple-Authorizer][Steps to configure Atlas Simple Authorizer]] + * [[Atlas-Authorization-Ranger-Authorizer][Steps to configure Atlas Ranger Authorizer]] * [[ClassificationPropagation][Classification Propagation]] * [[Configuration][Configuration]] * [[Notifications][Notifications]]
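
Review bot: In docs/src/site/twiki/Atlas-Authorization-Model.twiki, the replaced sentence puts the comma after "see" ("For more details please see, [[Atlas-Authorization-Ranger-Authorizer]..."); move it so the line reads "For more details, please see [[Atlas-Authorization-Ranger-Authorizer][Setting up Atlas to use Ranger Authorizer]]." The link text here ("Setting up Atlas to use Ranger Authorizer") also differs from the index.twiki entry for the same page ("Steps to configure Atlas Ranger Authorizer") and from the new page's own heading; please settle on one title.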
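
Review bot: In the new Atlas-Authorization-Ranger-Authorizer.twiki, the "Configure Apache Atlas" list names four Ranger plugin files (ranger-atlas-audit.xml, ranger-atlas-security.xml, ranger-policymgr-ssl.xml, ranger-security.xml) but defers their contents to "appropriate documentation in Apache Ranger" with no link and no hint of what each file is for. Atlas-Authorization-Model.twiki already states that these files specify the Ranger admin server URL and the name of the service containing the policies, so this page should at least say which file carries those settings, or link the specific Ranger page. The section also ends at the file list with no step to restart Atlas or to confirm that the Ranger authorizer is the one in effect, which is worth adding for a page about access control. Smaller wording points in the same hunk: "supports pluggable authorization model" needs an article, "allows user 'admin' perform all operations" is missing "to", "eg." should be "e.g.", and the "Admin Operations" bullet lacks the blank line that follows the "Types" and "Entity" bullets.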
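
Review bot: In docs/src/site/twiki/index.twiki, the Simple Authorizer entry changes its link target from Configure-simple-authorizer to Atlas-Authorization-Simple-Authorizer, but nothing in this commit's file list removes or redirects a Configure-simple-authorizer topic. Please confirm that no stale page or other inbound link to the old name remains, and mention this link fix (and the "Grips" to "Groups" heading fix in Atlas-Authorization-Simple-Authorizer.twiki) in the commit message, since the subject line only covers the Ranger documentation.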