[
https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16073995#comment-16073995
]
Srikanth Venkat commented on RANGER-1672:
-----------------------------------------
This is a great feature to add, thanks Qiang for the contribution.
Few questions:
1) Where are the OLAP cubes and project information associated with Kylin
stored? In HDFS or externally?
2) A Ranger plugin without auditing feature is not very useful for the
community from a security perspective, so this plugin should support writing
audits using Ranger's audit framework (writing raw audits to HDFS and indexing
in Solr for querying). Kylin Ranger plugin should support auditing to capture
the same level of audit event metadata that other services in Hadoop provide.
3) Does Kylin have a server side component (such as HiveServer2) or is only a
client set of libraries? How will this plugin be deployed if it is client side
only? Does Kylin support doAs (impersonation) if there is a server side
component?
4) Is there a need to support dynamic policies for authorizing OLAP cubes and
projects?
5) Does Kylin already have any LDAP/AD authentication integration and support
the Hadoop user-group mapping facility? Without this group resolution will need
to be thought through carefully for the plugin implementation.
> Ranger supports plugin to enable, monitor and manage apache kylin
> -----------------------------------------------------------------
>
> Key: RANGER-1672
> URL: https://issues.apache.org/jira/browse/RANGER-1672
> Project: Ranger
> Issue Type: New Feature
> Components: plugins
> Reporter: Qiang Zhang
> Assignee: Qiang Zhang
> Labels: newbie, patch
>
> Apache Kylin is an open source Distributed Analytics Engine designed to
> provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop
> supporting extremely large datasets, original contributed from eBay Inc.
> Apache Kylin lets user query massive data set at sub-second latency in 3
> steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or
> RESTful API.
> We should support that using Ranger to control kylin's access rights for
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the
> ranger plugin. kylin instantiates ranger plugin’s implementation class when
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the
> local, and updates project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's
> existing permissions functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
