[ https://issues.apache.org/jira/browse/KYLIN-2703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118096#comment-16118096 ]
hongbin ma edited comment on KYLIN-2703 at 8/8/17 9:24 AM:
-----------------------------------------------------------

hi [~peng.jianhua]

I have some questions before merging the patch:

1. About org.apache.kylin.rest.controller.AccessController#getAccessEntities: Before your patch, this method is simple: return the access entry list of a requested domain object. After your patch, why is it necessary for the API caller to provide a "name" (Is it a must?) and "owner" (Why should API caller provide owner) parameter?
2. On kylin side, what configurations should users make to take effect? Is there a manual or doc?


was (Author: mahongbin):
hi [~peng.jianhua]

I have some questions before merging the patch:

1. About org.apache.kylin.rest.controller.AccessController#getAccessEntities: Before your patch, this method is simple: return the access entry list of a requested domain object. After your patch, why is it necessary for the API caller to provide a "name" (Is it a must?) and "owner" (Why should API caller provide owner) parameter?
2. What configurations should users make to use Ranger? Is there a manual or doc?


> kylin supports managing access rights for project and cube through apache ranger.
> ---------------------------------------------------------------------------------
>
>                 Key: KYLIN-2703
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2703
>             Project: Kylin
>          Issue Type: New Feature
>          Components: General
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>              Labels: newbie, patch
>         Attachments: 0001-KYLIN-2703-kylin-supports-managing-access-rights-for.patch,
>                      KylinAuditLog.jpg, KylinPlugins.jpg, KylinPolicies.jpg,
>                      KylinServiceEntry.jpg, NewKylinPolicy.jpg, NewKylinService.jpg,
>                      Ranger-PMS-hope.png
>
>
> Ranger is a framework to enable, monitor and manage comprehensive data
> security across the Hadoop platform. Apache Ranger has the following goals:
> 1. Centralized security administration to manage all security related tasks
>    in a central UI or using REST APIs.
> 2. Fine grained authorization to do a specific action and/or operation with
>    Hadoop component/tool and managed through a central administration tool
> 3. Standardize authorization method across all Hadoop components.
> 4. Enhanced support for different authorization methods - Role based access
>    control, attribute based access control etc.
> 5. Centralize auditing of user access and administrative actions (security
>    related) within all the components of Hadoop.
>
> Ranger has supported enable, monitor and manage following components:
> 1. HDFS
> 2. HIVE
> 3. HBASE
> 4. KNOX
> 5. YARN
> 6. STORM
> 7. SOLR
> 8. KAFKA
> 9. ATLAS
>
> In order to improve the flexibility of kylin privilege control and enhance
> value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase,
> Kylin should also support that using Ranger to control access rights for
> project and cube.
>
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the
> ranger plugin. kylin instantiates ranger plugin's implementation class when
> starting (this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the
> local, and updates project and cube access rights based on policy information.
>
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's
>    implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin
>    implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's
>    authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's
>    existing permissions functions and logic.
>
> In the Ranger side:
> 1. Ranger plugin will periodically poll ranger admin, updates the policy to
>    the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin
>    to update the project and cube access rights based on the policy information.
>
> reference link: https://issues.apache.org/jira/browse/RANGER-1672

--
This message was sent by Atlassian JIRA (v6.4.14#64029)