While it is easy to add a new plugin which uses the Ranger
implementation, changing the internals could be pretty complex.
The complexity will vary depending upon your programming skills and
integration requirements. But I have to let you know that this is not
a trivial effort. Since Ranger supports multiple services, almost
everything is abstracted, so you will have to walk through all the
code paths and put in enough debug statements to understand it.
Bosco
*From: *Matteo Alessandroni <matteo.alessandr...@tirasa.net>
*Reply-To: *<user@ranger.apache.org>
*Date: *Wednesday, January 16, 2019 at 12:21 AM
*To: *<user@ranger.apache.org>
*Subject: *Re: How to extend the authorization engine in order to use
an external service
Hi,
just to clarify my question: the plugin I would like to build should
make the call to the external service and then use the obtained data
as a preliminary authorization check to then use with services like
HDFS, HBASE, HIVE. In my case Apache Ranger is already integrated to
those services so I just need to add that security layer before
moving to the specific service.
In this case what would you suggest?
Do I need to build a brand new plugin just to make the call and get
the response from the external service or do I need to build multiple
plugins that extend each specific service provider?
Thanks
Regards,
Matteo
On 15/01/19 12:57, Matteo Alessandroni wrote:
Hi Bosco,
On 15/01/19 12:41, Don Bosco Durai wrote:
Matteo
Are you extending current plugin or creating brand new custom
plugin for another component?
Actually I'm not sure whether I need to extend an existing plugin
or create a brand new one.
I will use Apache Ranger to provide runtime policy enforcement
point for Hadoop products using policies from an external REST
service.
What solution do you think I should engage?
If it is the current plugin, then Ranger has a design where you can
enrich the context and use it in a condition. IP based and most
internal extensions use that design pattern. On the policy
side, you don’t need any code change. For the enricher, you
might have to add JAR files. If you feel this will work for
you, then Abhay or Madhan might be able to answer this in
more detail.
If you are going to extend current plugin class, e.g. for
YARN, then you will have to extend RangerYarnAuthorizer class
on both implementation and shim package. You can then
override the checkPermission method or customize
RangerYarnPlugin (which does the actual check) and overwrite
the init() to use your plugin class.
Just FYI, right from the beginning, Ranger team has avoided
making outbound call during authorization. This could
significantly affect your performance, particularly in high
velocity components like HDFS, Kafka, etc. I would suggest
(if possible) that you consider caching some of the
authorization decisions within the plugin.
Thanks for the tip, I'll do that!
Anyway, in my current simple test I'm extending the YARN plugin
(I don't think I will need to extend it, it's just to test a
custom service registering operation), I registered it by using:
curl -u admin:admin -X POST -H "Accept: application/json" -H
"Content-Type: application/json" -d @ranger-servicedef-test.json
http://localhost:6080/service/plugins/definitions
but when I click "Add new service" for the new service type and
click "Save" I get an error:
/Test failed to find service class
org.apache.ranger.services.test.RangerServiceTest. Resource
lookup will not be available. Please make sure plugin jar is in
the correct place./
but the custom plugin folder is in the Apache Ranger main folder,
what am I missing?
Best Regards,
Matteo
Bosco
*From: *Matteo Alessandroni <matteo.alessandr...@tirasa.net>
*Reply-To: *<user@ranger.apache.org>
*Date: *Tuesday, January 15, 2019 at 3:07 AM
*To: *<user@ranger.apache.org>
*Subject: *How to extend the authorization engine in order to
use an external service
I would like to extend the authorization mechanism of Apache
Ranger in order to make authorization based on the response
of an external REST service.
So, when the Ranger policy engine is called I would like to
intercept the request, call an external REST service to
obtain some authorization data and use it to decide who can
access what.
As a general idea the external service gets a username and
returns a list of permissions / policies that user has.
Do you think I should build a custom plugin for it? Do I have
to create an "*authorizer*"? If so, what class do I need to
extend (e.g. "YarnAuthorizationProvider")?
Could you please give me a hint on where to start or a sample
of something similar to what I need?
Currently I'm trying to build a custom plugin (I started by
seeing wiki on [1]). I have added a class that extends
"YarnAuthorizationProvider" (I really don't know what class
to use here). I've also created another subclass that extends
"RangerPlainIDAccessRequest" so that I could access the
request in the "checkPermission()" overridden method and
maybe do stuff there.
I'm not sure I'm in the right way! Any help would be appreciated!
Also, I'm not sure about how to test the plugin I have built.
I tried to put it in the Apache Ranger source code (v1.2.0)
and re-build, now I see the new service in the Apache Ranger
Admin Console but what's next?
Thank you!
Best regards,
Matteo
[1]
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
--
Dott. Matteo Alessandroni
Software Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/phonebook.html?uid=skylark17
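
Bosco's advice in this thread to cache authorization decisions inside the plugin instead of calling out on every check, as an added example that is not code from the thread or from the Ranger code base: a per-user TTL cache in front of the external lookup that denies when the service fails. The `remote` function, the permission strings and the TTL are hypothetical, wiring the class into a Ranger enricher or authorizer is not shown, and it needs Java 16 or later.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Function;

/** Added example: per-user TTL cache in front of a slow external permission lookup. */
public class CachedPermissionLookup {
    private record Entry(Set<String> permissions, long expiresAtNanos) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> remote; // hypothetical REST client call
    private final long ttlNanos;

    public CachedPermissionLookup(Function<String, Set<String>> remote, long ttlMillis) {
        this.remote = remote;
        this.ttlNanos = ttlMillis * 1_000_000L;
    }

    /** True only if the user's cached or freshly fetched permissions contain it. */
    public boolean isAllowed(String user, String permission) {
        long now = System.nanoTime();
        Entry e = cache.get(user);
        if (e == null || now - e.expiresAtNanos() >= 0) { // missing or expired
            Set<String> perms;
            try {
                perms = Set.copyOf(remote.apply(user)); // the only outbound call
            } catch (RuntimeException ex) {
                perms = Set.of(); // fail closed: outage or null/bad response => deny
            }
            e = new Entry(perms, now + ttlNanos);
            cache.put(user, e);
        }
        return e.permissions().contains(permission);
    }

    public static void main(String[] args) {
        AtomicInteger calls = new AtomicInteger();
        // Constructed stand-in for the external REST service.
        Function<String, Set<String>> fake = user -> {
            calls.incrementAndGet();
            if (user.equals("broken")) throw new IllegalStateException("service down");
            return user.equals("alice") ? Set.of("hdfs:read", "hive:select") : Set.of();
        };
        CachedPermissionLookup lookup = new CachedPermissionLookup(fake, 30_000);
        System.out.println("alice hdfs:read   -> " + lookup.isAllowed("alice", "hdfs:read"));
        System.out.println("alice hdfs:write  -> " + lookup.isAllowed("alice", "hdfs:write"));
        System.out.println("broken hdfs:read  -> " + lookup.isAllowed("broken", "hdfs:read"));
        System.out.println("outbound calls    -> " + calls.get());
    }
}
```

Revocations at the external service take up to the TTL to be seen here, and a failed lookup is cached as a deny for the same period, so size the TTL with both in mind.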