Aruna, can you give more detail on what you are trying to achieve?

I was searching for integration design diagram, but couldn’t find one. We will 
work on creating one. In the meanwhile, here is the high level.

Ranger plugins run within the component process.

It gives a light Java library, which does the following:
- Provides a method to check access: RangerBasePlugin.isAccessAllow()
  (explicit, you have to call it)
- Pulls policies from Ranger Admin (implicit)
- Does auditing (implicit)

The Ranger community works closely with the Hadoop component community for
writing plugins for Hadoop components. Currently, there are close to 9 plugins
available as part of Ranger (HDFS, Hive, HBase, Kafka, Solr, YARN, Storm, Knox
and KMS). We are working with the other communities to support more.

The framework is generic, so you can also use Ranger to provide access control
to your home-grown application. The wiki page
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
shows how to implement a custom stack.

The Ranger design philosophy is not to change the authorization of the
component, but to have the component define an interface and abstract all the
actions the component supports. This way the components are free to support any
actions they want to and evolve them over time. This also helps other security
providers to provide a similar implementation.

So if you are planning to write a custom plugin, I assume you have your own app
and you want to use Ranger to provide the access control and audit. If that is
the case, some of the questions you have asked apply mostly on your side.

log4j: Since the Ranger plugin is embedded within the process, it uses the
component's logging framework. So here, it will be yours.

If you want to use the Ranger plugin, first you need to create an interface in
your application for authorization. We recommend you provide the default/native
simple implementation. Ranger will implement the same interface, but the Ranger
implementation will use the policies from Ranger Admin. You can review the
following sample implementations:
https://github.com/apache/incubator-ranger/blob/master/plugin-solr/src/main/java/org/apache/ranger/authorization/solr/authorizer/RangerSolrAuthorizer.java
and
https://github.com/apache/incubator-ranger/blob/master/plugin-kafka/src/main/java/org/apache/ranger/authorization/kafka/authorizer/RangerKafkaAuthorizer.java

Once your interface is defined, the wiki page tells how to define a service
using JSON, which can be loaded in Ranger Admin. After that you can create the
policies from the Ranger Admin UI, the REST APIs for managing policies are
automatically available, the Ranger Admin audit UI will start showing the
audits, etc.

Please give your use case, so we can guide you better.

Thanks

Bosco
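
The pattern described in the message above (an authorization interface owned by the application, a native default, and a Ranger-backed implementation embedded in the same process), as an added example that is not code from the Ranger project or from anyone on this thread. All class names, the service type "customservice" and the resource key "path" are hypothetical and would have to match the service definition JSON loaded into Ranger Admin; it assumes the Ranger plugin jars and their configuration files are on the application's classpath.

```java
// Added example (not Ranger project code). Hypothetical: all class names, "customservice", "path".
import java.util.Set;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

// Interface owned by the application; every protected code path calls isAllowed() explicitly.
interface Authorizer {
    void init();
    boolean isAllowed(String user, Set<String> groups, String accessType, String path);
    // The application picks the implementation by class name from its own configuration.
    static Authorizer load(String className) throws Exception {
        Authorizer a = (Authorizer) Class.forName(className).getDeclaredConstructor().newInstance();
        a.init();
        return a;
    }
}

// Default/native implementation shipped with the application: only "admin" is allowed.
class NativeAuthorizer implements Authorizer {
    public void init() { }
    public boolean isAllowed(String user, Set<String> groups, String accessType, String path) {
        return "admin".equals(user);
    }
}

// Ranger implementation of the same interface; it runs inside the application's process.
class RangerCustomAuthorizer implements Authorizer {
    private RangerBasePlugin plugin;
    public void init() {
        plugin = new RangerBasePlugin("customservice", "customservice"); // service type, app id
        plugin.setResultProcessor(new RangerDefaultAuditHandler());      // auditing (implicit)
        plugin.init();                             // policy engine + policy refresher (implicit)
    }
    public boolean isAllowed(String user, Set<String> groups, String accessType, String path) {
        if (plugin == null) return false;          // not initialised: fail closed
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("path", path);           // key must be a resource name in the service def
        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setAccessType(accessType);         // must be an access type in the service def
        request.setUser(user);
        request.setUserGroups(groups);
        RangerAccessResult result = plugin.isAccessAllowed(request);
        return result != null && result.getIsAllowed(); // no result: fail closed
    }
}
```

The application would call Authorizer.load("RangerCustomAuthorizer") once at startup and keep the returned instance, so nothing outside the application's own process has to start or invoke the plugin.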




From:  Ramesh Mani <rm...@hortonworks.com>
Reply-To:  <user@ranger.incubator.apache.org>
Date:  Thursday, December 10, 2015 at 11:12 PM
To:  "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject:  Re: Queries on the developement for a new custom plugin

Please find the answer below.

From: Aruna Sivaram <sivaram.ar...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, December 10, 2015 at 8:34 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Queries on the developement for a new custom plugin

Thanks for your quick response. Please find my queries inline.


On Fri, Dec 11, 2015 at 4:55 AM, Ramesh Mani <rm...@hortonworks.com> wrote:

If you have created a CustomService, and if you want to authorize the access 
of components/resources in your CustomService, then you need to have default 
authorizer in your CustomService to do authorization, which you will extend in 
your Ranger custom plugin and will be called when your CustomService needs 
authorization check.

[Aruna] : It would be great if you could provide a snippet/example where the 
authoriser code present in the plugin is invoked by the existing services 
(hive/hdfs/storm/kafka) for authorisation. This would give me a better picture 
as to how it exactly works.
[RM] Each service dictates how to register the custom authorizer with it. 
So you need to refer to the respective service's authorization mechanism.


For logging, as you had seen, it uses log4j; you can have a log4j appender in 
the log4j.properties and get the log. All hadoop components have their log4j 
properties file where it specifies the location it puts the log.
By default it is /var/log/hadoop/ for hadoop.
 
[Aruna] : There are many log4j.properties in the ranger code base and there is 
no specific log4j.properties for each of the plugins. Hence, which 
log4j.properties do I need to modify? My aim is to see all the logs generated 
by my custom plugin. This would enable me to debug the code better.
[RM] Here also each service provides its log4j.properties file and that is where 
you define the appender for ranger also.

[Aruna] : The other thing I wanted to know was how one starts the plugin, 
or rather initiates the plugin which polls for the policies. I see that the 
enable-<service>-plugin.sh scripts set the environment and copy property 
files to the right locations, but I don't see where the authoriser is 
instantiated in order to invoke the init() method of the RangerbasePlugin.
[RM] This is already in the wiki page.

 
Thanks for all your help

Aruna 

From: Aruna Sivaram <sivaram.ar...@gmail.com>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Wednesday, December 9, 2015 at 9:45 PM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Queries on the developement for a new custom plugin

I am using ranger 0.5 for the access control. We are planning to develop a 
custom plugin which we plan to integrate with the ranger framework. This custom 
plugin will be used for access control of our components. In order to explore 
this possibility, I have written a custom plugin as per the example given in 
the link 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207

Since this is a custom plugin, my authoriser class (CustomServiceAuthoriser) 
will not be extending any of the hadoop security classes (e.g. in the case of 
storm or hive, the RangerStormAuthoriser implements IAuthorizer and 
RangerYarnAuthorizer extends YarnAuthorizationProvider). I have created the 
repository and policies for the same through the REST web service.


I have written the custom service authoriser as per the example and deployed 
the same on the sandbox. I have a service named CustomService. What I wanted to 
know is how the customservice will communicate with my customserviceauthoriser, 
which is contained in my plugin. Currently I don't find any documentation which 
talks about the mode of communication, or rather how the plugin class will be 
invoked by the service.

I am relatively new to ranger, so maybe I am missing something?

Also, I would like to know the location of the log where each of the plugin 
classes would be logging. This will help us in debugging the flow. I see a lot 
of log statements in the ranger plugin code base but am unable to find the 
location of the logs.

Secondly, can ranger be used to develop custom plugins for access control of 
non-hadoop components?

Any help from your end would be appreciated.

-- 
Regards
Aruna Sivaram


