Comment: updated formatting

...

 Example: YARN Service Type definition

{
  "name": "yarn",
  "implClass": "org.apache.ranger.services.yarn.RangerServiceYarn",
...
  "guid": "5b710438-edcf-4e20-834c-a9a267b5b963",
  "resources":
  [
    {
      "name": "queue",
...
      "matcherOptions": {"wildCard":true, "ignoreCase":true, "pathSeparatorChar":"."},
      "label": "Queue",
      "description": "Queue"
    }
...
      "type": "string",
      "mandatory": true,
      "label": "Username"
    },
    {
      "name": "password",
      "type": "password",
      "mandatory": true,
      "label": "Password"
    },
    {
      "name": "yarn.url",
      "type": "string",
      "mandatory": true,
      "label": "YARN REST URL"
    },
    {
      "name": "commonNameForCertificate",
      "type": "string",
      "mandatory": false,
      "label": "Common Name for Certificate"
    }
  ],

  "policyConditions":
...
      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
      "label": "IP Address Range",
      "description": "IP Address Range"

...

public boolean checkPermission(AccessType accessType, PrivilegedEntity entity,
...
    UserGroupInformation ugi) {
  RangerAccessRequestImpl request  = new RangerAccessRequestImpl();
  RangerResourceImpl      resource = new RangerResourceImpl();

  resource.setValue("queue", entity.getName());
  request.setResource(resource);
  request.setAccessType(getRangerAccessType(accessType));
  request.setUser(ugi.getShortUserName());
  request.setUserGroups(Sets.newHashSet(ugi.getGroupNames()));
  request.setAccessTime(new Date());
  request.setClientIPAddress(getRemoteIp());

  RangerAccessResult result = plugin.isAccessAllowed(request);

...

The implementation of this lookup is specific to the service in which the resources are accessed. It uses the APIs provided by the service to connect and retrieve the available resources. To support the autocomplete feature, Ranger Admin requires the plugin to provide an implementation of the RangerBaseService interface. The implementation class must be registered with Ranger in the service type definition and be made available in the CLASSPATH of Ranger Admin.


public class RangerServiceYarn extends RangerBaseService {

  public HashMap<String, Object> validateConfig() throws Exception {
    // TODO: connect to YARN resource manager; throw Exception on failure
  }

  public List<String> lookupResource(ResourceLookupContext context) throws Exception {
    // TODO: retrieve the resource list from YARN resource manager using REST API
  }
}
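The filtering step that a lookupResource implementation would perform on the ResourceManager's reply, as an added example that is not part of the original page or of Apache Ranger. The class name YarnQueueLookup, the result limit, and the assumption that queue names appear as "queueName" fields in the scheduler REST response are hypothetical; the case-insensitive match mirrors "ignoreCase":true in the service definition above.

```java
import java.util.*;
import java.util.regex.*;

// Added example: hypothetical helper, not Ranger's own code.
public class YarnQueueLookup {
    // Assumed input format: queue names carried in "queueName" fields.
    private static final Pattern QUEUE_NAME =
            Pattern.compile("\"queueName\"\\s*:\\s*\"([^\"]*)\"");
    // Only offer names built from characters expected in a queue path,
    // so unexpected remote data never reaches the Ranger Admin UI.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,128}");

    static List<String> matchQueues(String schedulerJson, String userInput,
                                    Collection<String> alreadySelected, int limit) {
        String prefix = userInput == null ? "" : userInput.toLowerCase(Locale.ROOT);
        Set<String> found = new TreeSet<>();   // sorted and de-duplicated
        Matcher m = QUEUE_NAME.matcher(schedulerJson);
        while (m.find()) {
            String name = m.group(1);
            if (!SAFE_NAME.matcher(name).matches()) continue;   // drop unexpected values
            if (alreadySelected != null && alreadySelected.contains(name)) continue;
            if (name.toLowerCase(Locale.ROOT).startsWith(prefix)) found.add(name);
        }
        List<String> out = new ArrayList<>(found);
        // Cap the list so a very large cluster cannot flood the autocomplete box.
        return out.size() > limit ? new ArrayList<>(out.subList(0, limit)) : out;
    }

    public static void main(String[] args) {
        // Constructed sample response, trimmed to the fields used here.
        String json = "{\"scheduler\":{\"schedulerInfo\":{\"queueName\":\"root\","
                + "\"queues\":{\"queue\":[{\"queueName\":\"default\"},"
                + "{\"queueName\":\"Dev\"},{\"queueName\":\"data-eng\"},"
                + "{\"queueName\":\"bad<name>\"}]}}}}";
        // User typed "d"; "default" is already present in the policy being edited.
        System.out.println(matchQueues(json, "d", Arrays.asList("default"), 10));
    }
}
```

In a real plugin the JSON would come from the URL configured as yarn.url, fetched with the stored username and password over a connection with timeouts set, and the user input and already-selected values would come from the ResourceLookupContext.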



Install and configure plugin in the service

...