...

Apache Ranger provides centralized security for the enterprise Hadoop ecosystem, including fine-grained access control and centralized auditing. As of Apache Ranger 0.4, Ranger provides authorization and auditing for the following services: HDFS, HBase, Hive, Knox and Storm. Adding support for a new service requires changes to several modules of the Apache Ranger implementation, such as the UI, the APIs and the database schema.

Apache Ranger 0.5 introduces a stack model that makes onboarding new components easier, without requiring code changes in Apache Ranger itself. This document describes the stack model and the steps needed to integrate a new service with Apache Ranger.

Steps to create a Ranger Authorization Plugin

This section gives a high-level overview of the steps involved in creating a Ranger authorization plugin. Each step is covered in more detail in later sections.

Define Service-type

  1. Create a JSON file with the following details about the service:

    • Resources. Example: database, table, column, etc.

    • Access types. Example: select, update, create, drop, etc.

    • Configuration to connect to the service. Example: JDBC URL, JDBC driver, credentials, etc.

  2. Load the JSON into Ranger.

Develop Ranger Authorization plugin

During initialization of the service:

  1. Create a static/global instance of the RangerBasePlugin class (or of a class derived from it). Keep a reference to this instance; it is used later to authorize resource access.

  2. Call init() on this instance. This initializes the policy engine with the policies from the local cache and starts a background thread that periodically fetches updated policies from Ranger Admin.

  3. Register an audit handler, such as RangerDefaultAuditHandler, with the plugin instance. The plugin uses this audit handler to generate audit logs of resource accesses.

To authorize access to a resource:

  1. Create an instance of a RangerAccessRequest implementation, such as RangerAccessRequestImpl, with the details of the access to be authorized: resource, access type, user, user groups, client IP address, etc.

  2. Call isAccessAllowed() on the plugin instance created earlier.

  3. Allow or deny the access depending on the returned result. Fail closed: treat a missing result, or one for which no policy granted the access, as a denial.
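The initialization and authorization steps above, put together in one class. This is an added example, not code from the Ranger project or from any shipped plugin: it authorizes access to a hypothetical "myqueue" service whose service type defines a "queue" resource and the access types "submit-app" and "admin-queue" (assumed names). The Ranger classes and methods used are those of the 0.5 plugin library: RangerBasePlugin(serviceType, appId), init(), setResultProcessor(), and isAccessAllowed(RangerAccessRequest), which returns a RangerAccessResult.

```java
import java.util.Date;
import java.util.Set;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/*
 * Added example, not Ranger project code. Service type "myqueue", resource
 * "queue" and access types "submit-app" / "admin-queue" are assumed names
 * that must match the registered service-type definition.
 */
public class QueueAuthorizer {

    // Step 1: a single plugin instance for the whole process. It owns the
    // policy engine and the background thread that refreshes policies.
    private static volatile RangerBasePlugin rangerPlugin;

    /** Call once during service start-up. */
    public static synchronized void init() {
        if (rangerPlugin != null) {
            return; // already initialized
        }
        // "myqueue" must equal the "name" of the registered service type;
        // the appId is free text that identifies this component in audit logs.
        RangerBasePlugin plugin = new RangerBasePlugin("myqueue", "queue-service");

        // Step 2: load policies from the local cache and start the poller.
        // Ranger Admin URL, cache directory and poll interval are read from
        // ranger-myqueue-security.xml on the classpath.
        plugin.init();

        // Step 3: audit handler. Every isAccessAllowed() decision is passed to
        // it; audit destinations come from ranger-myqueue-audit.xml.
        plugin.setResultProcessor(new RangerDefaultAuditHandler());

        rangerPlugin = plugin;
    }

    /**
     * Authorization hook called by the service. Fails closed: a request made
     * before init(), or one that no policy allows, is denied.
     */
    public static boolean isAllowed(String queue, String accessType, String user,
                                    Set<String> groups, String clientIp) {
        RangerBasePlugin plugin = rangerPlugin;
        if (plugin == null) {
            return false;
        }

        // Resource keys must match the resource names in the service-type definition.
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("queue", queue);

        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setResource(resource);
        request.setAccessType(accessType);    // "submit-app" or "admin-queue"
        request.setUser(user);
        request.setUserGroups(groups);
        request.setAccessTime(new Date());
        request.setClientIPAddress(clientIp); // needed for an ip-range policy condition
        request.setAction(accessType);        // recorded in the audit event

        RangerAccessResult result = plugin.isAccessAllowed(request);
        return result != null && result.getIsAllowed();
    }
}
```

The service calls QueueAuthorizer.init() once at start-up and QueueAuthorizer.isAllowed(...) from its own authorization hook (for YARN, for example, from a YarnAuthorizationProvider implementation). The ranger-myqueue-security.xml and ranger-myqueue-audit.xml files that the plugin installer generates must be on the service's classpath; without them the plugin has no Ranger Admin to poll and no policies, and the hook above denies every request.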

To support resource lookup:

  1. Extend the RangerBaseService class and implement the lookupResource() and validateConfig() methods.

  2. Provide the fully qualified name of this class in the implClass field of the service-type definition.

  3. Make the library (jar file) that contains the class available on the CLASSPATH of Ranger Admin.
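The Ranger Admin side of the integration, as an added example that is not part of the page or the Ranger project. This is the class a service type names in implClass; the method signatures are those of RangerBaseService in Ranger 0.5, and getConfigs() returns the values an administrator entered for the service type's configs. The queue list is constructed in-line so the class can be exercised without a real service; the config name "queue.url" and the result-map keys connectivityStatus and message are assumptions (the keys follow the convention used by Ranger's own service classes).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;

/*
 * Added example, not Ranger project code. Runs inside Ranger Admin, not in
 * the service being protected. SAMPLE_QUEUES is constructed data standing in
 * for what a real implementation would fetch from the service using the
 * configured credentials.
 */
public class RangerServiceQueue extends RangerBaseService {

    private static final List<String> SAMPLE_QUEUES =
        Arrays.asList("root", "root.eng", "root.eng.ci", "root.finance");

    /** Backs the "Test Connection" button on the service instance page. */
    @Override
    public HashMap<String, Object> validateConfig() throws Exception {
        HashMap<String, Object> ret = new HashMap<>();
        Map<String, String> configs = getConfigs();
        String url = configs == null ? null : configs.get("queue.url"); // assumed config name
        if (url == null || url.trim().isEmpty()) {
            ret.put("connectivityStatus", false);
            ret.put("message", "queue.url is not set");
            return ret;
        }
        // A real implementation connects to 'url' here and reports failure on
        // any error, so that wrong credentials surface when the service instance
        // is created rather than when the first policy lookup silently returns nothing.
        ret.put("connectivityStatus", true);
        ret.put("message", "Connected to " + url);
        return ret;
    }

    /** Auto-completes resource names while an administrator types a policy. */
    @Override
    public List<String> lookupResource(ResourceLookupContext context) throws Exception {
        List<String> ret = new ArrayList<>();
        if (context == null || !"queue".equals(context.getResourceName())) {
            return ret; // only the "queue" resource supports lookup
        }
        String prefix = context.getUserInput() == null ? "" : context.getUserInput();
        // Values already selected in the policy editor are not suggested again.
        List<String> alreadyChosen = context.getResources() == null
            ? null : context.getResources().get("queue");
        for (String q : SAMPLE_QUEUES) {
            if (q.startsWith(prefix) && (alreadyChosen == null || !alreadyChosen.contains(q))) {
                ret.add(q);
            }
        }
        return ret;
    }
}
```

The jar containing this class must be loadable by Ranger Admin; in 0.5 the Admin looks for service implementation classes under a ranger-plugins/<service-type> directory inside its webapp, so check the layout of your installation. Note that the credentials entered in the service configs are stored by Ranger Admin and used only by this class; the plugin running inside the service never sees them.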

Install the plug-in in the service:

The Ranger plugin for the service must be installed and configured to run inside the service where access authorization is to be performed. Consult the documentation of the service for details of registering an authorizer.

Service Type

...

Service Type Definition

The resources of a service, along with other details such as the types of resource access (read/write/create/delete/submit/...), the configuration needed to connect to the service (url, username, password, ...), and custom conditions to evaluate in policies (IP range, ...), are defined in JSON, as shown in the following example.

 Example: YARN Service Type definition

{
 "name": "yarn",
 "implClass": "org.apache.ranger.services.yarn.RangerServiceYarn",
...
   "description": "IP Address Range"
  }
 ]
}

Register Service Type definition with Ranger

The service type definition is registered with Ranger through the REST API of Ranger Admin. Once it is registered, Ranger Admin provides the UI to create service instances (called repositories in previous releases) and policies for the service type. The Ranger plugin uses the service type definition and the policies to decide whether an access request should be granted. The REST API can be invoked with curl, as in the example below; replace admin:admin with the credentials of a Ranger Admin user (the default password should have been changed at installation) and use https when Ranger Admin is configured for it:

curl -u admin:admin -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @ranger-servicedef-yarn.json http://ranger-admin-host:port/service/plugins/definitions
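A complete, minimal service-type definition for a hypothetical queue service, written here as an added example (it is not part of this page or of the Ranger distribution). It uses the field names of the 0.5 service-definition schema; the service name "myqueue", the implClass org.example.ranger.RangerServiceQueue, the config name queue.url and the itemId values are assumptions. Saved as ranger-servicedef-myqueue.json, it can be registered with the curl command shown above.

```json
{
  "name": "myqueue",
  "implClass": "org.example.ranger.RangerServiceQueue",
  "label": "My Queue Service",
  "description": "Constructed example service type, not shipped with Ranger",
  "resources": [
    {
      "itemId": 1,
      "name": "queue",
      "type": "string",
      "level": 10,
      "parent": "",
      "mandatory": true,
      "lookupSupported": true,
      "recursiveSupported": false,
      "excludesSupported": false,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
      "matcherOptions": { "wildCard": true, "ignoreCase": false },
      "label": "Queue",
      "description": "Queue name; wildcards allowed, e.g. root.eng.*"
    }
  ],
  "accessTypes": [
    { "itemId": 1, "name": "submit-app",  "label": "Submit Application" },
    { "itemId": 2, "name": "admin-queue", "label": "Administer Queue" }
  ],
  "configs": [
    { "itemId": 1, "name": "username",  "type": "string",   "mandatory": true, "label": "Username" },
    { "itemId": 2, "name": "password",  "type": "password", "mandatory": true, "label": "Password" },
    { "itemId": 3, "name": "queue.url", "type": "string",   "mandatory": true, "label": "Service URL" }
  ],
  "enums": [],
  "contextEnrichers": [],
  "policyConditions": [
    {
      "itemId": 1,
      "name": "ip-range",
      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerIpMatcher",
      "evaluatorOptions": {},
      "label": "IP Address Range",
      "description": "IP Address Range"
    }
  ]
}
```

Two details matter for correctness of the policies built on this definition: the resource name "queue" and the access type names are the strings the plugin must use in RangerAccessResourceImpl.setValue() and RangerAccessRequestImpl.setAccessType(), and "ignoreCase": false means a policy on root.eng does not cover Root.Eng, so the service and the definition must agree on case handling.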

Ranger Plugin Development

Ranger Authorizer

Ranger authorization for a service is generally built as a library that implements service-specific hooks to intercept resource access requests and calls Ranger APIs to authorize and audit those accesses. The hooks are registered with the service when the plugin is installed in it. This section goes through the details of the Ranger plugin implementation for YARN; the service type definition for YARN is given in the previous section.

...