...

Policy evaluation within a Ranger plugin can be thought of as consisting of 3 distinct phases:

Request Creation Phase:

This phase builds the Authorization request by gathering the context of the access which is to be authorized.

  • For example, for HDFS the request may include the path of the file being accessed and the access type requested (read, write, execute, etc.), along with other contextual information such as user, group, time and IP address.

Policy Evaluation Phase:

This is where the authorization request is evaluated by the policy engine to decide whether access should be allowed. It results in an authorization result.

  • The policy engine compares the information in the authorization request against the set of active policies to make its decision.
  • It decides both the authorization and the auditability of an access.

Post Evaluation Phase:

This is the phase where post-evaluation tasks are handled, e.g. generating and logging the audit message to the right audit store, if required.

...

Example Context enrichers

The Ranger source code has a ranger-examples sub-project which maintains demo examples of these. The project is also meant to serve as a template Maven project that can be cloned and used to build your custom components. The examples project has two context enrichers, RangerSampleProjectProvider and RangerSampleCountryProvider. Both of these provide a way to read a key/value map from a disk file (in the form of a standard Java properties list) that can be used to enrich the context.

...

A Condition Evaluator is a Java class that extends the abstract class RangerAbstractConditionEvaluator.

A condition evaluator serves two related but distinct roles. The first is the role it plays during policy evaluation:

...

Example condition evaluators

The Ranger source code has a ranger-examples sub-project which maintains demo examples of these. The project is also meant to serve as a template Maven project that can be cloned and used to build your custom components. The examples project has a sample condition evaluator, RangerSampleSimpleMatcher. In addition, Ranger production code uses the following two condition evaluators: RangerIpMatcher and RangerTimeOfDayMatcher. The former is used by the standard Knox plugin.
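
The enricher-then-evaluator flow described above, as an added example that is not Ranger's or the ranger-examples project's code: a simplified, self-contained Java model (Java 16+) in which an enricher loads a user-to-project map in properties format and a matcher checks the enriched value. The `Request` record, the `enrich` and `isMatched` helpers, and the sample users and projects are all hypothetical; only the PROJECT context name comes from the page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class EnrichThenMatchDemo {
    // Simplified stand-in for an access request: a user plus a mutable context map.
    // (Hypothetical type, not a Ranger class.)
    record Request(String user, Map<String, Object> context) {}

    // Enricher model: looks the user up in a properties map and stores the
    // value in the request context under contextName (e.g. "PROJECT").
    static void enrich(Request req, Properties userToValue, String contextName) {
        String value = userToValue.getProperty(req.user());
        if (value != null) {
            req.context().put(contextName, value.trim());
        }
    }

    // Condition evaluator model: matches only when the enriched value is present
    // and equals one of the values listed in the policy condition.
    static boolean isMatched(Request req, String contextName, List<String> policyValues) {
        Object value = req.context().get(contextName);
        return value instanceof String s && policyValues.contains(s);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data in java.util.Properties format (user=project).
        Properties data = new Properties();
        data.load(new StringReader("alice=finance\nbob=engineering\n"));

        // Constructed policy condition values.
        List<String> allowedProjects = List.of("finance");
        for (String user : List.of("alice", "bob", "mallory")) {
            Request req = new Request(user, new HashMap<>());
            enrich(req, data, "PROJECT");
            // mallory has no entry in the data, so the context stays empty
            // and the condition does not match.
            System.out.printf("%s PROJECT=%s matched=%b%n", user,
                    req.context().get("PROJECT"), isMatched(req, "PROJECT", allowedProjects));
        }
    }
}
```

In this model a user with no entry in the data file is never matched, so a missing or stale data file narrows access rather than widening it.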

...

      "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleProjectProvider",
      "enricherOptions": { "contextName" : "PROJECT", "dataFile":"/etc/ranger/data/userProject.txt"}

...

      "enricher": "org.apache.ranger.plugin.contextenricher.RangerSampleProjectProvider",
      "enricherOptions": { "contextName" : "PROJECT", "dataFile":"/etc/ranger/data/userProject.txt"}

...

      "evaluator": "org.apache.ranger.plugin.conditionevaluator.RangerSampleSimpleMatcher",
      "evaluatorOptions": { "CONTEXT_NAME": "PROJECT" },
      "validationRegEx":"",

...