This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 213735b5fb [doc](auth)ranger doc (#17927)
213735b5fb is described below
commit 213735b5fb87205983c70b09f3e9f656821e68c2
Author: zhangdong <[email protected]>
AuthorDate: Wed Mar 22 09:38:54 2023 +0800
[doc](auth)ranger doc (#17927)
---
docs/en/docs/lakehouse/multi-catalog/hive.md | 112 ++++++++++++++++++++----
docs/zh-CN/docs/lakehouse/multi-catalog/hive.md | 112 ++++++++++++++++++++----
2 files changed, 188 insertions(+), 36 deletions(-)
diff --git a/docs/en/docs/lakehouse/multi-catalog/hive.md
b/docs/en/docs/lakehouse/multi-catalog/hive.md
index c6b59bb802..0861357e01 100644
--- a/docs/en/docs/lakehouse/multi-catalog/hive.md
+++ b/docs/en/docs/lakehouse/multi-catalog/hive.md
@@ -134,25 +134,6 @@ CREATE CATALOG hive PROPERTIES (
);
```
-<version since="dev">
-
-when connecting to Hive Metastore which is authorized by Ranger, need some
properties and update FE runtime environment.
-
-1. add below properties when creating Catalog:
-
-```sql
-"access_controller.properties.ranger.service.name" = "<the ranger servive name
your hms using>",
-"access_controller.class" =
"org.apache.doris.catalog.authorizer.RangerHiveAccessControllerFactory",
-```
-
-2. update all FEs' runtime environment:
- a. copy all ranger-*.xml files to <doris_home>/conf which are located in
HMS/conf directory
- b. update value of `ranger.plugin.hive.policy.cache.dir` in
ranger-<ranger_service_name>-security.xml to a writable directory
- c. add a log4j.properties to <doris_home>/conf, thus you can get logs of
ranger authorizer
- d. restart FE
-
-</version>
-
In Doris 1.2.1 and newer, you can create a Resource that contains all these
parameters, and reuse the Resource when creating new Catalogs. Here is an
example:
```sql
@@ -214,3 +195,96 @@ This is applicable for Hive/Iceberge/Hudi.
| `map<KeyType, ValueType>` | `map<KeyType, ValueType>` | Not support nested
map. KeyType and ValueType should be primitive types. |
| `struct<col1: Type1, col2: Type2, ...>` | `struct<col1: Type1, col2: Type2,
...>` | Not support nested struct. Type1, Type2, ... should be primitive types.
|
| other | unsupported |
|
+
+## Use Ranger for permission verification
+
+<version since="dev">
+
+Apache Ranger is a security framework for monitoring, enabling services, and
managing comprehensive data security access on the Hadoop platform.
+
+Currently, Doris supports Ranger's library, table, and column permissions, but
does not support encryption, row permissions, and so on.
+
+</version>
+
+
+### Environment configuration
+
+Connecting to Hive Metastore with Ranger permission verification enabled
requires additional configuration&configuration environment:
+1. When creating a catalog, add:
+
+```sql
+"access_controller.properties.ranger.service.name" = "hive",
+"access_controller.class" =
"org.apache.doris.catalog.authorizer.RangerHiveAccessControllerFactory",
+```
+2. Configure all FE environments:
+
+ 1. Copy the configuration files ranger-live-audit.xml,
ranger-live-security.xml, ranger-policymgr-ssl.xml under the HMS conf directory
to<doris_ Home>/conf directory.
+
+ 2. Modify the properties of ranger-live-security.xml. The reference
configuration is as follows:
+
+ ```sql
+ <?xml version="1.0" encoding="UTF-8"?>
+ <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+ <configuration>
+ #The directory for caching permission data, needs to be writable
+ <property>
+ <name>ranger.plugin.hive.policy.cache.dir</name>
+ <value>/mnt/datadisk0/zhangdong/rangerdata</value>
+ </property>
+ #The time interval for periodically pulling permission data
+ <property>
+ <name>ranger.plugin.hive.policy.pollIntervalMs</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+
<name>ranger.plugin.hive.policy.rest.client.connection.timeoutMs</name>
+ <value>60000</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.client.read.timeoutMs</name>
+ <value>60000</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.url</name>
+ <value>http://172.21.0.32:6080</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.service.name</name>
+ <value>hive</value>
+ </property>
+
+ <property>
+ <name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
+ <value>true</value>
+ </property>
+
+ </configuration>
+ ```
+ 3. To obtain the log of Ranger authentication itself, you can click<doris_
Add the configuration file log4j.properties under the home>/conf directory.
+
+ 4. Restart FE.
+
+### Best Practices
+
+1.Create user user1 on the ranger side and authorize the query permission of
db1.table1.col1
+
+2.Create the role role1 on the ranger side and authorize the query permission
of db1.table1.col2
+
+3.Create user user1 with the same name in Doris, and user1 will directly have
the query permission of db1.table1.col1
+
+4.Create the role role1 with the same name in Doris and assign role1 to user1.
User1 will have query permissions for both db1.table1.col1 and col2
+
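Review bot: the sample `ranger-hive-security.xml` points `ranger.plugin.hive.policy.rest.url` at a plaintext `http://172.21.0.32:6080` endpoint while leaving `ranger.plugin.hive.policy.rest.ssl.config.file` empty, and uses a developer's personal path `/mnt/datadisk0/zhangdong/rangerdata` for `ranger.plugin.hive.policy.cache.dir`; an FE that fetches its authorization policies over cleartext HTTP will accept whatever an on-path party returns, so replace these with placeholders (for example `https://<ranger-admin-host>:<port>` and a directory under `<doris_home>`) and show the SSL config property set to the `ranger-policymgr-ssl.xml` that step 2.1 tells the reader to copy. Further in this hunk: the file names `ranger-live-audit.xml` and `ranger-live-security.xml` should read `ranger-hive-audit.xml` and `ranger-hive-security.xml` (the zh-CN version has them right); the fence around the XML is tagged ```sql and contains lines such as `#The directory for caching permission data, needs to be writable`, which are not valid XML comments, so tag it ```xml and use `<!-- ... -->`; step 3 is garbled (`you can click<doris_ Add the configuration file log4j.properties under the home>/conf directory`) and should simply say to add `log4j.properties` under `<doris_home>/conf`; `"access_controller.properties.ranger.service.name" = "hive"` hardcodes the service name that the text removed earlier in this file left as a placeholder; the hunk does not say whether Doris honours `xasecure.hive.update.xapolicies.on.grant.revoke`, so either state that Doris GRANT/REVOKE writes back to Ranger or drop the property from the sample; and the "Best Practices" steps should state explicitly that Doris maps Ranger users and roles by name only, so a Doris user named `user1` inherits whatever Ranger grants to `user1` with no further binding, which is the property an operator must understand before letting Doris-side account creation grant Ranger permissions.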
diff --git a/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
b/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
index 89334a1272..db90f24435 100644
--- a/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
+++ b/docs/zh-CN/docs/lakehouse/multi-catalog/hive.md
@@ -130,23 +130,6 @@ CREATE CATALOG hive PROPERTIES (
);
```
-<version since="dev">
-
-连接开启 Ranger 权限校验的 Hive Metastore 需要增加配置 & 配置环境:
-1. 创建 Catalog 时增加:
-
-```sql
-"access_controller.properties.ranger.service.name" = "<the ranger servive name
your hms using>",
-"access_controller.class" =
"org.apache.doris.catalog.authorizer.RangerHiveAccessControllerFactory",
-```
-2. 配置所有 FE 环境:
- a. 将 HMS conf 目录下的三个 Ranger 配置文件Copy到 <doris_home>/conf 目录下
- b. 修改其中 ranger-<ranger_service_name>-security.xml 的属性
`ranger.plugin.hive.policy.cache.dir` 的值为一个可写目录
- c. 为获取到 Ranger 鉴权本身的日志,可在 <doris_home>/conf 目录下添加配置文件 log4j.properties
- d. 重启 FE
-
-</version>
-
在 1.2.1 版本之后,我们也可以将这些信息通过创建一个 Resource 统一存储,然后在创建 Catalog 时使用这个 Resource。示例如下:
```sql
@@ -207,3 +190,98 @@ CREATE CATALOG hive PROPERTIES (
| `map<KeyType, ValueType>` | `map<KeyType, ValueType>` | 暂不支持嵌套,KeyType 和
ValueType 需要为基础类型 |
| `struct<col1: Type1, col2: Type2, ...>` | `struct<col1: Type1, col2: Type2,
...>` | 暂不支持嵌套,Type1, Type2, ... 需要为基础类型 |
| other | unsupported | |
+
+## 使用Ranger进行权限校验
+
+<version since="dev">
+
+Apache Ranger是一个用来在Hadoop平台上进行监控,启用服务,以及全方位数据安全访问管理的安全框架。
+
+目前doris支持ranger的库、表、列权限,不支持加密、行权限等。
+
+</version>
+
+### 环境配置
+
+连接开启 Ranger 权限校验的 Hive Metastore 需要增加配置 & 配置环境:
+1. 创建 Catalog 时增加:
+
+```sql
+"access_controller.properties.ranger.service.name" = "hive",
+"access_controller.class" =
"org.apache.doris.catalog.authorizer.RangerHiveAccessControllerFactory",
+```
+2. 配置所有 FE 环境:
+
+ 1. 将 HMS conf
目录下的配置文件ranger-hive-audit.xml,ranger-hive-security.xml,ranger-policymgr-ssl.xml复制到
<doris_home>/conf 目录下。
+
+ 2. 修改 ranger-hive-security.xml 的属性,参考配置如下:
+
+ ```sql
+ <?xml version="1.0" encoding="UTF-8"?>
+ <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+ <configuration>
+ #The directory for caching permission data, needs to be writable
+ <property>
+ <name>ranger.plugin.hive.policy.cache.dir</name>
+ <value>/mnt/datadisk0/zhangdong/rangerdata</value>
+ </property>
+ #The time interval for periodically pulling permission data
+ <property>
+ <name>ranger.plugin.hive.policy.pollIntervalMs</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+
<name>ranger.plugin.hive.policy.rest.client.connection.timeoutMs</name>
+ <value>60000</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.client.read.timeoutMs</name>
+ <value>60000</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.ssl.config.file</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.rest.url</name>
+ <value>http://172.21.0.32:6080</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.hive.service.name</name>
+ <value>hive</value>
+ </property>
+
+ <property>
+ <name>xasecure.hive.update.xapolicies.on.grant.revoke</name>
+ <value>true</value>
+ </property>
+
+ </configuration>
+ ```
+ 3. 为获取到 Ranger 鉴权本身的日志,可在 <doris_home>/conf 目录下添加配置文件 log4j.properties。
+
+ 4. 重启 FE。
+
+### 最佳实践
+
+1.在ranger端创建用户user1并授权db1.table1.col1的查询权限
+
+2.在ranger端创建角色role1并授权db1.table1.col2的查询权限
+
+3.在doris创建同名用户user1,user1将直接拥有db1.table1.col1的查询权限
+
+4.在doris创建同名角色role1,并将role1分配给user1,user1将同时拥有db1.table1.col1和col2的查询权限
+
+
+
+
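Review bot: the zh-CN sample carries the same production-unsafe values as the English one (plaintext `http://172.21.0.32:6080` for `ranger.plugin.hive.policy.rest.url`, an empty `ranger.plugin.hive.policy.rest.ssl.config.file`, and the personal cache path `/mnt/datadisk0/zhangdong/rangerdata`) and should get the same placeholders and an HTTPS endpoint with the SSL config file set. Two consistency points against the English file: this version names the files correctly as `ranger-hive-audit.xml` / `ranger-hive-security.xml` where the English text says `ranger-live-*`, so align the English to this one; and the `#` comment lines inside the ```sql-fenced XML are English here too and are not valid XML, so tag the fence ```xml and use `<!-- -->` comments (translated, since this is the zh-CN page). Also drop the four trailing empty `+` lines that close the hunk, which only add blank lines at end of file.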