Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774215
 
 

 ##########
 File path: docs/development/extensions-core/druid-ranger-security.md
 ##########
 @@ -0,0 +1,86 @@
+---
+id: druid-ranger-security
+title: "Apache Ranger Security"
+---
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+  
+This Apache Druid extension adds:
+
+- an Authorizer which implements access control for the Druid metastore 
against Apache Ranger
+
+Make sure to [include](../../development/extensions.md#loading-extensions) 
`druid-ranger-security` as an extension.
+
+Please see [Authentication and Authorization](../../design/auth.md) for more 
information on the extension interfaces being implemented.
+
+## Configuration
+
+Support for Apache Ranger authorization consists of three elements: 
configuration of the extension 
+in Apache Druid, configuring the connection the Apache Ranger and providing 
the service definition for Druid to Apache Ranger. 
+
+### Properties to configure the extension in Apache Druid
+|Property|Description|Default|required|
+|--------|-----------|-------|--------|
+|`druid.auth.ranger.keytab`|Defines the keytab to be used while authenticating 
against Apache Ranger to obtain policies and provide auditing|null|No|
+|`druid.auth.ranger.principal`|Defines the principal to be used while 
authenticating against Apache Ranger to obtain policies and provide 
auditing|null|No|
+|`druid.auth.ranger.use_ugi`|Determines if groups that the authenticated user 
belongs to should be obtained from Hadoop's UserGroupInformation|null|No|
+|`druid.auth.ranger.hadoop_config`|If defined, loads extra configuration for 
Hadoop's UserGroupInformation from this file|ranger-druid-site.xml|No|
+
+### Configuring the connection to Apache Ranger
+
+The Apache Ranger authorization extension will read several configuration 
files. Discussing the
+the contents of those files is beyond the scope of this document. Depending 
your needs you will 
+need to create them. The minimum you will need to have is a 
`ranger-druid-security.xml` file 
+that you will need to put in the classpath. For auditing the configuration is 
in `ranger-druid-audit.xml`.
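Review bot: In the properties table, `druid.auth.ranger.keytab` and `druid.auth.ranger.principal` are both marked as not required with a default of null, but the text never says which identity the extension uses to obtain policies and provide auditing against Apache Ranger when they are unset, or whether the two must be set together; please add a sentence covering both cases. `druid.auth.ranger.use_ugi` is described as a yes/no switch while its default is listed as null, so state the effective default explicitly. Wording in the Configuration sections: "configuring the connection the Apache Ranger" is missing "to", "Discussing the" followed by "the contents" repeats "the", and "Depending your needs" is missing "on".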
 
 Review comment:
   ```suggestion
   that you will need to put in the classpath. For auditing, the configuration is in `ranger-druid-audit.xml`.
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
