yuqi1129 commented on code in PR #4624:
URL: https://github.com/apache/gravitino/pull/4624#discussion_r1726681967
##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+
+
+Gravitino also provides a set of authorization frameworks to interact with
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through
Catalogs.
+When a user performs an authorization operation on the data in a Catalog,
Gravitino will call the interface of the Authorization Plugin module in the
respective Catalog to translate the Gravitino authorization model into the
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
+
+| Property Name | Description
| Default Value | Required | Since Version |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|---------------|
+| `authorization-provider` | Providers to use to implement
authorization plugin such as `ranger`.
| (none) | No | 0.6.0
|
+| `authorization.ranger.admin.url` | The Apache Ranger web URIs.
| (none) | No | 0.6.0 |
+| `authorization.ranger.auth.type` | The Apache Ranger authentication type
`simple` or `kerberos`.
| `simple` | No | 0.6.0 |
+| `authorization.ranger.username` | The Apache Ranger admin web login
username (auth type=simple), or kerberos principal(auth type=kerberos), Need
have Ranger administrator permission. | (none) | No | 0.6.0
|
+| `authorization.ranger.password` | The Apache Ranger admin web login user
password (auth type=simple), or path of the keytab file(auth type=kerberos)
| (none) | No | 0.6.0 |
+| `authorization.ranger.service.name` | The Apache Ranger service name.
| (none) | No | 0.6.0 |
+
+Once you have used the correct configuration, you can perform authorization
operations by calling Gravitino's [authorization RESTful
API](https://datastrato.ai/docs/latest/api/rest/grant-roles-to-a-user).
+
+#### Example of using the Authorization Ranger Hive Plugin
+
+Suppose you have an Apache Hive service in your datacenter, and you have
created a `hiveRepo` in Apache Ranger to manage the permissions of this Apache
Hive service.
+Assume that the service IP address and port of this Apache Ranger is
`172.0.0.100:6080`, and the username with Ranger administrator privileges is
`Jack` and the password is `PWD123`.
+First, you need to add this Hive service to Gravitino using hive catalog, and
you need to configure the following parameters.
Review Comment:
hive catalog -> Hive catalog.
##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+
+
+Gravitino also provides a set of authorization frameworks to interact with
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through
Catalogs.
+When a user performs an authorization operation on the data in a Catalog,
Gravitino will call the interface of the Authorization Plugin module in the
respective Catalog to translate the Gravitino authorization model into the
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
+
+| Property Name | Description
| Default Value | Required | Since Version |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|---------------|
+| `authorization-provider` | Providers to use to implement
authorization plugin such as `ranger`.
| (none) | No | 0.6.0
|
+| `authorization.ranger.admin.url` | The Apache Ranger web URIs.
| (none) | No | 0.6.0 |
+| `authorization.ranger.auth.type` | The Apache Ranger authentication type
`simple` or `kerberos`.
| `simple` | No | 0.6.0 |
+| `authorization.ranger.username` | The Apache Ranger admin web login
username (auth type=simple), or kerberos principal(auth type=kerberos), Need
have Ranger administrator permission. | (none) | No | 0.6.0
|
+| `authorization.ranger.password` | The Apache Ranger admin web login user
password (auth type=simple), or path of the keytab file(auth type=kerberos)
| (none) | No | 0.6.0 |
+| `authorization.ranger.service.name` | The Apache Ranger service name.
| (none) | No | 0.6.0 |
+
+Once you have used the correct configuration, you can perform authorization
operations by calling Gravitino's [authorization RESTful
API](https://datastrato.ai/docs/latest/api/rest/grant-roles-to-a-user).
+
+#### Example of using the Authorization Ranger Hive Plugin
+
+Suppose you have an Apache Hive service in your datacenter, and you have
created a `hiveRepo` in Apache Ranger to manage the permissions of this Apache
Hive service.
+Assume that the service IP address and port of this Apache Ranger is
`172.0.0.100:6080`, and the username with Ranger administrator privileges is
`Jack` and the password is `PWD123`.
+First, you need to add this Hive service to Gravitino using hive catalog, and
you need to configure the following parameters.
Review Comment:
Suppose you have an Apache Hive service in your datacenter and have created
a hiveRepo in Apache Ranger to manage its permissions. The Ranger service is
accessible at 172.0.0.100:6080, with the username Jack and the password PWD123.
To add this Hive service to Gravitino using the Hive catalog, you'll need to
configure the following parameters.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
