xunliu commented on code in PR #4624:
URL: https://github.com/apache/gravitino/pull/4624#discussion_r1726736867


##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
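Review bot: the front matter `title: "Permission System"` and `slug: /security/permission-system` do not match the file being added, `docs/security/authorization-pushdown.md`, so the page will be published under a URL and title that describe something broader than its content. Suggest `title: "Authorization Push-down"` and `slug: /security/authorization-pushdown` so the slug, title and file name agree and the relative link `authorization-pushdown.md` used from access-control.md stays consistent with the published path.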

Review Comment:
   Fixed



##########
docs/security/access-control.md:
##########
@@ -7,6 +7,28 @@ license: "This software is licensed under the Apache License 
version 2."
 
 ## Overview
 
+Apache Gravitino(incubating) is a technical data catalog that uses a unified 
metadata paradigm to manage multiple data sources while still allowing multiple 
engines like Spark, Trino, and Flink, or Python to connect to these data 
sources for data processing through Gravitino.
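Review bot: `Apache Gravitino(incubating)` is missing the space before the parenthesis, and the list `Spark, Trino, and Flink, or Python` reads awkwardly. Suggest: `Apache Gravitino (incubating) is a technical data catalog that uses a unified metadata paradigm to manage multiple data sources, while still allowing engines such as Spark, Trino and Flink, or Python clients, to connect to those sources through Gravitino for data processing.`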

Review Comment:
   1



##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means 
that Gravitino won't
 
 :::
 
-
 ## Concept
 
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push 
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of 
resources in the management category and uses Role to control the permissions 
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to 
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role 
for authentication, and the user can switch the current Role to access 
different resources.
+
+#### Permission fuzzy matching
+
+Gravitino uses the resource's ENTITY ID (long type) to preserve permission 
relationships.
+So Gravitino can't directly support fuzzy matching of resource names (string 
type), such as wildcards like (*) and (%).
+Gravitino uses the resource parent node to express support for all resource 
(*) wildcards for child resources, for example,
+if we need to set read permissions for all table resources, we can set it to 
`{catalog1.schema1, READ_TABLE_PRIVILEGE}`,
+which stands for having access to `catalog1.schema1.*` read access to all 
tables.
+
+### Storage of authority data
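Review bot: the `### Authentication` subsection describes checking the Ownership and Role of a resource before a user may operate on it, which is an authorization check, not authentication; the hunk header quotes the page's own note that Gravitino "doesn't support metadata authentication", so a reader will take this heading as a contradiction. Suggest renaming the subsection (for example `### Authorization check`) and replacing "composite authentication" and "for authentication" with "composite authorization check" and "for the check", so that only the login-time identity verification is called authentication anywhere in the security docs.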

Review Comment:
   OK, I deleted the `Storage of authority data` paragraph.



##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means 
that Gravitino won't
 
 :::
 
-
 ## Concept
 
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push 
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of 
resources in the management category and uses Role to control the permissions 
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to 
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role 
for authentication, and the user can switch the current Role to access 
different resources.
+
+#### Permission fuzzy matching
+
+Gravitino uses the resource's ENTITY ID (long type) to preserve permission 
relationships.
+So Gravitino can't directly support fuzzy matching of resource names (string 
type), such as wildcards like (*) and (%).
+Gravitino uses the resource parent node to express support for all resource 
(*) wildcards for child resources, for example,
+if we need to set read permissions for all table resources, we can set it to 
`{catalog1.schema1, READ_TABLE_PRIVILEGE}`,
+which stands for having access to `catalog1.schema1.*` read access to all 
tables.
+
+### Storage of authority data
+
+A key requirement of Gravitino should be to display permission information and 
perform operations such as grant and revoke, along with push-down of the 
permission information to the underlying data source system.
+It also needs to be able to translate that information to the corresponding 
permissions within the underlying system in order to achieve permission control 
over the data in the data source.
+
+If Gravitino does not store privilege information itself and only push-down 
permission to the underlying data source system,
+it would be very difficult for Gravitino to translate Gravitino's privilege 
model back from the different privilege systems of the underlying data source.
+
+Gravitino currently stores all the permission information (Privilege, 
SecurableObject, Role, User and Group) itself,
+and when there is a discrepancy between the permissions of the underlying data 
source and the permissions stored in Gravitino, Gravitino’s permission system 
will be trusted.
+
+Additionally, Gravitino provides a mechanism to ensure fault tolerance in the 
privilege data storage and push-down to the underlying data source privilege 
system.
+As a result of this, Gravitino’s push-downs to the underlying permission 
system operations are required to be idempotent operation,
+meaning that each kind of privilege push-down operation can be repeated 
without causing conflicts and will always achieve the same output.
+
 ### Role
 
-A metadata object to which privileges can be granted. Roles are in turn 
assigned to users or groups.
+The traditional rights system generally uses RBAC (Role-Based Access Control) 
for rights management,
+where each Role contains a collection of different operating privileges for 
different resources.
+When the system adds a new user or user group, you can select the Roles which 
they are expected to be granted to,
+so that the user can quickly start using it, without waiting for the 
administrator to gradually set up the access rights to resources for him.
+
+Roles also employ the concept of ownership – the owner of a Role is by default 
the creator of the Role,
+implying the owner has all the permissions to operate the Role, including 
deleting the Role.
+
+Gravitino introduces the concept of the “Current” Role, where a user can own 
multiple Roles at the same time,

Review Comment:
   OK, I deleted the `Current role` paragraph.



##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+![authorization push down](../assets/security/authorization-pushdown.png)
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through 
Catalogs.
+When a user performs an authorization operation on the data in a Catalog, 
Gravitino will call the interface of the Authorization Plugin module in the 
respective Catalog to translate the Gravitino authorization model into the 
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the 
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the 
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
+
+| Property Name                       | Description                            
                                                                                
                              | Default Value | Required | Since Version |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|---------------|
+| `authorization-provider`            | Providers to use to implement 
authorization plugin such as `ranger`.                                          
                                       | (none)        | No       | 0.6.0       
  |
+| `authorization.ranger.admin.url`    | The Apache Ranger web URIs.            
                                                                                
                              | (none)        | No       | 0.6.0         |
+| `authorization.ranger.auth.type`    | The Apache Ranger authentication type 
`simple` or `kerberos`.                                                         
                               | `simple`      | No       | 0.6.0         |
+| `authorization.ranger.username`     | The Apache Ranger admin web login 
username (auth type=simple), or kerberos principal(auth type=kerberos), Need 
have Ranger administrator permission. | (none)        | No       | 0.6.0        
 |
+| `authorization.ranger.password`     | The Apache Ranger admin web login user 
password (auth type=simple), or path of the keytab file(auth type=kerberos)     
                              | (none)        | No       | 0.6.0         |
+| `authorization.ranger.service.name` | The Apache Ranger service name.        
                                                                                
                              | (none)        | No       | 0.6.0         |
+
+Once you have used the correct configuration, you can perform authorization 
operations by calling Gravitino's [authorization RESTful 
API](https://datastrato.ai/docs/latest/api/rest/grant-roles-to-a-user).
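Review bot: `authorization.ranger.password` carries either the Ranger admin password or a keytab path as a plain catalog property, and the page does not say whether that value is masked when catalog properties are listed or logged; the description should state how the secret is protected, or point to the mechanism intended for credentials. The `Required` column says `No` for every row, yet once `authorization-provider` is `ranger` the admin URL and service name presumably must be set, so mark them as required when the provider is configured. The link to the authorization RESTful API goes to the external `https://datastrato.ai/docs/latest/...` host; a relative link into the project's own docs would survive a domain or version change. Grammar in the username row: "Need have Ranger administrator permission" → "The account must have Ranger administrator permission".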

Review Comment:
   Fixed.



##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"

Review Comment:
   Fixed



##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means 
that Gravitino won't
 
 :::
 
-
 ## Concept
 
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push 
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of 
resources in the management category and uses Role to control the permissions 
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to 
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role 
for authentication, and the user can switch the current Role to access 
different resources.
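Review bot: "More information you can see [Authorization push down](authorization-pushdown.md)." is ungrammatical; suggest "See [Authorization push-down](authorization-pushdown.md) for details." In the `### Authentication` subsection, "the user can switch the current Role to access different resources" should name how the switch is performed (which API or client call), so an operator knows which action to audit when a user changes role.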

Review Comment:
   The authorization relates to access control.
   Here is just a brief description, and I added a jump to authorization-pushdown.md.



##########
docs/security/access-control.md:
##########
@@ -20,24 +42,90 @@ Gravitino doesn't support metadata authentication. It means 
that Gravitino won't
 
 :::
 
-
 ## Concept
 
+### Authorization
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+authorization systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+More information you can see [Authorization push 
down](authorization-pushdown.md).
+
+### Authentication
+
+As mentioned above, Gravitino uses Ownership to control the rights of 
resources in the management category and uses Role to control the permissions 
of operations in the operation category,
+so when a user performs a specific operation on a specified resource,
+Gravitino will perform a composite authentication on the Ownership and Role to 
which the resource belongs.
+When a user has more than one Role, Gravitino will use the user's current Role 
for authentication, and the user can switch the current Role to access 
different resources.
+
+#### Permission fuzzy matching
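Review bot: the `#### Permission fuzzy matching` section (visible in the earlier copies of this hunk) explains that `{catalog1.schema1, READ_TABLE_PRIVILEGE}` stands for `catalog1.schema1.*`, but leaves open whether a grant on the parent node also covers tables created in `schema1` after the grant was made. Since the grant is keyed by the parent's ENTITY ID rather than by a name pattern, the doc should state explicitly whether a schema-level grant is open-ended or a snapshot of the tables existing at grant time; a least-privilege review depends on that answer. Also "express support for all resource (*) wildcards for child resources" is hard to parse; suggest "uses the resource's parent node to express a (*) wildcard over all of its child resources".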

Review Comment:
   OK, I deleted the `Permission fuzzy matching` paragraph.



##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+![authorization push down](../assets/security/authorization-pushdown.png)
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through 
Catalogs.
+When a user performs an authorization operation on the data in a Catalog, 
Gravitino will call the interface of the Authorization Plugin module in the 
respective Catalog to translate the Gravitino authorization model into the 
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the 
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the 
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):

Review Comment:
   OK, I added a description in apache-hive-catalog.md.



##########
docs/security/authorization-pushdown.md:
##########
@@ -0,0 +1,51 @@
+---
+title: "Permission System"
+slug: /security/permission-system
+keyword: security
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authorization Push-down
+
+![authorization push down](../assets/security/authorization-pushdown.png)
+
+Gravitino also provides a set of authorization frameworks to interact with 
different underlying data source
+permission systems (e.g., MySQL's own permission management and the Apache 
Ranger permission management system for big data)
+in accordance with its own authorization model and methodology.
+On top of this, Gravitino manages different underlying data sources through 
Catalogs.
+When a user performs an authorization operation on the data in a Catalog, 
Gravitino will call the interface of the Authorization Plugin module in the 
respective Catalog to translate the Gravitino authorization model into the 
underlying data source's permission rules of the underlying data source.
+Permission is then pushed down to the underlying permission system through the 
client of the underlying data source (JDBC or Apache Ranger client, etc.).
+
+### Authorization Ranger Hive Plugin properties
+
+The Authorization Ranger Hive Plugin extends the following properties in the 
[Apache Hive catalog properties](../apache-hive-catalog.md#catalog-properties):
+
+| Property Name                       | Description                            
                                                                                
                              | Default Value | Required | Since Version |
+|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|---------------|
+| `authorization-provider`            | Providers to use to implement 
authorization plugin such as `ranger`.                                          
                                       | (none)        | No       | 0.6.0       
  |
+| `authorization.ranger.admin.url`    | The Apache Ranger web URIs.            
                                                                                
                              | (none)        | No       | 0.6.0         |
+| `authorization.ranger.auth.type`    | The Apache Ranger authentication type 
`simple` or `kerberos`.                                                         
                               | `simple`      | No       | 0.6.0         |
+| `authorization.ranger.username`     | The Apache Ranger admin web login 
username (auth type=simple), or kerberos principal(auth type=kerberos), Need 
have Ranger administrator permission. | (none)        | No       | 0.6.0        
 |
+| `authorization.ranger.password`     | The Apache Ranger admin web login user 
password (auth type=simple), or path of the keytab file(auth type=kerberos)     
                              | (none)        | No       | 0.6.0         |
+| `authorization.ranger.service.name` | The Apache Ranger service name.        
                                                                                
                              | (none)        | No       | 0.6.0         |
+
+Once you have used the correct configuration, you can perform authorization 
operations by calling Gravitino's [authorization RESTful 
API](https://datastrato.ai/docs/latest/api/rest/grant-roles-to-a-user).
+
+#### Example of using the Authorization Ranger Hive Plugin
+
+Suppose you have an Apache Hive service in your datacenter, and you have 
created a `hiveRepo` in Apache Ranger to manage the permissions of this Apache 
Hive service.
+Assume that the service IP address and port of this Apache Ranger is 
`172.0.0.100:6080`, and the username with Ranger administrator privileges is 
`Jack` and the password is `PWD123`.
+First, you need to add this Hive service to Gravitino using hive catalog, and 
you need to configure the following parameters.
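Review bot: the example's Ranger address `172.0.0.100:6080` is neither a private nor a documentation address (only `172.16.0.0/12` is private; `172.0.0.0/8` as a whole is publicly routable), and readers do copy example hosts; use an RFC 5737 documentation address such as `192.0.2.100:6080`. The credentials `Jack` / `PWD123` are acceptable as placeholders but should look like placeholders (for example `<ranger-admin-user>` / `<ranger-admin-password>`) so that nobody ships a catalog configured with them. Wording: "using hive catalog" → "as a Hive catalog", and the two "you need" clauses can be joined as "add this Hive service to Gravitino as a Hive catalog with the following parameters".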

Review Comment:
   DONE



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
