jerqi commented on code in PR #6115:
URL: https://github.com/apache/gravitino/pull/6115#discussion_r1909731713
##########
docs/security/authorization-pushdown.md:
##########
@@ -55,4 +59,49 @@ authorization.ranger.service.name=hiveRepo
Gravitino 0.8.0 only supports the authorization Apache Ranger Hive service ,
Apache Iceberg service and Apache Paimon Service.
Spark can use Kyuubi authorization plugin to access Gravitino's catalog. But
the plugin can't support to update or delete data for Paimon catalog.
More data source authorization is under development.
-:::
\ No newline at end of file
+:::
+
+### chain authorization plugin
+
+Gravitino supports chaining multiple authorization plugins to secure one
catalog.
+The authorization plugin chain is defined in the `authorization.chain.plugins`
property, with the plugin names separated by commas.
+When a user performs an authorization operation on data within a catalog, the
chained plugin will apply the authorization rules for every plugin defined in
the chain.
+
+In order to use the chained authorization plugin, you need to configure the
following properties:
+
+| Property Name | Description
|
Default Value | Required | Since Version |
+|-----------------------------------------------------------|-------------------------------------------------------------------------------------------|---------------|-----------------------------|------------------|
+| `authorization-provider` | Providers to use
to implement authorization plugin such as `chain` |
(none) | No | 0.8.0-incubating |
+| `authorization.chain.plugins` | The
comma-separated list of plugin names, just like
`${plugin-name1},${plugin-name2},...` | (none) | Yes if you use chain
plugin | 0.8.0-incubating |
+| `authorization.chain.${plugin-name}.ranger.admin.url` | The Ranger
authorization plugin properties of the `${plugin-name}`
| (none) | Yes if you use chain plugin | 0.8.0-incubating |
+| `authorization.chain.${plugin-name}.ranger.service.type` | The Ranger
authorization plugin properties of the `${plugin-name}`
| (none) | Yes if you use chain plugin | 0.8.0-incubating |
+| `authorization.chain.${plugin-name}.ranger.service.name` | The Ranger
authorization plugin properties of the `${plugin-name}`
| (none) | Yes if you use chain plugin | 0.8.0-incubating |
+| `authorization.chain.${plugin-name}.ranger.username` | The Ranger
authorization plugin properties of the `${plugin-name}`
| (none) | Yes if you use chain plugin | 0.8.0-incubating |
+| `authorization.chain.${plugin-name}.ranger.password` | The Ranger
authorization plugin properties of the `${plugin-name}`
| (none) | Yes if you use chain plugin | 0.8.0-incubating |
+
+:::caution
+The Gravitino chain authorization plugin only supports the Apache Ranger
HadoopSQL Plugin and Apache Ranger HDFS Plugin.
+The properties of every chained plugin in the authorization should be
configured with the `authorization.chain.${plugin-name}` as the prefix.
+:::
+
+#### Example of using the chain authorization Plugin
+
+Suppose you have an Apache Hive service in your datacenter and have created a
`hiveRepo` in Apache Ranger to manage its permissions.
+The Apache Hive service will use HDFS to store its data. You have created a
`hdfsRepo` in Apache Ranger to manage HDFS's permissions.
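Review bot: the five `authorization.chain.${plugin-name}.ranger.*` rows in the table all carry the same description, "The Ranger authorization plugin properties of the `${plugin-name}`", which tells an operator nothing about what each key configures. Give each row its own description mirroring the non-chained `authorization.ranger.*` properties already documented on this page (the hunk context shows `authorization.ranger.service.name=hiveRepo`), for example "Ranger admin REST URL for `${plugin-name}`", "Ranger service type for `${plugin-name}`, such as `HadoopSQL` or `HDFS`" (the two plugins the caution block names), and for `authorization.chain.${plugin-name}.ranger.password` state plainly that it is the Ranger admin credential, so readers know that file must be access-controlled. Two smaller points: the heading `### chain authorization plugin` should be capitalised consistently with `#### Example of using the chain authorization Plugin` (either "Chain authorization plugin" in both, or fix the stray capital "Plugin"), and the `authorization-provider` description "Providers to use to implement authorization plugin such as `chain`" reads better as "The authorization provider to use; set to `chain` to enable the chain plugin".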
Review Comment:
Yes, they are assumptions.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]