This is an automated email from the ASF dual-hosted git repository. awong pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/kudu.git
commit b9faf6c23ac1499bddf7b32b6433268d12df642b
Author: Hao Hao <[email protected]>
AuthorDate: Thu Mar 26 15:57:52 2020 -0700
[ranger] add more comments for Ranger privilege model
Change-Id: I1b827d06c7657e450903333d820dc9ef9313dcd6
Reviewed-on: http://gerrit.cloudera.org:8080/15566
Tested-by: Kudu Jenkins
Reviewed-by: Andrew Wong <[email protected]>
---
src/kudu/master/ranger_authz_provider.h | 8 -------
src/kudu/ranger/ranger.proto | 37 +++++++++++++++++++++++----------
src/kudu/ranger/ranger_client.h | 7 ++++++-
3 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/src/kudu/master/ranger_authz_provider.h b/src/kudu/master/ranger_authz_provider.h
index a97ad12..bdfb11a 100644
--- a/src/kudu/master/ranger_authz_provider.h
+++ b/src/kudu/master/ranger_authz_provider.h
@@ -40,14 +40,6 @@ namespace master {
 // An implementation of AuthzProvider that connects to Ranger and translates
 // authorization requests to Ranger and allows or denies the actions based on
 // the received responses.
-//
-// The privilege model for Kudu operations with Ranger follows the existing
-// one enforced with Sentry (see sentry_authz_provider.cc). However note that
-// in terms of policy evaluation, Ranger is different than Sentry that a policy
-// with a higher scope in the hierarchy cannot imply a lower scope its hierarchy
-// tree. e.g. 'METADATA on db=a' cannot imply 'METADATA on db=a->table=tbl'.
-// Therefore, in Ranger world one can grant 'METADATA on db=a->table=*->column=*'
-// to match with Sentry policy 'METADATA on db=a'.
 class RangerAuthzProvider : public AuthzProvider {
 public:
diff --git a/src/kudu/ranger/ranger.proto b/src/kudu/ranger/ranger.proto
index 939f3b0..1f9169a 100644
--- a/src/kudu/ranger/ranger.proto
+++ b/src/kudu/ranger/ranger.proto
@@ -18,17 +18,32 @@
 syntax = "proto2";
 package kudu.ranger;
 option java_package = "org.apache.kudu.ranger";
-// Describes the type of action that can be performed in Ranger.
-//
-// SQL-like action types used by Ranger. ALL implies all other privilege types
-// and all privilege types imply METADATA. METADATA is used for discovery
-// (listing tables).
-//
-// The action type mapping is similar to the one in Sentry which was implemented
-// before Ranger and the same privileges have to be enforced with both
-// authorization providers.
-//
-// For more information on fine grained authz check out docs/security.adoc
+// Similar to Sentry, in Ranger, an action is an operation taken on an
+// authorizable, an authorizable is a linear hierarchically structured
+// resource (database -> table -> column), and 'privileges' are composed
+// of an authorizable and an action, e.g. CREATE ON DATABASE a (db=a).
+
+// SQL-like action types are used in Ranger. All actions are independent,
+// except that ALL subsumes every other action, and every action subsumes
+// METADATA.
+
+// In term of privilege evaluation, unlike Sentry, (where authorizables higher
+// up on the hierarchy can imply authorizables lower on the hierarchy, e.g.
+// database implies table), Ranger doesn't have the concept of hierarchical
+// implication. To be more specific, privilege 'METADATA ON DATABASE a (db=a)'
+// does not imply 'METADATA ON TABLE a.tbl (db=a->table=tbl)'. Thus, in Ranger
+// users granted with 'METADATA ON DATABASE a' cannot perform an action that
+// requires 'METADATA ON TABLE a.tbl'. On the other hand, Ranger supports
+// wildcard matching on authorizables, e.g. 'db=a->table=*' matches all the
+// tables that belong to DATABASE a. Therefore, in Ranger users actually need
+// 'METADATA ON db=a->table=*->column=*' privilege to match the semantics of
+// 'METADATA ON db=a' in Sentry.
+
+// Nevertheless, the same set of privileges are enforced/required for Kudu
+// operations with both Sentry and Ranger. For the detailed privilege
+// enforcement information see 'Policy for Kudu Masters/Tablet Servers'
+// section in docs/security.adoc.
+
 enum ActionPB {
 SELECT = 0;
 INSERT = 1;
diff --git a/src/kudu/ranger/ranger_client.h b/src/kudu/ranger/ranger_client.h
index 2b1bbe1..cdfb8ed 100644
--- a/src/kudu/ranger/ranger_client.h
+++ b/src/kudu/ranger/ranger_client.h
@@ -52,7 +52,12 @@ typedef subprocess::SubprocessProxy<RangerRequestListPB, RangerResponseListPB,
 class RangerClient {
 public:
 // Similar to SentryAuthorizableScope scope which indicates the
- // hierarchy of authorizables (database → table).
+ // hierarchy of authorizables (database -> table -> column). For
+ // example, authorizable 'db=a' has database level scope, while
+ // authorizable 'db=a->table=b' has table level scope. Note that
+ // COLUMN level scope is not defined in the enum as it is not
+ // used yet in the code (although the concept still apply when
+ // authorizing column level privileges).
 enum Scope {
 DATABASE,
 TABLE
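Review bot: The new comment block in ranger.proto is separated from `enum ActionPB {` by the added blank `+` line at the end of the block, so protoc records it as a detached comment rather than the enum's leading comment, and documentation generated from the descriptor will not attach any of this text to ActionPB; if the block is meant to document the enum, drop that blank line or put a one-line lead directly above `enum ActionPB {`, e.g. `// ActionPB: the action half of a Ranger privilege (see the notes above on ALL and METADATA subsumption).` Two wording fixes in the same block: `In term of privilege evaluation` should read `In terms of privilege evaluation`, and `users granted with 'METADATA ON DATABASE a'` should read `users granted 'METADATA ON DATABASE a'`. The text reads as if the `db=a->table=*->column=*` wildcard is something the policy administrator grants in Ranger rather than an expansion Kudu performs when evaluating a request; if that is the case, saying so explicitly next to `users actually need` would stop a reader from expecting Kudu to widen database-scope grants on its own.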
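Review bot: In the ranger_client.h hunk, `the concept still apply` in the new comment on `Scope` should read `the concept still applies`. The remark that COLUMN is deliberately absent from the enum is useful, but a reader looking for column-level checks may still conclude they are missing; naming where column-level privileges are authorized today, or marking the enumerator as a `TODO` if adding it is the plan, would close that gap. Replacing the non-ASCII arrow with `->` on the same line is a welcome cleanup. `enum Scope` continues past the end of the hunk.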
