This is an automated email from the ASF dual-hosted git repository.
ulyssesyou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new 8f29b4fd8 [KYUUBI #2395] [DOC] Add Documentation for Spark AuthZ Extension
8f29b4fd8 is described below
commit 8f29b4fd8f4de5c7e495bf9da5826883c59678e5
Author: Kent Yao <[email protected]>
AuthorDate: Mon Apr 18 10:57:24 2022 +0800
[KYUUBI #2395] [DOC] Add Documentation for Spark AuthZ Extension
### _Why are the changes needed?_
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before making a pull request
Closes #2395 from yaooqinn/doc2.
Closes #2395
109440bf [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension
852e7fd5 [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension
dfeef884 [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension
Authored-by: Kent Yao <[email protected]>
Signed-off-by: ulysses-you <[email protected]>
---
docs/security/authorization.md | 49 --------
docs/security/{ => authorization}/index.rst | 14 +--
docs/security/authorization/spark/build.md | 104 +++++++++++++++++
docs/security/{ => authorization/spark}/index.rst | 16 ++-
docs/security/authorization/spark/install.md | 126 +++++++++++++++++++++
docs/security/authorization/spark/overview.md | 57 ++++++++++
docs/security/index.rst | 8 +-
.../spark/authz/ranger/RangerSparkExtension.scala | 2 +-
8 files changed, 305 insertions(+), 71 deletions(-)
diff --git a/docs/security/authorization.md b/docs/security/authorization.md
deleted file mode 100644
index 15078088f..000000000
--- a/docs/security/authorization.md
+++ /dev/null
@@ -1,49 +0,0 @@
-<!--
- - Licensed to the Apache Software Foundation (ASF) under one or more
- - contributor license agreements. See the NOTICE file distributed with
- - this work for additional information regarding copyright ownership.
- - The ASF licenses this file to You under the Apache License, Version 2.0
- - (the "License"); you may not use this file except in compliance with
- - the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing, software
- - distributed under the License is distributed on an "AS IS" BASIS,
- - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- - See the License for the specific language governing permissions and
- - limitations under the License.
- -->
-
-# ACL Management Guide
-
-- [Authorization Modes](#1)
- - [Storage-Based Authorization](#1.1)
- - [SQL-Standard Based Authorization](#1.2)
- - [Ranger Security Support](#1.3)
-
-
-<h2 id="1">Authorization Modes</h2>
-
-Three primary modes for Kyuubi authorization are available by [Submarine Spark
Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security):
-
-<h4 id="1.1">Storage-Based Authorization</h4>
-
-Enabling Storage Based Authorization in the `Hive Metastore Server` uses the
HDFS permissions to act as the main source for verification and allows for
consistent data and metadata authorization policy. This allows control over
metadata access by verifying if the user has permission to access corresponding
directories on the HDFS. Similar with `HiveServer2`, files and directories will
be translated into hive metadata objects, such as dbs, tables, partitions, and
be protected from end use [...]
-
-Storage-Based Authorization offers users with Database, Table and
Partition-level coarse-gained access control.
-
-<h4 id="1.2">SQL-Standard Based Authorization</h4>
-
-Enabling SQL-Standard Based Authorization gives users more fine-gained control
over access comparing with Storage Based Authorization. Besides of the ability
of Storage Based Authorization, SQL-Standard Based Authorization can improve
it to Views and Column-level. Unfortunately, Spark SQL does not support
grant/revoke statements which controls access, this might be done only through
the HiveServer2. But it's gratifying that [Submarine Spark
Security](https://github.com/apache/submarine [...]
-
-With [Kyuubi](https://github.com/apache/incubator-kyuubi), the SQL-Standard
Based Authorization is guaranteed for the security configurations, metadata,
and storage information is preserved from end users.
-
-Please refer to the [Submarine Spark
Security](https://submarine.apache.org/docs/userDocs/submarine-security/spark-security/README)
in the online documentation for an overview on how to configure SQL-Standard
Based Authorization for Spark SQL.
-
-<h4 id="1.3">Ranger Security Support (Recommended)</h4>
-
-[Apache Ranger](https://ranger.apache.org/) is a framework to enable, monitor
and manage comprehensive data security across the Hadoop platform but end
before Spark or Spark SQL. The [Submarine Spark
Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security)
enables Kyuubi with control access ability reusing [Ranger Plugin for Hive
MetaStore
-](https://cwiki.apache.org/confluence/display/RANGER/Ranger+Plugin+for+Hive+MetaStore).
[Apache Ranger](https://ranger.apache.org/) makes the scope of existing
SQL-Standard Based Authorization expanded but without supporting Spark SQL.
[Submarine Spark
Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security)
sticks them together.
-
-Please refer to the [Submarine Spark
Security](https://submarine.apache.org/docs/userDocs/submarine-security/spark-security/README)
in the online documentation for an overview on how to configure Ranger for
Spark SQL.
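Review bot: deleting docs/security/authorization.md removes the `#1`, `#1.1`, `#1.2` and `#1.3` anchors and the only page that documented the HiveServer2-only grant/revoke limitation and the Submarine Spark Security references; before merging, grep the docs tree for links to `security/authorization.md` or those anchors so the docs build does not emit broken-reference warnings, and confirm the `authorization` toctree entry removed from docs/security/index.rst later in this patch was the only inbound reference.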
diff --git a/docs/security/index.rst b/docs/security/authorization/index.rst
similarity index 80%
copy from docs/security/index.rst
copy to docs/security/authorization/index.rst
index 63e6d896c..f7241847a 100644
--- a/docs/security/index.rst
+++ b/docs/security/authorization/index.rst
@@ -13,18 +13,14 @@
See the License for the specific language governing permissions and
limitations under the License.
-.. image:: ../imgs/kyuubi_logo.png
+.. image::
https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg
:align: center
+ :width: 25%
-Kyuubi Security Overview
-========================
+Kyuubi Authorization Guide
+==========================
.. toctree::
:maxdepth: 2
- :numbered: 3
-
- Authentication <authentication>
- kinit
- hadoop_credentials_manager
- authorization
+ Spark AuthZ Plugin <spark/index>
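Review bot: the logo now loads from an external URL (https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg) instead of the bundled `../imgs/kyuubi_logo.png`, so documentation built or viewed offline or from an egress-restricted network loses the image, and every page view makes a request to svn.apache.org; keep the local asset (the same substitution appears in the other two index.rst hunks of this patch).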
diff --git a/docs/security/authorization/spark/build.md
b/docs/security/authorization/spark/build.md
new file mode 100644
index 000000000..c4d71d1aa
--- /dev/null
+++ b/docs/security/authorization/spark/build.md
@@ -0,0 +1,104 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements. See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+
+
+# Building Kyuubi Spark AuthZ Plugin
+
+<img
src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg"
alt="Kyuubi logo" width="50%" align="right" />
+
+## Build with Apache Maven
+
+Kyuubi Spark AuthZ Plugin is built using [Apache
Maven](http://maven.apache.org).
+To build it, `cd` to the root direct of kyuubi project and run:
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests
+```
+
+After a while, if everything goes well, you will get the plugin finally in two
parts:
+
+- The main plugin jar, which is under
`./extensions/spark/kyuubi-spark-authz/target/kyuubi-spark-authz_${scala.binary.version}-${project.version}.jar`
+- The least transitive dependencies needed, which are under
`./extensions/spark/kyuubi-spark-authz/target/scala-${scala.binary.version}/jars`
+
+### Build against Different Apache Spark Versions
+
+The maven option `spark.version` is used for specifying Spark version to
compile with and generate corresponding transitive dependencies.
+By default, it is always built with the latest `spark.version` defined in
kyuubi project main pom file.
+Sometimes, it may be incompatible with other Spark distributions, then you may
need to build the plugin on your own targeting the Spark version you use.
+
+For example,
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests
-Dspark.version=3.0.2
+```
+
+The available `spark.version`s are shown in the following table.
+
+| Spark Version | Supported |
Remark
|
+|:-----------------:|:-----------:|:--------------------------------------------------------------------------------------------------------------------------------:|
+| master | √ |
-
|
+| 3.3.x | √ |
-
|
+| 3.2.x | √ |
-
|
+| 3.1.x | √ |
-
|
+| 3.0.x | √ |
-
|
+| 2.4.x | √ |
-
|
+| 2.3.x and earlier | × | [PR
2367](https://github.com/apache/incubator-kyuubi/pull/2367) is used to track
how we work with older releases with scala 2.11 |
+
+Currently, Spark released with Scala 2.12 are supported.
+
+### Build against Different Apache Ranger Versions
+
+The maven option `ranger.version` is used for specifying Ranger version to
compile with and generate corresponding transitive dependencies.
+By default, it is always built with the latest `ranger.version` defined in
kyuubi project main pom file.
+Sometimes, it may be incompatible with other Ranger Admins, then you may need
to build the plugin on your own targeting the Ranger Admin version you connect
with.
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests
-Dranger.version=0.7.0
+```
+
+The available `ranger.version`s are shown in the following table.
+
+| Ranger Version | Supported | Remark |
+|:--------------:|:-----------:|:------:|
+| 2.2.x | √ | - |
+| 2.1.x | √ | - |
+| 2.0.x | √ | - |
+| 1.2.x | √ | - |
+| 1.1.x | √ | - |
+| 1.0.x | √ | - |
+| 0.7.x | √ | - |
+| 0.6.x | √ | - |
+
+Currently, all ranger releases are supported.
+
+## Test with ScalaTest Maven plugin
+If you omit `-DskipTests` option in the command above, you will also get all
unit tests run.
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12
+```
+
+If any bug occurs and you want to debug the plugin yourself, you can configure
`-DdebugForkedProcess=true` and `-DdebuggerPort=5005`(optional).
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DdebugForkedProcess=true
+```
+
+The tests will suspend at startup and wait for a remote debugger to attach to
the configured port.
+
+We will appreciate if you can share the bug or the fix to the Kyuubi community.
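Review bot: a few wording problems in the new build page: `cd to the root direct of kyuubi project` should read `cd to the root directory of the Kyuubi project`; `Currently, Spark released with Scala 2.12 are supported` should be `Currently, only Spark releases built with Scala 2.12 are supported`; and `Currently, all ranger releases are supported` is broader than the table, which starts at 0.6.x, so say `all Ranger releases listed above`. Also add a space before `(optional)` in `-DdebuggerPort=5005`(optional), and `We will appreciate if` should be `We would appreciate it if`.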
diff --git a/docs/security/index.rst
b/docs/security/authorization/spark/index.rst
similarity index 78%
copy from docs/security/index.rst
copy to docs/security/authorization/spark/index.rst
index 63e6d896c..73d0f3475 100644
--- a/docs/security/index.rst
+++ b/docs/security/authorization/spark/index.rst
@@ -13,18 +13,16 @@
See the License for the specific language governing permissions and
limitations under the License.
-.. image:: ../imgs/kyuubi_logo.png
+.. image::
https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg
:align: center
+ :width: 25%
-Kyuubi Security Overview
-========================
+Kyuubi Spark AuthZ Plugin
+=========================
.. toctree::
:maxdepth: 2
- :numbered: 3
-
- Authentication <authentication>
- kinit
- hadoop_credentials_manager
- authorization
+ Overview <overview>
+ Building <build>
+ Installing <install>
diff --git a/docs/security/authorization/spark/install.md
b/docs/security/authorization/spark/install.md
new file mode 100644
index 000000000..5d3dc22a8
--- /dev/null
+++ b/docs/security/authorization/spark/install.md
@@ -0,0 +1,126 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements. See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+<img
src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg"
alt="Kyuubi logo" width="25%" align="center" />
+
+
+# Installing and Configuring Kyuubi Spark AuthZ Plugin
+
+## Pre-install
+
+- [Apache Ranger](https://ranger.apache.org/)
+
+ This plugin works as a ranger rest client with Apache Ranger admin server to
do privilege check.
+ Thus, a ranger server need to be installed ahead and available to use.
+
+- Building(optional)
+
+ If your ranger admin or spark distribution is not compatible with the
official pre-built
[artifact](https://mvnrepository.com/artifact/org.apache.kyuubi/kyuubi-spark-authz)
in maven central.
+ You need to [build](build.md) the plugin targeting the spark/ranger you are
using by yourself.
+
+## Install
+
+With the `kyuubi-spark-authz_*.jar` and its transitive dependencies available
for spark runtime classpath, such as
+- Copied to `$SPARK_HOME/jars`, or
+- Specified to `spark.jars` configuration
+
+## Configure
+
+### Settings for Connecting Ranger Admin
+
+#### ranger-spark-security.xml
+- Create `ranger-spark-security.xml` in `$SPARK_HOME/conf` and add the
following configurations
+for pointing to the right Ranger admin server.
+
+```xml
+<configuration>
+ <property>
+ <name>ranger.plugin.spark.policy.rest.url</name>
+ <value>ranger admin address like http://ranger-admin.org:6080</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.spark.service.name</name>
+ <value>a ranger hive service name</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.spark.policy.cache.dir</name>
+ <value>./a ranger hive service name/policycache</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.spark.policy.pollIntervalMs</name>
+ <value>5000</value>
+ </property>
+
+ <property>
+ <name>ranger.plugin.spark.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ </property>
+
+</configuration>
+```
+
+#### ranger-spark-audit.xml
+
+Create `ranger-spark-audit.xml` in `$SPARK_HOME/conf` and add the following
configurations
+to enable/disable auditing.
+
+```xml
+<configuration>
+
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.jdbc.driver</name>
+ <value>com.mysql.jdbc.Driver</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.jdbc.url</name>
+ <value>jdbc:mysql://10.171.161.78/ranger</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.password</name>
+ <value>rangeradmin</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.db.user</name>
+ <value>rangeradmin</value>
+ </property>
+
+</configuration>
+```
+
+### Settings for Spark Session Extensions
+
+Add `org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension` to the
spark configuration `spark.sql.extensions`.
+
+```properties
+spark.sql.extensions=org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension
+```
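Review bot: the sample `ranger-spark-audit.xml` embeds a concrete internal address (`jdbc:mysql://10.171.161.78/ranger`) and a literal password (`<value>rangeradmin</value>` under `xasecure.audit.destination.db.password`) that readers will copy verbatim; replace both with obvious placeholders and add a sentence that `$SPARK_HOME/conf/ranger-spark-audit.xml` then holds a database credential and must be readable only by the account running Spark. The example is also inconsistent with itself: `xasecure.audit.destination.db` is `false`, so the four JDBC properties beneath it are inert; either set it to `true` or remove them. Minor points: in `ranger-spark-security.xml` the value `./a ranger hive service name/policycache` reads as a path containing spaces, so use a placeholder like `/path/to/<service name>/policycache`; in Pre-install, `a ranger server need to be installed` should be `a Ranger admin server needs to be installed`; and the Install sentence `With the ... available for spark runtime classpath, such as` has no main clause (for example `Make the ... available on the Spark runtime classpath, either by:`).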
diff --git a/docs/security/authorization/spark/overview.md
b/docs/security/authorization/spark/overview.md
new file mode 100644
index 000000000..52cae3880
--- /dev/null
+++ b/docs/security/authorization/spark/overview.md
@@ -0,0 +1,57 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements. See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License. You may obtain a copy of the License at
+ -
+ - http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+# Kyuubi AuthZ Plugin For Spark SQL
+
+<img
src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg"
alt="Kyuubi logo" width="25%" align="right" />
+
+Security is one of the fundamental features for enterprise adoption with
Kyuubi.
+When deploying Kyuubi against secured clusters,
+storage-based authorization is enabled by default, which only provides
file-level coarse-grained authorization mode.
+When row/column-level fine-grained access control is required,
+we can enhance the data access model with the Kyuubi Spark AuthZ plugin.
+
+## Authorization in Kyuubi
+
+### Storage-based Authorization
+
+As Kyuubi supports multi tenancy, a tenant can only visit authorized resources,
+including computing resources, data, etc.
+Most file systems, such as HDFS, support ACL management based on files and
directories.
+
+A so called Storage-based authorization mode is supported by Kyuubi by default.
+In this model, all objects, such as databases, tables, partitions, in meta
layer are mapping to folders or files in the storage layer,
+as well as their permissions.
+
+Storage-based authorization offers users with database, table and
partition-level coarse-gained access control.
+
+### SQL-standard authorization with Ranger
+
+A SQL-standard authorization usually offers a row/colum-level fine-grained
access control to meet the real-world data security need.
+
+[Apache Ranger](https://ranger.apache.org/) is a framework to enable, monitor
and manage comprehensive data security across the Hadoop platform.
+This plugin enables Kyuubi with data and metadata control access ability for
Spark SQL Engines, including,
+
+- Column-level fine-grained authorization
+- Row-level fine-grained authorization, a.k.a. Row-level filtering
+- Data masking
+
+## The Plugin Itself
+
+Kyuubi Spark Authz Plugin itself provides general purpose for ACL management
for data & metadata while using Spark SQL.
+It is not necessary to deploy it with the Kyuubi server and engine, and can be
used as an extension for any Spark SQL jobs.
+However, the authorization always requires a robust authentication layer and
multi tenancy support, so Kyuubi is a perfect match.
diff --git a/docs/security/index.rst b/docs/security/index.rst
index 63e6d896c..2e8cee822 100644
--- a/docs/security/index.rst
+++ b/docs/security/index.rst
@@ -13,18 +13,20 @@
See the License for the specific language governing permissions and
limitations under the License.
-.. image:: ../imgs/kyuubi_logo.png
+.. image::
https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg
:align: center
+ :width: 25%
Kyuubi Security Overview
========================
+Securing Kyuubi involves enabling authentication(authn), authorization(authz)
and encryption, etc.
+
.. toctree::
:maxdepth: 2
- :numbered: 3
Authentication <authentication>
+ Authorization <authorization/index>
kinit
hadoop_credentials_manager
- authorization
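Review bot: `authentication(authn), authorization(authz)` needs a space before each parenthesis, and `and encryption, etc.` is vaguer than the toctree it introduces; list what the section actually covers. Dropping `:numbered: 3` also removes section numbering from every page under docs/security, which is fine if intended but deserves a mention in the commit message.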
diff --git
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala
index daaa6754a..979fc550b 100644
---
a/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala
+++
b/extensions/spark/kyuubi-spark-authz/src/main/scala/org/apache/kyuubi/plugin/spark/authz/ranger/RangerSparkExtension.scala
@@ -26,7 +26,7 @@ import
org.apache.kyuubi.plugin.spark.authz.util.RuleEliminateMarker
* <ul>
* <li>Table/Column level authorization(yes)</li>
* <li>Row level filtering(yes)</li>
- * <li>Data masking(no)</li>
+ * <li>Data masking(yes)</li>
* <ul>
*
* To work with Spark SQL, we need to enable it via spark extensions
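Review bot: while this Javadoc block is being touched, the `* <ul>` that follows the last `<li>` should be `* </ul>`; as written the comment opens a second list and never closes the first.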