WHBANG opened a new pull request, #1262:
URL: https://github.com/apache/incubator-pegasus/pull/1262

   ### What problem does this PR solve? <!--add issue link with summary if exists-->
   https://github.com/apache/incubator-pegasus/issues/1054
   
   ### What is changed and how does it work?
   
   1. The class diagram
   <img width="1355" alt="image" src="https://user-images.githubusercontent.com/38547944/203976026-4efc94bc-f8af-4e65-be3f-2dd24042a541.png">
   
   First, you need to add ACL-related configurations. The client configuration has not changed; the server has added new configurations:
   ```
   enable_ranger_acl: indicates whether to use ranger for acl
   ranger_service_url: ranger server url
   ranger_service_name: use ranger policy name
   mandatory_enable_acl: mandatory use ranger policy, currently used for testing
   ```
   The details are as follows:
   ```
   server
   [security]
     enable_auth = true
     krb5_keytab = /root/apache/pegasus.keytab
     krb5_config = /etc/krb5.conf
     krb5_principal = XXXXX
     sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
     service_fqdn = XXXXX
     service_name = XXXXX
     open_auth = true
     mandatory_auth = true
     enable_acl = true
     super_users =
     meta_acl_rpc_allow_list =
     enable_ranger_acl = true
   ```
   ```
   java client
   java
   meta_servers = 127.0.0.1:34601,127.0.0.1:34602,127.0.0.1:34603
   operation_timeout = 5000
   async_workers = 4
   enable_perf_counter = false
   perf_counter_tags = cluster=onebox,app=unit_test
   push_counter_interval_secs = 10
   meta_query_timeout = 5000
   auth_protocol = kerberos
   kerberos_service_name = XXXXX
   kerberos_service_fqdn = XXXXX
   kerberos_keytab = /root/apache/pegasus.keytab
   kerberos_principal = XXXXX
   ```
   ```
   shell
   [security]
     enable_auth = true
     krb5_keytab = /root/apache/pegasus.keytab
     krb5_config = /etc/krb5.conf
     krb5_principal = XXXXX
     sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
     service_fqdn = XXXXX
     service_name = XXXXX
   ```
   Second, compatibility:
   Retained the old ACL mode
   1. Use the old ACL
   ```
   enable_acl = true
   enable_ranger_acl = false
   ```
   2. Use ranger for ACL
   ```
   enable_acl = true
   enable_ranger_acl = true
   ```
   
   3. Third, define the ranger policy
   
   - Pegasus resources can be divided into multiple types, and the operation types of each resource can also be divided. One operation type corresponds to one ACL symbol.
   <img width="773" alt="image" src="https://user-images.githubusercontent.com/38547944/204430376-17e8ae9a-bdac-466c-a2a7-d4f27cae09e0.png">
   
   - ACLs on each type of resource correspond to specific rpc_code
   
   <img width="646" alt="image" src="https://user-images.githubusercontent.com/38547944/204430797-5b45e079-84c5-4f3e-a470-db063d6d87d5.png">
   <img width="846" alt="image" src="https://user-images.githubusercontent.com/38547944/204430865-ffc16771-90ca-43c7-903a-5451cb58c86c.png">
   <img width="629" alt="image" src="https://user-images.githubusercontent.com/38547944/204430917-febf6ba1-eddc-4db0-b428-a00e7e651828.png">
   
   4. pegasus+ranger
   
   After completing the integration of ranger with pegasus, you can set permissions on the ranger web page according to your own needs.
   <img width="444" alt="image" src="https://user-images.githubusercontent.com/38547944/204432012-230db07c-47d0-4960-9c10-04340c19b2ff.png">
   <img width="1382" alt="image" src="https://user-images.githubusercontent.com/38547944/204432186-344267c5-d966-4b21-99f5-cc6d4ade55db.png">
   
   
   
   ### Checklist <!--REMOVE the items that are not applicable-->
   
   ##### Tests <!-- At least one of them must be included. -->
   
   - Manual test (add detailed scripts or steps below)
   
   ##### Code changes
   
   - Has exported function/method change
   - Has exported variable/fields change
   - Has interface methods change
   - Has persistent data change
   
   ##### Side effects
   
   - Possible performance regression
   - Increased code complexity
   - Breaking backward compatibility
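
An added example, not part of the pull request or the Pegasus code base: a small audit of a server config that reports which of the two ACL modes described above is in effect and flags settings worth a second look before deployment. It assumes the new `ranger_service_url`, `ranger_service_name` and `mandatory_enable_acl` keys live in `[security]` and that both Ranger keys must be non-empty when Ranger ACL is on; the sample config and the value `pegasus_onebox` are constructed.

```python
import configparser

# Constructed sample based on the server [security] block in the PR description.
# Assumption: the three new ranger/mandatory keys sit in the same section.
SAMPLE = """
[security]
  enable_auth = true
  mandatory_auth = true
  enable_acl = true
  enable_ranger_acl = true
  ranger_service_url =
  ranger_service_name = pegasus_onebox
  mandatory_enable_acl = true
"""

def audit_acl_config(text):
    """Return (mode, findings) for a Pegasus server config given as INI text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so configparser never reads a key as a continuation line.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    sec = cp["security"] if cp.has_section("security") else {}

    def flag(key):
        return str(sec.get(key, "false")).strip().lower() == "true"

    acl, ranger = flag("enable_acl"), flag("enable_ranger_acl")
    findings = []
    if acl and ranger:
        mode = "ranger"      # PR: enable_acl = true, enable_ranger_acl = true
    elif acl:
        mode = "legacy"      # PR: enable_acl = true, enable_ranger_acl = false
    elif ranger:
        mode = "undefined"   # combination not covered by the PR description
        findings.append("enable_ranger_acl is set without enable_acl")
    else:
        mode = "none"
    if mode == "ranger":
        for key in ("ranger_service_url", "ranger_service_name"):
            if not str(sec.get(key, "")).strip():
                findings.append(f"{key} is empty while Ranger ACL is enabled")
    if flag("mandatory_enable_acl"):
        findings.append("mandatory_enable_acl is set (described as a testing option)")
    return mode, findings

if __name__ == "__main__":
    mode, findings = audit_acl_config(SAMPLE)
    print(mode, *findings, sep="\n  ")
```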
   

