Adding to Abhay comment,

In most of the Ranger Plugin from the components side we use
org.apache.hadoop.security.UserGroupInformation API
https://hadoop.apache.org/docs/r1.0.4/api/org/apache/hadoop/security/UserGr
oupInformation.html which will wrap around JAAS and provides the mechanism
to determine the User and Groups. Please check if this can be used.

Thanks,
Ramesh

On 3/24/17, 12:03 PM, "Abhay Kulkarni" <akulka...@hortonworks.com> wrote:

>Hi Alex,
>
>This is exactly right. Users, groups and their associations in Ranger
>(specifically Ranger Admin) are props for being able to define policies.
>They are not the Œsource of truth¹. It is expected that the correct user
><‹-> group associations will be available in the component (service) from
>appropriate authentication system, and provided to Ranger Plugin as part
>of authorization request.
>
>Thanks!
>-Abhay
>
>On 3/24/17, 11:51 AM, "Alexander Denissov" <adenis...@pivotal.io> wrote:
>
>>Hi Ranger experts,
>>
>>We are developing a custom Ranger Plugin for Apache HAWQ(incubating) and
>>noticed that group policies are not behaving as we expected.
>>
>>In Ranger, we define a user U (actually synched from OS). We then
>>manually
>>define group G and enroll user U into it. We then define a policy and
>>grant
>>a privilege to the group G in this policy.
>>
>>On the client side, we do not know that user U belongs to group G, as
>>this
>>information is only defined in Ranger. When we request policy evaluation,
>>we send an empty set for the userGroups API parameter, assuming Ranger
>>will
>>use its internal mapping. But the access is denied by Ranger.
>>
>>So, it seems Ranger will not use the information from its internal user
>><--> group mapping when evaluating policies and would rely on client
>>providing the set of groups for the user explicitly ?
>>
>>This also means user <--> group mapping in Ranger is NOT the source of
>>truth, but rather a mirror of some other authentication system (OS, LDAP,
>>etc) and a service will need to fetch this information upon user
>>authentication and provide to Ranger ?
>>
>>I will appreciate clarification on these points.
>>--
>>Thanks,
>>Alex.
>
>

Reply via email to