peng.jianhua commented on KYLIN-2703:
Hi [~mahongbin], I had updated the patch according to our discussion. Thanks.
> kylin supports managing access rights for project and cube through apache
> Key: KYLIN-2703
> URL: https://issues.apache.org/jira/browse/KYLIN-2703
> Project: Kylin
> Issue Type: New Feature
> Components: General
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: newbie, patch
> KylinAuditLog.jpg, KylinPlugins.jpg, KylinPolicies.jpg,
> KylinServiceEntry.jpg, NewKylinPolicy.jpg, NewKylinService.jpg,
> Ranger is a framework to enable, monitor and manage comprehensive data
> security across the Hadoop platform. Apache Ranger has the following goals:
> 1. Centralized security administration to manage all security related tasks
> in a central UI or using REST APIs.
> 2. Fine grained authorization to do a specific action and/or operation with
> Hadoop component/tool and managed through a central administration tool
> 3. Standardize authorization method across all Hadoop components.
> 4. Enhanced support for different authorization methods - Role based access
> control, attribute based access control etc.
> 5. Centralize auditing of user access and administrative actions (security
> related) within all the components of Hadoop.
> Ranger has supported enable, monitor and manage following components:
> 1. HDFS
> 2. HIVE
> 3. HBASE
> 4. KNOX
> 5. YARN
> 6. STORM
> 7. SOLR
> 8. KAFKA
> 9. ATLAS
> In order to improve the flexibility of kylin privilege control and enhance
> value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase,
> Kylin should also support that using Ranger to control access rights for
> project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user
> access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the
> ranger plugin. kylin instantiates ranger plugin’s implementation class when
> starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the
> local, and updates project and cube access rights based on policy information.
> In the Kylin side：
> 1. Kylin provides an abstract class that enables the ranger plugin's
> implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin
> implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's
> authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's
> existing permissions functions and logic.
> In the Ranger side：
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to
> the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin
> to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/RANGER-1672
This message was sent by Atlassian JIRA