Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
xunliu merged PR #5467: URL: https://github.com/apache/gravitino/pull/5467 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467: URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830566574 ## docs/security/authorization-pushdown.md: ## @@ -43,6 +43,36 @@ authorization.ranger.password=PWD123 authorization.ranger.service.name=hiveRepo ``` +### Authorization Iceberg with Ranger properties + +In order to use the Authorization Ranger Iceberg Plugin, you need to configure the following properties and [Lakehouse_Iceberg catalog properties](../lakehouse-iceberg-catalog.md#catalog-properties): + +| Property Name | Description | Default Value | Required | Since Version| +|-|--|---|--|--| +| `authorization-provider`| Providers to use to implement authorization plugin such as `ranger`. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.admin.url`| The Apache Ranger web URIs. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.auth.type`| The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating | +| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none)| No | 0.6.0-incubating | +| `authorization.ranger.service.name` | The Apache Ranger service name. | (none)| No | 0.6.0-incubating | Review Comment: Change to 0.8.0-incubating. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467: URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830536028 ## docs/security/authorization-pushdown.md: ## @@ -43,6 +43,36 @@ authorization.ranger.password=PWD123 authorization.ranger.service.name=hiveRepo ``` +### Authorization Iceberg with Ranger properties + +In order to use the Authorization Ranger Iceberg Plugin, you need to configure the following properties and [Lakehouse_Iceberg catalog properties](../lakehouse-iceberg-catalog.md#catalog-properties): + +| Property Name | Description | Default Value | Required | Since Version| +|-|--|---|--|--| +| `authorization-provider`| Providers to use to implement authorization plugin such as `ranger`. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.admin.url`| The Apache Ranger web URIs. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.auth.type`| The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating | +| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none)| No | 0.6.0-incubating | +| `authorization.ranger.service.name` | The Apache Ranger service name. | (none)| No | 0.6.0-incubating | Review Comment: This option reuse Hive properties. I don't add a new properity. This propeties are introduced in 0.6.0-incubating. But property doesn't bind to a fixed version. If you think it's necessary, I can this version. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467: URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830536028 ## docs/security/authorization-pushdown.md: ## @@ -43,6 +43,36 @@ authorization.ranger.password=PWD123 authorization.ranger.service.name=hiveRepo ``` +### Authorization Iceberg with Ranger properties + +In order to use the Authorization Ranger Iceberg Plugin, you need to configure the following properties and [Lakehouse_Iceberg catalog properties](../lakehouse-iceberg-catalog.md#catalog-properties): + +| Property Name | Description | Default Value | Required | Since Version| +|-|--|---|--|--| +| `authorization-provider`| Providers to use to implement authorization plugin such as `ranger`. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.admin.url`| The Apache Ranger web URIs. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.auth.type`| The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating | +| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none)| No | 0.6.0-incubating | +| `authorization.ranger.service.name` | The Apache Ranger service name. | (none)| No | 0.6.0-incubating | Review Comment: This option reuse Hive properties. I don't a a new properity. This propeties are introduced in 0.6.0-incubating. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
xunliu commented on code in PR #5467: URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830531400 ## docs/security/authorization-pushdown.md: ## @@ -43,6 +43,36 @@ authorization.ranger.password=PWD123 authorization.ranger.service.name=hiveRepo ``` +### Authorization Iceberg with Ranger properties + +In order to use the Authorization Ranger Iceberg Plugin, you need to configure the following properties and [Lakehouse_Iceberg catalog properties](../lakehouse-iceberg-catalog.md#catalog-properties): + +| Property Name | Description | Default Value | Required | Since Version| +|-|--|---|--|--| +| `authorization-provider`| Providers to use to implement authorization plugin such as `ranger`. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.admin.url`| The Apache Ranger web URIs. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.auth.type`| The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating | +| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none)| No | 0.6.0-incubating | +| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none)| No | 0.6.0-incubating | +| `authorization.ranger.service.name` | The Apache Ranger service name. | (none)| No | 0.6.0-incubating | Review Comment: Maybe need to change `0.6.0-incubating` to `0.8.0-xxx`? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi closed pull request #5467: [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin URL: https://github.com/apache/gravitino/pull/5467 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467:
URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830392959
##
authorizations/authorization-ranger/build.gradle.kts:
##
@@ -126,7 +129,7 @@ tasks {
tasks.test {
doFirst {
-environment("HADOOP_USER_NAME", "test")
+environment("HADOOP_USER_NAME", "gravitino")
}
Review Comment:
Default HADOOP_HOME is anoymous. So I added it back.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467:
URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830360241
##
authorizations/authorization-ranger/build.gradle.kts:
##
@@ -126,7 +129,7 @@ tasks {
tasks.test {
doFirst {
-environment("HADOOP_USER_NAME", "test")
+environment("HADOOP_USER_NAME", "gravitino")
}
Review Comment:
OK, reverted.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi commented on code in PR #5467: URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830353220 ## authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerIcebergE2EIT.java: ## Review Comment: They are similar but different. For same update SQL, Iceberg will succeed but Hive will throw exception. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
xunliu commented on code in PR #5467:
URL: https://github.com/apache/gravitino/pull/5467#discussion_r1830350443
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerIcebergE2EIT.java:
##
Review Comment:
The `RangerIcebergE2EIT` class is the same as `RangerHiveE2EIT`, I think we
can abstract a common IT class.
##
authorizations/authorization-ranger/build.gradle.kts:
##
@@ -126,7 +129,7 @@ tasks {
tasks.test {
doFirst {
-environment("HADOOP_USER_NAME", "test")
+environment("HADOOP_USER_NAME", "gravitino")
}
Review Comment:
The `HADOOP_USER_NAME` default is `gravitino`, If we do not need to set a
different value, we can remove this paragraph code.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin [gravitino]
jerqi closed pull request #5467: [#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authorization plugin URL: https://github.com/apache/gravitino/pull/5467 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
