I would like to extend the authorization mechanism of Apache Ranger in
order to make authorization based on the response of an external REST
service.
So, when the Ranger policy engine is called I would like to intercept
the request, call an external REST service to obtain some authorization
data and use it to decide who can access what.
As a general idea the external service gets a username and returns a
list of permissions / policies that user has.
Do you think I should build a custom plugin for it? Do I have to create
an "*authorizer*"? If so, what class do I need to extend (e.g.
"YarnAuthorizationProvider")?
Could you please give me a hint on where to start or a sample of
something similar to what I need?
Currently I'm trying to build a custom plugin (I started by reading the wiki
on [1]). I have added a class that extends "YarnAuthorizationProvider"
(I really don't know what class to use here). I've also created another
subclass that extends "RangerPlainIDAccessRequest" so that I could
access the request in the "checkPermission()" overridden method and
maybe do stuff there.
I'm not sure I'm on the right track! Any help would be appreciated!
Also, I'm not sure how to test the plugin I have built. I tried to
put it in the Apache Ranger source code (v1.2.0) and rebuild; now I see
the new service in the Apache Ranger Admin Console, but what's next?
Thank you!
Best regards,
Matteo
[1] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207