Matteo

 

Are you extending the current plugin or creating a brand new custom plugin for 
another component?

 

If it is the current plugin, then Ranger has a design where you can enrich the 
context and use it in a condition. IP-based and most internal extensions use that 
design pattern. On the policy side, you don’t need any code change. For the 
enricher, you might have to add JAR files. If you feel this will work for you, 
then Abhay or Madhan might be able to answer this in more detail.

 

If you are going to extend the current plugin class, e.g. for YARN, then you will 
have to extend the RangerYarnAuthorizer class in both the implementation and shim 
packages. You can then override the checkPermission method or customize 
RangerYarnPlugin (which does the actual check) and overwrite the init() to use 
your plugin class.

 

Just FYI, right from the beginning, the Ranger team has avoided making outbound 
calls during authorization. This could significantly affect your performance, 
particularly in high-velocity components like HDFS, Kafka, etc. I would suggest 
(if possible) that you consider caching some of the authorization decisions 
within the plugin.

 

Bosco

 

 

From: Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, January 15, 2019 at 3:07 AM
To: <user@ranger.apache.org>
Subject: How to extend the authorization engine in order to use an external 
service

 

I would like to extend the authorization mechanism of Apache Ranger in order to 
make authorization based on the response of an external REST service.
So, when the Ranger policy engine is called I would like to intercept the 
request, call an external REST service to obtain some authorization data and 
use it to decide who can access what.
As a general idea the external service gets a username and returns a list of 
permissions / policies that user has.

Do you think I should build a custom plugin for it? Do I have to create an 
"authorizer"? If so, what class do I need to extend (e.g. 
"YarnAuthorizationProvider")?
Could you please give me a hint on where to start or a sample of something 
similar to what I need?

Currently I'm trying to build a custom plugin (I started by reading the wiki at 
[1]). I have added a class that extends "YarnAuthorizationProvider" (I really 
don't know what class to use here). I've also created another subclass that 
extends "RangerPlainIDAccessRequest" so that I could access the request in the 
"checkPermission()" overridden method and maybe do stuff there.
I'm not sure I'm in the right way! Any help would be appreciated!

Also, I'm not sure about how to test the plugin I have built. I tried to put it 
in the Apache Ranger source code (v1.2.0) and re-build, now I see the new 
service in the Apache Ranger Admin Console but what's next?

Thank you!
Best regards,
Matteo

[1] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
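
The caching suggested in the reply above, as an added example that is not part of the original thread and is not Ranger code: a per-user TTL cache in front of the external permission lookup, so that only a cache miss makes an outbound call and a lookup failure denies access. `PermissionSource`, `CachedPermissions`, the permission string and the 30-second TTL are all hypothetical.

```java
import java.time.Duration;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the external REST service: username -> permissions.
interface PermissionSource {
    Set<String> fetch(String user) throws Exception;
}

// Hypothetical helper (not a Ranger class) meant to be called from a custom authorizer.
final class CachedPermissions {
    private record Entry(Set<String> perms, long expiresAtNanos) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final PermissionSource source;
    private final long ttlNanos;

    CachedPermissions(PermissionSource source, Duration ttl) {
        this.source = source;
        this.ttlNanos = ttl.toNanos(); // the TTL bounds how long a revoked permission stays usable
    }

    boolean isAllowed(String user, String permission) {
        long now = System.nanoTime();
        Entry e = cache.get(user);
        if (e == null || now - e.expiresAtNanos() >= 0) { // miss or expired entry
            try {
                e = new Entry(Set.copyOf(source.fetch(user)), now + ttlNanos);
                cache.put(user, e);
            } catch (Exception ex) {
                cache.remove(user);
                return false; // fail closed: an unreachable service never grants access
            }
        }
        return e.perms().contains(permission);
    }

    // Drop a user's entry early, e.g. when the external system reports a change.
    void invalidate(String user) { cache.remove(user); }
}

class CachedPermissionsDemo {
    public static void main(String[] args) {
        int[] calls = {0}; // counts outbound lookups made by the constructed fake service
        PermissionSource fake = user -> { calls[0]++; return Set.of("submit-app"); };
        CachedPermissions authz = new CachedPermissions(fake, Duration.ofSeconds(30));
        System.out.println(authz.isAllowed("alice", "submit-app"));
        System.out.println(authz.isAllowed("alice", "admin-queue"));
        System.out.println("outbound calls: " + calls[0]);
    }
}
```

The map here is unbounded; a deployment with many distinct users would also need a size limit or eviction.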

 
