Hi,
just to clarify my question: the plugin I would like to build should
make the call to the external service and then use the obtained data as
a preliminary authorization check to use then with services like HDFS,
HBASE, HIVE. In my case Apache Ranger is already integrated to those
services so I just need to add that security layer before moving to the
specific service.
In this case what would you suggest?
Do I need to build a brand new plugin just to make the call and get the
response from the external service, or do I need to build multiple plugins
that extend each specific service provider?
Thanks
Regards,
Matteo
On 15/01/19 12:57, Matteo Alessandroni wrote:
Hi Bosco,
On 15/01/19 12:41, Don Bosco Durai wrote:
Matteo
Are you extending current plugin or creating brand new custom plugin
for another component?
Actually I'm not sure whether I need to extend an existing plugin or
create a brand new one.
I will use Apache Ranger to provide runtime policy enforcement point
for Hadoop products using policies from an external REST service.
What solution do you think I should engage?
If it is the current plugin, then Ranger has a design where you can enrich
the context and use it in a condition. IP based and most internal
extensions use that design pattern. On the policy side, you don’t need
any code change. For the enricher, you might have to add JAR files.
If you feel this will work for you, then Abhay or Madhan might be
able to answer this in more detail.
If you are going to extend current plugin class, e.g. for YARN, then
you will have to extend RangerYarnAuthorizer class on both
implementation and shim package. You can then override the
checkPermission method or customize RangerYarnPlugin (which does the
actual check) and overwrite the init() to use your plugin class.
Just FYI, right from the beginning, Ranger team has avoided making
outbound call during authorization. This could significantly affect
your performance, particularly in high velocity components like HDFS,
Kafka, etc. I would suggest (if possible) that you consider caching
some of the authorization decisions within the plugin.
Thanks for the tip, I'll do that!
Anyway, in my current simple test I'm extending the YARN plugin (I
don't think I will need to extend it, it's just to test a custom
service registering operation), I registered it by using:
curl -u admin:admin -X POST -H "Accept: application/json" \
  -H "Content-Type: application/json" -d @ranger-servicedef-test.json \
  http://localhost:6080/service/plugins/definitions
but when I click "Add new service" for the new service type and click
"Save" I get an error:
/Test failed to find service class
org.apache.ranger.services.test.RangerServiceTest. Resource lookup
will not be available. Please make sure plugin jar is in the correct
place./
but the custom plugin folder is in the Apache Ranger main folder, what
am I missing?
Best Regards,
Matteo
Bosco
From: Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, January 15, 2019 at 3:07 AM
To: <user@ranger.apache.org>
Subject: How to extend the authorization engine in order to use an
external service
I would like to extend the authorization mechanism of Apache Ranger
in order to make authorization based on the response of an external
REST service.
So, when the Ranger policy engine is called I would like to intercept
the request, call an external REST service to obtain some
authorization data and use it to decide who can access what.
As a general idea the external service gets a username and returns a
list of permissions / policies that user has.
Do you think I should build a custom plugin for it? Do I have to
create an "*authorizer*"? If so, what class do I need to extend (e.g.
"YarnAuthorizationProvider")?
Could you please give me a hint on where to start or a sample of
something similar to what I need?
Currently I'm trying to build a custom plugin (I started by seeing
wiki on [1]). I have added a class that extends
"YarnAuthorizationProvider" (I really don't know what class to use
here). I've also created another subclass that extends
"RangerPlainIDAccessRequest" so that I could access the request in
the "checkPermission()" overridden method and maybe do stuff there.
I'm not sure I'm in the right way! Any help would be appreciated!
Also, I'm not sure about how to test the plugin I have built. I tried
to put it in the Apache Ranger source code (v1.2.0) and re-build, now
I see the new service in the Apache Ranger Admin Console but what's next?
Thank you!
Best regards,
Matteo
[1]
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207
--
Dott. Matteo Alessandroni
Software Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
http://people.apache.org/phonebook.html?uid=skylark17
Tirasa S.r.l. <http://www.tirasa.net>
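
Added example, not part of the thread and not Ranger code: a sketch of the in-plugin caching suggested in the reply above, so that the external REST service is not called on every authorization check. The class name CachedExternalAuthz, the remoteLookup function (standing in for the REST call) and the sample users and permissions are hypothetical; a failed or empty lookup is treated as a deny.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical helper (Java 16+); it uses no Ranger classes.
public class CachedExternalAuthz {
    private record Entry(Set<String> permissions, long expiresAtMillis) {}

    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> remoteLookup; // wraps the REST call
    private final long ttlMillis;

    public CachedExternalAuthz(Function<String, Set<String>> remoteLookup, long ttlMillis) {
        this.remoteLookup = remoteLookup;
        this.ttlMillis = ttlMillis;
    }

    public boolean isAllowed(String user, String permission) {
        long now = System.currentTimeMillis();
        Entry e = cache.get(user);
        if (e == null || e.expiresAtMillis() <= now) {
            try {
                // Only a miss or an expired entry triggers the outbound call.
                e = new Entry(Set.copyOf(remoteLookup.apply(user)), now + ttlMillis);
                cache.put(user, e);
            } catch (RuntimeException ex) {
                // Fail closed: never serve a stale grant while the service is down.
                cache.remove(user);
                return false;
            }
        }
        return e.permissions().contains(permission);
    }

    // Call when the external service signals that a user's permissions changed.
    public void invalidate(String user) { cache.remove(user); }

    public static void main(String[] args) {
        int[] calls = {0}; // counts simulated REST calls (constructed sample data)
        CachedExternalAuthz authz = new CachedExternalAuthz(user -> {
            calls[0]++;
            if (user.equals("down")) throw new IllegalStateException("service unreachable");
            return user.equals("alice") ? Set.of("hdfs:read") : Set.of();
        }, 30_000);
        System.out.println(authz.isAllowed("alice", "hdfs:read"));  // granted, one lookup
        System.out.println(authz.isAllowed("alice", "hdfs:write")); // denied, served from cache
        System.out.println(authz.isAllowed("down", "hdfs:read"));   // denied, lookup failed
        System.out.println("remote calls: " + calls[0]);
    }
}
```

The TTL bounds how long a revoked permission can still be honoured, so it should be chosen against how quickly revocations must take effect.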