Hi Matteo

 

It depends on your use case. 

 
1. You will be doing authorization exclusively based on your decision engine.
2. You will be falling back to Ranger for additional checks.
 

For #1, it might not be worth your effort to understand the Ranger Plugin 
implementation and change it. The Ranger team has worked with almost all open 
source Hadoop projects to make the component authorization pluggable. You might 
just leverage that and directly implement the component’s interface, which is 
generally very simple and straightforward.

 

For #2, you could extend Ranger. There are multiple ways:
- Implementing additional conditions.
- Extending Services Authorizer class
- Extend or modify RangerPlugin class.
- Reimplement the Authorizer Plugin
 

While it is easy to add a new plugin which uses the Ranger implementation, 
changing the internals could be pretty complex. The complexity will vary 
depending upon your programming skills and integration requirements. But I have 
to let you know that this is not a trivial effort. Since Ranger supports 
multiple services, almost everything is abstracted, so you will have to 
walk through all the code paths and put in enough debug statements to understand it.

 

Bosco

 

 

From: Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Reply-To: <user@ranger.apache.org>
Date: Wednesday, January 16, 2019 at 12:21 AM
To: <user@ranger.apache.org>
Subject: Re: How to extend the authorization engine in order to use an external 
service

 

Hi,

just to clarify my question: the plugin I would like to build should make the 
call to the external service and then use the obtained data as a preliminary 
authorization check to use then with services like HDFS, HBASE, HIVE. In my 
case Apache Ranger is already integrated to those services so I just need to 
add that security layer before moving to the specific service.

In this case what would you suggest?
Do I need to build a brand new plugin just to make the call and get the 
response from the external service, or do I need to build multiple plugins that 
extend each specific service provider?

Thanks

Regards,
Matteo

On 15/01/19 12:57, Matteo Alessandroni wrote:

Hi Bosco,

On 15/01/19 12:41, Don Bosco Durai wrote:

Matteo

 

Are you extending current plugin or creating brand new custom plugin for 
another component?


Actually I'm not sure whether I need to extend an existing plugin or create a 
brand new one. 
I will use Apache Ranger to provide a runtime policy enforcement point for Hadoop 
products using policies from an external REST service.
What solution do you think I should engage?



 

If it is the current plugin, then Ranger has a design where you can enrich the context 
and use it in a condition. IP-based and most internal extensions use that design 
pattern. On the policy side, you don’t need any code change. For the enricher, you 
might have to add JAR files. If you feel this will work for you, then Abhay or 
Madhan might be able to answer this in more detail.

 

If you are going to extend current plugin class, e.g. for YARN, then you will 
have to extend RangerYarnAuthorizer class on both implementation and shim 
package. You can then override the checkPermission method or customize 
RangerYarnPlugin (which does the actual check) and overwrite the init() to use 
your plugin class.

 

Just FYI, right from the beginning, the Ranger team has avoided making outbound 
calls during authorization. This could significantly affect your performance, 
particularly in high velocity components like HDFS, Kafka, etc. I would suggest 
(if possible) that you consider caching some of the authorization decisions 
within the plugin.

 

Thanks for the tip, I'll do that!

Anyway, in my current simple test I'm extending the YARN plugin (I don't think 
I will need to extend it, it's just to test a custom service registering 
operation), I registered it by using:

curl -u admin:admin -X POST -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d @ranger-servicedef-test.json \
  http://localhost:6080/service/plugins/definitions

but when I click "Add new service" for the new service type and click "Save" I 
get an error:

Test failed to find service class 
org.apache.ranger.services.test.RangerServiceTest. Resource lookup will not be 
available. Please make sure plugin jar is in the correct place.

but the custom plugin folder is in the Apache Ranger main folder, what am I 
missing?

Best Regards,
Matteo



 Bosco

 

From: Matteo Alessandroni <matteo.alessandr...@tirasa.net>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, January 15, 2019 at 3:07 AM
To: <user@ranger.apache.org>
Subject: How to extend the authorization engine in order to use an external 
service

 

I would like to extend the authorization mechanism of Apache Ranger in order to 
make authorization based on the response of an external REST service.
So, when the Ranger policy engine is called I would like to intercept the 
request, call an external REST service to obtain some authorization data and 
use it to decide who can access what.
As a general idea the external service gets a username and returns a list of 
permissions / policies that user has.

Do you think I should build a custom plugin for it? Do I have to create an 
"authorizer"? If so, what class do I need to extend (e.g. 
"YarnAuthorizationProvider")?
Could you please give me a hint on where to start or a sample of something 
similar to what I need?

Currently I'm trying to build a custom plugin (I started by seeing wiki on 
[1]). I have added a class that extends "YarnAuthorizationProvider" (I really 
don't know what class to use here). I've also created another subclass that 
extends "RangerPlainIDAccessRequest" so that I could access the request in the 
"checkPermission()" overridden method and maybe do stuff there.
I'm not sure I'm on the right track! Any help would be appreciated!

Also, I'm not sure about how to test the plugin I have built. I tried to put it 
in the Apache Ranger source code (v1.2.0) and re-build, now I see the new 
service in the Apache Ranger Admin Console but what's next?

Thank you!
Best regards,
Matteo

[1] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207

 

 

-- 

Dott. Matteo Alessandroni

Software Engineer @ Tirasa S.r.l. 

Viale Vittoria Colonna, 97 - 65127 Pescara 
Tel +39 0859116307 / FAX +39 0859111173 

http://www.tirasa.net 

Apache Syncope PMC Member 
http://people.apache.org/phonebook.html?uid=skylark17 
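
Bosco's suggestion earlier in this thread, to cache authorization decisions inside the plugin rather than make an outbound call on every check, shown as an added example that is not from the thread or from Ranger. The class name, the `lookup` function standing in for the external REST client, and the permission strings are all hypothetical.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Added example (Java 16+), not Ranger code: caches per-user permissions fetched
// from a hypothetical external service so the hot path makes no outbound call.
public class CachedExternalAuthorizer {
    private record Entry(Set<String> permissions, long expiresAtNanos) {}

    private final ConcurrentHashMap<String, Entry> cache = new ConcurrentHashMap<>();
    private final Function<String, Set<String>> lookup; // stand-in for the REST client
    private final long ttlNanos;

    public CachedExternalAuthorizer(Function<String, Set<String>> lookup, long ttlMillis) {
        this.lookup = lookup;
        this.ttlNanos = ttlMillis * 1_000_000L;
    }

    // True only when the external service lists the permission; any failure denies.
    public boolean isAllowed(String user, String permission) {
        long now = System.nanoTime();
        Entry e = cache.get(user);
        if (e == null || now - e.expiresAtNanos() >= 0) {
            try {
                // Outbound call happens only on a miss or after expiry.
                e = new Entry(Set.copyOf(lookup.apply(user)), now + ttlNanos);
                cache.put(user, e);
            } catch (RuntimeException ex) {
                cache.remove(user); // fail closed: never serve an expired entry
                return false;
            }
        }
        return e.permissions().contains(permission);
    }

    // Call when the external service reports a change, e.g. a revocation.
    public void invalidate(String user) { cache.remove(user); }

    public static void main(String[] args) {
        int[] calls = {0}; // counts simulated outbound requests
        CachedExternalAuthorizer authz = new CachedExternalAuthorizer(user -> {
            calls[0]++;
            if (user.equals("down")) throw new IllegalStateException("service unavailable");
            return user.equals("alice") ? Set.of("hdfs:read") : Set.of();
        }, 30_000);
        for (String u : new String[] {"alice", "alice", "bob", "down"})
            System.out.println(u + " hdfs:read -> " + authz.isAllowed(u, "hdfs:read"));
        System.out.println("outbound calls: " + calls[0]);
    }
}
```

The TTL is also the longest a revocation at the external service can take to reach the plugin unless `invalidate` is called, so size it for that exposure rather than for hit rate alone.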

 
