I reviewed the RangerPDPKnoxFilter code. Since Knox has only one resource (topology), you will have to do the following:

- Update the Knox servicedef to add your “model” resource type
- You have to decide whether you want hierarchy. E.g. topology -> model, model -> topology, or model and topology at the same level
- Update RangerPDPKnoxFilter to create the request with what you want to send to model

I might be missing some steps…

Thanks

Bosco

From: Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, December 8, 2020 at 10:24 PM
To: <user@ranger.apache.org>
Subject: Re: Method Level Authorization for Knox

Sorry for typos

Am I on the right way?

On Wed, Dec 9, 2020 at 9:53 AM Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com> wrote:

Thanks Bosco.

What I understand is that the only config we have in the Knox's authorization interface is just set it to XASecurePDPKnox, then the authorization is controlled by the Ranger's Knox plugin.

The solution I am working on is to update the knox-agent and the ranger-knox-plugin-shim modules to support the model level authorization. Am I on the write way?

Thanks

Ebrahim

On Tue, Dec 8, 2020 at 1:27 PM Don Bosco Durai <bo...@apache.org> wrote:

I think either will need you to update the Knox’s authorization interface. Please note, Ranger Plugin just implements the interface provided by the host process, in this case Knox.

Have you posted the same question to the Knox’s mailing list?

Thanks

Bosco

From: Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com>
Reply-To: <user@ranger.apache.org>
Date: Tuesday, December 8, 2020 at 1:40 AM
To: <user@ranger.apache.org>
Subject: Re: Method Level Authorization for Knox

There is no suggestion what I should do?

On Wed, Dec 2, 2020 at 9:18 AM Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com> wrote:

Hi,

My problem is there. Some suggested that I change the current existing knox plugin and improve it to support the method level authorization, so no integration required.

Another proposed solution is to configure the Apache knox so that in addition to the Ranger's knox plugin it also uses my HTTP service plugin in the chain of authorization process. I am not sure the second solution is easy to implement.

On Wed, Dec 2, 2020 at 5:45 AM Velmurugan Periasamy <v...@apache.org> wrote:

Hi - can you please elaborate on how you are planning to integrate with the existing Knox plugin?

On Tue, Dec 1, 2020 at 12:16 AM Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com> wrote:

Hi there,

I am using knox to access livy to manage spark sessions. To implement authorization I want to provide the method level (get/post/delete/...) authorization. I implemented a new HTTP Service plugin in Ranger but I need to integrate it to the Ranger's knox plugin so that each HTTP request to the knox is authorized based on the method by the Ranger.

Thanks for any help!

Ebrahim