Bosco,

Thanks for your reply.

I followed these steps but *could not manage to get it working*:

1. I added the GET, DELETE, and POST methods to the service definition's
access type and updated the service definition in the server.
2. In the authorization/knox/KnoxRangerPlugin class two methods (actionType
and accessType) are added which are respectively used in building the
action and access type of the RangerAccessRequest instance.

3. In the RangerPDPKnoxFilter class I extracted the method type from the
received ServletRequest and set it as the access type of the
RangerAccessRequest. The action type is set to '*allow*'.

4. The final packaged jar file is copied to the following paths in the
server:
      KNOX_SERVER/ext/ranger-knox-plugin-impl
      RANGER_ADMIN/ews/webapp/WEB-INF/classes/ranger-plugins/knox

5. In Ambari's KNOX service and in the advanced topology config file I
set authorization to XASecurePDPKnox and also added my service to be
authorized:
<service>
  <role>MY-SERVICE</role>
  <url>https://<SERVER>:8443/gateway/dsgdev/livy/v1/sessions</url>
</service>

6. In the Ranger UI and for the *dsgdev_knox* service I added the
policy *myservice* with the topology value of *default* and knox service
value of *MY-SERVICE*.
    For the *admin* user the *DELETE* permission is set.


Here are the issues I faced:

1. When creating the dsgdev_knox service I set the knox.url to
https://<server>:8443/gateway/default/api/v1/topologies
and the connection test fails:
---------------
org.apache.ranger.plugin.client.HadoopException: Exception on REST call to
KnoxUrl :
https://master01dev.sic.local:8443/gateway/default/api/v1/topologies..
Exception on REST call to KnoxUrl :
https://master01dev.sic.local:8443/gateway/default/api/v1/topologies..
java.net.SocketException: java.security.NoSuchAlgorithmException: Error
constructing implementation (algorithm: Default, provider: SunJSSE, class:
sun.security.ssl.SSLContextImpl$DefaultSSLContext).
java.security.NoSuchAlgorithmException: Error constructing implementation
(algorithm: Default, provider: SunJSSE, class:
sun.security.ssl.SSLContextImpl$DefaultSSLContext).
Error constructing implementation (algorithm: Default, provider: SunJSSE,
class: sun.security.ssl.SSLContextImpl$DefaultSSLContext).
problem accessing trust store.
Keystore was tampered with, or password was incorrect.
Password verification failed.
---------------

2. When I execute GET on MY-SERVICE with the admin user, since this
user only has DELETE permission, the authorization should fail. BUT it
is authorized.

3. I also got the LookupUser error, so I had to comment out the overridden
getDefaultRangerPolicies() method in the RangerServiceKnox class.


Sorry for this long description.

Thanks in advance for any help

Ebrahim
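For step 3 above, one way to build the Ranger access request so that the HTTP method, not a fixed "allow", is the access type, as an added Java example (not Ranger's own RangerPDPKnoxFilter code and not the patch described in the mail); it assumes the servicedef access types from step 1 are named GET, POST and DELETE in uppercase, and that an initialised RangerBasePlugin is available.

```java
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

// Added illustration (not Ranger's RangerPDPKnoxFilter, not the patch from the mail): the HTTP
// method of the gateway request becomes the Ranger access type, so a policy item that
// grants only DELETE cannot satisfy a GET.
public final class MethodLevelKnoxAuthorizer {
    // Must match the access type names added to the Knox servicedef in step 1 (assumed uppercase).
    private static final Set<String> SERVICEDEF_ACCESS_TYPES =
            new HashSet<>(Arrays.asList("GET", "POST", "DELETE"));
    private final RangerBasePlugin plugin; // assumed already initialised via plugin.init()

    public MethodLevelKnoxAuthorizer(RangerBasePlugin plugin) { this.plugin = plugin; }

    // Knox resource is (topology, service); access type is the normalised HTTP method.
    static RangerAccessRequest buildRequest(String topology, String service, String user,
                                            Set<String> groups, HttpServletRequest http) {
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("topology", topology); // resource names from the Knox servicedef
        resource.setValue("service", service);
        String method = http.getMethod().toUpperCase(Locale.ROOT);
        RangerAccessRequestImpl req = new RangerAccessRequestImpl();
        req.setResource(resource);
        req.setUser(user);
        req.setUserGroups(groups);
        req.setClientIPAddress(http.getRemoteAddr());
        req.setAccessTime(new Date());
        req.setAccessType(method); // policy evaluation matches this, not the old constant "allow"
        req.setAction(method);     // recorded in the audit log
        return req;
    }

    public boolean isAllowed(String topology, String service, String user,
                             Set<String> groups, HttpServletRequest http) {
        String method = http.getMethod().toUpperCase(Locale.ROOT);
        if (!SERVICEDEF_ACCESS_TYPES.contains(method)) {
            return false; // a method the servicedef does not declare can never match a policy: deny
        }
        RangerAccessResult result = plugin.isAccessAllowed(buildRequest(topology, service, user, groups, http));
        return result != null && result.getIsAllowed(); // no result (e.g. no policies loaded) is a deny
    }
}
```

The Ranger UI policy from step 6 only lists DELETE for admin, so with this request shape a GET from admin has no matching policy item and the plugin returns a deny.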

On Wed, Dec 9, 2020 at 2:43 PM Don Bosco Durai <bo...@apache.org> wrote:

> I reviewed the RangerPDPKnoxFilter code. Since Knox has only one resource
> (topology), you will have to do the following:
>
>    1. Update the Knox servicedef to add your “model” resource type
>    2. You have to decide whether you want hierarchy. E.g. topology ->
>    model, model-> topology or model and topology at the same level
>    3. Update RangerPDPKnoxFilter to create the request with what you want
>    to send to model
>
> I might be missing some steps…
>
> Thanks
>
> Bosco
>
> *From: *Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Tuesday, December 8, 2020 at 10:24 PM
> *To: *<user@ranger.apache.org>
> *Subject: *Re: Method Level Authorization for Knox
>
> Sorry for typos
>
> Am I on the *right* way?
>
> On Wed, Dec 9, 2020 at 9:53 AM Ebrahim Khalil Abbasi <
> ebrahim.khalil.abb...@gmail.com> wrote:
>
> Thanks Bosco.
>
> What I understand is that the only config we have in the Knox's
> authorization interface is just to set it to XASecurePDPKnox, then the
> authorization is controlled by the Ranger's Knox plugin.
>
> The solution I am working on is to update the knox-agent and the
> ranger-knox-plugin-shim modules to support the model level authorization.
>
> Am I on the right way?
>
> Thanks
>
> Ebrahim
>
> On Tue, Dec 8, 2020 at 1:27 PM Don Bosco Durai <bo...@apache.org> wrote:
>
> I think, either will need you to update the Knox’s authorization
> interface. Please note, Ranger Plugin just implements the interface
> provided by the host process, in this case Knox.
>
> Have you posted the same question on the Knox’s mailing list?
>
> Thanks
>
> Bosco
>
> *From: *Ebrahim Khalil Abbasi <ebrahim.khalil.abb...@gmail.com>
> *Reply-To: *<user@ranger.apache.org>
> *Date: *Tuesday, December 8, 2020 at 1:40 AM
> *To: *<user@ranger.apache.org>
> *Subject: *Re: Method Level Authorization for Knox
>
> Is there no suggestion on what I should do?
>
> On Wed, Dec 2, 2020 at 9:18 AM Ebrahim Khalil Abbasi <
> ebrahim.khalil.abb...@gmail.com> wrote:
>
> Hi,
>
> My problem is there. Some suggested that I change the current existing knox
> plugin and improve it to support the method level authorization, so no
> integration is required. Another proposed solution is to configure the Apache
> knox so that, in addition to the Ranger's knox plugin, it also uses my HTTP
> service plugin in the chain of the authorization process. I am not sure the
> second solution is easy to implement.
>
> On Wed, Dec 2, 2020 at 5:45 AM Velmurugan Periasamy <v...@apache.org>
> wrote:
>
> Hi - can you please elaborate on how you are planning to integrate with
> the existing Knox plugin?
>
> On Tue, Dec 1, 2020 at 12:16 AM Ebrahim Khalil Abbasi <
> ebrahim.khalil.abb...@gmail.com> wrote:
>
> Hi there,
>
> I am using knox to access livy to manage spark sessions. To implement
> authorization I want to provide method level (get/post/delete/...)
> authorization. I implemented a new HTTP Service plugin in Ranger but I need
> to integrate it with the Ranger's knox plugin so that each HTTP request to
> the knox is authorized based on the method by Ranger.
>
> Thanks for any help!
>
> Ebrahim
>
