Regarding extending Ranger authorizer classes, you have two options:
1. Use Ranger dynamic policies. This will allow you to write your own Java
class and implement custom logic. You can use this in any Ranger permission.
This has been introduced in Apache Ranger 0.5, so there is not much
documentation. But we can help you here. One thing to note here is that
Apache Ranger works in permissive mode, e.g. by default no one has
permission in Hive, but if you give permission to a user or group to a
resource (database, table, column, etc), then you can negate that
permission. So if your policy will just give "allow", then it will fit
nicely in Ranger model. But if you want to deny, then it won't work. In 0.6
we should introduce negative policy, but if this is your requirement now,
then you can consider option #2.
2. In this option, you can extend the Ranger Hive Authorizer class. After
that, you need to update the servicedef (.json) file to replace the
authorizer with your class. Documentation is lacking here, but we can help.
Once you have overwritten, then you can do your check first and return
"true/false" from there or fall back to Ranger by calling super.method(). If
you are going by this option, you might have to call the audit method
explicitly.

Let us know which way you want to go, we can help either way.

Thanks

Bosco
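
Added example, not part of the original e-mail and not Ranger code: a self-contained Java model of option 2, showing the custom check running first, the fall-back to `super`, and why an early return needs its own audit record. `BaseAuthorizer` is a hypothetical stand-in for the Ranger Hive authorizer (its real method signatures are not shown in this thread), the REST lookup is replaced by a predicate, and denying when the lookup fails is a design choice of this sketch.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.BiPredicate;

public class ChainedAuthorizerSketch {
    static final List<String> AUDIT = new ArrayList<>(); // shared audit trail
    // Hypothetical stand-in for the Ranger Hive authorizer: allow-only
    // policies, default deny, and it audits only the decisions it makes itself.
    static class BaseAuthorizer {
        private final Set<String> allowPolicies; // "user:resource" grants
        BaseAuthorizer(Set<String> allowPolicies) { this.allowPolicies = allowPolicies; }
        boolean isAllowed(String user, String resource) {
            boolean ok = allowPolicies.contains(user + ":" + resource);
            AUDIT.add("base   " + user + " " + resource + " " + (ok ? "ALLOW" : "DENY"));
            return ok;
        }
    }

    // Option 2: subclass, run the custom check first, otherwise call super.
    static class ContextAuthorizer extends BaseAuthorizer {
        private final BiPredicate<String, String> contextCheck; // stands in for the REST lookup
        ContextAuthorizer(Set<String> allowPolicies, BiPredicate<String, String> contextCheck) {
            super(allowPolicies);
            this.contextCheck = contextCheck;
        }
        @Override
        boolean isAllowed(String user, String resource) {
            boolean pass;
            try {
                pass = contextCheck.test(user, resource);
            } catch (RuntimeException e) {
                pass = false; // design choice of this sketch: a failed lookup denies
            }
            if (!pass) {
                // The early return never reaches the base class, so audit explicitly.
                AUDIT.add("custom " + user + " " + resource + " DENY");
                return false;
            }
            return super.isAllowed(user, resource); // fall back to the base decision
        }
    }

    public static void main(String[] args) {
        // Constructed grants and a constructed context rule (deny anything under hr.).
        BaseAuthorizer authz = new ContextAuthorizer(
            Set.of("analyst:sales.orders", "analyst:hr.salaries"),
            (user, res) -> !res.startsWith("hr."));
        for (String r : List.of("sales.orders", "hr.salaries", "ops.logs"))
            System.out.println(r + " -> " + authz.isAllowed("analyst", r));
        AUDIT.forEach(System.out::println);
    }
}
```

The `hr.salaries` request is denied by the custom check even though an allow grant exists for it, which is the kind of deny the allow-only policy model in option 1 cannot express.
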


From:  Raghavendran Chellappa <raghavendr...@virtusa.com>
Reply-To:  "user@ranger.incubator.apache.org"
<user@ranger.incubator.apache.org>
Date:  Monday, June 8, 2015 at 12:59 PM
To:  "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Cc:  "thejas.n...@gmail.com" <thejas.n...@gmail.com>
Subject:  RE: Chaining 2 Ranger Plugins for Hive

> Many thanks for your reply Alok.
>  
> 2 follow up questions:
> 1.      In the link
> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-authorization.html
> 
> the NOTE at the bottom of the page says that "The
> hive.security.authorization.manager configuration property allows multiple
> authorization managers in comma-delimited format".
> 
> Is this applicable in the context of a Ranger Plugin?
> 
>  
> 
> 2.      About extending Ranger authorizer classes, we need to do an external
> REST service lookup (as a part of custom authorization check). We need a REST
> service because the authorization logic is very different from the standard
> authorization provided by Ranger (has contextual information of the resource).
> 
> With this in mind, can we extend the Ranger HIVE plugin and add our
> call to the REST service? Are there some samples of this?
> 
> Or,  Do we need to implement a new Ranger Plugin for Hive?
> 
> thanks,
> Raga
>  
>  
> 
> Raghavendran Chellappa
> Associate Director - Technology
> Virtusa Corp.
> Mobile: +1-402.677.1413
> Virtusa internal VOIP: 89538
>  
> 
> From: Alok Lal [mailto:a...@hortonworks.com]
> Sent: Monday, June 08, 2015 1:57 PM
> To: user@ranger.incubator.apache.org
> Cc: thejas.n...@gmail.com
> Subject: Re: Chaining 2 Ranger Plugins for Hive
>  
> 
> has confirmed that one authorizer is currently supported by that config.
> Thanks @Thejas Nair (a Hive-pmc
> <https://people.apache.org/committers-by-project.html#hive-pmc> ) for
> confirmation.
> 
> @Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and
> RangerHiveAuthorizer) aren't final an option might be to extend them.
> 
>  
> 
>  
> 
> From: Raghavendran Chellappa <raghavendr...@virtusa.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <user@ranger.incubator.apache.org>
> Date: Monday, June 8, 2015 at 6:14 AM
> To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
> Subject: Chaining 2 Ranger Plugins for Hive
> 
>  
> 
> Hi,
>  
> We are planning to use the default HIVE authorization provider and
> additionally implement a custom Authorization provider as well.
> Can we 'chain' the new/customized Ranger Plugin for Hive after the existing
> Ranger Plugin for Hive?
> I mean, can we list them as 2 separate plugins in
> "hive.security.authorization.manager" properties in the hive-site.xml? Ideally
> we will want the default HIVE authorization to pass before our custom hive
> authorization provider is called.
>  
> So, will this be possible, if we provide the values as comma separated values
> in the "hive.security.authorization.manager" property?
>  
> Thanks,
> Raga
>  
> Raghavendran Chellappa
>  
> ------------------------------------------------------------------------------
> -----------
> Virtusa was recently featured in Everest Group's PEAK Matrix for Banking
> Application Outsourcing,Life Sciences IT Outsourcing and Healthcare Payer
> Industry IT Outsourcing,Forrester Research's report on major mid-sized
> offshore IT services vendors, 2013 Forbes List of 100 Best Public Companies In
> America with revenue less than $1B and won the 2013 Frost & Sullivan Customer
> Value Leadership Award for System Integration for CEM in Healthcare.
>  
> ------------------------------------------------------------------------------
> -----------
> This message, including any attachments, contains confidential information
> intended for a specific individual and purpose, and is intended for the
> addressee only. Any unauthorized disclosure, use, dissemination, copying, or
> distribution of this message or any of its attachments or the information
> contained in this e-mail, or the taking of any action based on it, is strictly
> prohibited. If you are not the intended recipient, please notify the sender
> immediately by return e-mail and delete this message.
> ------------------------------------------------------------------------------
> -----------
> 
