To add to Bosco's point, you may want to refer to this JIRA https://issues.apache.org/jira/browse/RANGER-256
The Ranger plugin has a context enricher class which can be modified to add a custom REST service lookup as part of the authorization.
https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/entity/XXContextEnricherDef.java

On Mon, Jun 8, 2015 at 8:25 PM, Don Bosco Durai <[email protected]> wrote:

> Regarding extending Ranger authorizer classes, you have two options:
>
> 1. Use Ranger dynamic policies. This will allow you to write your own Java class and implement custom logic. You can use this in any Ranger permission. This has been introduced in Apache Ranger 0.5, so there is not much documentation. But we can help you here. One thing to note here is that Apache Ranger works in permissive mode, e.g. by default no one has permission in Hive, but if you give permission to a user or group to a resource (database, table, column, etc), then you can negate that permission. So if your policy will just give “allow”, then it will fit nicely in Ranger model. But if you want to deny, then it won’t work. In 0.6 we should introduce negative policy, but if this is your requirement now, then you can consider option #2.
> 2. In this option, you can extend the Ranger Hive Authorizer class. After that, you need to update the servicedef (.json) file to replace the authorizer with your class. Documentation is lacking here, but we can help. Once you have overwritten, then you can do your check first and return “true/false” from there or fall back to Ranger by calling super.method(). If you are going by this option, you might have to call the audit method explicitly.
>
> Let us know which way you want to go, we can help either way.
>
> Thanks
>
> Bosco
>
> From: Raghavendran Chellappa <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Monday, June 8, 2015 at 12:59 PM
> To: "[email protected]" <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: RE: Chaining 2 Ranger Plugins for Hive
>
> Many thanks for your reply Alok.
>
> 2 follow up questions:
>
> 1. In the link http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-authorization.html the NOTE at the bottom of the page says that “The hive.security.authorization.manager configuration property allows multiple authorization managers in comma-delimited format”.
>
> Is this applicable in the context of a Ranger Plugin?
>
> 2. About extending Ranger authorizer classes, we need to do an external REST service lookup (as a part of custom authorization check). We need a REST service because the authorization logic is very different from the standard authorization provided by Ranger (has contextual information of the resource).
>
> With this in mind, can we extend the Ranger HIVE plugin and add our call to the REST service? Are there some samples of this?
>
> Or, do we need to implement a new Ranger Plugin for Hive?
>
> thanks,
> Raga
>
> *Raghavendran Chellappa*
> Associate Director – Technology
> Virtusa Corp.
> Mobile: +1-402.677.1413
> Virtusa internal VOIP: 89538
>
> *From:* Alok Lal [mailto:[email protected] <[email protected]>]
> *Sent:* Monday, June 08, 2015 1:57 PM
> *To:* [email protected]
> *Cc:* [email protected]
> *Subject:* Re: Chaining 2 Ranger Plugins for Hive
>
> has confirmed that one authorizer is currently supported by that config. Thanks @Thejas Nair (a Hive-pmc <https://people.apache.org/committers-by-project.html#hive-pmc>) for confirmation.
>
> @Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and RangerHiveAuthorizer) aren’t final an option might be to extend them.
>
> *From:* Raghavendran Chellappa <[email protected]>
> *Reply-To:* "[email protected]" <[email protected]>
> *Date:* Monday, June 8, 2015 at 6:14 AM
> *To:* "[email protected]" <[email protected]>
> *Subject:* Chaining 2 Ranger Plugins for Hive
>
> Hi,
>
> We are planning to use the default HIVE authorization provider and additionally implement a custom Authorization provider as well.
>
> Can we ‘chain’ the new/customized Ranger Plugin for Hive after the existing Ranger Plugin for Hive?
>
> I mean, can we list them as 2 separate plugins in “hive.security.authorization.manager” properties in the hive-site.xml? Ideally we will want the default HIVE authorization to pass before our custom hive authorization provider is called.
>
> So, will this be possible, if we provide the values as comma separated values in the “hive.security.authorization.manager” property?
>
> Thanks,
>
> Raga
>
> *Raghavendran Chellappa*
>
> -----------------------------------------------------------------------------------------
> Virtusa was recently featured in Everest Group's PEAK Matrix for Banking Application Outsourcing, Life Sciences IT Outsourcing and Healthcare Payer Industry IT Outsourcing, Forrester Research's report on major mid-sized offshore IT services vendors, 2013 Forbes List of 100 Best Public Companies In America with revenue less than $1B and won the 2013 Frost & Sullivan Customer Value Leadership Award for System Integration for CEM in Healthcare.
> -----------------------------------------------------------------------------------------
> This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is intended for the addressee only.
> Any unauthorized disclosure, use, dissemination, copying, or distribution of this message or any of its attachments or the information contained in this e-mail, or the taking of any action based on it, is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message.
> -----------------------------------------------------------------------------------------
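
Added example, not part of the original thread and not Ranger's own code: a self-contained Java sketch of option 2 above (custom check first, then fall back to the parent authorizer) that fails closed when the external lookup errors or times out, and records the deny itself because the parent is skipped on that path. BaseAuthorizer is a hypothetical stand-in for RangerHiveAuthorizer; the lookup predicate, user and resource names are constructed.

```java
import java.util.concurrent.*;
import java.util.function.Predicate;

public class ChainedAuthorizerSketch {
    // Hypothetical stand-in for RangerHiveAuthorizer, reduced to one method.
    static class BaseAuthorizer {
        boolean checkPrivileges(String user, String resource) {
            return resource.startsWith("sales."); // constructed "allow" policy
        }
    }
    // Custom check runs first; only if it allows do we fall back to super.
    static class RestBackedAuthorizer extends BaseAuthorizer {
        private final Predicate<String> lookup; // stand-in for the REST call
        private final long timeoutMs;
        private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r); t.setDaemon(true); return t; });
        RestBackedAuthorizer(Predicate<String> lookup, long timeoutMs) {
            this.lookup = lookup; this.timeoutMs = timeoutMs;
        }
        @Override
        boolean checkPrivileges(String user, String resource) {
            Callable<Boolean> call = () -> lookup.test(user + ":" + resource);
            Future<Boolean> f = pool.submit(call);
            boolean customAllow;
            try {
                customAllow = f.get(timeoutMs, TimeUnit.MILLISECONDS);
            } catch (TimeoutException | ExecutionException | InterruptedException e) {
                if (e instanceof InterruptedException) Thread.currentThread().interrupt();
                f.cancel(true);
                customAllow = false; // fail closed: no answer means no access
            }
            if (!customAllow) {
                // super is skipped on this path, so record the decision here
                System.out.println("AUDIT deny user=" + user + " resource=" + resource);
                return false;
            }
            return super.checkPrivileges(user, resource); // both checks must pass
        }
    }
    public static void main(String[] args) {
        Predicate<String> ok = k -> true;
        Predicate<String> down = k -> { throw new IllegalStateException("HTTP 503"); };
        Predicate<String> slow = k -> {
            try { Thread.sleep(5000); } catch (InterruptedException e) { } return true; };
        System.out.println(new RestBackedAuthorizer(ok, 200).checkPrivileges("alice", "sales.orders"));
        System.out.println(new RestBackedAuthorizer(ok, 200).checkPrivileges("alice", "hr.salaries"));
        for (Predicate<String> p : java.util.List.of(down, slow))
            System.out.println(new RestBackedAuthorizer(p, 200).checkPrivileges("alice", "sales.orders"));
    }
}
```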
