Please find the answer below.

From: Aruna Sivaram <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, December 10, 2015 at 8:34 PM
To: "[email protected]" <[email protected]>
Subject: Re: Queries on the development for a new custom plugin

Thanks for your quick response. Please find my queries inline.

On Fri, Dec 11, 2015 at 4:55 AM, Ramesh Mani <[email protected]> wrote:

If you have created a CustomService, and if you want to authorize the access of components/resources in your CustomService, then you need to have a default authorizer in your CustomService to do authorization, which you will extend in your Ranger custom plugin and which will be called when your CustomService needs an authorization check.

[Aruna]: It would be great if you could provide a snippet/example where the authoriser code present in the plugin is invoked by the existing services (hive/hdfs/storm/kafka) for authorisation. This would give me a better picture as to how it exactly works.

[RM] Each service dictates how to register the custom authorizer with it. So you need to refer to the respective service's authorization mechanism.

For logging, as you had seen, it uses log4j. You can have a log4j appender in the log4j.properties and get the log. All hadoop components have their log4j properties file where it specifies the location it puts the log. By default it is /var/log/hadoop/ for hadoop.

[Aruna]: There are many log4j.properties in the ranger code base and there is no specific log4j.properties for each of the plugins. Hence, which log4j.properties do I need to modify? My aim is to see all the logs generated by my custom plugin. This would enable me to debug the code better.

[RM] Here also each service provides its log4j.properties file and that is where you define the appender for ranger also.

[Aruna]: The other thing I wanted to know was how does one start the plugin, or rather initiate the plugin which polls for the policies. I see that the enable-<service>-plugin.sh scripts set the environment and copy property files to the right locations, but I don't see where the authoriser is instantiated in order to invoke the init() method of the RangerbasePlugin.

[RM] This is already in the wiki page.

Thanks for all your help
Aruna

From: Aruna Sivaram <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, December 9, 2015 at 9:45 PM
To: "[email protected]" <[email protected]>
Subject: Queries on the development for a new custom plugin

I am using ranger 0.5 for the access control. We are planning to develop a custom plugin which we plan to integrate with the ranger framework. This custom plugin will be used for access control of our components. In order to explore this possibility, I have written a custom plugin as per the example given in the link https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=53741207

Since this is a custom plugin, my authoriser class (CustomServiceAuthoriser) will not be extending any of the hadoop security classes (e.g. in case of storm or hive, the RangerStormAuthoriser implements IAuthorizer and RangerYarnAuthorizer extends YarnAuthorizationProvider).

I have created the repository and policies for the same through the REST web service. I have written the custom service authoriser as per the example and deployed the same on the sandbox. I have a service named CustomService. What I wanted to know is how the customservice will communicate with my customserviceauthoriser which is contained in my plugin. Currently I don't find any documentation which talks about the mode of communication, or rather how the plugin class will be invoked by the service. I am relatively new to ranger so maybe I am missing something?

Also, I would like to know the location of the log where each of the plugin classes would be logging. This will help us in debugging the flow. I see a lot of log statements in the ranger plugin code base but am unable to find the location of the logs.

Secondly, can ranger be used to develop custom plugins for access control of non hadoop components?

Any help from your end would be appreciated.

--
Regards
Aruna Sivaram
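
The following is an added example, not code from this thread or from the Ranger project: a sketch of how a non-Hadoop service can instantiate the plugin itself and call it at its own enforcement point, using the RangerBasePlugin, RangerAccessRequestImpl, RangerAccessResourceImpl and RangerDefaultAuditHandler classes from the Ranger plugin library. The class name, the service type and app id "customservice", and the resource key "path" are assumptions and must match the service definition registered in Ranger Admin.

```java
import java.util.Set;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

// Hypothetical authorizer that CustomService calls directly; no Hadoop
// authorizer interface is involved.
public final class CustomServiceAuthorizer {

    private static volatile RangerBasePlugin plugin;

    private CustomServiceAuthorizer() { }

    // Call once from CustomService start-up code. init() reads the plugin
    // configuration from the classpath and starts the policy refresher.
    public static synchronized void init() {
        if (plugin == null) {
            // "customservice" (service type and app id) is an assumed name.
            RangerBasePlugin p = new RangerBasePlugin("customservice", "customservice");
            p.init();
            p.setResultProcessor(new RangerDefaultAuditHandler());
            plugin = p;
        }
    }

    // Call from every code path in CustomService that touches a protected
    // resource. Returns false unless a policy explicitly allows the access.
    public static boolean isAllowed(String user, Set<String> groups,
                                    String path, String accessType) {
        RangerBasePlugin p = plugin;
        if (p == null || user == null || path == null) {
            return false; // fail closed: plugin not initialised or bad input
        }
        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("path", path); // "path" is an assumed resource key

        RangerAccessRequestImpl request =
                new RangerAccessRequestImpl(resource, accessType, user, groups);

        RangerAccessResult result = p.isAccessAllowed(request);
        return result != null && result.getIsAllowed();
    }
}
```

Because the plugin runs inside the CustomService process, its log statements go through whatever log4j configuration that process loads.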
