
[Subtask] Extended Apache Ranger authorization by configuration #4698

Closed
Tracked by #4615
xunliu opened this issue Aug 27, 2024 · 3 comments · Fixed by #4744
Labels: 0.7.0 Release v0.7.0, subtask (Subtasks of umbrella issue)

Comments

xunliu (Member) commented Aug 27, 2024

Describe the subtask

Currently, we are implementing the AuthorizationPlugin interface in the Ranger authorization class RangerAuthorizationPlugin. The RangerAuthorizationPlugin supports common Ranger policy operations, for example:

  1. Create a Ranger policy on a Gravitino securable object,
  2. Create a Ranger role on a Gravitino role entity
  3. And more Ranger operations ...

When we need to support a new Ranger service (HDFS, Trino, ...), we only need to initialize different values of RangerHelper.ownerPrivileges, RangerHelper.privilegesMapping, RangerHelper.policySearchKeys and RangerHelper.policyPreciseFilterKeys.

To make it easier to support different Ranger authorizations, I think we can extend the Ranger authorization through a configuration file, for example:

  1. RangerHelper reads the authorization-hdfs.xml file to initialize RangerHelper.ownerPrivileges, privilegesMapping, policySearchKeys and policyPreciseFilterKeys to support Ranger HDFS authorizations.
  2. RangerHelper reads the authorization-trino.xml file to support Ranger Trino authorizations.

Authorization configuration file

  1. Use properties format
  2. authorization-hive.properties
# Ranger Hive privileges enum RangerHivePrivilege: create, alter, drop, index, lock, select, insert, update, delete, read, write, all
# defined in the `authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/reference/RangerDefines.java`
# Case insensitive
gravitino.authorization.owner.privileges = all

# Gravitino privileges defined in the `api/src/main/java/org/apache/gravitino/authorization/Privilege.java`
# authorization.privilege.mapping.<Gravitino-Privilege> = <Ranger-Privilege>,<Ranger-Privilege>,...
gravitino.authorization.privilege.mapping.CREATE_SCHEMA = create
gravitino.authorization.privilege.mapping.CREATE_TABLE = create
gravitino.authorization.privilege.mapping.SELECT_TABLE = read,select
gravitino.authorization.privilege.mapping.MODIFY_TABLE = update,alter,write

# Ranger policy resource defines (fixed configuration, do not change)
gravitino.authorization.ranger.policy.resource.defines = database,table,column

Parent issue

#4615

@xunliu xunliu added the subtask Subtasks of umbrella issue label Aug 27, 2024
@xunliu xunliu self-assigned this Aug 27, 2024
xunliu (Member, Author) commented Aug 27, 2024

Hi @lw-yang,
I think using the property authorization.owner.multiple = true will support multiple users or groups, but only one of them can be supported at the same time.
What do you think?

@xunliu xunliu added this to the Gravitino 0.7.0 milestone Aug 27, 2024
lw-yang (Contributor) commented Aug 27, 2024

@xunliu We can set authorization.privileges.mapping.MODIFY_TABLE=ACCESS_TYPE_HIVE_DROP,... to resolve the limitation that only the owner has the delete permission.

So in my opinion, a config file for Ranger that supports 'authorization.owner.multiple' is not necessary. Our requirement is that Gravitino's owner permission model supports multiple owners having delete permissions.
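As an added example (not Gravitino's code, nor code from either commenter), the Python script below shows how the configuration-driven approach from the issue description could be loaded and validated: it parses the authorization-hive.properties layout shown above, rejects any Ranger privilege name outside the RangerDefines list quoted in the issue (so a misspelled mapping fails at load time instead of silently producing an unexpected policy), and resolves a Gravitino privilege to the Ranger privileges it expands to, including the extra drop mapping for MODIFY_TABLE that lw-yang proposes (written here with the lowercase name from the issue's list rather than ACCESS_TYPE_HIVE_DROP). The property keys are taken from the issue; the class and function names and the sample file are assumptions made for this example, and Gravitino's own loader is Java, not this script.

```python
"""Load and validate a Ranger authorization .properties file (illustrative, not Gravitino's code)."""
from dataclasses import dataclass

# Ranger Hive privilege names listed in the issue (RangerDefines); matched case-insensitively.
RANGER_HIVE_PRIVILEGES = frozenset({
    "create", "alter", "drop", "index", "lock", "select",
    "insert", "update", "delete", "read", "write", "all",
})

# Property keys as they appear in the issue's authorization-hive.properties sketch.
PREFIX = "gravitino.authorization."
OWNER_KEY = PREFIX + "owner.privileges"
MAPPING_PREFIX = PREFIX + "privilege.mapping."
RESOURCE_KEY = PREFIX + "ranger.policy.resource.defines"


@dataclass(frozen=True)
class RangerAuthorizationConfig:
    """Hypothetical in-memory form of the values RangerHelper would be initialized with."""
    owner_privileges: frozenset            # Ranger privileges granted to the owner
    privileges_mapping: dict               # Gravitino privilege -> frozenset of Ranger privileges
    policy_resource_defines: tuple         # Ranger policy resource hierarchy, e.g. database/table/column

    def ranger_privileges_for(self, gravitino_privilege: str) -> frozenset:
        """Ranger privileges a Gravitino privilege grants; an unmapped privilege grants nothing."""
        return self.privileges_mapping.get(gravitino_privilege.upper(), frozenset())


def _parse_properties(text: str) -> dict:
    """Minimal .properties reader: '#'/'!' comment lines, 'key = value', blank lines ignored."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _split_privileges(value: str, key: str) -> frozenset:
    """Split a comma list of Ranger privileges, normalize case, and reject unknown names."""
    privs = frozenset(p.strip().lower() for p in value.split(",") if p.strip())
    if not privs:
        raise ValueError(f"{key}: empty privilege list")
    unknown = privs - RANGER_HIVE_PRIVILEGES
    if unknown:
        raise ValueError(f"{key}: unknown Ranger privilege(s) {sorted(unknown)}")
    return privs


def load_ranger_authorization_config(text: str) -> RangerAuthorizationConfig:
    """Build the config from properties text; any invalid entry aborts the whole load."""
    props = _parse_properties(text)
    if OWNER_KEY not in props:
        raise ValueError(f"missing required key {OWNER_KEY}")
    owner = _split_privileges(props[OWNER_KEY], OWNER_KEY)
    mapping = {}
    for key, value in props.items():
        if key.startswith(MAPPING_PREFIX):
            gravitino_priv = key[len(MAPPING_PREFIX):].upper()   # Gravitino side is case-insensitive too
            mapping[gravitino_priv] = _split_privileges(value, key)
    resources = tuple(r.strip() for r in props.get(RESOURCE_KEY, "").split(",") if r.strip())
    return RangerAuthorizationConfig(owner, mapping, resources)


# Constructed sample mirroring the issue's file, with lw-yang's suggested
# drop privilege added to MODIFY_TABLE so non-owner roles can also drop tables.
SAMPLE_HIVE_PROPERTIES = """\
# Ranger Hive privileges, case insensitive
gravitino.authorization.owner.privileges = all
# authorization.privilege.mapping.<Gravitino-Privilege> = <Ranger-Privilege>,...
gravitino.authorization.privilege.mapping.CREATE_SCHEMA = create
gravitino.authorization.privilege.mapping.CREATE_TABLE = create
gravitino.authorization.privilege.mapping.SELECT_TABLE = read,select
gravitino.authorization.privilege.mapping.MODIFY_TABLE = update,alter,write,drop
gravitino.authorization.ranger.policy.resource.defines = database,table,column
"""

if __name__ == "__main__":
    cfg = load_ranger_authorization_config(SAMPLE_HIVE_PROPERTIES)
    print("owner ->", sorted(cfg.owner_privileges))
    print("MODIFY_TABLE ->", sorted(cfg.ranger_privileges_for("MODIFY_TABLE")))
```

The loader deliberately refuses the whole file when any mapping names a privilege that is not in the known Ranger set: a Ranger policy built from a half-loaded mapping would grant fewer or different access types than the administrator wrote, which is harder to notice than a startup failure.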

xunliu (Member, Author) commented Aug 29, 2024

> @xunliu We can set authorization.privileges.mapping.MODIFY_TABLE=ACCESS_TYPE_HIVE_DROP,... to resolve the limitation that only the owner has the delete permission.
>
> so in my opinion, config file for ranger that supports the 'authorization.owner.multiple' is not neccessary. Our requirement is that Gravitino's owner permission model supports multiple owners having delete permissions.

Thank you for your suggestion. I accepted.

xunliu added a commit to xunliu/gravitino that referenced this issue Aug 29, 2024
xunliu added a commit to xunliu/gravitino that referenced this issue Sep 10, 2024
xunliu added a commit to xunliu/gravitino that referenced this issue Sep 18, 2024
@jerryshao jerryshao added the 0.7.0 Release v0.7.0 label Sep 19, 2024