Access Control
To control user access to databases/tables, use an `access_control` configuration in one of two ways:
- Engine-wide configuration
- Authentication-based configuration
An access control spec object in Shib has two elements: `databases` and `default`.
```js
{
  databases: {
    secret: { default: "deny" },
    member: { default: "deny", allow: ["users"] },
    test: { default: "allow", deny: ["secretData", "userMaster"] },
  },
  default: "allow"
}
```
- `default`: `allow` or `deny`
  - The default rule that controls databases which are not found in `databases`
  - `allow`: databases are visible and queries against them are allowed
  - `deny`: databases are invisible and queries against them are prohibited
- `databases`: object which contains database names as keys, and rule objects as values
A rule object defines the rules for one database:
```js
{ default: "deny" }
{ default: "allow" }
{ default: "deny", allow: [ "public", "testdata" ] }
{ default: "allow", deny: [ "secret", "customers" ] }
```
- `default`: `allow` or `deny`
  - defines the default rule for tables that are not described
  - a database specified as `default: "deny"` without any tables specified in `allow` is invisible
- `allow`: array of table names to show and to allow queries against
- `deny`: array of table names to hide and to prohibit queries against
Engine-wide configuration limits the accessible databases/tables for everybody: a Shib instance configured this way cannot execute any query against the forbidden databases/tables.
Engine-wide configurations are written in the `executer` section of an entry in `engines`:
```js
executer: {
  name: 'presto',
  host: 'coordinator.p.cluster.local',
  port: 8080,
  catalog: 'hive',
  support_database: true,
  default_database: 'default',
  query_timeout: 30,
  setup_queries: [],
  access_control: {
    databases: {
      secret: { default: "deny" },
      member: { default: "deny", allow: ["users"] },
      test: { default: "allow", deny: ["secretData", "userMaster"] },
    },
    default: "allow"
  }
},
```
The value of the `access_control` key is an access control object.
Shib has an authentication feature that logs the username for each query execution.
Shib's authentication feature can also do access control with its account information: an engine's access control can delegate its ACL to the authentication configuration.
```js
/* config.js */
var servers = exports.servers = {
  // many standard configurations ...
  engines: [
    { label: 'mycluster1',
      executer: {
        name: 'hiveserver2',
        host: 'hs2.mycluster1.local',
        port: 10000,
        username: 'hive',
        support_database: true,
        access_control: { delegate: 'auth' }
      },
      monitor: null
    },
  ],
  auth: {
    type: 'http_custom_header',
    // authentication settings.
    require_always: true, // or false
    access_control: {
      users: {
        username1: $access_control_object,
        username2: $access_control_object
      },
      /* 'groups' is supported only in 'http_custom_header' module
      groups: {
        groupA: $access_control_object,
        groupB: $access_control_object
      },
      order: ["group", "user"],
      */
      default: 'deny'
    }
  }
};
```
Specify `access_control: { delegate: "auth" }` in an engine setting to delegate its access control to the authentication feature.
The `auth` section has just one access control configuration, which specifies an access control object per user (or per group). All rules are resolved by database/table names, for every engine that specifies `delegate: "auth"`.
- `users` (or `groups`): object with user names (or group names) as keys and access control objects as values
- `default`: `allow` or `deny`
  - specifies whether to allow or deny users who are not described
- `order`: array like `["group", "user"]`
  - specifies the order of priority when both `users` and `groups` are enabled
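How an engine with `delegate: 'auth'` would pick the access control object for a given user, written as an added example (not Shib's own code). `resolveAccessControl`, `effectiveAccessControl`, the `DENY_ALL`/`ALLOW_ALL` fallback objects and the sample users and groups are assumptions for illustration; the reading that the first kind listed in `order` that matches the user wins is also this example's interpretation of the priority rule:

```javascript
// Added example, not Shib's own code. Resolves the effective access control
// object for a user under an `auth.access_control` section with `users`,
// `groups`, `order` and `default`. Names below are assumptions.

// Fallback objects for users matched by neither `users` nor `groups`.
const DENY_ALL = { databases: {}, default: "deny" };
const ALLOW_ALL = { databases: {}, default: "allow" };

// Constructed sample shaped like the `auth.access_control` section above.
const AUTH_ACCESS_CONTROL = {
  users: {
    alice: { databases: { secret: { default: "allow" } }, default: "allow" },
  },
  groups: {
    analysts: { databases: { secret: { default: "deny" } }, default: "allow" },
  },
  order: ["group", "user"],
  default: "deny",
};

// Returns the access control object for `username`, who belongs to the groups
// in `groups` (as the http_custom_header module would supply them).
// Kinds in `order` are tried in sequence; the first that matches wins.
function resolveAccessControl(config, username, groups) {
  const order = config.order || ["user", "group"]; // assumed fallback order
  for (const kind of order) {
    if (kind === "user" && config.users && config.users[username]) {
      return config.users[username];
    }
    if (kind === "group" && config.groups) {
      for (const g of groups || []) {
        if (config.groups[g]) return config.groups[g];
      }
    }
  }
  // Nobody matched: apply the section-wide default.
  return config.default === "allow" ? ALLOW_ALL : DENY_ALL;
}

// Engines opt into auth-based resolution with `access_control: { delegate: 'auth' }`;
// any other engine keeps its own engine-wide object (or no restriction).
function effectiveAccessControl(engine, authConfig, username, groups) {
  const ac = engine.executer.access_control;
  if (ac && ac.delegate === "auth") {
    return resolveAccessControl(authConfig, username, groups);
  }
  return ac || ALLOW_ALL;
}
```

With `order: ["group", "user"]`, a user in `analysts` gets the group object even when a `users` entry exists for them; reversing the order makes the per-user entry win, and an unknown user falls through to the `default: "deny"` object.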