[#6110] doc(authz): Add document for chain authorization plugin #6115

Merged (5 commits), Jan 10, 2025
53 changes: 51 additions & 2 deletions docs/security/authorization-pushdown.md
@@ -21,12 +21,16 @@ In order to use the Ranger Hadoop SQL Plugin, you need to configure the followin
|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|---------------|----------|------------------|
| `authorization-provider` | Providers to use to implement authorization plugin such as `ranger`. | (none) | No | 0.6.0-incubating |
| `authorization.ranger.admin.url` | The Apache Ranger web URIs. | (none) | No | 0.6.0-incubating |
| `authorization.ranger.service.type` | The Apache Ranger service type, Currently only supports `HadoopSQL` or `HDFS` | (none) | No | 0.8.0-incubating |
| `authorization.ranger.auth.type` | The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating |
| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none) | No | 0.6.0-incubating |
| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none) | No | 0.6.0-incubating |
| `authorization.ranger.service.type` | The Apache Ranger service type. | (none) | No | 0.8.0-incubating |
| `authorization.ranger.service.name` | The Apache Ranger service name. | (none) | No | 0.6.0-incubating |

:::caution
The Gravitino Ranger authorization plugin only supports the Apache Ranger HadoopSQL Plugin and Apache Ranger HDFS Plugin.
:::

Once you have used the correct configuration, you can perform authorization operations by calling Gravitino [authorization RESTful API](https://gravitino.apache.org/docs/latest/api/rest/grant-roles-to-a-user).

Gravitino will initially create three roles in Apache Ranger:
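Review bot: The table in this hunk now lists `authorization.ranger.service.type` twice: the new row ("The Apache Ranger service type, Currently only supports `HadoopSQL` or `HDFS`") and the pre-existing row just below `authorization.ranger.password` ("The Apache Ranger service type."), both marked Since 0.8.0-incubating. Remove the older row so the table has a single definition, and turn the comma in the new description into a period ("The Apache Ranger service type. Currently only supports `HadoopSQL` or `HDFS`."). While here, the `authorization.ranger.username` description would read better as "Must have Ranger administrator permission." instead of "Need have Ranger administrator permission."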
@@ -55,4 +59,49 @@ authorization.ranger.service.name=hiveRepo
Gravitino 0.8.0 only supports the authorization Apache Ranger Hive service , Apache Iceberg service and Apache Paimon Service.
Spark can use Kyuubi authorization plugin to access Gravitino's catalog. But the plugin can't support to update or delete data for Paimon catalog.
More data source authorization is under development.
:::
:::

### chain authorization plugin

Gravitino supports chaining multiple authorization plugins to secure one catalog.
The authorization plugin chain is defined in the `authorization.chain.plugins` property, with the plugin names separated by commas.
When a user performs an authorization operation on data within a catalog, the chained plugin will apply the authorization rules for every plugin defined in the chain.

In order to use the chained authorization plugin, you need to configure the following properties:

| Property Name | Description | Default Value | Required | Since Version |
|-----------------------------------------------------------|-------------------------------------------------------------------------------------------|---------------|-----------------------------|------------------|
| `authorization-provider` | Providers to use to implement authorization plugin such as `chain` | (none) | No | 0.8.0-incubating |
| `authorization.chain.plugins` | The comma-separated list of plugin names, just like `${plugin-name1},${plugin-name2},...` | (none) | Yes if you use chain plugin | 0.8.0-incubating |
| `authorization.chain.${plugin-name}.ranger.admin.url` | The Ranger authorization plugin properties of the `${plugin-name}` | (none) | Yes if you use chain plugin | 0.8.0-incubating |
| `authorization.chain.${plugin-name}.ranger.service.type` | The Ranger authorization plugin properties of the `${plugin-name}` | (none) | Yes if you use chain plugin | 0.8.0-incubating |
| `authorization.chain.${plugin-name}.ranger.service.name` | The Ranger authorization plugin properties of the `${plugin-name}` | (none) | Yes if you use chain plugin | 0.8.0-incubating |
| `authorization.chain.${plugin-name}.ranger.username` | The Ranger authorization plugin properties of the `${plugin-name}` | (none) | Yes if you use chain plugin | 0.8.0-incubating |
| `authorization.chain.${plugin-name}.ranger.password` | The Ranger authorization plugin properties of the `${plugin-name}` | (none) | Yes if you use chain plugin | 0.8.0-incubating |

:::caution
The Gravitino chain authorization plugin only supports the Apache Ranger HadoopSQL Plugin and Apache Ranger HDFS Plugin.
The properties of every chained plugin in the authorization should be configured with the `authorization.chain.${plugin-name}` as the prefix.
:::

#### Example of using the chain authorization Plugin

Suppose you have an Apache Hive service in your datacenter and have created a `hiveRepo` in Apache Ranger to manage its permissions.
Contributor comment:

What does "You have created" mean?
The four (sub-)sentences there are all assumptions?

Contributor Author reply:

Yes, they are assumptions.

The Apache Hive service will use HDFS to store its data. You have created a `hdfsRepo` in Apache Ranger to manage HDFS's permissions.

```properties
authorization-provider=chain
authorization.chain.plugins=hive,hdfs
authorization.chain.hive.ranger.admin.url=http://ranger-service:6080
authorization.chain.hive.ranger.service.type=HadoopSQL
authorization.chain.hive.ranger.service.name=hiveRepo
authorization.chain.hive.ranger.auth.type=simple
authorization.chain.hive.ranger.username=Jack
authorization.chain.hive.ranger.password=PWD123
authorization.chain.hdfs.ranger.admin.url=http://ranger-service:6080
authorization.chain.hdfs.ranger.service.type=HDFS
authorization.chain.hdfs.ranger.service.name=hdfsRepo
authorization.chain.hdfs.ranger.auth.type=simple
authorization.chain.hdfs.ranger.username=Jack
authorization.chain.hdfs.ranger.password=PWD123
```
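Review bot: The example sets `authorization.chain.hive.ranger.auth.type` and `authorization.chain.hdfs.ranger.auth.type`, but the chain property table above has no row for `authorization.chain.${plugin-name}.ranger.auth.type`; add one, mirroring the `authorization.ranger.auth.type` row of the Ranger table (default `simple`, values `simple` or `kerberos`). The five `authorization.chain.${plugin-name}.ranger.*` rows all carry the identical description "The Ranger authorization plugin properties of the `${plugin-name}`", so a reader cannot tell what each sets; either point each at its counterpart in the Ranger table (admin URL, service type, service name, username, password) or collapse them into one row documenting the `authorization.chain.${plugin-name}.ranger.*` prefix, which is what the caution block already says. Because `authorization.chain.${plugin-name}.ranger.password` carries a Ranger admin password or keytab path in plain text in the catalog properties, a sentence next to the example saying so (the example shows `PWD123` for both plugins) would help operators decide where to store it. Minor: the heading "### chain authorization plugin" should be capitalized like the other headings in this file.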