-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Co-authored-by: lozbrown <[email protected]> Co-authored-by: Grzegorz Kokosiński <[email protected]>
- Loading branch information
1 parent
d34e358
commit bfd77c4
Showing
30 changed files
with
3,114 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
164 changes: 164 additions & 0 deletions
164
docs/src/main/sphinx/security/apache-ranger-access-control.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,164 @@ | ||
# Apache Ranger access control | ||
|
||
The Apache Ranger access control plugin supports use of Apache Ranger policies to authorize data access in Trino on catalogs, schemas, tables, and columns. The plugin also supports column-masking, row-filtering and audit logging. | ||
|
||
## Requirements | ||
|
||
* Access to a Apache Ranger deployment with the desired authorization policies. | ||
* Access to an audit store using Solr, HDFS, Log4J, or S3 to save audit logs. | ||
* Apache Ranger 2.5.0 and greater include the required Trino service definition. Earlier versions of Apache Ranger require an update of the service definition available in the version [here]( | ||
https://github.com/apache/ranger/blob/ranger-2.5/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json). | ||
|
||
## Configuration | ||
|
||
To use only Ranger for access control, create the file `etc/access-control.properties` on the coordinator, | ||
with the following configuration, and configurations listed in the table below: | ||
|
||
```properties | ||
access-control.name=apache-ranger | ||
``` | ||
|
||
|
||
To combine Ranger access control with file-based or other access control systems, create the file | ||
`etc/access-control.properties` on the coordinator, with the following configuration that lists | ||
multiple access control configuration file paths: | ||
|
||
```properties | ||
access-control.config-files=etc/trino/file-based.properties,etc/trino/apache-ranger.properties | ||
``` | ||
|
||
Order the configuration files list in the desired order of the different systems | ||
for overall access control. Configure each access-control system in the | ||
specified files. | ||
|
||
The following table lists the configuration properties for the Ranger access control: | ||
|
||
:::{list-table} Apache Ranger access control configuration properties | ||
:widths: 30, 70 | ||
:header-rows: 1 | ||
|
||
* - Name | ||
- Description | ||
* - `apache-ranger.service.name` | ||
- Name of the service having policies to be enforced by the plugin | ||
* - `apache-ranger.plugin.config.resource` | ||
- List of Ranger plugin configuration files, comma separated. Relative paths will be resolved dynamically by searching in the classpath. | ||
* - `apache-ranger.hadoop.config.resource` | ||
- List of Hadoop configuration files, comma separated. Relative paths will be resolved dynamically by searching in the classpath. | ||
::: | ||
|
||
### ranger-trino-security.xml | ||
``` | ||
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> | ||
<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
<property> | ||
<name>ranger.plugin.trino.policy.rest.url</name> | ||
<value>https://ranger-hostname:6182</value> | ||
<description>MANDATORY: a comma separated list of URLs to Apache Ranger instances in a deployment</description> | ||
</property> | ||
<property> | ||
<name>ranger.plugin.trino.access.cluster.name</name> | ||
<value></value> | ||
<description>Name to identify the cluster running the Trino instance. This is recorded in audit logs generated by the plugin</description> | ||
</property> | ||
<property> | ||
<name>ranger.plugin.trino.use.rangerGroups</name> | ||
<value>false</value> | ||
<description>Boolean flag to specify whether user-to-groups mapping should be obtained from in Apache Ranger. Default: false</description> | ||
</property> | ||
<property> | ||
<name>ranger.plugin.trino.use.only.rangerGroups</name> | ||
<value>false</value> | ||
<description>Boolean flag. true: use only user-to-groups mapping from Apache Ranger; false: use user-to-groups mappings from Apache Ranger and Trino. Default: false</description> | ||
</property> | ||
<property> | ||
<name>ranger.plugin.trino.super.users</name> | ||
<value></value> | ||
<description>Comma separated list of user names. Superusers will be authorized for all accesses, without requiring explicit policy grants.</description> | ||
</property> | ||
<property> | ||
<name>ranger.plugin.trino.super.groups</name> | ||
<value></value> | ||
<description>Comma separated list of group names. Users in supergroups will be authorized for all accesses, without requiring explicit policy grants</description> | ||
</property> | ||
</configuration> | ||
``` | ||
|
||
### ranger-trino-audit.xml | ||
``` | ||
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> | ||
<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
<property> | ||
<name>xasecure.audit.is.enabled</name> | ||
<value>true</value> | ||
<description>Boolean flag to specify if the plugin should generate access audit logs. Default: true</description> | ||
</property> | ||
<property> | ||
<name>xasecure.audit.solr.is.enabled</name> | ||
<value>false</value> | ||
<description>Boolean flag to specify if audit logs should be stored in Solr. Default: false</description> | ||
</property> | ||
<property> | ||
<name>xasecure.audit.solr.solr_url</name> | ||
<value></value> | ||
<description>URL to Solr deployment where the plugin should send access audits to</description> | ||
</property> | ||
</configuration> | ||
``` | ||
|
||
### ranger-policymgr-ssl.xml | ||
``` | ||
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?> | ||
<configuration xmlns:xi="http://www.w3.org/2001/XInclude"> | ||
<!-- properties used for 2-way SSL between the Trino plugin and Apache Ranger server --> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.keystore</name> | ||
<value></value> | ||
<description>Path to keystore file. Only required for two-way SSL. This property should not be included for one-way SSL</description> | ||
</property> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.keystore.type</name> | ||
<value>jks</value> | ||
<description>Type of keystore. Default: jks</description> | ||
</property> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.keystore.credential.file</name> | ||
<value></value> | ||
<description>Path to credential file for the keystore; the credential should be in alias sslKeyStore. Only required for two-way SSL. This property should not be included for one-way SSL</description> | ||
</property> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.truststore</name> | ||
<value></value> | ||
<description>Path to truststore file</description> | ||
</property> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.truststore.type</name> | ||
<value>jks</value> | ||
<description>Type of truststore. Default: jks</description> | ||
</property> | ||
<property> | ||
<name>xasecure.policymgr.clientssl.truststore.credential.file</name> | ||
<value></value> | ||
<description>Path to credential file for the truststore; the credential should be in alias sslTrustStore</description> | ||
</property> | ||
</configuration> | ||
``` | ||
|
||
## Required policies | ||
|
||
* Users will need permission to execute queries in Trino. Without a policy in Apache Ranger to grant this permission, users will not be able to execute any query. | ||
* To allow this, create a policy in Apache Ranger for `queryId` resource having value `*`, with `execute` permission for user `{USER}`. | ||
* Users will need permission to impersonate themselves in Trino. Without a policy in Apache Ranger to grant this permission, users will not be able to execute any query. | ||
* To allow this, create a policy in Apache Ranger for `trinouser` resource having value `{USER}`, with `impersonate` permission for user `{USER}`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.