Add Apache Ranger authorizer plugin #22675

Merged: 1 commit, Nov 23, 2024
1 change: 1 addition & 0 deletions .github/workflows/ci.yml
@@ -881,6 +881,7 @@ jobs:
- suite-delta-lake-databricks143
- suite-delta-lake-databricks154
- suite-databricks-unity-http-hms
- suite-apache-ranger
- suite-gcs
- suite-clients
- suite-functions
6 changes: 6 additions & 0 deletions core/trino-server/src/main/provisio/trino.xml
@@ -33,6 +33,12 @@
</artifactSet>

<!-- Plugins -->
<artifactSet to="plugin/apache-ranger">
<artifact id="${project.groupId}:trino-apache-ranger:zip:${project.version}">
<unpack />
</artifact>
</artifactSet>

<artifactSet to="plugin/bigquery">
<artifact id="${project.groupId}:trino-bigquery:zip:${project.version}">
<unpack />
1 change: 1 addition & 0 deletions docs/src/main/sphinx/security.md
@@ -51,6 +51,7 @@ security/group-file
security/built-in-system-access-control
security/file-system-access-control
security/opa-access-control
security/apache-ranger-access-control
```

## Security inside the cluster
164 changes: 164 additions & 0 deletions docs/src/main/sphinx/security/apache-ranger-access-control.md
@@ -0,0 +1,164 @@
# Apache Ranger access control

The Apache Ranger access control plugin uses Apache Ranger policies to authorize data access in Trino on catalogs, schemas, tables, and columns. The plugin also supports column masking, row filtering, and audit logging.

## Requirements

* Access to an Apache Ranger deployment with the desired authorization policies.
* Access to an audit store using Solr, HDFS, Log4J, or S3 to save audit logs.
* Apache Ranger 2.5.0 or later, which includes the required Trino service definition. Earlier versions of Apache Ranger require updating the service definition to the [version shipped with Ranger 2.5](https://github.com/apache/ranger/blob/ranger-2.5/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json).

## Configuration

To use only Ranger for access control, create the file `etc/access-control.properties` on the coordinator
with the following configuration, and add the configuration properties listed in the table below:

```properties
access-control.name=apache-ranger
```


To combine Ranger access control with file-based or other access control systems, create the file

@mosabua This section could be reused between access control systems documentations. It is quite generic. Or maybe it should not be documented in this place, but maybe on some higher level. WDYT?


Agreed .. but we can do that in a follow up PR. I think we need a new page similar to authentication types but for multiple access control systems.

I will take this on.

`etc/access-control.properties` on the coordinator, with the following configuration that lists
multiple access control configuration file paths:

```properties
access-control.config-files=etc/trino/file-based.properties,etc/trino/apache-ranger.properties
```

List the configuration files in the order in which the different systems
should be consulted for overall access control. Configure each access control
system in its specified file.
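
As a minimal sketch, the two files referenced above might look like the following. The file names come from the `access-control.config-files` example; the rules file path `etc/rules.json` and the service name `dev_trino` are hypothetical placeholders, not values taken from this PR.

```properties
# etc/trino/file-based.properties
# File-based access control; the rules file path is a placeholder.
access-control.name=file
security.config-file=etc/rules.json
```

```properties
# etc/trino/apache-ranger.properties
# Ranger access control; the service name is a placeholder and must
# match a Trino service defined in your Apache Ranger deployment.
access-control.name=apache-ranger
apache-ranger.service.name=dev_trino
```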

The following table lists the configuration properties for the Ranger access control:

:::{list-table} Apache Ranger access control configuration properties
:widths: 30, 70
:header-rows: 1

* - Name
  - Description
* - `apache-ranger.service.name`
  - Name of the Apache Ranger service whose policies the plugin enforces.
* - `apache-ranger.plugin.config.resource`
  - Comma-separated list of Ranger plugin configuration files. Relative paths are resolved by searching the classpath.
* - `apache-ranger.hadoop.config.resource`
  - Comma-separated list of Hadoop configuration files. Relative paths are resolved by searching the classpath.
:::
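
For illustration, a Ranger-only `etc/access-control.properties` that combines these properties could look like the sketch below. The service name `dev_trino` and the absolute `/etc/trino/...` paths are assumptions chosen for the example; the three XML file names match the configuration files described in the following sections.

```properties
access-control.name=apache-ranger

# Hypothetical service name; use the name of the Trino service
# configured in your Apache Ranger deployment.
apache-ranger.service.name=dev_trino

# Hypothetical absolute paths to the Ranger plugin configuration files.
apache-ranger.plugin.config.resource=/etc/trino/ranger-trino-security.xml,/etc/trino/ranger-trino-audit.xml,/etc/trino/ranger-policymgr-ssl.xml
```

Absolute paths are used here only to sidestep classpath lookup; relative paths are resolved against the classpath as noted in the table.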

### ranger-trino-security.xml

```xml
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<property>
<name>ranger.plugin.trino.policy.rest.url</name>
<value>https://ranger-hostname:6182</value>
<description>MANDATORY: a comma separated list of URLs to Apache Ranger instances in a deployment</description>
</property>

<property>
<name>ranger.plugin.trino.access.cluster.name</name>
<value></value>
<description>Name to identify the cluster running the Trino instance. This is recorded in audit logs generated by the plugin</description>
</property>

<property>
<name>ranger.plugin.trino.use.rangerGroups</name>
<value>false</value>
<description>Boolean flag to specify whether user-to-groups mapping should be obtained from Apache Ranger. Default: false</description>
</property>

<property>
<name>ranger.plugin.trino.use.only.rangerGroups</name>
<value>false</value>
<description>Boolean flag. true: use only user-to-groups mapping from Apache Ranger; false: use user-to-groups mappings from Apache Ranger and Trino. Default: false</description>
</property>

<property>
<name>ranger.plugin.trino.super.users</name>
<value></value>
<description>Comma separated list of user names. Superusers will be authorized for all accesses, without requiring explicit policy grants.</description>
</property>

<property>
<name>ranger.plugin.trino.super.groups</name>
<value></value>
<description>Comma separated list of group names. Users in supergroups will be authorized for all accesses, without requiring explicit policy grants</description>
</property>
</configuration>
```

### ranger-trino-audit.xml

```xml
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<property>
<name>xasecure.audit.is.enabled</name>
<value>true</value>
<description>Boolean flag to specify if the plugin should generate access audit logs. Default: true</description>
</property>

<property>
<name>xasecure.audit.solr.is.enabled</name>
<value>false</value>
<description>Boolean flag to specify if audit logs should be stored in Solr. Default: false</description>
</property>

<property>
<name>xasecure.audit.solr.solr_url</name>
<value></value>
<description>URL of the Solr deployment to which the plugin should send access audits</description>
</property>
</configuration>
```

### ranger-policymgr-ssl.xml

```xml
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
<!-- properties used for 2-way SSL between the Trino plugin and Apache Ranger server -->
<property>
<name>xasecure.policymgr.clientssl.keystore</name>
<value></value>
<description>Path to keystore file. Only required for two-way SSL. This property should not be included for one-way SSL</description>
</property>

<property>
<name>xasecure.policymgr.clientssl.keystore.type</name>
<value>jks</value>
<description>Type of keystore. Default: jks</description>
</property>

<property>
<name>xasecure.policymgr.clientssl.keystore.credential.file</name>
<value></value>
<description>Path to credential file for the keystore; the credential should be in alias sslKeyStore. Only required for two-way SSL. This property should not be included for one-way SSL</description>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore</name>
<value></value>
<description>Path to truststore file</description>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore.type</name>
<value>jks</value>
<description>Type of truststore. Default: jks</description>
</property>

<property>
<name>xasecure.policymgr.clientssl.truststore.credential.file</name>
<value></value>
<description>Path to credential file for the truststore; the credential should be in alias sslTrustStore</description>

@lozbrown - supporting this Trino way of handling secrets will require enhancements in the Apache Ranger library. I suggest tracking this in the Apache Ranger community, and updating the plugin once an Apache Ranger release includes the enhancements. This shouldn't be a blocker for this PR.

@lozbrown lozbrown Oct 25, 2024


@mneethiraj I'm very eager to see merged soon too...I watched the contributor call this morning hoping this would have come up but alas no. I agree that at this point I'd rather see it merged as is.

Getting that secret file into the pod without exposing the secret in source control, will be a pain in the proverbial but we'll work it out.

Is there any way not to need that if we're only using 1 way SSL and the ca certs in trust store are not secrets?

</property>
</configuration>
```
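
The property descriptions above state that the keystore properties should not be included for one-way SSL. A minimal sketch of a one-way SSL `ranger-policymgr-ssl.xml` under that reading keeps only the truststore properties. The truststore and credential file paths are hypothetical placeholders, and the exact credential file format expected by the Ranger library should be verified against the Apache Ranger documentation.

```xml
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
  <!-- One-way SSL: the keystore properties are omitted entirely -->
  <property>
    <name>xasecure.policymgr.clientssl.truststore</name>
    <!-- Hypothetical path to the truststore file -->
    <value>/etc/trino/ranger-truststore.jks</value>
  </property>

  <property>
    <name>xasecure.policymgr.clientssl.truststore.type</name>
    <value>jks</value>
  </property>

  <property>
    <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
    <!-- Hypothetical path; the credential is expected in alias sslTrustStore -->
    <value>/etc/trino/ranger-truststore-credential.jceks</value>
  </property>
</configuration>
```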

## Required policies

* Users need permission to execute queries in Trino. Without an Apache Ranger policy that grants this permission, users cannot execute any query.
  * To allow this, create a policy in Apache Ranger for the `queryId` resource with value `*`, granting the `execute` permission to user `{USER}`.
* Users need permission to impersonate themselves in Trino. Without an Apache Ranger policy that grants this permission, users cannot execute any query.
  * To allow this, create a policy in Apache Ranger for the `trinouser` resource with value `{USER}`, granting the `impersonate` permission to user `{USER}`.
@@ -42,6 +42,9 @@ Trino offers the following built-in system access control implementations:
* - `opa`
- Use Open Policy Agent (OPA) for authorization. See
[](/security/opa-access-control).
* - `apache-ranger`
- Use Apache Ranger policies for authorization. See
[](/security/apache-ranger-access-control).
:::

If you want to limit access on a system level in any other way than the ones
3 changes: 3 additions & 0 deletions docs/src/main/sphinx/security/overview.md
@@ -116,6 +116,9 @@ To implement access control, use:
the catalog, schema, or table level.
- [](opa-access-control), where you use Open Policy Agent to make access control
decisions on a fine-grained level.
- [](apache-ranger-access-control), where you use Apache Ranger to make fine-grained
access control decisions, apply dynamic row-filters and column-masking at
query execution time, and generate audit logs.

In addition, Trino {doc}`provides an API </develop/system-access-control>` that
allows you to create a custom access control method, or to extend an existing