Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2017/04/19 22:56:55 UTC

Re: ranger for cassandra

Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based authorization model, which is not a straightforward fit into Ranger's Attribute Based Access Control model.

Including dev list also.

Pinging Bosco / Madhan to give their thoughts.

Thanks,
Ramesh

From: anurag gujral <an...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Wednesday, April 19, 2017 at 3:31 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>
Subject: ranger for cassandra

Hi All,
Can you please share if there is any plan to support Apache Ranger for Cassandra?
Thanks,
Anurag

Re: ranger for cassandra

Posted by anurag gujral <an...@gmail.com>.
Thanks Ramesh and Bosco for chiming in and helping. I will put in the tracing
as suggested by Bosco.
Thanks a lot.
Anurag

On Thu, Apr 20, 2017 at 10:08 PM, Don Bosco Durai <bo...@apache.org> wrote:

> It’s been a while. Here are 2 classes I looked at:
>
> https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328
> e713eaf53c/src/java/org/apache/cassandra/auth/IAuthorizer.java
>
> https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328
> e713eaf53c/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
>
>
>
> I have not looked into how and when this method is called “Set<Permission>
> authorize(AuthenticatedUser user, IResource resource);”
>
>
>
> Anurag, if you have bandwidth, you can put some trace statements in the
> default implementation class and see whether it is called on each resource
> access.
>
>
>
> To give you some context, HBase uses a coprocessor, where you can do the
> permission check and it is called on each get/put/scan, etc. Apache
> Accumulo uses a different model, where the caller passes the security
> context/label and Accumulo server just applies it (trusts the client).
> While in some other applications, during authentication the roles are
> retrieved and the roles are applied throughout the session.
>
>
>
> Understanding the model Cassandra uses will help us come up with the right
> strategy. If it follows the HBase/Hive model, then it should be pretty
> straightforward to write a Ranger plugin by implementing the IAuthorizer
> interface.
>
>
>
> Thanks
>
>
>
> Bosco
>
>
>
>
>
>
>
> *From: *Ramesh Mani <rm...@hortonworks.com>
> *Date: *Wednesday, April 19, 2017 at 3:56 PM
> *To: *"user@ranger.apache.org" <us...@ranger.apache.org>, "
> dev@ranger.apache.org" <de...@ranger.apache.org>
> *Cc: *Don Bosco Durai <bo...@apache.org>, Madhan Neethiraj <
> madhan@apache.org>
> *Subject: *Re: ranger for cassandra
>
>
>
>
>
> Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based
> authorization model, which is not a straightforward fit into Ranger’s
> Attribute Based Access Control model.
>
>
>
> Including dev list also.
>
>
>
> Pinging Bosco / Madhan to give their thoughts.
>
>
>
> Thanks,
>
> Ramesh
>
>
>
> *From: *anurag gujral <an...@gmail.com>
> *Reply-To: *"user@ranger.apache.org" <us...@ranger.apache.org>
> *Date: *Wednesday, April 19, 2017 at 3:31 PM
> *To: *"user@ranger.apache.org" <us...@ranger.apache.org>
> *Subject: *ranger for cassandra
>
>
>
> Hi All,
>
> Can you please share if there is any plan to support Apache Ranger for
> Cassandra?
>
> Thanks,
>
> Anurag
>

Re: ranger for cassandra

Posted by Don Bosco Durai <bo...@apache.org>.
It’s been a while. Here are 2 classes I looked at:

https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/IAuthorizer.java

https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java

 

I have not looked into how and when this method is called “Set<Permission> authorize(AuthenticatedUser user, IResource resource);”

 

Anurag, if you have bandwidth, you can put some trace statements in the default implementation class and see whether it is called on each resource access.

 

To give you some context, HBase uses a coprocessor, where you can do the permission check and it is called on each get/put/scan, etc. Apache Accumulo uses a different model, where the caller passes the security context/label and Accumulo server just applies it (trusts the client). While in some other applications, during authentication the roles are retrieved and the roles are applied throughout the session.

 

Understanding the model Cassandra uses will help us come up with the right strategy. If it follows the HBase/Hive model, then it should be pretty straightforward to write a Ranger plugin by implementing the IAuthorizer interface.

 

Thanks

 

Bosco

 

 

 

From: Ramesh Mani <rm...@hortonworks.com>
Date: Wednesday, April 19, 2017 at 3:56 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>, "dev@ranger.apache.org" <de...@ranger.apache.org>
Cc: Don Bosco Durai <bo...@apache.org>, Madhan Neethiraj <ma...@apache.org>
Subject: Re: ranger for cassandra

 

 

Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based authorization model, which is not a straightforward fit into Ranger’s Attribute Based Access Control model.

 

Including dev list also.

 

Pinging Bosco / Madhan to give their thoughts. 

 

Thanks,

Ramesh

 

From: anurag gujral <an...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Wednesday, April 19, 2017 at 3:31 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>
Subject: ranger for cassandra

 

Hi All, 

Can you please share if there is any plan to support Apache Ranger for Cassandra?

Thanks,

Anurag
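
Added example, not part of the thread and not Cassandra or Ranger code: a self-contained Java program showing what the suggested tracing would reveal, and why the answer matters for revocation. The `Authorizer` interface, the `String` user/resource stand-ins, the `TracingAuthorizer` class and the sample grant are all hypothetical; only the shape of `authorize(user, resource)` follows the method quoted above.

```java
import java.util.*;

// Added illustration; stand-in types, not Cassandra's or Ranger's classes.
public class AuthorizeTraceDemo {
    enum Permission { SELECT, MODIFY }

    // Same shape as the method quoted in the thread, with String stand-ins.
    interface Authorizer { Set<Permission> authorize(String user, String resource); }

    // Tracing decorator: counts and logs every call to authorize().
    static class TracingAuthorizer implements Authorizer {
        final Authorizer delegate;
        int calls = 0;
        TracingAuthorizer(Authorizer delegate) { this.delegate = delegate; }
        public Set<Permission> authorize(String user, String resource) {
            calls++;
            Set<Permission> granted = delegate.authorize(user, resource);
            System.out.printf("TRACE authorize #%d user=%s resource=%s -> %s%n",
                    calls, user, resource, granted);
            return granted;
        }
    }

    public static void main(String[] args) {
        // Constructed policy store: alice may SELECT on ks1.t1 until revoked.
        Map<String, Set<Permission>> grants = new HashMap<>();
        grants.put("alice|ks1.t1", EnumSet.of(Permission.SELECT));
        Authorizer policy = (u, r) ->
                grants.getOrDefault(u + "|" + r, EnumSet.noneOf(Permission.class));

        // Model A: the server calls authorize() on every access.
        TracingAuthorizer perAccess = new TracingAuthorizer(policy);
        // Model B: permissions are resolved once per session and reused.
        TracingAuthorizer perSession = new TracingAuthorizer(policy);
        Set<Permission> sessionCache = perSession.authorize("alice", "ks1.t1");

        for (int i = 1; i <= 3; i++) {
            if (i == 3) grants.remove("alice|ks1.t1"); // revoke mid-session
            boolean a = perAccess.authorize("alice", "ks1.t1").contains(Permission.SELECT);
            boolean b = sessionCache.contains(Permission.SELECT);
            System.out.printf("access %d: per-access=%s per-session=%s%n", i, a, b);
        }
        System.out.printf("authorize() calls: per-access=%d per-session=%d%n",
                perAccess.calls, perSession.calls);
    }
}
```

On the third access the per-access model denies the revoked user while the per-session model still allows it, and the trace shows three calls against one; the same call-count pattern in a real trace tells you which model the server follows and whether a policy change in an external engine would take effect immediately.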

