Posted to dev@ranger.apache.org by Ramesh Mani <rm...@hortonworks.com> on 2017/04/19 22:56:55 UTC
Re: ranger for cassandra
Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based authorization model, which is not a straightforward fit for Ranger's Attribute Based Access Control model.
Including dev list also.
Pinging Bosco / Madhan to give their thoughts.
Thanks,
Ramesh
From: anurag gujral <an...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Wednesday, April 19, 2017 at 3:31 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>
Subject: ranger for cassandra
Hi All,
Can you please share if there is any plan to support Apache Ranger for Cassandra?
Thanks,
Anurag
Re: ranger for cassandra
Posted by anurag gujral <an...@gmail.com>.
Thanks Ramesh and Bosco for chiming in and helping. I will put in the tracing
as suggested by Bosco.
Thanks a lot.
Anurag
On Thu, Apr 20, 2017 at 10:08 PM, Don Bosco Durai <bo...@apache.org> wrote:
> It’s been a while. Here are 2 classes I looked at:
>
> https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/IAuthorizer.java
>
> https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
>
> I have not looked into how and when this method is called: “Set<Permission>
> authorize(AuthenticatedUser user, IResource resource);”
>
> Anurag, if you have bandwidth, you can put some trace statements in the
> default implementation class and see whether it is called on each resource
> access.
>
> To give you some context, HBase uses a coprocessor, where you can do the
> permission check and it is called on each get/put/scan, etc. Apache
> Accumulo uses a different model, where the caller passes the security
> context/label and the Accumulo server just applies it (trusts the client).
> In some other applications, the roles are retrieved during authentication
> and applied throughout the session.
>
> Understanding the model Cassandra uses will help us come up with the right
> strategy. If it follows the HBase/Hive model, then it should be pretty
> straightforward to write a Ranger plugin by implementing the IAuthorizer
> interface.
>
> Thanks
>
> Bosco
>
> *From: *Ramesh Mani <rm...@hortonworks.com>
> *Date: *Wednesday, April 19, 2017 at 3:56 PM
> *To: *"user@ranger.apache.org" <us...@ranger.apache.org>, "dev@ranger.apache.org" <de...@ranger.apache.org>
> *Cc: *Don Bosco Durai <bo...@apache.org>, Madhan Neethiraj <madhan@apache.org>
> *Subject: *Re: ranger for cassandra
>
> Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based
> authorization model, which is not a straightforward fit for Ranger’s
> Attribute Based Access Control model.
>
> Including dev list also.
>
> Pinging Bosco / Madhan to give their thoughts.
>
> Thanks,
>
> Ramesh
>
> *From: *anurag gujral <an...@gmail.com>
> *Reply-To: *"user@ranger.apache.org" <us...@ranger.apache.org>
> *Date: *Wednesday, April 19, 2017 at 3:31 PM
> *To: *"user@ranger.apache.org" <us...@ranger.apache.org>
> *Subject: *ranger for cassandra
>
> Hi All,
>
> Can you please share if there is any plan to support Apache Ranger for
> Cassandra?
>
> Thanks,
>
> Anurag
>
Re: ranger for cassandra
Posted by Don Bosco Durai <bo...@apache.org>.
It’s been a while. Here are 2 classes I looked at:
https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/IAuthorizer.java
https://github.com/apache/cassandra/blob/81f6c784ce967fadb6ed7f58de1328e713eaf53c/src/java/org/apache/cassandra/auth/CassandraAuthorizer.java
I have not looked into how and when this method is called: “Set<Permission> authorize(AuthenticatedUser user, IResource resource);”
Anurag, if you have bandwidth, you can put some trace statements in the default implementation class and see whether it is called on each resource access.
To give you some context, HBase uses a coprocessor, where you can do the permission check and it is called on each get/put/scan, etc. Apache Accumulo uses a different model, where the caller passes the security context/label and the Accumulo server just applies it (trusts the client). In some other applications, the roles are retrieved during authentication and applied throughout the session.
Understanding the model Cassandra uses will help us come up with the right strategy. If it follows the HBase/Hive model, then it should be pretty straightforward to write a Ranger plugin by implementing the IAuthorizer interface.
Thanks
Bosco
From: Ramesh Mani <rm...@hortonworks.com>
Date: Wednesday, April 19, 2017 at 3:56 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>, "dev@ranger.apache.org" <de...@ranger.apache.org>
Cc: Don Bosco Durai <bo...@apache.org>, Madhan Neethiraj <ma...@apache.org>
Subject: Re: ranger for cassandra
Earlier I briefly reviewed the Cassandra authorizer, and it is an RBAC-based authorization model, which is not a straightforward fit for Ranger’s Attribute Based Access Control model.
Including dev list also.
Pinging Bosco / Madhan to give their thoughts.
Thanks,
Ramesh
From: anurag gujral <an...@gmail.com>
Reply-To: "user@ranger.apache.org" <us...@ranger.apache.org>
Date: Wednesday, April 19, 2017 at 3:31 PM
To: "user@ranger.apache.org" <us...@ranger.apache.org>
Subject: ranger for cassandra
Hi All,
Can you please share if there is any plan to support Apache Ranger for Cassandra?
Thanks,
Anurag
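The tracing experiment suggested in the message above, as an added example that is not code from the thread, from Cassandra or from Ranger: a decorator counts calls to `authorize(user, resource)` under a per-access enforcement model and under a session-cached one. The `Authorizer` interface, `Permission` enum, string-typed user and resource, and the `Session` class are hypothetical stand-ins; only the shape of the `authorize` method comes from the thread.

```java
import java.util.*;

// Hypothetical stand-ins for Cassandra's types; only the shape of
// authorize(user, resource) returning a permission set is from the thread.
public class AuthorizeTraceDemo {
    enum Permission { SELECT, MODIFY }
    interface Authorizer { Set<Permission> authorize(String user, String resource); }

    // Decorator that records every call so the call pattern can be inspected.
    static final class TracingAuthorizer implements Authorizer {
        private final Authorizer delegate;
        final Map<String, Integer> calls = new LinkedHashMap<>();
        TracingAuthorizer(Authorizer delegate) { this.delegate = delegate; }

        @Override
        public Set<Permission> authorize(String user, String resource) {
            calls.merge(user + " -> " + resource, 1, Integer::sum);
            return delegate.authorize(user, resource);
        }
    }

    // Model A: the server consults the authorizer on every access.
    static boolean perAccess(Authorizer a, String user, String res, Permission p) {
        return a.authorize(user, res).contains(p);
    }

    // Model B: permissions are resolved once per resource and reused for one user's session.
    static final class Session {
        private final Map<String, Set<Permission>> cache = new HashMap<>();
        boolean check(Authorizer a, String user, String res, Permission p) {
            return cache.computeIfAbsent(res, r -> a.authorize(user, r)).contains(p);
        }
    }

    public static void main(String[] args) {
        // Constructed policy: SELECT is granted on one constructed table name only.
        Authorizer policy = (u, r) -> r.equals("data/ks1/t1")
                ? EnumSet.of(Permission.SELECT) : EnumSet.noneOf(Permission.class);

        TracingAuthorizer a = new TracingAuthorizer(policy);
        for (int i = 0; i < 3; i++) perAccess(a, "alice", "data/ks1/t1", Permission.SELECT);
        System.out.println("per-access calls:     " + a.calls);

        TracingAuthorizer b = new TracingAuthorizer(policy);
        Session s = new Session();
        for (int i = 0; i < 3; i++) s.check(b, "alice", "data/ks1/t1", Permission.SELECT);
        System.out.println("session-cached calls: " + b.calls);
    }
}
```

A count that grows with every statement indicates a per-access hook, where a policy change takes effect on the next request. A count that stays at one per session means decisions are cached, so a plugin would also need a way to invalidate them.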