You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by pe...@apache.org on 2018/03/11 00:18:17 UTC
[1/2] ranger git commit: RANGER-1672:Ranger supports plugin to enable,
monitor and manage apache kylin
Repository: ranger
Updated Branches:
refs/heads/master 8888b6285 -> 2b1143aba
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/src/main/assembly/plugin-kylin.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/plugin-kylin.xml b/src/main/assembly/plugin-kylin.xml
new file mode 100644
index 0000000..f4e0820
--- /dev/null
+++ b/src/main/assembly/plugin-kylin.xml
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>kylin-plugin</id>
+ <formats>
+ <format>tar.gz</format>
+ <format>zip</format>
+ </formats>
+ <baseDirectory>${project.name}-${project.version}-kylin-plugin</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+ <moduleSets>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <outputDirectory>/lib</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-kylin-plugin-shim</include>
+ <include>org.apache.ranger:ranger-plugin-classloader</include>
+ </includes>
+ </moduleSet>
+
+ <moduleSet>
+ <binaries>
+ <includeDependencies>false</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <dependencySets>
+ <dependencySet>
+ <outputDirectory>/lib/ranger-kylin-plugin-impl</outputDirectory>
+ <unpack>false</unpack>
+ <includes>
+ <include>org.eclipse.persistence:eclipselink</include>
+ <include>org.eclipse.persistence:javax.persistence</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}</include>
+ <include>org.apache.httpcomponents:httpcore:jar:${httpcomponents.httpcore.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>org.apache.solr:solr-solrj</include>
+ </includes>
+ </dependencySet>
+ <dependencySet>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>commons-configuration:commons-configuration:jar:${commons.configuration.version}</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
+ <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
+ <include>com.google.guava:guava:jar:${google.guava.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </dependencySet>
+ </dependencySets>
+ <outputDirectory>/lib/ranger-kylin-plugin-impl</outputDirectory>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-kylin-plugin</include>
+ </includes>
+ </moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>true</includeDependencies>
+ <outputDirectory>/install/lib</outputDirectory>
+ <unpack>false</unpack>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-installer</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ </moduleSet>
+ </moduleSets>
+ <fileSets>
+ <!-- conf.templates for enable -->
+ <fileSet>
+ <outputDirectory>/install/conf.templates/enable</outputDirectory>
+ <directory>plugin-kylin/conf</directory>
+ <excludes>
+ <exclude>*.sh</exclude>
+ </excludes>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/disable</outputDirectory>
+ <directory>plugin-kylin/disable-conf</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>/install/conf.templates/default</outputDirectory>
+ <directory>plugin-kylin/template</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <!-- version file -->
+ <fileSet>
+ <outputDirectory>/</outputDirectory>
+ <directory>${project.build.outputDirectory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+ <!-- enable/disable script for Plugin -->
+ <files>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>enable-kylin-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>disable-kylin-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>plugin-kylin/scripts/install.properties</source>
+ <outputDirectory>/</outputDirectory>
+ <destName>install.properties</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>security-admin/scripts/ranger_credential_helper.py</source>
+ <outputDirectory>/</outputDirectory>
+ <fileMode>755</fileMode>
+ </file>
+ </files>
+</assembly>
[2/2] ranger git commit: RANGER-1672:Ranger supports plugin to enable,
monitor and manage apache kylin
Posted by pe...@apache.org.
RANGER-1672:Ranger supports plugin to enable, monitor and manage apache kylin
Signed-off-by: peng.jianhua <pe...@zte.com.cn>
Project: http://git-wip-us.apache.org/repos/asf/ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/2b1143ab
Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/2b1143ab
Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/2b1143ab
Branch: refs/heads/master
Commit: 2b1143abac2a665bbefbbfcd17b57390094a7a2b
Parents: 8888b62
Author: zhangqiang2 <zh...@zte.com.cn>
Authored: Mon Mar 5 16:07:34 2018 +0800
Committer: peng.jianhua <pe...@zte.com.cn>
Committed: Sun Mar 11 08:17:47 2018 +0800
----------------------------------------------------------------------
agents-common/scripts/enable-agent.sh | 32 ++-
.../plugin/store/EmbeddedServiceDefsUtil.java | 9 +-
.../ranger/plugin/util/PasswordUtils.java | 15 +
.../service-defs/ranger-servicedef-kylin.json | 110 ++++++++
plugin-kylin/.gitignore | 1 +
.../conf/ranger-kylin-audit-changes.cfg | 65 +++++
plugin-kylin/conf/ranger-kylin-audit.xml | 271 ++++++++++++++++++
.../conf/ranger-kylin-security-changes.cfg | 28 ++
plugin-kylin/conf/ranger-kylin-security.xml | 83 ++++++
.../conf/ranger-policymgr-ssl-changes.cfg | 21 ++
plugin-kylin/conf/ranger-policymgr-ssl.xml | 49 ++++
plugin-kylin/pom.xml | 77 +++++
plugin-kylin/scripts/install.properties | 140 +++++++++
.../kylin/authorizer/RangerKylinAuthorizer.java | 182 ++++++++++++
.../services/kylin/RangerServiceKylin.java | 89 ++++++
.../services/kylin/client/KylinClient.java | 282 +++++++++++++++++++
.../services/kylin/client/KylinResourceMgr.java | 97 +++++++
.../client/json/model/KylinProjectResponse.java | 109 +++++++
pom.xml | 4 +
ranger-kylin-plugin-shim/.gitignore | 1 +
ranger-kylin-plugin-shim/pom.xml | 72 +++++
.../kylin/authorizer/RangerKylinAuthorizer.java | 121 ++++++++
src/main/assembly/admin-web.xml | 13 +
src/main/assembly/plugin-kylin.xml | 159 +++++++++++
24 files changed, 2026 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/agents-common/scripts/enable-agent.sh
----------------------------------------------------------------------
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index 7033f79..ce0dc8c 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -208,6 +208,8 @@ elif [ "${HCOMPONENT_NAME}" = "hadoop" ] ||
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/share/hadoop/hdfs/lib
elif [ "${HCOMPONENT_NAME}" = "sqoop" ]; then
HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/server/lib
+elif [ "${HCOMPONENT_NAME}" = "kylin" ]; then
+ HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/tomcat/webapps/kylin/WEB-INF/lib
fi
HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf
@@ -714,9 +716,6 @@ then
updatePropertyToFile atlas.authorizer.impl $authName ${fn}
fi
fi
-#
-# Set notice to restart the ${HCOMPONENT_NAME}
-#
if [ "${HCOMPONENT_NAME}" = "sqoop" ]
then
@@ -741,6 +740,33 @@ then
fi
fi
+if [ "${HCOMPONENT_NAME}" = "kylin" ]
+then
+ if [ "${action}" = "enable" ]
+ then
+ authName="org.apache.ranger.authorization.kylin.authorizer.RangerKylinAuthorizer"
+ else
+ authName=""
+ fi
+
+ dt=`date '+%Y%m%d%H%M%S'`
+ fn=`ls ${HCOMPONENT_CONF_DIR}/kylin.properties 2> /dev/null`
+ if [ -f "${fn}" ]
+ then
+ dn=`dirname ${fn}`
+ bn=`basename ${fn}`
+ bf=${dn}/.${bn}.${dt}
+ echo "backup of ${fn} to ${bf} ..."
+ cp ${fn} ${bf}
+ echo "Add or Update properties file: [${fn}] ... "
+ addOrUpdatePropertyToFile kylin.server.external-acl-provider $authName ${fn}
+ fi
+fi
+
+#
+# Set notice to restart the ${HCOMPONENT_NAME}
+#
+
echo "Ranger Plugin for ${HCOMPONENT_NAME} has been ${action}d. Please restart ${HCOMPONENT_NAME} to ensure that changes are effective."
exit 0
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 899bcac..5e74da8 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -48,7 +48,7 @@ public class EmbeddedServiceDefsUtil {
// following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,sqoop";
+ private static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,sqoop,kylin";
private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
private Set<String> supportedServiceDefs;
public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
@@ -65,6 +65,7 @@ public class EmbeddedServiceDefsUtil {
public static final String EMBEDDED_SERVICEDEF_ATLAS_NAME = "atlas";
public static final String EMBEDDED_SERVICEDEF_WASB_NAME = "wasb";
public static final String EMBEDDED_SERVICEDEF_SQOOP_NAME = "sqoop";
+ public static final String EMBEDDED_SERVICEDEF_KYLIN_NAME = "kylin";
public static final String PROPERTY_CREATE_EMBEDDED_SERVICE_DEFS = "ranger.service.store.create.embedded.service-defs";
@@ -96,6 +97,7 @@ public class EmbeddedServiceDefsUtil {
private RangerServiceDef atlasServiceDef;
private RangerServiceDef wasbServiceDef;
private RangerServiceDef sqoopServiceDef;
+ private RangerServiceDef kylinServiceDef;
private RangerServiceDef tagServiceDef;
@@ -136,6 +138,7 @@ public class EmbeddedServiceDefsUtil {
tagServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_TAG_NAME);
wasbServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_WASB_NAME);
sqoopServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_SQOOP_NAME);
+ kylinServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KYLIN_NAME);
// Ensure that tag service def is updated with access types of all service defs
store.updateTagServiceDefForAccessTypes();
@@ -194,6 +197,10 @@ public class EmbeddedServiceDefsUtil {
return getId(sqoopServiceDef);
}
+ public long getKylinServiceDefId() {
+ return getId(kylinServiceDef);
+ }
+
public long getTagServiceDefId() { return getId(tagServiceDef); }
public long getWasbServiceDefId() { return getId(wasbServiceDef); }
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java
----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java
index 6ba42d4..6480b17 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java
@@ -149,4 +149,19 @@ public class PasswordUtils {
}
return ret;
}
+
+ public static String getDecryptPassword(String password) {
+ String decryptedPwd = null;
+ try {
+ decryptedPwd = decryptPassword(password);
+ } catch (Exception ex) {
+ LOG.warn("Password decryption failed, trying original password string.");
+ decryptedPwd = null;
+ } finally {
+ if (decryptedPwd == null) {
+ decryptedPwd = password;
+ }
+ }
+ return decryptedPwd;
+ }
}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
----------------------------------------------------------------------
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
new file mode 100644
index 0000000..cda3526
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-kylin.json
@@ -0,0 +1,110 @@
+{
+ "id":12,
+ "name": "kylin",
+ "implClass": "org.apache.ranger.services.kylin.RangerServiceKylin",
+ "label": "KYLIN",
+ "description": "KYLIN",
+ "guid": "88ab8471-3e27-40c2-8bd8-458b5b1a9b25",
+ "resources":
+ [
+ {
+ "itemId": 1,
+ "name": "project",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard":true, "ignoreCase":true},
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Kylin Project",
+ "description": "Kylin Project"
+ }
+ ],
+
+ "accessTypes":
+ [
+ {
+ "itemId": 1,
+ "name": "QUERY",
+ "label": "QUERY"
+ },
+
+ {
+ "itemId": 2,
+ "name": "OPERATION",
+ "label": "OPERATION"
+ },
+
+ {
+ "itemId": 3,
+ "name": "MANAGEMENT",
+ "label": "MANAGEMENT"
+ },
+
+ {
+ "itemId": 4,
+ "name": "ADMIN",
+ "label": "ADMIN"
+ }
+ ],
+
+ "configs":
+ [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Username"
+ },
+
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": true,
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"",
+ "label": "Password"
+ },
+
+ {
+ "itemId": 3,
+ "name": "kylin.url",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx":"",
+ "validationMessage": "",
+ "uiHint":"{\"TextFieldWithIcon\":true, \"info\": \"eg. 'http://<ipaddr>:7070'\"}",
+ "label": "Kylin URL"
+ }
+
+ ],
+ "options": { "enableDenyAndExceptionsInPolicies": "false" },
+
+ "enums":
+ [
+
+ ],
+
+ "contextEnrichers":
+ [
+
+ ],
+
+ "policyConditions":
+ [
+
+ ]
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/.gitignore
----------------------------------------------------------------------
diff --git a/plugin-kylin/.gitignore b/plugin-kylin/.gitignore
new file mode 100644
index 0000000..b83d222
--- /dev/null
+++ b/plugin-kylin/.gitignore
@@ -0,0 +1 @@
+/target/
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-kylin-audit-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-kylin-audit-changes.cfg b/plugin-kylin/conf/ranger-kylin-audit-changes.cfg
new file mode 100644
index 0000000..8071e7b
--- /dev/null
+++ b/plugin-kylin/conf/ranger-kylin-audit-changes.cfg
@@ -0,0 +1,65 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#xasecure.audit.db.is.enabled %XAAUDIT.DB.IS_ENABLED% mod create-if-not-exists
+#xasecure.audit.jpa.javax.persistence.jdbc.url %XAAUDIT_DB_JDBC_URL% mod create-if-not-exists
+#xasecure.audit.jpa.javax.persistence.jdbc.user %XAAUDIT.DB.USER_NAME% mod create-if-not-exists
+#xasecure.audit.jpa.javax.persistence.jdbc.password crypted mod create-if-not-exists
+#xasecure.audit.credential.provider.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+#xasecure.audit.jpa.javax.persistence.jdbc.driver %XAAUDIT_DB_JDBC_DRIVER% mod create-if-not-exists
+
+xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists
+
+#xasecure.audit.kafka.is.enabled %XAAUDIT.KAFKA.IS_ENABLED% mod create-if-not-exists
+#xasecure.audit.kafka.is.async %XAAUDIT.KAFKA.IS_ASYNC% mod create-if-not-exists
+#xasecure.audit.kafka.async.max.queue.size %XAAUDIT.KAFKA.MAX_QUEUE_SIZE% mod create-if-not-exists
+#xasecure.audit.kafka.async.max.flush.interval.ms %XAAUDIT.KAFKA.MAX_FLUSH_INTERVAL_MS% mod create-if-not-exists
+#xasecure.audit.kafka.broker_list %XAAUDIT.KAFKA.BROKER_LIST% mod create-if-not-exists
+#xasecure.audit.kafka.topic_name %XAAUDIT.KAFKA.TOPIC_NAME% mod create-if-not-exists
+
+xasecure.audit.solr.is.enabled %XAAUDIT.SOLR.IS_ENABLED% mod create-if-not-exists
+xasecure.audit.solr.async.max.queue.size %XAAUDIT.SOLR.MAX_QUEUE_SIZE% mod create-if-not-exists
+xasecure.audit.solr.async.max.flush.interval.ms %XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS% mod create-if-not-exists
+xasecure.audit.solr.solr_url %XAAUDIT.SOLR.SOLR_URL% mod create-if-not-exists
+
+#V3 configuration
+xasecure.audit.destination.solr %XAAUDIT.SOLR.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.solr.urls %XAAUDIT.SOLR.URL% mod create-if-not-exists
+xasecure.audit.destination.solr.user %XAAUDIT.SOLR.USER% mod create-if-not-exists
+xasecure.audit.destination.solr.password %XAAUDIT.SOLR.PASSWORD% mod create-if-not-exists
+xasecure.audit.destination.solr.zookeepers %XAAUDIT.SOLR.ZOOKEEPER% mod create-if-not-exists
+xasecure.audit.destination.solr.batch.filespool.dir %XAAUDIT.SOLR.FILE_SPOOL_DIR% mod create-if-not-exists
+
+xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
+xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
+#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
+#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-kylin-audit.xml
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-kylin-audit.xml b/plugin-kylin/conf/ranger-kylin-audit.xml
new file mode 100644
index 0000000..94fba58
--- /dev/null
+++ b/plugin-kylin/conf/ranger-kylin-audit.xml
@@ -0,0 +1,271 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+
+ <!-- DB audit provider configuration -->
+ <property>
+ <name>xasecure.audit.db.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.db.is.async</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.db.async.max.queue.size</name>
+ <value>10240</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.db.async.max.flush.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.db.batch.size</name>
+ <value>100</value>
+ </property>
+
+ <!-- Properties whose name begin with "xasecure.audit.jpa." are used to configure JPA -->
+ <property>
+ <name>xasecure.audit.jpa.javax.persistence.jdbc.url</name>
+ <value>jdbc:mysql://localhost:3306/ranger_audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.jpa.javax.persistence.jdbc.user</name>
+ <value>rangerlogger</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.jpa.javax.persistence.jdbc.password</name>
+ <value>none</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.jpa.javax.persistence.jdbc.driver</name>
+ <value>com.mysql.jdbc.Driver</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.credential.provider.file</name>
+ <value>jceks://file/etc/ranger/kylindev/auditcred.jceks</value>
+ </property>
+
+
+
+ <!-- HDFS audit provider configuration -->
+ <property>
+ <name>xasecure.audit.hdfs.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.is.async</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.async.max.queue.size</name>
+ <value>1048576</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.encoding</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.directory</name>
+ <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.file</name>
+ <value>%hostname%-audit.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+ <value>900</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+ <value>86400</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+ <value>60</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+ <value>/var/log/kylin/audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.file</name>
+ <value>%time:yyyyMMdd-HHmm.ss%.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+ <value>8192</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+ <value>60</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+ <value>600</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.archive.directory</name>
+ <value>/var/log/kylin/audit/archive</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+ <value>10</value>
+ </property>
+
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
+
+ <!-- Log4j audit provider configuration -->
+ <property>
+ <name>xasecure.audit.log4j.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.is.async</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.async.max.queue.size</name>
+ <value>10240</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+ <!-- Kafka audit provider configuration -->
+ <property>
+ <name>xasecure.audit.kafka.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.kafka.async.max.queue.size</name>
+ <value>1</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.kafka.async.max.flush.interval.ms</name>
+ <value>1000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.kafka.broker_list</name>
+ <value>localhost:9092</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.kafka.topic_name</name>
+ <value>ranger_audits</value>
+ </property>
+
+ <!-- Ranger audit provider configuration -->
+ <property>
+ <name>xasecure.audit.solr.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.async.max.queue.size</name>
+ <value>1</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.async.max.flush.interval.ms</name>
+ <value>1000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.solr_url</name>
+ <value>http://localhost:6083/solr/ranger_audits</value>
+ </property>
+
+</configuration>
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-kylin-security-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-kylin-security-changes.cfg b/plugin-kylin/conf/ranger-kylin-security-changes.cfg
new file mode 100644
index 0000000..e6cc1f9
--- /dev/null
+++ b/plugin-kylin/conf/ranger-kylin-security-changes.cfg
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.kylin.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.kylin.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
+
+ranger.plugin.kylin.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.plugin.kylin.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.kylin.policy.pollIntervalMs 30000 mod create-if-not-exists
+ranger.plugin.kylin.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.kylin.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.kylin.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-kylin-security.xml
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-kylin-security.xml b/plugin-kylin/conf/ranger-kylin-security.xml
new file mode 100644
index 0000000..7b383fc
--- /dev/null
+++ b/plugin-kylin/conf/ranger-kylin-security.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.kylin.service.name</name>
+ <value>kylindev</value>
+ <description>
+ Name of the Ranger service containing policies for this kylin instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>
+ Class to retrieve policies from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.rest.url</name>
+ <value>http://policymanagerhost:port</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.rest.ssl.config.file</name>
+ <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value>
+ <description>
+ Path to the file containing SSL details to contact Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.cache.dir</name>
+ <value>/etc/ranger/hadoopdev/policycache</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.rest.client.connection.timeoutMs</name>
+ <value>120000</value>
+ <description>
+ RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.kylin.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+</configuration>
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg b/plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg
new file mode 100644
index 0000000..ae347e8
--- /dev/null
+++ b/plugin-kylin/conf/ranger-policymgr-ssl-changes.cfg
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SSL Params
+#
+xasecure.policymgr.clientssl.keystore %SSL_KEYSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore %SSL_TRUSTSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/conf/ranger-policymgr-ssl.xml
----------------------------------------------------------------------
diff --git a/plugin-kylin/conf/ranger-policymgr-ssl.xml b/plugin-kylin/conf/ranger-policymgr-ssl.xml
new file mode 100644
index 0000000..1f9acf0
--- /dev/null
+++ b/plugin-kylin/conf/ranger-policymgr-ssl.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <!-- The following properties are used for 2-way SSL client server validation -->
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>kylindev-clientcert.jks</value>
+ <description>
+ java keystore files
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>cacerts-xasecure.jks</value>
+ <description>
+ java truststore file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file/tmp/keystore-kylindev-ssl.jceks</value>
+ <description>
+ java keystore credential file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file/tmp/truststore-kylindev-ssl.jceks</value>
+ <description>
+ java truststore credential file
+ </description>
+ </property>
+</configuration>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/pom.xml
----------------------------------------------------------------------
diff --git a/plugin-kylin/pom.xml b/plugin-kylin/pom.xml
new file mode 100644
index 0000000..bfce4c1
--- /dev/null
+++ b/plugin-kylin/pom.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-kylin-plugin</artifactId>
+ <name>Kylin Security Plugin</name>
+ <description>Kylin Security Plugin</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>1.1.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.kylin</groupId>
+ <artifactId>kylin-server-base</artifactId>
+ <version>${kylin.version}</version>
+ <scope>provided</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.kylin</groupId>
+ <artifactId>kylin-external-htrace</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.calcite</groupId>
+ <artifactId>calcite-core</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.solr</groupId>
+ <artifactId>solr-solrj</artifactId>
+ <version>${solr.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ <version>${httpcomponents.httpcore.version}</version>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/scripts/install.properties
----------------------------------------------------------------------
diff --git a/plugin-kylin/scripts/install.properties b/plugin-kylin/scripts/install.properties
new file mode 100644
index 0000000..126eeba
--- /dev/null
+++ b/plugin-kylin/scripts/install.properties
@@ -0,0 +1,140 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Location of Policy Manager URL
+#
+# Example:
+# POLICY_MGR_URL=http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL=
+
+#
+# This is the repository name created within policy manager
+#
+# Example:
+# REPOSITORY_NAME=kylindev
+#
+REPOSITORY_NAME=
+
+#
+# Name of the directory where the component's lib and conf directory exist.
+# This location should be relative to the parent of the directory containing
+# the plugin installation files.
+#
+COMPONENT_INSTALL_DIR_NAME=../kylin
+
+# Enable audit logs to Solr
+#Example
+#XAAUDIT.SOLR.ENABLE=true
+#XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
+#XAAUDIT.SOLR.ZOOKEEPER=
+#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/kylin/audit/solr/spool
+
+XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.URL=NONE
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/kylin/audit/solr/spool
+
+# Enable audit logs to HDFS
+#Example
+#XAAUDIT.HDFS.ENABLE=true
+#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
+#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kylin/audit/hdfs/spool
+
+XAAUDIT.HDFS.ENABLE=false
+XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/kylin/audit/hdfs/spool
+
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+# End of V3 properties
+
+
+#
+# Audit to HDFS Configuration
+#
+# If XAAUDIT.HDFS.IS_ENABLED is set to true, please replace tokens
+# that start with __REPLACE__ with appropriate values
+# XAAUDIT.HDFS.IS_ENABLED=true
+# XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/kylin/audit
+# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/kylin/audit/archive
+#
+# Example:
+# XAAUDIT.HDFS.IS_ENABLED=true
+# XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://namenode.example.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/kylin/audit
+# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/kylin/audit/archive
+#
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/kylin/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/kylin/audit/archive
+
+XAAUDIT.HDFS.DESTINTATION_FILE=%hostname%-audit.log
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+#Solr Audit Provder
+XAAUDIT.SOLR.IS_ENABLED=false
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits
+
+#
+# SSL Client Certificate Information
+#
+# Example:
+# SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
+# SSL_KEYSTORE_PASSWORD=none
+# SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
+# SSL_TRUSTSTORE_PASSWORD=none
+#
+# You do not need use SSL between agent and security admin tool, please leave these sample value as it is.
+#
+SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=kylin
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
----------------------------------------------------------------------
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java b/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
new file mode 100644
index 0000000..a745b87
--- /dev/null
+++ b/plugin-kylin/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
@@ -0,0 +1,182 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.kylin.authorizer;
+
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.Date;
+import java.util.List;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kylin.common.KylinConfig;
+import org.apache.kylin.common.util.Pair;
+import org.apache.kylin.metadata.project.ProjectInstance;
+import org.apache.kylin.metadata.project.ProjectManager;
+import org.apache.kylin.rest.security.AclEntityType;
+import org.apache.kylin.rest.security.AclPermission;
+import org.apache.kylin.rest.security.ExternalAclProvider;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.apache.ranger.services.kylin.client.KylinResourceMgr;
+import org.springframework.security.acls.model.Permission;
+
+import com.google.common.collect.Sets;
+
+public class RangerKylinAuthorizer extends ExternalAclProvider {
+ private static final Log LOG = LogFactory.getLog(RangerKylinAuthorizer.class);
+
+ private static volatile RangerKylinPlugin kylinPlugin = null;
+
+ private static String clientIPAddress = null;
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKylinAuthorizer.init()");
+ }
+
+ RangerKylinPlugin plugin = kylinPlugin;
+
+ if (plugin == null) {
+ synchronized (RangerKylinAuthorizer.class) {
+ plugin = kylinPlugin;
+
+ if (plugin == null) {
+ plugin = new RangerKylinPlugin();
+ plugin.init();
+ kylinPlugin = plugin;
+
+ clientIPAddress = getClientIPAddress();
+ }
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerKylinAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid,
+ Permission permission) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKylinAuthorizer.checkPermission( user=" + user + ", groups=" + groups
+ + ", entityType=" + entityType + ", entityUuid=" + entityUuid + ", permission=" + permission + ")");
+ }
+
+ boolean ret = false;
+
+ if (kylinPlugin != null) {
+ String projectName = null;
+ KylinConfig kylinConfig = KylinConfig.getInstanceFromEnv();
+ if (AclEntityType.PROJECT_INSTANCE.equals(entityType)) {
+ ProjectInstance projectInstance = ProjectManager.getInstance(kylinConfig).getPrjByUuid(entityUuid);
+ if (projectInstance != null) {
+ projectName = projectInstance.getName();
+ } else {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Could not find kylin project for given uuid=" + entityUuid);
+ }
+ }
+ }
+
+ String accessType = ExternalAclProvider.transformPermission(permission);
+ String clusterName = kylinPlugin.getClusterName();
+ RangerKylinAccessRequest request = new RangerKylinAccessRequest(projectName, user, groups, accessType,
+ clusterName, clientIPAddress);
+
+ RangerAccessResult result = kylinPlugin.isAccessAllowed(request);
+ if (result != null && result.getIsAllowed()) {
+ ret = true;
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerKylinAuthorizer.checkPermission(): result=" + ret);
+ }
+
+ return ret;
+ }
+
+ private String getClientIPAddress() {
+ InetAddress ip = null;
+ try {
+ ip = InetAddress.getLocalHost();
+ } catch (UnknownHostException e) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Failed to get client IP address." + e);
+ }
+ }
+
+ String ret = null;
+ if (ip != null) {
+ ret = ip.getHostAddress();
+ }
+ return ret;
+ }
+
+ @Override
+ public List<Pair<String, AclPermission>> getAcl(String entityType, String entityUuid) {
+ // No need to implement
+ return null;
+ }
+}
+
+class RangerKylinPlugin extends RangerBasePlugin {
+ public RangerKylinPlugin() {
+ super("kylin", "kylin");
+ }
+
+ @Override
+ public void init() {
+ super.init();
+
+ RangerDefaultAuditHandler auditHandler = new RangerDefaultAuditHandler();
+
+ super.setResultProcessor(auditHandler);
+ }
+}
+
+class RangerKylinResource extends RangerAccessResourceImpl {
+ public RangerKylinResource(String projectName) {
+ if (StringUtils.isEmpty(projectName)) {
+ projectName = "*";
+ }
+
+ setValue(KylinResourceMgr.PROJECT, projectName);
+ }
+}
+
+class RangerKylinAccessRequest extends RangerAccessRequestImpl {
+ public RangerKylinAccessRequest(String projectName, String user, List<String> groups, String accessType,
+ String clusterName, String clientIPAddress) {
+ super.setResource(new RangerKylinResource(projectName));
+ super.setAccessType(accessType);
+ super.setUser(user);
+ super.setUserGroups(Sets.newHashSet(groups));
+ super.setAccessTime(new Date());
+ super.setClientIPAddress(clientIPAddress);
+ super.setAction(accessType);
+ super.setClusterName(clusterName);
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
----------------------------------------------------------------------
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
new file mode 100644
index 0000000..7dc7d74
--- /dev/null
+++ b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/RangerServiceKylin.java
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.services.kylin;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ranger.plugin.model.RangerService;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.service.RangerBaseService;
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+import org.apache.ranger.services.kylin.client.KylinResourceMgr;
+
+public class RangerServiceKylin extends RangerBaseService {
+
+ private static final Log LOG = LogFactory.getLog(RangerServiceKylin.class);
+
+ public RangerServiceKylin() {
+ super();
+ }
+
+ @Override
+ public void init(RangerServiceDef serviceDef, RangerService service) {
+ super.init(serviceDef, service);
+ }
+
+ @Override
+ public Map<String, Object> validateConfig() throws Exception {
+ Map<String, Object> ret = new HashMap<String, Object>();
+ String serviceName = getServiceName();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKylin.validateConfig Service: (" + serviceName + " )");
+ }
+ if (configs != null) {
+ try {
+ ret = KylinResourceMgr.validateConfig(serviceName, configs);
+ } catch (Exception e) {
+ LOG.error("<== RangerServiceKylin.validateConfig Error:" + e);
+ throw e;
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKylin.validateConfig Response : (" + ret + " )");
+ }
+ return ret;
+ }
+
+ @Override
+ public List<String> lookupResource(ResourceLookupContext context) throws Exception {
+
+ List<String> ret = new ArrayList<String>();
+ String serviceName = getServiceName();
+ Map<String, String> configs = getConfigs();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceKylin.lookupResource Context: (" + context + ")");
+ }
+ if (context != null) {
+ try {
+ ret = KylinResourceMgr.getKylinResources(serviceName, configs, context);
+ } catch (Exception e) {
+ LOG.error("<==RangerServiceKylin.lookupResource Error : " + e);
+ throw e;
+ }
+ }
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceKylin.lookupResource Response: (" + ret + ")");
+ }
+ return ret;
+ }
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
----------------------------------------------------------------------
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
new file mode 100644
index 0000000..9cf21aa
--- /dev/null
+++ b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinClient.java
@@ -0,0 +1,282 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.services.kylin.client;
+
+import java.security.PrivilegedAction;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.Subject;
+
+import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.http.HttpStatus;
+import org.apache.log4j.Logger;
+import org.apache.ranger.plugin.client.BaseClient;
+import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.util.PasswordUtils;
+import org.apache.ranger.services.kylin.client.json.model.KylinProjectResponse;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.reflect.TypeToken;
+import com.sun.jersey.api.client.Client;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.WebResource;
+import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
+
+public class KylinClient extends BaseClient {
+
+ private static final Logger LOG = Logger.getLogger(KylinClient.class);
+
+ private static final String EXPECTED_MIME_TYPE = "application/json";
+
+ private static final String KYLIN_LIST_API_ENDPOINT = "/kylin/api/projects";
+
+ private static final String ERROR_MESSAGE = " You can still save the repository and start creating "
+ + "policies, but you would not be able to use autocomplete for "
+ + "resource names. Check ranger_admin.log for more info.";
+
+ private String kylinUrl;
+ private String userName;
+ private String password;
+
+ public KylinClient(String serviceName, Map<String, String> configs) {
+
+ super(serviceName, configs, "kylin-client");
+
+ this.kylinUrl = configs.get("kylin.url");
+ this.userName = configs.get("username");
+ this.password = configs.get("password");
+
+ if (StringUtils.isEmpty(this.kylinUrl)) {
+ LOG.error("No value found for configuration 'kylin.url'. Kylin resource lookup will fail.");
+ }
+ if (StringUtils.isEmpty(this.userName)) {
+ LOG.error("No value found for configuration 'username'. Kylin resource lookup will fail.");
+ }
+ if (StringUtils.isEmpty(this.password)) {
+ LOG.error("No value found for configuration 'password'. Kylin resource lookup will fail.");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Kylin client is build with url [" + this.kylinUrl + "], user: [" + this.userName
+ + "], password: [" + "*********" + "].");
+ }
+ }
+
+ public List<String> getProjectList(final String projectMatching, final List<String> existingProjects) {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Getting kylin project list for projectMatching: " + projectMatching + ", existingProjects: "
+ + existingProjects);
+ }
+ Subject subj = getLoginSubject();
+ if (subj == null) {
+ return Collections.emptyList();
+ }
+
+ List<String> ret = Subject.doAs(subj, new PrivilegedAction<List<String>>() {
+
+ @Override
+ public List<String> run() {
+
+ ClientResponse response = getClientResponse(kylinUrl, userName, password);
+
+ List<KylinProjectResponse> projectResponses = getKylinProjectResponse(response);
+
+ if (CollectionUtils.isEmpty(projectResponses)) {
+ return Collections.emptyList();
+ }
+
+ List<String> projects = getProjectFromResponse(projectMatching, existingProjects, projectResponses);
+
+ return projects;
+ }
+ });
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Getting kylin project list result: " + ret);
+ }
+ return ret;
+ }
+
+ private static ClientResponse getClientResponse(String kylinUrl, String userName, String password) {
+ ClientResponse response = null;
+ String[] kylinUrls = kylinUrl.trim().split("[,;]");
+ if (ArrayUtils.isEmpty(kylinUrls)) {
+ return null;
+ }
+
+ Client client = Client.create();
+ String decryptedPwd = PasswordUtils.getDecryptPassword(password);
+ client.addFilter(new HTTPBasicAuthFilter(userName, decryptedPwd));
+
+ for (String currentUrl : kylinUrls) {
+ if (StringUtils.isBlank(currentUrl)) {
+ continue;
+ }
+
+ String url = currentUrl.trim() + KYLIN_LIST_API_ENDPOINT;
+ try {
+ response = getProjectResponse(url, client);
+
+ if (response != null) {
+ if (response.getStatus() == HttpStatus.SC_OK) {
+ break;
+ } else {
+ response.close();
+ }
+ }
+ } catch (Throwable t) {
+ String msgDesc = "Exception while getting kylin response, kylinUrl: " + url;
+ LOG.error(msgDesc, t);
+ }
+ }
+ client.destroy();
+
+ return response;
+ }
+
+ private List<KylinProjectResponse> getKylinProjectResponse(ClientResponse response) {
+ List<KylinProjectResponse> projectResponses = null;
+ try {
+ if (response != null && response.getStatus() == HttpStatus.SC_OK) {
+ String jsonString = response.getEntity(String.class);
+ Gson gson = new GsonBuilder().setPrettyPrinting().create();
+
+ projectResponses = gson.fromJson(jsonString, new TypeToken<List<KylinProjectResponse>>() {
+ }.getType());
+ } else {
+ String msgDesc = "Unable to get a valid response for " + "expected mime type : [" + EXPECTED_MIME_TYPE
+ + "], kylinUrl: " + kylinUrl + " - got null response.";
+ LOG.error(msgDesc);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc, msgDesc + ERROR_MESSAGE, null, null);
+ throw hdpException;
+ }
+ } catch (HadoopException he) {
+ throw he;
+ } catch (Throwable t) {
+ String msgDesc = "Exception while getting kylin project response, kylinUrl: " + kylinUrl;
+ HadoopException hdpException = new HadoopException(msgDesc, t);
+
+ LOG.error(msgDesc, t);
+
+ hdpException.generateResponseDataMap(false, BaseClient.getMessage(t), msgDesc + ERROR_MESSAGE, null, null);
+ throw hdpException;
+
+ } finally {
+ if (response != null) {
+ response.close();
+ }
+ }
+ return projectResponses;
+ }
+
+ private static ClientResponse getProjectResponse(String url, Client client) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getProjectResponse():calling " + url);
+ }
+
+ WebResource webResource = client.resource(url);
+
+ ClientResponse response = webResource.accept(EXPECTED_MIME_TYPE).get(ClientResponse.class);
+
+ if (response != null) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getProjectResponse():response.getStatus()= " + response.getStatus());
+ }
+ if (response.getStatus() != HttpStatus.SC_OK) {
+ LOG.warn("getProjectResponse():response.getStatus()= " + response.getStatus() + " for URL " + url
+ + ", failed to get kylin project list.");
+ String jsonString = response.getEntity(String.class);
+ LOG.warn(jsonString);
+ }
+ }
+ return response;
+ }
+
+ private static List<String> getProjectFromResponse(String projectMatching, List<String> existingProjects,
+ List<KylinProjectResponse> projectResponses) {
+ List<String> projcetNames = new ArrayList<String>();
+ for (KylinProjectResponse project : projectResponses) {
+ String projectName = project.getName();
+ if (CollectionUtils.isNotEmpty(existingProjects) && existingProjects.contains(projectName)) {
+ continue;
+ }
+ if (StringUtils.isEmpty(projectMatching) || projectMatching.startsWith("*")
+ || projectName.toLowerCase().startsWith(projectMatching.toLowerCase())) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getProjectFromResponse(): Adding kylin project " + projectName);
+ }
+ projcetNames.add(projectName);
+ }
+ }
+ return projcetNames;
+ }
+
+ public static Map<String, Object> connectionTest(String serviceName, Map<String, String> configs) {
+ KylinClient kylinClient = getKylinClient(serviceName, configs);
+ List<String> strList = kylinClient.getProjectList(null, null);
+
+ boolean connectivityStatus = false;
+ if (CollectionUtils.isNotEmpty(strList)) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("ConnectionTest list size" + strList.size() + " kylin projects");
+ }
+ connectivityStatus = true;
+ }
+
+ Map<String, Object> responseData = new HashMap<String, Object>();
+ if (connectivityStatus) {
+ String successMsg = "ConnectionTest Successful";
+ BaseClient.generateResponseDataMap(connectivityStatus, successMsg, successMsg, null, null, responseData);
+ } else {
+ String failureMsg = "Unable to retrieve any kylin projects using given parameters.";
+ BaseClient.generateResponseDataMap(connectivityStatus, failureMsg, failureMsg + ERROR_MESSAGE, null, null,
+ responseData);
+ }
+
+ return responseData;
+ }
+
+ public static KylinClient getKylinClient(String serviceName, Map<String, String> configs) {
+ KylinClient kylinClient = null;
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Getting KylinClient for datasource: " + serviceName);
+ }
+ if (MapUtils.isEmpty(configs)) {
+ String msgDesc = "Could not connect kylin as connection configMap is empty.";
+ LOG.error(msgDesc);
+ HadoopException hdpException = new HadoopException(msgDesc);
+ hdpException.generateResponseDataMap(false, msgDesc, msgDesc + ERROR_MESSAGE, null, null);
+ throw hdpException;
+ } else {
+ kylinClient = new KylinClient(serviceName, configs);
+ }
+ return kylinClient;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
----------------------------------------------------------------------
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
new file mode 100644
index 0000000..ae96a20
--- /dev/null
+++ b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/KylinResourceMgr.java
@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.services.kylin.client;
+
+import java.util.List;
+import java.util.Map;
+
+import org.apache.commons.collections.MapUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.log4j.Logger;
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+
+public class KylinResourceMgr {
+
+ public static final String PROJECT = "project";
+
+ private static final Logger LOG = Logger.getLogger(KylinResourceMgr.class);
+
+ public static Map<String, Object> validateConfig(String serviceName, Map<String, String> configs) throws Exception {
+ Map<String, Object> ret = null;
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> KylinResourceMgr.validateConfig ServiceName: " + serviceName + "Configs" + configs);
+ }
+
+ try {
+ ret = KylinClient.connectionTest(serviceName, configs);
+ } catch (Exception e) {
+ LOG.error("<== KylinResourceMgr.validateConfig Error: " + e);
+ throw e;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== KylinResourceMgr.validateConfig Result: " + ret);
+ }
+ return ret;
+ }
+
+ public static List<String> getKylinResources(String serviceName, Map<String, String> configs,
+ ResourceLookupContext context) {
+ String userInput = context.getUserInput();
+ String resource = context.getResourceName();
+ Map<String, List<String>> resourceMap = context.getResources();
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> KylinResourceMgr.getKylinResources() userInput: " + userInput + ", resource: " + resource
+ + ", resourceMap: " + resourceMap);
+ }
+
+ if (MapUtils.isEmpty(configs)) {
+ LOG.error("Connection Config is empty!");
+ return null;
+ }
+
+ if (StringUtils.isEmpty(userInput)) {
+ LOG.warn("User input is empty, set default value : *");
+ userInput = "*";
+ }
+
+ List<String> projectList = null;
+ if (MapUtils.isNotEmpty(resourceMap)) {
+ projectList = resourceMap.get(PROJECT);
+ }
+
+ final KylinClient kylinClient = KylinClient.getKylinClient(serviceName, configs);
+ if (kylinClient == null) {
+ LOG.error("Failed to getKylinClient!");
+ return null;
+ }
+
+ List<String> resultList = null;
+
+ resultList = kylinClient.getProjectList(userInput, projectList);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== KylinResourceMgr.getKylinResources() result: " + resultList);
+ }
+ return resultList;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
----------------------------------------------------------------------
diff --git a/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
new file mode 100644
index 0000000..efed6bc
--- /dev/null
+++ b/plugin-kylin/src/main/java/org/apache/ranger/services/kylin/client/json/model/KylinProjectResponse.java
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.services.kylin.client.json.model;
+
+import java.util.List;
+
+public class KylinProjectResponse {
+ private String uuid;
+
+ private String version;
+
+ private String name;
+
+ private String owner;
+
+ private String status;
+
+ private String description;
+
+ private List<String> tables;
+
+ private List<String> models;
+
+ public String getUuid() {
+ return uuid;
+ }
+
+ public void setUuid(String uuid) {
+ this.uuid = uuid;
+ }
+
+ public String getVersion() {
+ return version;
+ }
+
+ public void setVersion(String version) {
+ this.version = version;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public String getOwner() {
+ return owner;
+ }
+
+ public void setOwner(String owner) {
+ this.owner = owner;
+ }
+
+ public String getStatus() {
+ return status;
+ }
+
+ public void setStatus(String status) {
+ this.status = status;
+ }
+
+ public String getDescription() {
+ return description;
+ }
+
+ public void setDescription(String description) {
+ this.description = description;
+ }
+
+ public List<String> getTables() {
+ return tables;
+ }
+
+ public void setTables(List<String> tables) {
+ this.tables = tables;
+ }
+
+ public List<String> getModels() {
+ return models;
+ }
+
+ public void setModels(List<String> models) {
+ this.models = models;
+ }
+
+ @Override
+ public String toString() {
+ return "KylinProjectResponse [uuid=" + uuid + ", version=" + version + ", name=" + name + ", owner=" + owner
+ + ", status=" + status + ", description=" + description + ", tables=" + tables + ", models=" + models
+ + "]";
+ }
+}
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index d6f98b4..1df5f2c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -110,6 +110,8 @@
<module>plugin-atlas</module>
<module>plugin-sqoop</module>
<module>ranger-sqoop-plugin-shim</module>
+ <module>plugin-kylin</module>
+ <module>ranger-kylin-plugin-shim</module>
</modules>
<properties>
<maven.version.required>3.3.3</maven.version.required>
@@ -183,6 +185,7 @@
<kafka.version>1.0.0</kafka.version>
<kerby.version>1.0.0</kerby.version>
<knox.gateway.version>1.0.0</knox.gateway.version>
+ <kylin.version>2.3.0</kylin.version>
<libpam4j.version>1.8</libpam4j.version>
<local.lib.dir>${project.basedir}/../lib/local</local.lib.dir>
<log4j.version>1.2.17</log4j.version>
@@ -420,6 +423,7 @@
<descriptor>src/main/assembly/ranger-src.xml</descriptor>
<descriptor>src/main/assembly/plugin-atlas.xml</descriptor>
<descriptor>src/main/assembly/plugin-sqoop.xml</descriptor>
+ <descriptor>src/main/assembly/plugin-kylin.xml</descriptor>
</descriptors>
</configuration>
</plugin>
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/ranger-kylin-plugin-shim/.gitignore
----------------------------------------------------------------------
diff --git a/ranger-kylin-plugin-shim/.gitignore b/ranger-kylin-plugin-shim/.gitignore
new file mode 100644
index 0000000..b83d222
--- /dev/null
+++ b/ranger-kylin-plugin-shim/.gitignore
@@ -0,0 +1 @@
+/target/
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/ranger-kylin-plugin-shim/pom.xml
----------------------------------------------------------------------
diff --git a/ranger-kylin-plugin-shim/pom.xml b/ranger-kylin-plugin-shim/pom.xml
new file mode 100644
index 0000000..fd040bb
--- /dev/null
+++ b/ranger-kylin-plugin-shim/pom.xml
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-kylin-plugin-shim</artifactId>
+ <name>Kylin Security Plugin Shim</name>
+ <description>Kylin Security Plugin Shim</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>1.1.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.kylin</groupId>
+ <artifactId>kylin-server-base</artifactId>
+ <version>${kylin.version}</version>
+ <scope>provided</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.kylin</groupId>
+ <artifactId>kylin-external-htrace</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.apache.calcite</groupId>
+ <artifactId>calcite-core</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>credentialbuilder</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugin-classloader</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
----------------------------------------------------------------------
diff --git a/ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java b/ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
new file mode 100644
index 0000000..a12dfb1
--- /dev/null
+++ b/ranger-kylin-plugin-shim/src/main/java/org/apache/ranger/authorization/kylin/authorizer/RangerKylinAuthorizer.java
@@ -0,0 +1,121 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.authorization.kylin.authorizer;
+
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.kylin.common.util.Pair;
+import org.apache.kylin.rest.security.AclPermission;
+import org.apache.kylin.rest.security.ExternalAclProvider;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+import org.springframework.security.acls.model.Permission;
+
+public class RangerKylinAuthorizer extends ExternalAclProvider {
+ private static final Log LOG = LogFactory.getLog(RangerKylinAuthorizer.class);
+
+ private static final String RANGER_PLUGIN_TYPE = "kylin";
+ private static final String RANGER_KYLIN_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.kylin.authorizer.RangerKylinAuthorizer";
+
+ private ExternalAclProvider externalAclProvider = null;
+ private static RangerPluginClassLoader rangerPluginClassLoader = null;
+
+ public RangerKylinAuthorizer() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKylinAuthorizer.RangerKylinAuthorizer()");
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerKylinAuthorizer.RangerKylinAuthorizer()");
+ }
+ }
+
+ @Override
+ public void init() {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKylinAuthorizer.init()");
+ }
+
+ try {
+
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class<ExternalAclProvider> cls = (Class<ExternalAclProvider>) Class.forName(
+ RANGER_KYLIN_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ externalAclProvider = cls.newInstance();
+ externalAclProvider.init();
+ } catch (Exception e) {
+ LOG.error("Error Enabling RangerKylinPlugin", e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerKylinAuthorizer.init()");
+ }
+ }
+
+ @Override
+ public boolean checkPermission(String user, List<String> groups, String entityType, String entityUuid,
+ Permission permission) {
+ boolean ret = false;
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerKylinAuthorizer.checkPermission()");
+ }
+
+ try {
+ activatePluginClassLoader();
+
+ ret = externalAclProvider.checkPermission(user, groups, entityType, entityUuid, permission);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerKylinAuthorizer.checkPermission()");
+ }
+
+ return ret;
+ }
+
+ private void activatePluginClassLoader() {
+ if (rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if (rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+
+ @Override
+ public List<Pair<String, AclPermission>> getAcl(String entityType, String entityUuid) {
+ // No need to implement
+ return null;
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/ranger/blob/2b1143ab/src/main/assembly/admin-web.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/admin-web.xml b/src/main/assembly/admin-web.xml
index 29d728a..960c994 100644
--- a/src/main/assembly/admin-web.xml
+++ b/src/main/assembly/admin-web.xml
@@ -342,6 +342,19 @@
</includes>
</moduleSet>
+ <moduleSet>
+ <binaries>
+ <includeDependencies>true</includeDependencies>
+ <outputDirectory>/ews/webapp/WEB-INF/classes/ranger-plugins/kylin</outputDirectory>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ </binaries>
+ <includes>
+ <include>org.apache.ranger:ranger-kylin-plugin</include>
+ </includes>
+ </moduleSet>
+
</moduleSets>
<fileSets>