Posted to dev@pegasus.apache.org by "WHBANG (via GitHub)" <gi...@apache.org> on 2023/02/22 03:45:19 UTC

[GitHub] [incubator-pegasus] WHBANG commented on issue #1054: Feature: Integrate with Apache Ranger

WHBANG commented on issue #1054:
URL: https://github.com/apache/incubator-pegasus/issues/1054#issuecomment-1439398491

   Introduce the implementation and how to use:
   
   1. The class diagram
   ![image](https://user-images.githubusercontent.com/38547944/218993763-91a7072b-086b-44fa-9041-636c5ea1d089.png)
   
   
   First, you need to add the ACL-related configuration. The client configuration is unchanged; the server has the following new configuration options:
   ```
   enable_ranger_acl: indicates whether to use ranger for acl
   ranger_service_url: ranger server url
   ranger_service_name: use ranger policy name
   mandatory_enable_acl: mandatory use of ranger policy, currently used for testing
   ```
   The details are as follows:

   server:
   ```
   [security]
     update_ranger_policy_interval_sec
   [ranger]
     ranger_service_url
     ranger_service_name
     ranger_legacy_table_database_mapping_rule
     mandatory_enable_acl
   [security]
     enable_auth = true
     krb5_keytab = /root/apache/pegasus.keytab
     krb5_config = /etc/krb5.conf
     krb5_principal = XXXXX
     sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
     service_fqdn = XXXXX
     service_name = XXXXX
     mandatory_auth = true
     enable_acl = true
     super_users =
     meta_acl_rpc_allow_list =
     enable_ranger_acl = true
   ```
   java client:
   ```
   java
   meta_servers = 127.0.0.1:34601,127.0.0.1:34602,127.0.0.1:34603
   operation_timeout = 5000
   async_workers = 4
   enable_perf_counter = false
   perf_counter_tags = cluster=onebox,app=unit_test
   push_counter_interval_secs = 10
   meta_query_timeout = 5000
   auth_protocol = kerberos
   kerberos_service_name = XXXXX
   kerberos_service_fqdn = XXXXX
   kerberos_keytab = /root/apache/pegasus.keytab
   kerberos_principal = XXXXX
   ```
   shell:
   ```
   [security]
     enable_auth = true
     krb5_keytab = /root/apache/pegasus.keytab
     krb5_config = /etc/krb5.conf
     krb5_principal = XXXXX
     sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
     service_fqdn = XXXXX
     service_name = XXXXX
   ```
   Second, compatibility:
   The old ACL mode is retained.
   1. Use the old ACL
   ```
   enable_acl = true
   enable_ranger_acl = false
   ```
   2. Use ranger for ACL
   ```
   enable_acl = true
   enable_ranger_acl = true
   ```
   
   3. Define the ranger policy
   
   - Pegasus resources can be divided into multiple types, and the operation types of each resource can also be divided. One operation type corresponds to one ACL symbol
   <img width="773" alt="image" src="https://user-images.githubusercontent.com/38547944/204430376-17e8ae9a-bdac-466c-a2a7-d4f27cae09e0.png">
   
   - ACLs on each type of resource correspond to specific rpc_code
   
   <img width="646" alt="image" src="https://user-images.githubusercontent.com/38547944/204430797-5b45e079-84c5-4f3e-a470-db063d6d87d5.png">
   <img width="846" alt="image" src="https://user-images.githubusercontent.com/38547944/204430865-ffc16771-90ca-43c7-903a-5451cb58c86c.png">
   <img width="629" alt="image" src="https://user-images.githubusercontent.com/38547944/204430917-febf6ba1-eddc-4db0-b428-a00e7e651828.png">
   
   4. pegasus+ranger
   
   After completing the integration of ranger with pegasus, you can set permissions on the ranger web page according to your own needs.
   <img width="444" alt="image" src="https://user-images.githubusercontent.com/38547944/204432012-230db07c-47d0-4960-9c10-04340c19b2ff.png">
   <img width="1382" alt="image" src="https://user-images.githubusercontent.com/38547944/204432186-344267c5-d966-4b21-99f5-cc6d4ade55db.png">
   
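As an added example (not code from the Pegasus project or from the comment above), a small Python check of the `enable_acl` / `enable_ranger_acl` combinations the comment describes, run over a constructed server config in the same `[security]` / `[ranger]` layout; the sample Ranger URL and service name, and reading `enable_acl = false` as "ACL off", are assumptions.

```python
import configparser
from typing import Dict, List

# Constructed sample in the [security]/[ranger] layout shown in the comment (values are made up).
SAMPLE_SERVER_CONF = """
[security]
enable_auth = true
mandatory_auth = true
enable_acl = true
enable_ranger_acl = true
super_users =
meta_acl_rpc_allow_list =
[ranger]
ranger_service_url = http://ranger.example.internal:6080
ranger_service_name = pegasus_dev
"""

def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")

def _sections(conf_text: str) -> Dict[str, Dict[str, str]]:
    # strict=False tolerates a duplicated [security] header like the one in the comment
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return {name: dict(cp[name]) for name in cp.sections()}

def acl_mode(conf_text: str) -> str:
    """'legacy' (enable_acl only), 'ranger' (both flags) or 'off' (assumed meaning of enable_acl=false)."""
    sec = _sections(conf_text).get("security", {})
    if not _truthy(sec.get("enable_acl", "false")):
        return "off"
    return "ranger" if _truthy(sec.get("enable_ranger_acl", "false")) else "legacy"

def check_acl_config(conf_text: str) -> List[str]:
    """Return review findings; an empty list means the ACL settings are consistent."""
    sections = _sections(conf_text)
    sec = sections.get("security", {})
    findings: List[str] = []
    mode = acl_mode(conf_text)
    if mode != "off" and not _truthy(sec.get("enable_auth", "false")):
        findings.append("enable_acl=true but enable_auth is not true: callers are not authenticated")
    if mode == "ranger":
        rng = sections.get("ranger", {})
        for key in ("ranger_service_url", "ranger_service_name"):
            if not rng.get(key, "").strip():
                findings.append(f"enable_ranger_acl=true but [ranger] {key} is empty")
        if _truthy(rng.get("mandatory_enable_acl", "false")):
            findings.append("mandatory_enable_acl=true is described in the comment as a testing setting")
    return findings
```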


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pegasus.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

