[jira] [Commented] (RANGER-1672) Ranger supports plugin to enable, monitor and manage apache kylin

["Srikanth Venkat (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/RANGER-1672?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16073995#comment-16073995 ] 

Srikanth Venkat commented on RANGER-1672:
-----------------------------------------

This is a great feature to add, thanks Qiang for the contribution.
Few questions:
1) Where are the OLAP cubes and project information associated with Kylin stored? In HDFS or externally?
2) A Ranger plugin without auditing feature is not very useful for the community from a security perspective, so this plugin should support writing audits using Ranger's audit framework (writing raw audits to HDFS and indexing in Solr for querying). Kylin Ranger plugin should support auditing to capture the same level of audit event metadata that other services in Hadoop provide. 
3) Does Kylin have a server side component (such as HiveServer2) or is only a client set of libraries? How will this plugin be deployed if it is client side only? Does Kylin support doAs (impersonation) if there is a server side component? 
4) Is there a need to support dynamic policies for authorizing OLAP cubes and projects?
5) Does Kylin already have any LDAP/AD authentication integration and support the Hadoop user-group mapping facility? Without this group resolution will need to be thought through carefully for the plugin implementation.

> Ranger supports plugin to enable, monitor and manage apache kylin
> -----------------------------------------------------------------
>
>                 Key: RANGER-1672
>                 URL: https://issues.apache.org/jira/browse/RANGER-1672
>             Project: Ranger
>          Issue Type: New Feature
>          Components: plugins
>            Reporter: Qiang Zhang
>            Assignee: Qiang Zhang
>              Labels: newbie, patch
>
> Apache Kylin is an open source Distributed Analytics Engine designed to provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop supporting extremely large datasets, original contributed from eBay Inc. Apache Kylin lets user query massive data set at sub-second latency in 3 steps.
> 1. Identify a Star Schema on Hadoop.
> 2. Build Cube from the identified tables.
> 3. Query with ANSI-SQL and get results in sub-second, via ODBC, JDBC or RESTful API.
> We should support that using Ranger to control kylin's access rights for project and cube.
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user access to projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the ranger plugin. kylin instantiates ranger plugin’s implementation class when starting(this class extends the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the local, and updates project and cube access rights based on policy information.
> In the Kylin side：
> 1. Kylin provides an abstract class that enables the ranger plugin's implementation class to extend.
> 2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin implementation class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's authorization management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's existing permissions functions and logic.
> In the Ranger side：
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin to updates the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/KYLIN-2703



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)