You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kylin.apache.org by pengjianhua <pe...@zte.com.cn> on 2017/07/21 09:36:09 UTC
Review Request 61022: KYLIN-2703 kylin supports managing access
rights for project and cube through apache ranger.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61022/
-----------------------------------------------------------
Review request for kylin, Dayue Gao, Dong Li, hongbin ma, and Wang Xiaoyu.
Bugs: KYLIN-2703
https://issues.apache.org/jira/browse/KYLIN-2703
Repository: kylin
Description
-------
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. Apache Ranger has the following goals:
1. Centralized security administration to manage all security related tasks in a central UI or using REST APIs.
2. Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool
3. Standardize authorization method across all Hadoop components.
4. Enhanced support for different authorization methods - Role based access control, attribute based access control etc.
5. Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.
Ranger has supported enable, monitor and manage following components:
1. HDFS
2. HIVE
3. HBASE
4. KNOX
5. YARN
6. STORM
7. SOLR
8. KAFKA
9. ATLAS
In order to improve the flexibility of kylin privilege control and enhance value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase, Kylin should also support that using Ranger to control access rights for project and cube.
Specific implementation plan is as following:
On the ranger website, administrators can configure policies to control user access to projects and cube permissions.
Kylin provides an abstract class and authorization interfaces for use by the ranger plugin. kylin instantiates ranger plugin’s implementation class when starting(this class extends the abstract class provided by kylin).
Ranger plugin periodically polls ranger admin, updates the policy to the local, and updates project and cube access rights based on policy information.
In the Kylin side?
1. Kylin provides an abstract class that enables the ranger plugin's implementation class to extend.
2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin implementation class's name.
3. Instantiate the ranger plugin implementation class when starting kylin.
4. kylin provides authorization interfaces for ranger plugin calls.
5. According to the ranger authorization configuration item, hide kylin's authorization management page.
6. Using ranger manager access rights of the kylin does not affect kylin's existing permissions functions and logic.
In the Ranger side?
1. Ranger plugin will periodically polls ranger admin, updates the policy to the local.
2. The ranger plugin invoking the authorization interfaces provided by kylin to updates the project and cube access rights based on the policy information.
reference link:https://issues.apache.org/jira/browse/RANGER-1672
Diffs
-----
build/deploy/context.xml 38c6ec833
core-common/src/main/java/org/apache/kylin/common/KylinConfigBase.java f9c3adb75
core-common/src/main/java/org/apache/kylin/common/security/KylinAuthorizationProvider.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java 5d326e9a5
server-base/src/main/java/org/apache/kylin/rest/controller/AccessController.java a88c34233
server-base/src/main/java/org/apache/kylin/rest/controller/UserController.java c07c0cb06
server-base/src/main/java/org/apache/kylin/rest/security/KylinAclPermissionEvaluator.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/security/KylinAuthorization.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java ae7ac6e04
server-base/src/main/java/org/apache/kylin/rest/service/JobService.java 5bf684a4a
server/src/main/resources/kylinSecurity.xml ce068d7ac
server/src/test/java/org/apache/kylin/rest/controller/AccessControllerTest.java 18fbd06af
webapp/app/js/controllers/page.js 575f45511
webapp/app/js/listeners.js e5c40fb89
webapp/app/js/services/kylinProperties.js 645ed2f3d
webapp/app/partials/cubes/cube_detail.html 4319b94e2
webapp/app/partials/projects/project_detail.html 5cfc091ab
Diff: https://reviews.apache.org/r/61022/diff/1/
Testing
-------
Thanks,
pengjianhua
Re: Review Request 61022: KYLIN-2703 kylin supports managing access
rights for project and cube through apache ranger.
Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61022/
-----------------------------------------------------------
(Updated 九月 4, 2017, 7:52 a.m.)
Review request for kylin, Dayue Gao, Dong Li, hongbin ma, and Wang Xiaoyu.
Bugs: KYLIN-2703
https://issues.apache.org/jira/browse/KYLIN-2703
Repository: kylin
Description
-------
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. Apache Ranger has the following goals:
1. Centralized security administration to manage all security related tasks in a central UI or using REST APIs.
2. Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool
3. Standardize authorization method across all Hadoop components.
4. Enhanced support for different authorization methods - Role based access control, attribute based access control etc.
5. Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.
Ranger has supported enable, monitor and manage following components:
1. HDFS
2. HIVE
3. HBASE
4. KNOX
5. YARN
6. STORM
7. SOLR
8. KAFKA
9. ATLAS
In order to improve the flexibility of kylin privilege control and enhance value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase, Kylin should also support that using Ranger to control access rights for project and cube.
Specific implementation plan is as following:
On the ranger website, administrators can configure policies to control user access to projects and cube permissions.
Kylin provides an abstract class and authorization interfaces for use by the ranger plugin. kylin instantiates ranger plugin’s implementation class when starting(this class extends the abstract class provided by kylin).
Ranger plugin periodically polls ranger admin, updates the policy to the local, and updates project and cube access rights based on policy information.
In the Kylin side?
1. Kylin provides an abstract class that enables the ranger plugin's implementation class to extend.
2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin implementation class's name.
3. Instantiate the ranger plugin implementation class when starting kylin.
4. kylin provides authorization interfaces for ranger plugin calls.
5. According to the ranger authorization configuration item, hide kylin's authorization management page.
6. Using ranger manager access rights of the kylin does not affect kylin's existing permissions functions and logic.
In the Ranger side?
1. Ranger plugin will periodically polls ranger admin, updates the policy to the local.
2. The ranger plugin invoking the authorization interfaces provided by kylin to updates the project and cube access rights based on the policy information.
reference link:https://issues.apache.org/jira/browse/RANGER-1672
Diffs (updated)
-----
build/deploy/context.xml 38c6ec833
core-common/src/main/java/org/apache/kylin/common/KylinConfigBase.java 749b515c3
core-common/src/main/java/org/apache/kylin/common/security/KylinAuthorizationProvider.java PRE-CREATION
core-metadata/src/main/java/org/apache/kylin/metadata/project/ProjectManager.java df5450cf8
server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java 697a660b5
server-base/src/main/java/org/apache/kylin/rest/controller/AccessController.java a88c34233
server-base/src/main/java/org/apache/kylin/rest/security/KylinAclPermissionEvaluator.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/security/KylinAuthorization.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java a46b86679
server-base/src/main/java/org/apache/kylin/rest/service/JobService.java d2180a76d
server/src/main/resources/kylinSecurity.xml ce068d7ac
webapp/app/js/services/kylinProperties.js 645ed2f3d
webapp/app/partials/cubes/cube_detail.html 0113c126d
webapp/app/partials/projects/project_detail.html 5cfc091ab
Diff: https://reviews.apache.org/r/61022/diff/6/
Changes: https://reviews.apache.org/r/61022/diff/5-6/
Testing
-------
Thanks,
pengjianhua
Re: Review Request 61022: KYLIN-2703 kylin supports managing access
rights for project and cube through apache ranger.
Posted by pengjianhua <pe...@zte.com.cn>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61022/
-----------------------------------------------------------
(Updated 七月 24, 2017, 7:27 a.m.)
Review request for kylin, Dayue Gao, Dong Li, hongbin ma, and Wang Xiaoyu.
Bugs: KYLIN-2703
https://issues.apache.org/jira/browse/KYLIN-2703
Repository: kylin
Description
-------
Ranger is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. Apache Ranger has the following goals:
1. Centralized security administration to manage all security related tasks in a central UI or using REST APIs.
2. Fine grained authorization to do a specific action and/or operation with Hadoop component/tool and managed through a central administration tool
3. Standardize authorization method across all Hadoop components.
4. Enhanced support for different authorization methods - Role based access control, attribute based access control etc.
5. Centralize auditing of user access and administrative actions (security related) within all the components of Hadoop.
Ranger has supported enable, monitor and manage following components:
1. HDFS
2. HIVE
3. HBASE
4. KNOX
5. YARN
6. STORM
7. SOLR
8. KAFKA
9. ATLAS
In order to improve the flexibility of kylin privilege control and enhance value of kylin in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase, Kylin should also support that using Ranger to control access rights for project and cube.
Specific implementation plan is as following:
On the ranger website, administrators can configure policies to control user access to projects and cube permissions.
Kylin provides an abstract class and authorization interfaces for use by the ranger plugin. kylin instantiates ranger plugin’s implementation class when starting(this class extends the abstract class provided by kylin).
Ranger plugin periodically polls ranger admin, updates the policy to the local, and updates project and cube access rights based on policy information.
In the Kylin side?
1. Kylin provides an abstract class that enables the ranger plugin's implementation class to extend.
2. Add configuration item. 1) ranger authorization switch, 2) ranger plugin implementation class's name.
3. Instantiate the ranger plugin implementation class when starting kylin.
4. kylin provides authorization interfaces for ranger plugin calls.
5. According to the ranger authorization configuration item, hide kylin's authorization management page.
6. Using ranger manager access rights of the kylin does not affect kylin's existing permissions functions and logic.
In the Ranger side?
1. Ranger plugin will periodically polls ranger admin, updates the policy to the local.
2. The ranger plugin invoking the authorization interfaces provided by kylin to updates the project and cube access rights based on the policy information.
reference link:https://issues.apache.org/jira/browse/RANGER-1672
Diffs (updated)
-----
build/deploy/context.xml 38c6ec833
core-common/src/main/java/org/apache/kylin/common/KylinConfigBase.java f9c3adb75
core-common/src/main/java/org/apache/kylin/common/security/KylinAuthorizationProvider.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/constant/Constant.java 5d326e9a5
server-base/src/main/java/org/apache/kylin/rest/controller/AccessController.java a88c34233
server-base/src/main/java/org/apache/kylin/rest/controller/UserController.java c07c0cb06
server-base/src/main/java/org/apache/kylin/rest/security/KylinAclPermissionEvaluator.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/security/KylinAuthorization.java PRE-CREATION
server-base/src/main/java/org/apache/kylin/rest/service/AccessService.java ae7ac6e04
server-base/src/main/java/org/apache/kylin/rest/service/JobService.java 5bf684a4a
server/src/main/resources/kylinSecurity.xml ce068d7ac
server/src/test/java/org/apache/kylin/rest/controller/AccessControllerTest.java 18fbd06af
webapp/app/js/controllers/page.js 575f45511
webapp/app/js/listeners.js e5c40fb89
webapp/app/js/services/kylinProperties.js 645ed2f3d
webapp/app/partials/cubes/cube_detail.html 4319b94e2
webapp/app/partials/projects/project_detail.html 5cfc091ab
Diff: https://reviews.apache.org/r/61022/diff/2/
Changes: https://reviews.apache.org/r/61022/diff/1-2/
Testing
-------
Thanks,
pengjianhua