Posted to user@knox.apache.org by Ebrahim Khalil Abbasi <eb...@gmail.com> on 2020/12/08 19:59:38 UTC

Method Level Authorization for Knox

Hi there,
I am using Knox to access Livy to manage Spark sessions. To implement
authorization I want to provide method-level (get/post/delete/...)
authorization. I implemented a new HTTP Service plugin in Ranger but I need
to integrate it into Knox or Ranger's Knox plugin so that each HTTP
request to Knox is authorized based on the method.

It seems there are two possibilities: one is to update Knox's
authorization interface and the other is to update Ranger's Knox plugin.

Would you please suggest a better solution?
Thanks
Ebrahim

Re: Method Level Authorization for Knox

Posted by Ebrahim Khalil Abbasi <eb...@gmail.com>.
Hello Larry,
Thanks for your reply and help.

I too believe that Ranger's Knox plugin code is where we need to change, and
I already did it. I was looking for a way of somehow extending Ranger's
Knox plugin or integrating my plug-in with it, not directly changing
Ranger's Knox plugin.

Thanks
Ebrahim


On Tue, Dec 8, 2020 at 11:36 PM larry mccay <la...@gmail.com> wrote:

> Hi Ebrahim -
>
> I tried replying to the Ranger thread but my subscription seems messed up.
>
> I believe that Bosco was referring to the interface within the Ranger Knox
> Plugin code that would need to change ALONG with the Ranger side changes
> you already made.
> Based on what I see in [1], there is no change needed in the Knox code
> base as this is all in Ranger.
> You would want to push the HTTP verb from the request that is acquired in
> the filter into the authorization interface which is in the same package in
> Ranger.
>
> Of course, you could also either extend or create a new Authorization
> Provider in Knox as well but that will not give you the central access
> policy authoring and management that Ranger provides.
>
> thanks,
>
> --larry
>
>
> 1.
> https://github.com/apache/ranger/blob/master/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java#L146
>
> On Tue, Dec 8, 2020 at 2:59 PM Ebrahim Khalil Abbasi <
> ebrahim.khalil.abbasi@gmail.com> wrote:
>
>> Hi there,
>> I am using Knox to access Livy to manage Spark sessions. To implement
>> authorization I want to provide method-level (get/post/delete/...)
>> authorization. I implemented a new HTTP Service plugin in Ranger but I need
>> to integrate it into Knox or Ranger's Knox plugin so that each HTTP
>> request to Knox is authorized based on the method.
>>
>> It seems there are two possibilities: one is to update Knox's
>> authorization interface and the other is to update Ranger's Knox plugin.
>>
>> Would you please suggest a better solution?
>> Thanks
>> Ebrahim
>>
>

Re: Method Level Authorization for Knox

Posted by larry mccay <la...@gmail.com>.
Hi Ebrahim -

I tried replying to the Ranger thread but my subscription seems messed up.

I believe that Bosco was referring to the interface within the Ranger Knox
Plugin code that would need to change ALONG with the Ranger side changes
you already made.
Based on what I see in [1], there is no change needed in the Knox code base
as this is all in Ranger.
You would want to push the HTTP verb from the request that is acquired in
the filter into the authorization interface which is in the same package in
Ranger.

Of course, you could also either extend or create a new Authorization
Provider in Knox as well but that will not give you the central access
policy authoring and management that Ranger provides.

thanks,

--larry


1.
https://github.com/apache/ranger/blob/master/knox-agent/src/main/java/org/apache/ranger/authorization/knox/RangerPDPKnoxFilter.java#L146

On Tue, Dec 8, 2020 at 2:59 PM Ebrahim Khalil Abbasi <
ebrahim.khalil.abbasi@gmail.com> wrote:

> Hi there,
> I am using Knox to access Livy to manage Spark sessions. To implement
> authorization I want to provide method-level (get/post/delete/...)
> authorization. I implemented a new HTTP Service plugin in Ranger but I need
> to integrate it into Knox or Ranger's Knox plugin so that each HTTP
> request to Knox is authorized based on the method.
>
> It seems there are two possibilities: one is to update Knox's
> authorization interface and the other is to update Ranger's Knox plugin.
>
> Would you please suggest a better solution?
> Thanks
> Ebrahim
>
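
An added illustration of the idea discussed in this thread (not code from Ranger, Knox, or either poster): the HTTP verb is carried in the access request next to the user and resource, and the decision is default deny unless a policy lists that verb. The AccessRequest and Policy types, the "default" topology, the "LIVY" service name and the users are all assumptions made up for this sketch.

```java
import java.util.List;
import java.util.Set;

// Added illustration only: none of these types are Ranger or Knox classes.
public class MethodLevelAuthzDemo {

    // What a filter would hand to the authorizer; httpMethod is the extra field.
    record AccessRequest(String user, String topology, String service, String httpMethod) {}

    // One allow rule: a user may call a service with the listed verbs only.
    record Policy(String user, String topology, String service, Set<String> methods) {}

    // Constructed sample policies (hypothetical users and resource names).
    static final List<Policy> POLICIES = List.of(
        new Policy("analyst", "default", "LIVY", Set.of("GET")),
        new Policy("engineer", "default", "LIVY", Set.of("GET", "POST", "DELETE")));

    // Default deny: access needs a policy matching user, resource AND verb.
    // A missing verb or one no policy lists is denied, never treated as a wildcard.
    static boolean isAllowed(AccessRequest r) {
        if (r.httpMethod() == null) {
            return false;
        }
        return POLICIES.stream().anyMatch(p ->
            p.user().equals(r.user())
                && p.topology().equals(r.topology())
                && p.service().equals(r.service())
                && p.methods().contains(r.httpMethod()));
    }

    public static void main(String[] args) {
        // Constructed requests: {user, verb}; null models a request with no verb set.
        String[][] calls = {
            {"analyst", "GET"}, {"analyst", "DELETE"}, {"engineer", "DELETE"},
            {"engineer", "PATCH"}, {"guest", "GET"}, {"engineer", null}};
        for (String[] c : calls) {
            AccessRequest r = new AccessRequest(c[0], "default", "LIVY", c[1]);
            System.out.printf("%-8s %-6s -> %s%n", c[0], c[1], isAllowed(r) ? "ALLOW" : "DENY");
        }
    }
}
```

Only the analyst GET and engineer DELETE requests are allowed; the other four are denied because no policy names that user and verb together.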