Posted to commits@kudu.apache.org by aw...@apache.org on 2020/03/30 18:53:34 UTC

[kudu] 01/04: [ranger] add more comments for Ranger privilege model

This is an automated email from the ASF dual-hosted git repository.

awong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git

commit b9faf6c23ac1499bddf7b32b6433268d12df642b
Author: Hao Hao <ha...@cloudera.com>
AuthorDate: Thu Mar 26 15:57:52 2020 -0700

    [ranger] add more comments for Ranger privilege model
    
    Change-Id: I1b827d06c7657e450903333d820dc9ef9313dcd6
    Reviewed-on: http://gerrit.cloudera.org:8080/15566
    Tested-by: Kudu Jenkins
    Reviewed-by: Andrew Wong <aw...@cloudera.com>
---
 src/kudu/master/ranger_authz_provider.h |  8 -------
 src/kudu/ranger/ranger.proto            | 37 +++++++++++++++++++++++----------
 src/kudu/ranger/ranger_client.h         |  7 ++++++-
 3 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/src/kudu/master/ranger_authz_provider.h b/src/kudu/master/ranger_authz_provider.h
index a97ad12..bdfb11a 100644
--- a/src/kudu/master/ranger_authz_provider.h
+++ b/src/kudu/master/ranger_authz_provider.h
@@ -40,14 +40,6 @@ namespace master {
 // An implementation of AuthzProvider that connects to Ranger and translates
 // authorization requests to Ranger and allows or denies the actions based on
 // the received responses.
-//
-// The privilege model for Kudu operations with Ranger follows the existing
-// one enforced with Sentry (see sentry_authz_provider.cc). However note that
-// in terms of policy evaluation, Ranger is different than Sentry that a policy
-// with a higher scope in the hierarchy cannot imply a lower scope its hierarchy
-// tree. e.g. 'METADATA on db=a' cannot imply 'METADATA on db=a->table=tbl'.
-// Therefore, in Ranger world one can grant 'METADATA on db=a->table=*->column=*'
-// to match with Sentry policy 'METADATA on db=a'.
 class RangerAuthzProvider : public AuthzProvider {
  public:
 
diff --git a/src/kudu/ranger/ranger.proto b/src/kudu/ranger/ranger.proto
index 939f3b0..1f9169a 100644
--- a/src/kudu/ranger/ranger.proto
+++ b/src/kudu/ranger/ranger.proto
@@ -18,17 +18,32 @@ syntax = "proto2";
 package kudu.ranger;
 option java_package = "org.apache.kudu.ranger";
 
-// Describes the type of action that can be performed in Ranger.
-//
-// SQL-like action types used by Ranger. ALL implies all other privilege types
-// and all privilege types imply METADATA. METADATA is used for discovery
-// (listing tables).
-//
-// The action type mapping is similar to the one in Sentry which was implemented
-// before Ranger and the same privileges have to be enforced with both
-// authorization providers.
-//
-// For more information on fine grained authz check out docs/security.adoc
+// Similar to Sentry, in Ranger, an action is an operation taken on an
+// authorizable, an authorizable is a linear hierarchically structured
+// resource (database -> table -> column), and 'privileges' are composed
+// of an authorizable and an action, e.g. CREATE ON DATABASE a (db=a).
+
+// SQL-like action types are used in Ranger. All actions are independent,
+// except that ALL subsumes every other action, and every action subsumes
+// METADATA.
+
+// In term of privilege evaluation, unlike Sentry, (where authorizables higher
+// up on the hierarchy can imply authorizables lower on the hierarchy, e.g.
+// database implies table), Ranger doesn't have the concept of hierarchical
+// implication. To be more specific, privilege 'METADATA ON DATABASE a (db=a)'
+// does not imply 'METADATA ON TABLE a.tbl (db=a->table=tbl)'. Thus, in Ranger
+// users granted with 'METADATA ON DATABASE a' cannot perform an action that
+// requires 'METADATA ON TABLE a.tbl'. On the other hand, Ranger supports
+// wildcard matching on authorizables, e.g. 'db=a->table=*' matches all the
+// tables that belong to DATABASE a. Therefore, in Ranger users actually need
+// 'METADATA ON db=a->table=*->column=*' privilege to match the semantics of
+// 'METADATA ON db=a' in Sentry.
+
+// Nevertheless, the same set of privileges are enforced/required for Kudu
+// operations with both Sentry and Ranger. For the detailed privilege
+// enforcement information see 'Policy for Kudu Masters/Tablet Servers'
+// section in docs/security.adoc.
+
 enum ActionPB {
   SELECT = 0;
   INSERT = 1;
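Review bot: The rewritten comment block (L65–L89) is now separated from `enum ActionPB` by the blank line at L90, so it is no longer a leading comment attached to the enum for protoc-based doc tooling, whereas the removed text was directly adjacent to `enum ActionPB {`; dropping that blank line keeps the description attached. The sentence "ALL subsumes every other action, and every action subsumes METADATA" does not say where that implication is enforced, which is what someone auditing a Ranger grant needs to know; if it is Kudu's own mapping rather than Ranger policy evaluation (I cannot tell from this hunk), say so explicitly, e.g. `// Note: this subsumption is applied on the Kudu side when building the Ranger request, not by Ranger itself — confirm against ranger_client.cc.` Minor wording at L74: `// In terms of privilege evaluation, unlike Sentry, (where authorizables higher`.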
diff --git a/src/kudu/ranger/ranger_client.h b/src/kudu/ranger/ranger_client.h
index 2b1bbe1..cdfb8ed 100644
--- a/src/kudu/ranger/ranger_client.h
+++ b/src/kudu/ranger/ranger_client.h
@@ -52,7 +52,12 @@ typedef subprocess::SubprocessProxy<RangerRequestListPB, RangerResponseListPB,
 class RangerClient {
  public:
   // Similar to SentryAuthorizableScope scope which indicates the
-  // hierarchy of authorizables (database → table).
+  // hierarchy of authorizables (database -> table -> column). For
+  // example, authorizable 'db=a' has database level scope, while
+  // authorizable 'db=a->table=b' has table level scope. Note that
+  // COLUMN level scope is not defined in the enum as it is not
+  // used yet in the code (although the concept still apply when
+  // authorizing column level privileges).
   enum Scope {
     DATABASE,
     TABLE
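Review bot: The new comment explains why COLUMN is absent from `Scope` but states that "the concept still apply", which should read "applies"; the sentence could be tightened to `// used yet in the code (although the concept still applies when` without changing its meaning. It would also help a reader auditing privilege checks to state that a missing COLUMN enum value means callers cannot currently express a column-scoped authorizable through this enum, rather than leaving that as an implication. The `enum Scope` body continues past the end of this hunk.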