Posted to dev@pegasus.apache.org by "kirbyzhou (via GitHub)" <gi...@apache.org> on 2023/02/22 08:30:22 UTC

[GitHub] [incubator-pegasus] kirbyzhou commented on issue #1054: Feature: Integrate with Apache Ranger

kirbyzhou commented on issue #1054:
URL: https://github.com/apache/incubator-pegasus/issues/1054#issuecomment-1439617065

   See https://issues.apache.org/jira/browse/RANGER-3831
   You have to import the service definition into Ranger first.
   
   Using the REST API of ranger:
   
   curl -X 'POST' \
     'http://rangerhost:6080/service/public/v2/api/servicedef' \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -u 'admin:adminpassword' \
     -d ***@***.***'
   
   
   
   WHBANG ***@***.***> wrote on Wed, Feb 22, 2023 at 11:45:
   
   > Introduce the implementation and how to use:
   >
   >    1. The class diagram
   >    [image: image]
   >    <https://user-images.githubusercontent.com/38547944/218993763-91a7072b-086b-44fa-9041-636c5ea1d089.png>
   >
   > First, you need to add ACL related configurations. The client
   > configuration has not changed, the server has added new configurations:
   >
   > enable_ranger_acl: indicates whether to use ranger for acl
   >
   > ranger_service_url: ranger server url
   >
   > ranger_service_name: use ranger policy name
   >
   > mandatory_enable_acl: mandatory use ranger policy, currently used for testing
   >
   >
   > The details are as follows:
   >
   > server
   >
   > [security]
   >   update_ranger_policy_interval_sec
   >
   > [ranger]
   >   ranger_service_url
   >   ranger_service_name
   >   ranger_legacy_table_database_mapping_rule
   >   mandatory_enable_acl
   >
   > [security]
   >   enable_auth = true
   >   krb5_keytab = /root/apache/pegasus.keytab
   >   krb5_config = /etc/krb5.conf
   >   krb5_principal = XXXXX
   >   sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
   >   service_fqdn = XXXXX
   >   service_name = XXXXX
   >   mandatory_auth = true
   >   enable_acl = true
   >   super_users =
   >   meta_acl_rpc_allow_list =
   >   enable_ranger_acl = true
   >
   >
   > java client
   >
   > meta_servers = 127.0.0.1:34601,127.0.0.1:34602,127.0.0.1:34603
   > operation_timeout = 5000
   > async_workers = 4
   > enable_perf_counter = false
   > perf_counter_tags = cluster=onebox,app=unit_test
   > push_counter_interval_secs = 10
   > meta_query_timeout = 5000
   > auth_protocol = kerberos
   > kerberos_service_name = XXXXX
   > kerberos_service_fqdn = XXXXX
   > kerberos_keytab = /root/apache/pegasus.keytab
   > kerberos_principal = XXXXX
   >
   >
   > shell
   >
   > [security]
   >   enable_auth = true
   >   krb5_keytab = /root/apache/pegasus.keytab
   >   krb5_config = /etc/krb5.conf
   >   krb5_principal = XXXXX
   >   sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
   >   service_fqdn = XXXXX
   >   service_name = XXXXX
   >
   >
   > Second compatibility:
   > Retained the old ACL mode
   >
   >    1. Use the old ACL
   >
   > enable_acl = true
   >
   > enable_ranger_acl = false
   >
   >
   >
   >    1. Use ranger for ACL
   >
   > enable_acl = true
   >
   > enable_ranger_acl = true
   >
   >
   >
   >    1. Third, define the ranger policy
   >
   >
   >    - Pegasus resources can be divided into multiple types, and the
   >    operation types of each resource can also be divided. One operation type
   >    corresponds to one ACL symbol
   >
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204430376-17e8ae9a-bdac-466c-a2a7-d4f27cae09e0.png>
   >
   >    - ACLs on each type of resource correspond to specific rpc_code
   >
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204430797-5b45e079-84c5-4f3e-a470-db063d6d87d5.png>
   >
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204430865-ffc16771-90ca-43c7-903a-5451cb58c86c.png>
   >
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204430917-febf6ba1-eddc-4db0-b428-a00e7e651828.png>
   >
   >    1. pegasus+ranger
   >
   > After completing the integration of ranger with pegasus, you can set
   > permissions on the ranger web page according to your own needs
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204432012-230db07c-47d0-4960-9c10-04340c19b2ff.png>
   > [image: image]
   > <https://user-images.githubusercontent.com/38547944/204432186-344267c5-d966-4b21-99f5-cc6d4ade55db.png>
   >
   >
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pegasus.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
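
The ACL settings described in the quoted message can be checked before a server is started. The following Python sketch is an added example, not part of the original message or of the Pegasus code base; the sample config is constructed, and the "undefined" mode and the plain-http finding are assumptions of this example.

```python
import configparser
# Constructed sample; host and values are placeholders, not from a real cluster.
SAMPLE = """\
[security]
update_ranger_policy_interval_sec = 5
[ranger]
ranger_service_url = http://rangerhost:6080
ranger_service_name =
mandatory_enable_acl = true
[security]
enable_acl = true
enable_ranger_acl = true
"""

def check_acl_config(text):
    """Return (mode, findings) for a Pegasus server config given as text."""
    # strict=False merges a repeated [security] section, as in the quoted post;
    # allow_no_value tolerates keys listed without '='.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True, interpolation=None)
    cp.read_string(text)

    def value(section, key):
        return (cp.get(section, key, fallback="") or "").strip()

    def flag(section, key):
        return value(section, key).lower() == "true"

    findings = []
    acl = flag("security", "enable_acl")
    ranger = flag("security", "enable_ranger_acl")
    if acl and ranger:
        mode = "ranger"
    elif acl:
        mode = "legacy"
    elif ranger:
        mode = "undefined"  # assumption: the post does not describe this combination
        findings.append("enable_ranger_acl is set without enable_acl")
    else:
        mode = "none"
    if ranger:
        for key in ("ranger_service_url", "ranger_service_name"):
            if not value("ranger", key):
                findings.append(f"[ranger] {key} is empty or missing")
        # Assumption of this example: flag policy fetches over unencrypted HTTP.
        if value("ranger", "ranger_service_url").lower().startswith("http://"):
            findings.append("ranger_service_url uses plain http")
    if flag("ranger", "mandatory_enable_acl"):
        findings.append("mandatory_enable_acl is on (described as a testing option)")
    return mode, findings
```
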

