Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/03/28 12:37:57 UTC

[GitHub] [druid] bolkedebruin opened a new pull request #9579: Add Apache Ranger Authorization

bolkedebruin opened a new pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579
 
 
   ### Description
   
   This adds support for Apache Ranger authorization. Apache Ranger provides comprehensive support for authorization. 
   
   Documentation to be added after agreeing upon design. I would like to add this to the "core extensions" as this is a feature for enterprises and Apache Ranger is part of CDH/HDP (merged) distribution.
   
   <hr>
   
   This PR has:
   - [X] been self-reviewed.
      - [X] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [ ] added documentation for new or modified features or behaviors.
   - [X] added unit tests or modified existing tests to cover new code paths.
   - [ ] added integration tests.
   - [ ] been tested in a test Druid cluster.
   
   cc @Fokko 



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399772774
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
+
+  public static final String RANGER_DRUID_SERVICETYPE = "druid";
+  public static final String RANGER_DRUID_APPID = "druid";
+
+  public static final String RANGER_DRUID_DEFAULT_HADOOP_CONF = "druid-ranger-site.xml";
+
+  private RangerBasePlugin rangerPlugin;
+  private boolean useUgi;
+
+  @JsonCreator
+  public RangerAuthorizer(
+      @JsonProperty("keytab") String keytab,
+      @JsonProperty("principal") String principal,
+      @JsonProperty("use_ugi") boolean useUgi,
+      @JsonProperty("hadoop_config") String hadoopConfig)
+  {
+    Configuration configuration = new Configuration();
+
+    this.useUgi = useUgi;
+
+    if (hadoopConfig != null) {
+      URL url = configuration.getResource(hadoopConfig);
+      if (url == null) {
+        LOG.warn("Hadoop config " + hadoopConfig + " not found");
+      } else {
+        configuration.addResource(url);
+      }
+    } else {
+      URL url = configuration.getResource(RANGER_DRUID_DEFAULT_HADOOP_CONF);
+      if (LOG.isDebugEnabled()) {
+        LOG.debug("Trying to load Hadoop config from " + url + " (can be null)");
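Review bot: An explicitly configured `hadoop_config` that cannot be resolved is only logged at warn level in the `url == null` branch, and the constructor then carries on without it. For an authorizer that is a quiet misconfiguration: whatever Hadoop security or group-mapping settings the operator put in that file are not applied, and with `use_ugi` enabled the group lookups would presumably run against default Hadoop settings. Unless a check outside the quoted lines rejects this case, fail at startup instead, e.g. `throw new IAE("Hadoop config [%s] not found", hadoopConfig);` (`IAE` is already imported). The same lines are quoted again in the later RangerAuthorizer.java hunks, and the constructor body continues past the end of this hunk.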
 
 Review comment:
   ```suggestion
           LOG.debug("Trying to load Hadoop config from %s (can be null) from %s", url, RANGER_DRUID_DEFAULT_HADOOP_CONF);
   ```



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774453
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/test/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizerTest.java
 ##########
 @@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Resource;
+import org.apache.druid.server.security.ResourceType;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class RangerAuthorizerTest
+{
+  static RangerAuthorizer rangerAuthorizer = null;
+
+  private static final AuthenticationResult alice = new AuthenticationResult("alice", null, null, null);
+  private static final AuthenticationResult bob = new AuthenticationResult("bob", null, null, null);
+
+  private static final Resource aliceDatasource = new Resource("alice-datasource", ResourceType.DATASOURCE);
+  private static final Resource aliceConfig = new Resource("config", ResourceType.CONFIG);
+  private static final Resource aliceState = new Resource("state", ResourceType.STATE);
+
+  @BeforeClass
+  public static void setupBeforeClass()
+  {
+    Map<String, String> config = new HashMap<>();
+    rangerAuthorizer = new RangerAuthorizer(null, null, false, null);
+  }
+
+  @Test
+  public void testOperations()
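Review bot: The fixture names overstate what the fixtures are: `aliceConfig` and `aliceState` are the generic `config` and `state` resources rather than anything owned by alice, so `configResource` / `stateResource` would read more truthfully in an authorization test where the user/resource pairing is the whole point. `rangerAuthorizer` is also a package-private mutable static initialised to `null`; `private static RangerAuthorizer rangerAuthorizer;` is enough. A short comment on `setupBeforeClass` stating where the policies evaluated by `new RangerAuthorizer(null, null, false, null)` come from would help, since that is not visible in the test class as quoted. The body of `testOperations` lies outside this hunk, and the same file is quoted again in the next review comment.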
 
 Review comment:
   Can we also check if something isn't allowed? :)



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774391
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/test/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizerTest.java
 ##########
 @@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Resource;
+import org.apache.druid.server.security.ResourceType;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class RangerAuthorizerTest
+{
+  static RangerAuthorizer rangerAuthorizer = null;
+
+  private static final AuthenticationResult alice = new AuthenticationResult("alice", null, null, null);
+  private static final AuthenticationResult bob = new AuthenticationResult("bob", null, null, null);
+
+  private static final Resource aliceDatasource = new Resource("alice-datasource", ResourceType.DATASOURCE);
+  private static final Resource aliceConfig = new Resource("config", ResourceType.CONFIG);
+  private static final Resource aliceState = new Resource("state", ResourceType.STATE);
+
+  @BeforeClass
+  public static void setupBeforeClass()
+  {
+    Map<String, String> config = new HashMap<>();
 
 Review comment:
   I think we can remove this line.



[GitHub] [druid] lgtm-com[bot] commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
lgtm-com[bot] commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-609002927
 
 
   This pull request **introduces 1 alert** when merging a536044c4081e7030a312596d6da4fff6a331360 into 4d277dbf9901a592789fbcc6b1dff1ebebb5e00e - [view on LGTM.com](https://lgtm.com/projects/g/apache/druid/rev/pr-c08e1fa7151bf562082e3ffd8cde7d5c000ee685)
   
   **new alerts:**
   
   * 1 for Dereferenced variable may be null



[GitHub] [druid] jihoonson commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
jihoonson commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r400554467
 
 

 ##########
 File path: extensions-core/druid-ranger-security/pom.xml
 ##########
 @@ -0,0 +1,389 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.apache.druid.extensions</groupId>
+    <artifactId>druid-ranger-security</artifactId>
+    <name>druid-ranger-security</name>
+    <description>druid-ranger-security</description>
+
+    <parent>
+        <groupId>org.apache.druid</groupId>
+        <artifactId>druid</artifactId>
+        <version>0.18.0-SNAPSHOT</version>
 
 Review comment:
   Would you please update the version to 0.19.0-SNAPSHOT?



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399772615
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
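Review bot: `RangerAuthorizer` is a public, Jackson-registered type (`@JsonTypeName("ranger")`) with no class-level Javadoc. Since this is the type operators select in configuration, a short Javadoc above the annotation should say that it implements `Authorizer` by consulting Apache Ranger and name the JSON properties its creator accepts. A first sentence such as `/** Authorizer backed by Apache Ranger policies; selected with type "ranger". */` would do. The class body continues outside this hunk.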
 
 Review comment:
   ```suggestion
     private static final Logger log = new Logger(RangerAuthorizer.class);
   ```



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-605976965
 
 
   Ready for re-review @Fokko 



[GitHub] [druid] bolkedebruin edited a comment on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin edited a comment on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-606549501
 
 
   > The CI is failing. One is a wrong dependency which is fixed in #9578. Another is the license name "Apache 2.0 License" is not registered. You could probably fix it by adding it [here](https://github.com/apache/druid/blob/master/distribution/bin/check-licenses.py#L226).
   
   Done. I left the wrong dependency to #9578. Let's see what the CI does @jihoonson @Fokko 



[GitHub] [druid] himanshug commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-610115237
 
 
   yeah, but people forget and not all reviewers are up-to-date with all new developments :)



[GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
ccaominh commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-609957819
 
 
   @bolkedebruin Yeah, the security scan runs as a daily job instead of on PR validation as we were having issues where PRs that did not modify dependencies would get blocked incorrectly. You can run the security vulnerability scan manually via: `mvn dependency-check:check`. Thanks!



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774184
 
 

 ##########
 File path: docs/development/extensions-core/druid-ranger-security.md
 ##########
 @@ -0,0 +1,86 @@
+---
+id: druid-ranger-security
+title: "Apache Ranger Security"
+---
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+  
+This Apache Druid extension adds:
+
+- an Authorizer which implements access control for the Druid metastore against Apache Ranger
+
+Make sure to [include](../../development/extensions.md#loading-extensions) `druid-ranger-security` as an extension.
+
+Please see [Authentication and Authorization](../../design/auth.md) for more information on the extension interfaces being implemented.
+
+## Configuration
+
+Support for Apache Ranger authorization consists of three elements: configuration of the extension 
+in Apache Druid, configuring the connection the Apache Ranger and providing the service definition for Druid to Apache Ranger. 
+
+### Properties to configure the extension in Apache Druid
+|Property|Description|Default|required|
+|--------|-----------|-------|--------|
+|`druid.auth.ranger.keytab`|Defines the keytab to be used while authenticating against Apache Ranger to obtain policies and provide auditing|null|No|
+|`druid.auth.ranger.principal`|Defines the principal to be used while authenticating against Apache Ranger to obtain policies and provide auditing|null|No|
+|`druid.auth.ranger.use_ugi`|Determines if groups that the authenticated user belongs to should be obtained from Hadoop's UserGroupInformation|null|No|
+|`druid.auth.ranger.hadoop_config`|If defined, loads extra configuration for Hadoop's UserGroupInformation from this file|ranger-druid-site.xml|No|
+
+### Configuring the connection to Apache Ranger
+
+The Apache Ranger authorization extension will read several configuration files. Discussing the
+the contents of those files is beyond the scope of this document. Depending your needs you will 
 
 Review comment:
   ```suggestion
   the contents of those files are beyond the scope of this document. Depending on your needs you will 
   ```



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399772685
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
+
+  public static final String RANGER_DRUID_SERVICETYPE = "druid";
+  public static final String RANGER_DRUID_APPID = "druid";
+
+  public static final String RANGER_DRUID_DEFAULT_HADOOP_CONF = "druid-ranger-site.xml";
+
+  private RangerBasePlugin rangerPlugin;
+  private boolean useUgi;
+
+  @JsonCreator
+  public RangerAuthorizer(
+      @JsonProperty("keytab") String keytab,
+      @JsonProperty("principal") String principal,
+      @JsonProperty("use_ugi") boolean useUgi,
+      @JsonProperty("hadoop_config") String hadoopConfig)
+  {
+    Configuration configuration = new Configuration();
+
+    this.useUgi = useUgi;
+
+    if (hadoopConfig != null) {
+      URL url = configuration.getResource(hadoopConfig);
+      if (url == null) {
+        LOG.warn("Hadoop config " + hadoopConfig + " not found");
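Review bot: `RANGER_DRUID_DEFAULT_HADOOP_CONF` is `druid-ranger-site.xml`, but the documentation added in this pull request gives `ranger-druid-site.xml` as the default for `hadoop_config`; one of the two needs to change. An operator who follows the docs would ship a file that the default lookup never finds, and the first quoted RangerAuthorizer.java hunk shows that case producing only a debug line. The docs also give `null` as the default for `use_ugi`, while the creator parameter is a primitive `boolean`, so an absent value presumably binds to `false`. A comment on the constant such as `// Default Hadoop config resource used when hadoop_config is not set; keep in sync with the extension docs` would make the coupling visible. The constructor continues beyond this hunk.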
 
 Review comment:
   ```suggestion
           LOG.warn("Hadoop config %s not found", hadoopConfig);
   ```



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399772938
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
+
+  public static final String RANGER_DRUID_SERVICETYPE = "druid";
+  public static final String RANGER_DRUID_APPID = "druid";
+
+  public static final String RANGER_DRUID_DEFAULT_HADOOP_CONF = "druid-ranger-site.xml";
+
+  private RangerBasePlugin rangerPlugin;
+  private boolean useUgi;
+
+  @JsonCreator
+  public RangerAuthorizer(
+      @JsonProperty("keytab") String keytab,
+      @JsonProperty("principal") String principal,
+      @JsonProperty("use_ugi") boolean useUgi,
+      @JsonProperty("hadoop_config") String hadoopConfig)
+  {
+    Configuration configuration = new Configuration();
+
+    this.useUgi = useUgi;
+
+    if (hadoopConfig != null) {
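Review bot: `RANGER_DRUID_DEFAULT_HADOOP_CONF` is set to `"druid-ranger-site.xml"`, but the extension documentation added in this same pull request lists `ranger-druid-site.xml` as the default for `druid.auth.ranger.hadoop_config`, so one of the two names is wrong. An operator who ships the file under the documented name would presumably have it skipped without an error, leaving the authorizer on Hadoop defaults rather than the intended security settings. Either align the constant with the docs or correct the docs, and record the contract next to the constant, for example `// Default classpath resource for hadoop_config; must match docs/development/extensions-core/druid-ranger-security.md`. The same constant appears in the other quoted copies of this file section further down the thread, and the constructor body continues outside the hunk, so how the default is actually used is not visible here.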
 
 Review comment:
   I would structure it a bit differently:
   ```java
   final URL url;
   if (hadoopConfig != null) {
     url = configuration.getResource(hadoopConfig);
     if (url == null) {
       LOG.warn("Hadoop config %s not found", hadoopConfig);
     }
   } else {
     url = configuration.getResource(RANGER_DRUID_DEFAULT_HADOOP_CONF);
     if (LOG.isDebugEnabled()) {
       LOG.debug("Trying to load Hadoop config from %s (can be null) from %s", url, RANGER_DRUID_DEFAULT_HADOOP_CONF);
     }
   }
   if (url != null) {
     configuration.addResource(url);
   }
   ```



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-610108509
 
 
   An alternative could be to ask to run it manually and add the report to the PR. @himanshug. 



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774111
 
 

 ##########
 File path: docs/development/extensions-core/druid-ranger-security.md
 ##########
 @@ -0,0 +1,86 @@
+---
+id: druid-ranger-security
+title: "Apache Ranger Security"
+---
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+  
+This Apache Druid extension adds:
+
+- an Authorizer which implements access control for the Druid metastore against Apache Ranger
+
+Make sure to [include](../../development/extensions.md#loading-extensions) `druid-ranger-security` as an extension.
+
+Please see [Authentication and Authorization](../../design/auth.md) for more information on the extension interfaces being implemented.
+
+## Configuration
+
+Support for Apache Ranger authorization consists of three elements: configuration of the extension 
+in Apache Druid, configuring the connection the Apache Ranger and providing the service definition for Druid to Apache Ranger. 
 
 Review comment:
   ```suggestion
   in Apache Druid, configuring the connection to Apache Ranger and providing the service definition for Druid to Apache Ranger. 
   ```



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-610899468
 
 
   @himanshug both vulnerabilities are only exposed when you configure them to do so. It is not a default config. Log4j requires the SocketAppender to be configured, which is not (overly) typical to do, and Kafka needs to be enabled for Ranger, which is also not very typical to do. I can remove the dependency on Kafka from Ranger without any adverse effects.



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-610358321
 
 
   @ccaominh @himanshug my suggestion to fix this is 1) replace log4j with a recent version for this dependency - I just built Ranger with the latest log4j and it's a drop-in 2) remove kafka. This requires a patch which is in an unreleased version of Ranger. It is also not often used



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399773640
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
+
+  public static final String RANGER_DRUID_SERVICETYPE = "druid";
+  public static final String RANGER_DRUID_APPID = "druid";
+
+  public static final String RANGER_DRUID_DEFAULT_HADOOP_CONF = "druid-ranger-site.xml";
+
+  private RangerBasePlugin rangerPlugin;
 
 Review comment:
   ```suggestion
     private final RangerBasePlugin rangerPlugin;
   ```



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399774215
 
 

 ##########
 File path: docs/development/extensions-core/druid-ranger-security.md
 ##########
 @@ -0,0 +1,86 @@
+---
+id: druid-ranger-security
+title: "Apache Ranger Security"
+---
+
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one
+  ~ or more contributor license agreements.  See the NOTICE file
+  ~ distributed with this work for additional information
+  ~ regarding copyright ownership.  The ASF licenses this file
+  ~ to you under the Apache License, Version 2.0 (the
+  ~ "License"); you may not use this file except in compliance
+  ~ with the License.  You may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+  
+This Apache Druid extension adds:
+
+- an Authorizer which implements access control for the Druid metastore against Apache Ranger
+
+Make sure to [include](../../development/extensions.md#loading-extensions) `druid-ranger-security` as an extension.
+
+Please see [Authentication and Authorization](../../design/auth.md) for more information on the extension interfaces being implemented.
+
+## Configuration
+
+Support for Apache Ranger authorization consists of three elements: configuration of the extension 
+in Apache Druid, configuring the connection the Apache Ranger and providing the service definition for Druid to Apache Ranger. 
+
+### Properties to configure the extension in Apache Druid
+|Property|Description|Default|required|
+|--------|-----------|-------|--------|
+|`druid.auth.ranger.keytab`|Defines the keytab to be used while authenticating against Apache Ranger to obtain policies and provide auditing|null|No|
+|`druid.auth.ranger.principal`|Defines the principal to be used while authenticating against Apache Ranger to obtain policies and provide auditing|null|No|
+|`druid.auth.ranger.use_ugi`|Determines if groups that the authenticated user belongs to should be obtained from Hadoop's UserGroupInformation|null|No|
+|`druid.auth.ranger.hadoop_config`|If defined, loads extra configuration for Hadoop's UserGroupInformation from this file|ranger-druid-site.xml|No|
+
+### Configuring the connection to Apache Ranger
+
+The Apache Ranger authorization extension will read several configuration files. Discussing the
+the contents of those files is beyond the scope of this document. Depending your needs you will 
+need to create them. The minimum you will need to have is a `ranger-druid-security.xml` file 
+that you will need to put in the classpath. For auditing the configuration is in `ranger-druid-audit.xml`.
 
 Review comment:
   ```suggestion
   that you will need to put in the classpath. For auditing, the configuration is in `ranger-druid-audit.xml`.
   ```



[GitHub] [druid] himanshug commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-609983019
 
 
   @ccaominh we should try to enable the check in PR builds or else this situation would re-occur; also, it might take extra work figuring out exactly which PR merge broke things if multiple PRs were merged in a day.



[GitHub] [druid] himanshug commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-610536889
 
 
   (1) sounds good to me
   (2) sounds good as well but seems not doable unless that version of Ranger is released? In that case we can probably leave that as a known issue for now and include it in the docs for this extension so that users can make an informed decision. I am not yet sure what the impact of this is, so documenting that would be nice.



[GitHub] [druid] Fokko merged pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko merged pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579
 
 
   



[GitHub] [druid] bolkedebruin commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399786959
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/test/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizerTest.java
 ##########
 @@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Resource;
+import org.apache.druid.server.security.ResourceType;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class RangerAuthorizerTest
+{
+  static RangerAuthorizer rangerAuthorizer = null;
+
+  private static final AuthenticationResult alice = new AuthenticationResult("alice", null, null, null);
+  private static final AuthenticationResult bob = new AuthenticationResult("bob", null, null, null);
+
+  private static final Resource aliceDatasource = new Resource("alice-datasource", ResourceType.DATASOURCE);
+  private static final Resource aliceConfig = new Resource("config", ResourceType.CONFIG);
+  private static final Resource aliceState = new Resource("state", ResourceType.STATE);
+
+  @BeforeClass
+  public static void setupBeforeClass()
+  {
+    Map<String, String> config = new HashMap<>();
+    rangerAuthorizer = new RangerAuthorizer(null, null, false, null);
+  }
+
+  @Test
+  public void testOperations()
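Review bot: The `config` map created in `setupBeforeClass` is never read: the authorizer is built with `new RangerAuthorizer(null, null, false, null)`, so `Map<String, String> config = new HashMap<>();` can be deleted, along with the `java.util.HashMap` and `java.util.Map` imports if nothing later in the file needs them. `rangerAuthorizer` is also package-visible and mutable; `private static RangerAuthorizer rangerAuthorizer;` would match the other fixtures. The same lines appear in the second quoted copy of this test file later in the thread, and `testOperations` continues outside the hunk.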
 
 Review comment:
   It isn't really required (there is one however), as we would be testing the logic of Apache Ranger rather than the extension. Deny is the default.



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-607815251
 
 
   @jihoonson @Fokko all green now!



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-609949580
 
 
   @ccaominh saw that too. During the pr this wasn't flagged. I'll check it and verify with upstream. 



[GitHub] [druid] bolkedebruin commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-606549501
 
 
   > The CI is failing. One is a wrong dependency which is fixed in #9578. Another is the license name "Apache 2.0 License" is not registered. You could probably fix it by adding it [here](https://github.com/apache/druid/blob/master/distribution/bin/check-licenses.py#L226).
   
   Done. I left the wrong dependency to #9578. Let's see what the CI does



[GitHub] [druid] Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
Fokko commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399773658
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java
 ##########
 @@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeName;
+import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.java.util.common.logger.Logger;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.Resource;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Locale;
+import java.util.Set;
+
+@JsonTypeName("ranger")
+public class RangerAuthorizer implements Authorizer
+{
+  private static final Logger LOG = new Logger(RangerAuthorizer.class);
+
+  public static final String RANGER_DRUID_SERVICETYPE = "druid";
+  public static final String RANGER_DRUID_APPID = "druid";
+
+  public static final String RANGER_DRUID_DEFAULT_HADOOP_CONF = "druid-ranger-site.xml";
+
+  private RangerBasePlugin rangerPlugin;
+  private boolean useUgi;
 
 Review comment:
   ```suggestion
     private final boolean useUgi;
   ```



[GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
ccaominh commented on issue #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#issuecomment-609946919
 
 
   Looks like the security vulnerability scan is flagging dependencies added by this PR:
   https://travis-ci.org/github/apache/druid/builds/671080994#L1792
   
   > [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:check (default-cli) on project druid-ranger-security: 
   > 
   > [ERROR] 
   > [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0': 
   > [ERROR] 
   > [ERROR] log4j-1.2.17.jar: CVE-2019-17571
   > [ERROR] kafka_2.11-2.0.0.jar: CVE-2019-12399, CVE-2018-17196



[GitHub] [druid] bolkedebruin commented on a change in pull request #9579: Add Apache Ranger Authorization

Posted by GitBox <gi...@apache.org>.
bolkedebruin commented on a change in pull request #9579: Add Apache Ranger Authorization
URL: https://github.com/apache/druid/pull/9579#discussion_r399786959
 
 

 ##########
 File path: extensions-core/druid-ranger-security/src/test/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizerTest.java
 ##########
 @@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.security.ranger.authorizer;
+
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Resource;
+import org.apache.druid.server.security.ResourceType;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class RangerAuthorizerTest
+{
+  static RangerAuthorizer rangerAuthorizer = null;
+
+  private static final AuthenticationResult alice = new AuthenticationResult("alice", null, null, null);
+  private static final AuthenticationResult bob = new AuthenticationResult("bob", null, null, null);
+
+  private static final Resource aliceDatasource = new Resource("alice-datasource", ResourceType.DATASOURCE);
+  private static final Resource aliceConfig = new Resource("config", ResourceType.CONFIG);
+  private static final Resource aliceState = new Resource("state", ResourceType.STATE);
+
+  @BeforeClass
+  public static void setupBeforeClass()
+  {
+    Map<String, String> config = new HashMap<>();
+    rangerAuthorizer = new RangerAuthorizer(null, null, false, null);
+  }
+
+  @Test
+  public void testOperations()
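Review bot: The `config` map created in `setupBeforeClass` is never passed to anything, so `Map<String, String> config = new HashMap<>();` and the `java.util.HashMap` / `java.util.Map` imports are dead code in the lines shown. Either drop them or hand the map to the authorizer if that was the intent. The call `new RangerAuthorizer(null, null, false, null)` is also hard to read in a security test, because nothing here says what each positional argument is or what the `false` flag selects. A one-line comment naming the four arguments would make it clear which configuration the assertions run against. The field could be declared `private static RangerAuthorizer rangerAuthorizer;`, since the explicit `= null` and package visibility add nothing. The body of `testOperations` continues outside the quoted hunk, so whether `bob` and the three resources are all exercised cannot be judged from here.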
 
 Review comment:
   It isn't really required (there is one however), as we would be testing the logic of Apache Ranger rather than the extension. Deny is the default. The test coverage for this function is complete.
