Posted to user@ranger.apache.org by Raghavendran Chellappa <ra...@virtusa.com> on 2015/06/08 15:14:20 UTC

Chaining 2 Ranger Plugins for Hive

Hi,

We are planning to use the default HIVE authorization provider and additionally implement a custom Authorization provider as well.
Can we 'chain' the new/customized Ranger Plugin for Hive after the existing Ranger Plugin for Hive?
I mean, can we list them as 2 separate plugins in "hive.security.authorization.manager" properties in the hive-site.xml? Ideally we will want the default HIVE authorization to pass before our custom hive authorization provider is called.

So, will this be possible, if we provide the values as comma separated values in the "hive.security.authorization.manager" property?

Thanks,
Raga

Raghavendran Chellappa


-----------------------------------------------------------------------------------------
Virtusa was recently featured in Everest Group's PEAK Matrix for Banking Application Outsourcing,Life Sciences IT Outsourcing and Healthcare Payer Industry IT Outsourcing,Forrester Research's report on major mid-sized offshore IT services vendors, 2013 Forbes List of 100 Best Public Companies In America with revenue less than $1B and won the 2013 Frost & Sullivan Customer Value Leadership Award for System Integration for CEM in Healthcare.

-----------------------------------------------------------------------------------------
This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is intended for the addressee only. Any unauthorized disclosure, use, dissemination, copying, or distribution of this message or any of its attachments or the information contained in this e-mail, or the taking of any action based on it, is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail and delete this message.
-----------------------------------------------------------------------------------------

Re: Chaining 2 Ranger Plugins for Hive

Posted by Balaji Ganesan <ba...@gmail.com>.
To add to Bosco's point, you may want to refer to this JIRA
https://issues.apache.org/jira/browse/RANGER-256

Ranger plugin has context enricher class which can be modified to add in
custom REST service lookup as part of the authorization.

https://github.com/apache/incubator-ranger/blob/master/security-admin/src/main/java/org/apache/ranger/entity/XXContextEnricherDef.java

On Mon, Jun 8, 2015 at 8:25 PM, Don Bosco Durai <bo...@apache.org> wrote:

> Regarding extending Ranger authorizer classes, you have two options:
>
>    1. Use Ranger dynamic policies. This will allow you to write your own
>    java class and implement custom logic. You can use this in any Ranger
>    permission. This has been introduced in Apache Ranger 0.5, so there is not
>    much documentation. But we can help you here. One thing to note here is
>    that Apache Ranger works in permissive mode, e.g. by default no one
>    has permission in Hive, but if you give permission to a user or group to a
>    resource (database, table, column, etc), then you can negate that
>    permission. So if your policy will just give “allow”, then it will fit
>    nicely in Ranger model. But if you want to deny, then it won’t work. In 0.6
>    we should introduce negative policy, but if this is your requirement now,
>    then you can consider option #2.
>    2. In this option, you can extend the Ranger Hive Authorizer class.
>    After that, you need to update the servicedef (.json) file to replace the
>    authorizer with your class. Documentation is lacking here, but we can help.
>    Once you have overwritten, then you can do your check first and return
>    “true/false” from there or fall back to Ranger by calling super.method().
>    If you are going by this option, you might have to call the audit method
>    explicitly.
>
>
> Let us know which way you want to go, we can help either way.
>
> Thanks
>
> Bosco
>
>
> From: Raghavendran Chellappa <ra...@virtusa.com>
> Reply-To: "user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> Date: Monday, June 8, 2015 at 12:59 PM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Cc: "thejas.nair@gmail.com" <th...@gmail.com>
> Subject: RE: Chaining 2 Ranger Plugins for Hive
>
> Many thanks for your reply Alok.
>
>
>
> 2 follow up questions:
>
> 1.       In the link
> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-authorization.html
>
> the NOTE at the bottom of the page says that “The
> hive.security.authorization.manager configuration property allows
> multiple authorization managers in comma-delimited format”.
>
> Is this applicable in the context of a Ranger Plugin?
>
>
>
> 2.       About extending Ranger authorizer classes, we need to do an
> external REST service lookup (as a part of custom authorization check). We
> need a REST service because the authorization logic is very different from
> the standard authorization provided by Ranger (has contextual information
> of the resource).
>
> With this in mind, can we extend the Ranger HIVE plugin and add our
> call to the REST service? Are there some samples of this?
>
> Or,  Do we need to implement a new Ranger Plugin for Hive?
>
> thanks,
> Raga
>
>
>
>
>
> *Raghavendran Chellappa*
>
> Associate Director – Technology
>
> Virtusa Corp.
>
> Mobile: +1-402.677.1413
>
> Virtusa internal VOIP: 89538
>
>
>
> *From:* Alok Lal [mailto:alal@hortonworks.com <al...@hortonworks.com>]
> *Sent:* Monday, June 08, 2015 1:57 PM
> *To:* user@ranger.incubator.apache.org
> *Cc:* thejas.nair@gmail.com
> *Subject:* Re: Chaining 2 Ranger Plugins for Hive
>
>
>
> has confirmed that one authorizer is currently supported by that config.
> Thanks @Thejas Nair (a Hive-pmc
> <https://people.apache.org/committers-by-project.html#hive-pmc>) for
> confirmation.
>
> @Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and
> RangerHiveAuthorizer) aren’t final an option might be to extend them.
>
>
>
>
>
> *From: *Raghavendran Chellappa <ra...@virtusa.com>
> *Reply-To: *"user@ranger.incubator.apache.org" <
> user@ranger.incubator.apache.org>
> *Date: *Monday, June 8, 2015 at 6:14 AM
> *To: *"user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org
> >
> *Subject: *Chaining 2 Ranger Plugins for Hive
>
>
>
> Hi,
>
>
>
> We are planning to use the default HIVE authorization provider and
> additionally implement a custom Authorization provider as well.
>
> Can we ‘chain’ the new/customized Ranger Plugin for Hive after the
> existing Ranger Plugin for Hive?
>
> I mean, can we list them as 2 separate plugins in
> “hive.security.authorization.manager” properties in the hive-site.xml?
> Ideally we will want the default HIVE authorization to pass before our
> custom hive authorization provider is called.
>
>
>
> So, will this be possible, if we provide the values as comma separated
> values in the “hive.security.authorization.manager” property?
>
>
>
> Thanks,
>
> Raga
>
>
>
> *Raghavendran Chellappa*
>
>
>

Re: Chaining 2 Ranger Plugins for Hive

Posted by Don Bosco Durai <bo...@apache.org>.
Regarding extending Ranger authorizer classes, you have two options:
1. Use Ranger dynamic policies. This will allow you to write your own Java
class and implement custom logic. You can use this in any Ranger permission.
This has been introduced in Apache Ranger 0.5, so there is not much
documentation. But we can help you here. One thing to note here is that
Apache Ranger works in permissive mode, e.g. by default no one has
permission in Hive, but if you give permission to a user or group to a
resource (database, table, column, etc), then you can negate that
permission. So if your policy will just give "allow", then it will fit
nicely in Ranger model. But if you want to deny, then it won't work. In 0.6
we should introduce negative policy, but if this is your requirement now,
then you can consider option #2.
2. In this option, you can extend the Ranger Hive Authorizer class. After
that, you need to update the servicedef (.json) file to replace the
authorizer with your class. Documentation is lacking here, but we can help.
Once you have overwritten, then you can do your check first and return
"true/false" from there or fall back to Ranger by calling super.method(). If
you are going by this option, you might have to call the audit method
explicitly.

Let us know which way you want to go, we can help either way.

Thanks

Bosco


From:  Raghavendran Chellappa <ra...@virtusa.com>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Monday, June 8, 2015 at 12:59 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Cc:  "thejas.nair@gmail.com" <th...@gmail.com>
Subject:  RE: Chaining 2 Ranger Plugins for Hive

> Many thanks for your reply Alok.
>  
> 2 follow up questions:
> 1.      In the link
> http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-authorization.html
> 
> the NOTE at the bottom of the page says that "The
> hive.security.authorization.manager configuration property allows multiple
> authorization managers in comma-delimited format".
> 
> Is this applicable in the context of a Ranger Plugin?
> 
>  
> 
> 2.      About extending Ranger authorizer classes, we need to do an external
> REST service lookup (as a part of custom authorization check). We need a REST
> service because the authorization logic is very different from the standard
> authorization provided by Ranger (has contextual information of the resource).
> 
> With this in mind, can we extend the Ranger HIVE plugin and add our
> call to the REST service? Are there some samples of this?
> 
> Or,  Do we need to implement a new Ranger Plugin for Hive?
> 
> thanks,
> Raga
>  
>  
> 
> Raghavendran Chellappa
> Associate Director - Technology
> Virtusa Corp.
> Mobile: +1-402.677.1413
> Virtusa internal VOIP: 89538
>  
> 
> From: Alok Lal [mailto:alal@hortonworks.com]
> Sent: Monday, June 08, 2015 1:57 PM
> To: user@ranger.incubator.apache.org
> Cc: thejas.nair@gmail.com
> Subject: Re: Chaining 2 Ranger Plugins for Hive
>  
> 
> has confirmed that one authorizer is currently supported by that config.
> Thanks @Thejas Nair (a Hive-pmc
> <https://people.apache.org/committers-by-project.html#hive-pmc>) for
> confirmation.
> 
> @Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and
> RangerHiveAuthorizer) aren't final an option might be to extend them.
> 
>  
> 
>  
> 
> From: Raghavendran Chellappa <ra...@virtusa.com>
> Reply-To: "user@ranger.incubator.apache.org"
> <us...@ranger.incubator.apache.org>
> Date: Monday, June 8, 2015 at 6:14 AM
> To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
> Subject: Chaining 2 Ranger Plugins for Hive
> 
>  
> 
> Hi,
>  
> We are planning to use the default HIVE authorization provider and
> additionally implement a custom Authorization provider as well.
> Can we 'chain' the new/customized Ranger Plugin for Hive after the existing
> Ranger Plugin for Hive?
> I mean, can we list them as 2 separate plugins in
> "hive.security.authorization.manager" properties in the hive-site.xml? Ideally
> we will want the default HIVE authorization to pass before our custom hive
> authorization provider is called.
>  
> So, will this be possible, if we provide the values as comma separated values
> in the "hive.security.authorization.manager" property?
>  
> Thanks,
> Raga
>  
> Raghavendran Chellappa
>  
> 
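
Option 2 in the reply above (run the custom check first, fall back to the parent authorizer, and audit explicitly), as an added example that is not part of the original thread or of Ranger's code. `BaseAuthorizer`, `ContextLookup` and `AuditSink` are hypothetical stand-ins for RangerHiveAuthorizer, the external REST lookup and the plugin's audit call, so the file compiles without Hive or Ranger on the classpath; the lookup is treated as a deny when it errors or times out.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.*;

public class ChainedAuthorizerDemo {

    /** Collects audit records in memory (stand-in for the plugin's audit call). */
    static class AuditSink {
        final List<String> lines = new ArrayList<>();
        void record(String source, String user, String table, boolean allowed) {
            lines.add(source + " " + user + " " + table + " " + (allowed ? "ALLOW" : "DENY"));
        }
    }

    /** Hypothetical stand-in for RangerHiveAuthorizer: allow-only grants, default deny. */
    static class BaseAuthorizer {
        private final List<String> grants;   // constructed sample grants, "user:table"
        protected final AuditSink audit;
        BaseAuthorizer(List<String> grants, AuditSink audit) { this.grants = grants; this.audit = audit; }
        boolean checkAccess(String user, String table) {
            boolean ok = grants.contains(user + ":" + table);
            audit.record("policy", user, table, ok);   // the parent audits its own decisions
            return ok;
        }
    }

    /** Hypothetical stand-in for the external REST lookup. */
    interface ContextLookup { boolean permits(String user, String table) throws Exception; }

    /** Subclass that runs the custom check first, then falls back to the parent. */
    static class ContextAwareAuthorizer extends BaseAuthorizer {
        private final ContextLookup lookup;
        private final long timeoutMs;
        private final ExecutorService pool = Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r); t.setDaemon(true); return t;   // a hung lookup must not block JVM exit
        });
        ContextAwareAuthorizer(List<String> grants, AuditSink audit, ContextLookup lookup, long timeoutMs) {
            super(grants, audit); this.lookup = lookup; this.timeoutMs = timeoutMs;
        }
        @Override
        boolean checkAccess(String user, String table) {
            Callable<Boolean> call = () -> lookup.permits(user, table);
            Future<Boolean> verdict = pool.submit(call);
            boolean permitted;
            try {
                permitted = verdict.get(timeoutMs, TimeUnit.MILLISECONDS);
            } catch (Exception e) {          // timeout, lookup error or interrupt: fail closed
                verdict.cancel(true);
                if (e instanceof InterruptedException) Thread.currentThread().interrupt();
                permitted = false;
            }
            if (!permitted) {
                audit.record("context", user, table, false);   // parent never ran, so audit here
                return false;
            }
            return super.checkAccess(user, table);   // the custom check narrows access, never widens it
        }
    }

    public static void main(String[] args) {
        AuditSink audit = new AuditSink();
        List<String> grants = List.of("analyst:sales.orders", "etl:sales.orders");   // constructed
        ContextLookup lookup = (user, table) -> {
            if (user.equals("etl")) throw new IllegalStateException("lookup service unreachable");
            return !table.startsWith("hr.");
        };
        BaseAuthorizer authz = new ContextAwareAuthorizer(grants, audit, lookup, 200);
        authz.checkAccess("analyst", "sales.orders");   // lookup permits, policy grants
        authz.checkAccess("analyst", "hr.salaries");    // lookup refuses
        authz.checkAccess("etl", "sales.orders");       // lookup fails although policy would grant
        authz.checkAccess("guest", "sales.orders");     // lookup permits, no policy grant
        audit.lines.forEach(System.out::println);
    }
}
```

Each request leaves exactly one audit line: denials decided by the lookup are recorded by the subclass, everything else by the parent.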


RE: Chaining 2 Ranger Plugins for Hive

Posted by Raghavendran Chellappa <ra...@virtusa.com>.
Many thanks for your reply Alok.

2 follow up questions:

1.       In the link http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.1.3/bk_dataintegration/content/ch_using-hive-authorization.html

the NOTE at the bottom of the page says that "The hive.security.authorization.manager configuration property allows multiple authorization managers in comma-delimited format".

Is this applicable in the context of a Ranger Plugin?



2.       About extending Ranger authorizer classes, we need to do an external REST service lookup (as a part of custom authorization check). We need a REST service because the authorization logic is very different from the standard authorization provided by Ranger (has contextual information of the resource).

With this in mind, can we extend the Ranger HIVE plugin and add our call to the REST service? Are there some samples of this?

Or,  Do we need to implement a new Ranger Plugin for Hive?

thanks,
Raga


Raghavendran Chellappa
Associate Director - Technology
Virtusa Corp.
Mobile: +1-402.677.1413
Virtusa internal VOIP: 89538

From: Alok Lal [mailto:alal@hortonworks.com]
Sent: Monday, June 08, 2015 1:57 PM
To: user@ranger.incubator.apache.org
Cc: thejas.nair@gmail.com
Subject: Re: Chaining 2 Ranger Plugins for Hive


has confirmed that one authorizer is currently supported by that config.  Thanks @Thejas Nair (a Hive-pmc <https://people.apache.org/committers-by-project.html#hive-pmc>) for confirmation.

@Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and RangerHiveAuthorizer) aren't final an option might be to extend them.


From: Raghavendran Chellappa <ra...@virtusa.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Monday, June 8, 2015 at 6:14 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Chaining 2 Ranger Plugins for Hive

Hi,

We are planning to use the default HIVE authorization provider and additionally implement a custom Authorization provider as well.
Can we 'chain' the new/customized Ranger Plugin for Hive after the existing Ranger Plugin for Hive?
I mean, can we list them as 2 separate plugins in "hive.security.authorization.manager" properties in the hive-site.xml? Ideally we will want the default HIVE authorization to pass before our custom hive authorization provider is called.

So, will this be possible, if we provide the values as comma separated values in the "hive.security.authorization.manager" property?

Thanks,
Raga

Raghavendran Chellappa



Re: Chaining 2 Ranger Plugins for Hive

Posted by Alok Lal <al...@hortonworks.com>.
has confirmed that one authorizer is currently supported by that config.  Thanks @Thejas Nair (a Hive-pmc <https://people.apache.org/committers-by-project.html#hive-pmc>) for confirmation.

@Raga since Ranger authorizer classes (RangerHiveAuthorizerFactory and RangerHiveAuthorizer) aren't final an option might be to extend them.


From: Raghavendran Chellappa <ra...@virtusa.com>
Reply-To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Date: Monday, June 8, 2015 at 6:14 AM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Chaining 2 Ranger Plugins for Hive

Hi,

We are planning to use the default HIVE authorization provider and additionally implement a custom Authorization provider as well.
Can we 'chain' the new/customized Ranger Plugin for Hive after the existing Ranger Plugin for Hive?
I mean, can we list them as 2 separate plugins in "hive.security.authorization.manager" properties in the hive-site.xml? Ideally we will want the default HIVE authorization to pass before our custom hive authorization provider is called.

So, will this be possible, if we provide the values as comma separated values in the "hive.security.authorization.manager" property?

Thanks,
Raga

Raghavendran Chellappa

