ranger-examples
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|
parent directory.. | ||||
# Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. 1. Introduction 2. SampleApp A simple application to demonstrate use of pluggable authorization. - IAuthorizer: the authorization interface. Authorizes read/write/execute access to a given file - DefaultAuthorizer: default authorizer implementation, authorizes all accesses - SampleApp: - main application that prompts the user to enter access to authorize in the following format: read filePath user1 userGroup1 userGroup2 userGroup3 write filePath user1 userGroup1 userGroup2 userGroup3 execute filePath user1 userGroup1 userGroup2 userGroup3 3. SampleApp Plugin - RangerAuthorizer implements IAuthorizer interface and performs authorization using Ranger policies. - For simplicity, uses policies in a HDFS service instance (like cl1_hadoop): which uses 'path' as the resource and supports 'read', 'write' and 'execute' accessTypes - conf/ranger-sampleapp-security.xml: has configurations for plugin, like Ranger Admin URL, name of the service containing policies - conf/ranger-sampleapp-audit.xml: has configurations for plugin audit, like log4j logger name, HDFS folder, DB connection details 4. Build $ mvn clean compile package assembly:assembly $ cd ranger-examples $ mvn clean compile package assembly:assembly # Following files created by the build will be required to setup SampleApp: target/ranger-examples-<version>-sampleapp.tar.gz target/ranger-examples-<version>-sampleapp-plugin.tar.gz 5. Setup SampleApp # Create a empty directory to setup the application $ mkdir /tmp/sampleapp $ cd /tmp/sampleapp $ tar xvfz ranger-examples-<version>-sampleapp.tar.gz # add Ranger authorizer bits $ tar xvfz ranger-examples-<version>-sampleapp-plugin.tar.gz # Review and update properties in conf/ranger-sampleapp-security.xml, especially the following: - ranger.plugin.sampleapp.policy.rest.url - ranger.plugin.sampleapp.service.name # Review and update properties in conf/ranger-sampleapp-audit.xml # Review and update properties in conf/log4j.xml 6. Execute - Use default authorizer i.e. not Ranger: $ cd /tmp/sampleapp $ ./run-sampleapp.sh # At the prompt, enter commands to trigger access authorization, like: command> read filePath user1 userGroup1 userGroup2 userGroup3 command> write filePath user1 userGroup1 userGroup2 userGroup3 command> execute filePath user1 userGroup1 userGroup2 userGroup3 - Use Ranger authorizer $ cd /tmp/sampleapp $ ./run-sampleapp.sh ranger-authz # At the prompt, enter commands to trigger access authorization, like: command> read filePath user1 userGroup1 userGroup2 userGroup3 command> write filePath user1 userGroup1 userGroup2 userGroup3 command> execute filePath user1 userGroup1 userGroup2 userGroup3 # audit logs can be seen in /tmp/ranger_audit.log