In the Hadoop ecosystem, each component (e.g., Hive, HBase) has its own authorization implementation and the ability to plug in a custom authorization module. To implement the centralized authorization and audit feature for a component, the component must support a customizable (pluggable) authorization module.
The custom component Authorization Plugin should do the following:
Provide authorization based on the policies defined in the Policy Admin Tool
Provide audit information based on the authorization decisions
Implementing Custom Component Authorization
To implement the custom component authorization plugin, the Ranger common agent framework provides the following functionality:
Ability to read all policies from the Policy Manager for a given repository-id
Ability to log audit information
When the custom authorization module is initialized, the module should do the following:
Initiate a REST API call to the “Policy Admin Tool” to retrieve all policies associated with the specific component.
Once the policies are available, it should:
build them into a custom data structure that the authorization module evaluates against.
kick off the policy updater thread, which refreshes the policies from the “Policy Admin Tool” at a regular interval.
When the custom authorization module is called to authorize a component action (such as a READ action) on a specific component resource (such as the /app folder), the authorization module will:
Identify the authorization decision - for each policy in policyList:
    If (resource-in-policy <match> auth-requested-resource)
        If (action-in-policy <match> action-requested)
            If (current-user or current-user-groups or public-group <allowed> for the policy), return access-allowed
Identify auditing needs - for each policy in policyList:
    If (resource-in-policy <match> auth-requested-resource), return policy.isAuditEnabled()
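A runnable model of the two evaluation loops described above, added here as an illustration; it is not code from Ranger or its plugin framework. It assumes prefix matching on resource paths, a group named "public" that stands for every user, and that a request matching no policy is denied but still audited (the page does not state the no-match case); the sample policies are constructed.

```python
from dataclasses import dataclass

PUBLIC_GROUP = "public"  # assumed name of the "everyone" group


@dataclass
class Policy:
    """One policy as the plugin might cache it after fetching from the Policy Admin Tool (assumed shape)."""
    resource: str                 # path prefix the policy covers, e.g. "/app"
    actions: frozenset            # e.g. {"READ", "WRITE"}
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    audit_enabled: bool = True    # what policy.isAuditEnabled() would return

    def matches_resource(self, requested: str) -> bool:
        # Assumed matcher: the policy covers the path itself and everything beneath it.
        return requested == self.resource or requested.startswith(self.resource.rstrip("/") + "/")

    def allows(self, user: str, user_groups: set) -> bool:
        # current-user or current-user-groups or public-group <allowed> for the policy
        return user in self.users or bool(self.groups & user_groups) or PUBLIC_GROUP in self.groups


def is_access_allowed(policies, resource, action, user, user_groups) -> bool:
    """Decision loop: the first policy matching resource, action and principal grants; no match means deny."""
    for policy in policies:
        if policy.matches_resource(resource):
            if action in policy.actions:
                if policy.allows(user, set(user_groups)):
                    return True
    return False  # default deny: nothing granted the request


def is_audit_enabled(policies, resource) -> bool:
    """Audit loop: the first policy whose resource matches decides; an unmatched request is audited (assumption)."""
    for policy in policies:
        if policy.matches_resource(resource):
            return policy.audit_enabled
    return True


# Constructed sample policies, in the order the plugin cached them.
SAMPLE_POLICIES = [
    Policy("/app/logs", frozenset({"READ"}), groups=frozenset({"analysts"}), audit_enabled=False),
    Policy("/app", frozenset({"READ", "WRITE"}), users=frozenset({"etl"}), groups=frozenset({"ops"})),
    Policy("/public", frozenset({"READ"}), groups=frozenset({PUBLIC_GROUP})),
]

if __name__ == "__main__":
    print(is_access_allowed(SAMPLE_POLICIES, "/app/logs/today", "WRITE", "alice", ["analysts"]))  # False
    print(is_audit_enabled(SAMPLE_POLICIES, "/app/logs/today"))  # False: first matching policy has audit off
```

Note that the audit loop stops at the first resource match, so the order in which policies are cached decides whether a request is logged.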