Hadoop Security Guide

Developing a Custom Authorization Module

In the Hadoop ecosystem, each component (e.g., Hive, HBase) has its own authorization implementation and the ability to plug in a custom authorization module. To implement the centralized authorization and audit feature for a component, the component must support a customizable (or pluggable) authorization module.

The custom component Authorization Plugin should do the following:

  • Provide authorization based on Policies defined in Policy Admin Tool

  • Provide audit information based on the authorization decisions

Implementing Custom Component Authorization

To implement the custom component authorization plugin, the Ranger common agent framework provides the following functionalities:

  • Ability to read all policies from Service Manager for a given service-id

  • Ability to log audit information

When the custom authorization module is initialized, the module should do the following:

  1. Initiate a REST API call to the “Policy Admin Tool” to retrieve all policies associated with the specific component.

  2. Once the policies are available, it should:

    • be built into a custom data structure for enabling the authorization module.

    • kick off the policy updater thread to refresh policies from “Policy Admin Tool” at a regular interval.

When the custom authorization module is called to authorize a component action (such as a READ action) on a specific component resource (such as the /app folder), the authorization module will:

  • Identify the authorization decision. For each policy in policyList:

    • if (resource-in-policy <match> auth-requested-resource)

    • and if (action-in-policy <match> action-requested)

    • and if (current-user or current-user-groups or public-group <allowed> for the policy), return access-allowed

  • Identify auditing needs. For each policy in policyList:

    • if (resource-in-policy <match> auth-requested-resource), return policy.isAuditEnabled()
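As an added illustration, not code from Ranger or this guide, the following Python sketch walks a constructed policy list exactly as the two loops above describe: the first policy whose resource, action and principal all match grants access, otherwise the request is denied, and the audit flag comes from the first policy whose resource matches. The path-prefix matcher, the "public" group name and the sample policies are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

PUBLIC_GROUP = "public"  # assumed name of the "public-group" mentioned in the text


@dataclass
class Policy:
    """One policy as the plugin might hold it after fetching from the Policy Admin Tool."""
    resource: str                  # path the policy covers, e.g. "/app" (constructed)
    actions: set[str]              # actions it grants, e.g. {"READ"}
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)
    audit_enabled: bool = True     # what policy.isAuditEnabled() would return

    def matches_resource(self, requested: str) -> bool:
        # Assumed matcher: policy path equals, or is a path-prefix of, the request.
        # The "/" boundary stops "/app" from matching "/application".
        return requested == self.resource or requested.startswith(self.resource.rstrip("/") + "/")


def is_access_allowed(policies: list[Policy], resource: str, action: str,
                      user: str, user_groups: list[str]) -> bool:
    """'Identify authorization decision': the first policy whose resource,
    action and principal all match returns access-allowed."""
    principal_groups = set(user_groups) | {PUBLIC_GROUP}   # every caller is in "public"
    for policy in policies:
        if not policy.matches_resource(resource):
            continue
        if action not in policy.actions:
            continue
        if user in policy.users or (principal_groups & policy.groups):
            return True
    return False   # default-deny: no policy grants this action on this resource


def is_audit_enabled(policies: list[Policy], resource: str) -> bool:
    """'Identify auditing needs': audit flag of the first policy whose resource matches."""
    for policy in policies:
        if policy.matches_resource(resource):
            return policy.audit_enabled
    return False   # no policy covers the resource, so there is nothing to audit


# Constructed sample policies standing in for what the REST call would return.
SAMPLE_POLICIES = [
    Policy("/app", {"READ"}, groups={"analysts"}),
    Policy("/app/secrets", {"READ", "WRITE"}, users={"alice"}),
    Policy("/tmp", {"READ", "WRITE"}, groups={PUBLIC_GROUP}, audit_enabled=False),
]
```

Note that because any matching policy grants access, a broad "/app" READ policy also covers "/app/secrets" for its group; ordering policies does not narrow that, so the resource scope of each policy is what to review.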