Developing a Custom Authorization Module
In the Hadoop ecosystem, each component (e.g., Hive, HBase) has its own authorization implementation and its own way of plugging in a custom authorization module. To provide centralized authorization and auditing for a component, that component must expose a customizable (or pluggable) authorization module that the Ranger plugin can hook into.
The custom component Authorization Plugin should do the following:
- Provide authorization based on Policies defined in Policy Admin Tool
- Provide audit information based on the authorization decisions
Implementing Custom Component Authorization
To implement the custom component authorization plugin, the Ranger common agent framework provides the following functionalities:
- Ability to read all policies from Service Manager for a given service-id
- Ability to log audit information
When the custom authorization module is initialized, it should do the following:
- Initiate a REST API call to the “Policy Admin Tool” to retrieve all policies associated with the specific component (identified by its service-id).
- Once the policies are available, it should:
  - build them into a custom in-memory data structure that the authorization module can evaluate efficiently on every request.
  - kick off a policy updater thread that refreshes the policies from the “Policy Admin Tool” at a regular interval, so that the plugin keeps enforcing the last successfully loaded policy set if a refresh fails.
When the custom authorization module is called to authorize a component action (such as READ) on a specific component resource (such as the /app folder), the authorization module will:
- Identify the authorization decision. For each policy in policyList:
  - If (resource-in-policy <match> auth-requested-resource)
    - If (action-in-policy <match> action-requested)
      - If (current-user or current-user-groups or public-group <allowed> by the policy), return access-allowed
  - If no policy grants the access, the request is denied (default deny).
- Identify auditing needs. For each policy in policyList:
  - If (resource-in-policy <match> auth-requested-resource), return policy.isAuditEnabled()
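The following is an added example of the initialization and authorization flow described above, written for this page and not taken from the Ranger project. It assumes a hypothetical policy format (a JSON list with `resource`, `actions`, `users`, `groups` and `auditEnabled` fields) and replaces the REST call to the Policy Admin Tool with a constructed JSON document so that it runs offline; the path-prefix resource matching and the `PUBLIC_GROUP` name are also assumptions of the example.

```python
"""Hypothetical custom authorization module for a Ranger-style component.

Added example, not Ranger project code. Policies come from a constructed
JSON document that stands in for the Policy Admin Tool REST response.
"""
import json
import threading
from posixpath import normpath
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC_GROUP = "public"  # assumed name of the "everyone" group

# Constructed sample of what a policy fetch might return (assumed shape).
SAMPLE_POLICY_JSON = json.dumps([
    {"id": 1, "resource": "/app", "actions": ["READ"],
     "users": ["alice"], "groups": ["analysts"], "auditEnabled": True},
    {"id": 2, "resource": "/app/config", "actions": ["READ", "WRITE"],
     "users": [], "groups": ["admins"], "auditEnabled": True},
    {"id": 3, "resource": "/public", "actions": ["READ"],
     "users": [], "groups": [PUBLIC_GROUP], "auditEnabled": False},
])


class Policy:
    """One policy from the Policy Admin Tool, pre-parsed for fast evaluation."""

    def __init__(self, raw: Dict):
        self.id = raw["id"]
        self.resource = normpath(raw["resource"])
        self.actions = {a.upper() for a in raw["actions"]}
        self.users = set(raw.get("users", []))
        self.groups = set(raw.get("groups", []))
        self.audit_enabled = bool(raw.get("auditEnabled", False))

    def matches_resource(self, resource: str) -> bool:
        # Path-prefix match: a policy on /app covers /app and /app/data,
        # but not /application.
        r = normpath(resource)
        return r == self.resource or r.startswith(self.resource.rstrip("/") + "/")

    def allows(self, user: str, groups: List[str], action: str) -> bool:
        if action.upper() not in self.actions:
            return False
        if user in self.users or PUBLIC_GROUP in self.groups:
            return True
        return bool(self.groups & set(groups))


class PolicyCache:
    """In-memory policy set plus the periodic updater thread."""

    def __init__(self, fetch_policies: Callable[[], str]):
        self._fetch = fetch_policies  # stands in for the REST call
        self._lock = threading.Lock()
        self._policies: List[Policy] = []
        self._stop = threading.Event()

    def refresh(self) -> int:
        """Fetch and parse policies, swapping the set in atomically."""
        policies = [Policy(p) for p in json.loads(self._fetch())]
        with self._lock:
            self._policies = policies
        return len(policies)

    def start_updater(self, interval_seconds: float) -> threading.Thread:
        def run() -> None:
            while not self._stop.wait(interval_seconds):
                try:
                    self.refresh()
                except Exception:
                    pass  # keep enforcing the last good policy set
        t = threading.Thread(target=run, daemon=True)
        t.start()
        return t

    def stop_updater(self) -> None:
        self._stop.set()

    def _snapshot(self) -> List[Policy]:
        with self._lock:
            return list(self._policies)

    def is_access_allowed(self, user: str, groups: List[str],
                          resource: str, action: str) -> bool:
        for p in self._snapshot():
            if p.matches_resource(resource) and p.allows(user, groups, action):
                return True
        return False  # default deny when no policy grants access

    def is_audit_enabled(self, resource: str) -> bool:
        # First policy whose resource matches decides, as in the page's loop.
        for p in self._snapshot():
            if p.matches_resource(resource):
                return p.audit_enabled
        return False


def authorize(cache: PolicyCache, user: str, groups: List[str],
              resource: str, action: str) -> Tuple[bool, Optional[Dict]]:
    """Return (decision, audit record or None) for one access request."""
    allowed = cache.is_access_allowed(user, groups, resource, action)
    record = None
    if cache.is_audit_enabled(resource):
        record = {"user": user, "resource": resource, "action": action,
                  "result": "ALLOWED" if allowed else "DENIED"}
    return allowed, record


if __name__ == "__main__":
    cache = PolicyCache(lambda: SAMPLE_POLICY_JSON)
    cache.refresh()
    print(authorize(cache, "alice", ["analysts"], "/app/data", "READ"))
    print(authorize(cache, "mallory", [], "/app/config/db.yml", "WRITE"))
```

Two points worth noticing in the evaluation loop: the decision is deny-by-default, so an empty or stale policy set fails closed rather than open, and the audit lookup returns the flag of the first policy whose resource matches, so when several policies cover the same resource the order in which the Policy Admin Tool returns them determines whether the access is audited.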