Comment: Task marked complete

...

  •  User stories documented (Shenggu)
  •  User stories reviewed (Nitin)
  •  Design documented (Shenggu)
  •  Design reviewed (Andreas)
  •  Feature merged (Shenggu)
  •  Integration tests (Shenggu)
  •  Documentation for feature (Shenggu)
  •  Blog post (Shenggu)

...

  • As a Hue admin, I should be able to easily configure CDAP as a plugin app in the Hue system.
  • As a CDAP user or a CDAP admin, I should be able to explore all the entities of CDAP (e.g., Namespaces, Streams, Programs; the hierarchy is Namespace -> Application -> Program (-> subprogram) and Namespace -> Stream/Dataset/Artifact) in Cloudera Hue's UI.
  • As a CDAP user, I should be able to perform all the ACL management operations provided by Apache Sentry through Cloudera Hue's admin UI.
    • CDAP superusers can manage all the rules.
    • A user or group that has ADMIN on one entity can grant ACLs on that entity to other users or groups.

Design

...

Scenarios

#Scenario 1

A user (typically a CDH user) uses Hue to explore and manage ACLs and other operations for all the different services on their cluster. They would prefer to use Hue's consistent UI to manage ACLs for CDAP from a central place rather than separately in the CDAP UI.

Design

The integration code to be implemented will be part of Cloudera Hue and will communicate with CDAP and Apache Sentry over REST/Thrift to manage the ACLs. The Hue app itself does not store any state during this process.

...

Communication with Apache Sentry goes through Sentry's Thrift service. When an admin grants or revokes privileges through the Hue UI, the change is propagated to Sentry and takes effect on subsequent requests coming into CDAP. In design one, Hue talks to Sentry directly; in design two, Hue uses the Sentry client APIs built into CDAP. Although design two involves fewer code changes in Hue and accommodates future changes to the security functionality better (with design one, such a change has to be made both in Hue and in CDAP), we will still implement design one: it matches the behavior of the other Hue plugins (Hive/HDFS), and it suits more cases (for instance, managing ACLs while responding to a security breach). For design one, Hue itself talks to Sentry and needs a separate keytab file to authenticate with Kerberos. That keytab makes Hue a trusted Sentry principal, so it must be readable only by the Hue service account, and the Hue app must enforce the rules above (superuser, or ADMIN on the entity) on the server side for every grant/revoke rather than relying on what the UI shows.

UI Mockup

One possible UI layout is shown below. All the entities in CDAP are listed hierarchically on the left. When the user clicks on a specific entity, they can view its detailed properties and manage the ACL rules associated with it. The actual UI may vary in colors and the relative layout of elements but will stick to this concept.

Here are some other possible UI designs. The idea behind them is the same: present the entity hierarchy to the user and manage the ACLs either in a separate panel or in a pop-up window.

...

In this case, all of the ACL management buttons are presented in the pop-up window. The descriptions of entities can be displayed to the right of the entity name or shown as tooltips when the mouse hovers over it.

Among all the UI layouts, we prefer to implement the first one, since displaying all the UI components on the same page involves less window open/close logic and is less confusing to end users. In addition, as the description of each entity is generally not that long (fewer than 5 entries in the first layer), it is possible to put the ACL-adding panel right under the descriptions.

Configuration

To configure the CDAP app in Hue, copy the CDAP app source code into $HUE_ROOT and run the commands below:

...

URL                                                                    Response
GET  /cdap/index.mako                                                  main page
GET  /cdap/details/path/to/entity/entity_id/                           JSON of entity properties
GET  /cdap/acl/path/to/entity/entity_id/                               JSON of entity ACLs
POST /cdap/acl/add/entity_id/     --data {groupid, operations}         200 ok / 500 error
POST /cdap/acl/revoke/entity_id/  --data {groupid, operations}         200 ok / 500 error
The operations here include {READ | WRITE | EXECUTE | ADMIN | ALL}. Multiple operations can be granted/revoked at once.
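The grant/revoke endpoints and the rules in the user stories (superusers manage everything; a user or group with ADMIN on an entity may grant on that entity) together define the check the Hue app must make before it touches Sentry. The following Python is an added example, not code from Hue, CDAP or Apache Sentry: it models that check with an in-memory store standing in for the Sentry Thrift client, validates the operations field against {READ, WRITE, EXECUTE, ADMIN, ALL}, and returns 400/403 for bad input and unauthorized callers instead of the single "500 error" in the table above. The users, groups and entity ids are constructed sample data.

```python
"""Server-side policy check for the Hue CDAP app's ACL endpoints (added example).

The Sentry client is replaced by InMemoryAcl so this runs offline; users,
groups and entity ids below are constructed, not taken from a real cluster.
"""
from typing import Dict, List, Set, Tuple

# Operation set from the design page. ALL stays a distinct action here and is
# treated as implying ADMIN for the authorization check (an assumption).
OPERATIONS = {"READ", "WRITE", "EXECUTE", "ADMIN", "ALL"}


class InMemoryAcl:
    """Stand-in for the Sentry Thrift client: (entity_id, group) -> operations."""

    def __init__(self, superusers: Set[str], user_groups: Dict[str, Set[str]]):
        self.rules: Dict[Tuple[str, str], Set[str]] = {}
        self.superusers = set(superusers)
        self.user_groups = user_groups  # user -> groups, as Hue would resolve them

    def grant(self, entity_id: str, group: str, ops: Set[str]) -> None:
        self.rules.setdefault((entity_id, group), set()).update(ops)

    def revoke(self, entity_id: str, group: str, ops: Set[str]) -> None:
        key = (entity_id, group)
        if key in self.rules:
            self.rules[key] -= ops
            if not self.rules[key]:
                del self.rules[key]

    def list_acl(self, entity_id: str) -> Dict[str, List[str]]:
        return {g: sorted(o) for (e, g), o in self.rules.items() if e == entity_id}

    def has_admin(self, user: str, entity_id: str) -> bool:
        """True if one of the user's groups holds ADMIN (or ALL) on exactly this entity."""
        for group in self.user_groups.get(user, set()):
            ops = self.rules.get((entity_id, group), set())
            if "ADMIN" in ops or "ALL" in ops:
                return True
        return False


def normalize_ops(raw: List[str]) -> Set[str]:
    """Validate the 'operations' field; reject unknown names and empty sets."""
    ops = {str(o).strip().upper() for o in raw}
    unknown = ops - OPERATIONS
    if not ops or unknown:
        raise ValueError(f"invalid operations: {sorted(unknown) or 'empty'}")
    return ops


def handle_acl_change(acl: InMemoryAcl, action: str, requester: str,
                      entity_id: str, payload: dict) -> Tuple[int, dict]:
    """Model of POST /cdap/acl/{add|revoke}/<entity_id>/ -> (status, body).

    The authorization decision is made here, server side, not in the UI.
    """
    if action not in ("add", "revoke"):
        return 404, {"error": f"unknown action {action!r}"}
    try:
        group = str(payload["groupid"])
        ops = normalize_ops(payload.get("operations", []))
    except (KeyError, ValueError) as exc:
        return 400, {"error": str(exc)}
    if requester not in acl.superusers and not acl.has_admin(requester, entity_id):
        return 403, {"error": "requester has no ADMIN on entity"}
    if action == "add":
        acl.grant(entity_id, group, ops)
    else:
        acl.revoke(entity_id, group, ops)
    return 200, {"entity": entity_id, "acl": acl.list_acl(entity_id)}


def demo() -> Dict[str, Tuple[int, dict]]:
    """Walk through delegation: ADMIN on one entity lets you grant on that entity only."""
    acl = InMemoryAcl(superusers={"cdap"},
                      user_groups={"alice": {"analysts"}, "bob": {"etl"}})
    stream = "ns:default/stream:purchases"          # constructed entity id
    other = "ns:default/dataset:orders"             # constructed entity id
    r = {}
    r["alice_before"] = handle_acl_change(          # no ADMIN yet -> 403
        acl, "add", "alice", stream, {"groupid": "etl", "operations": ["READ"]})
    r["superuser_grant"] = handle_acl_change(       # superuser delegates ADMIN
        acl, "add", "cdap", stream, {"groupid": "analysts", "operations": ["ADMIN"]})
    r["alice_delegate"] = handle_acl_change(        # several ops in one request
        acl, "add", "alice", stream, {"groupid": "etl", "operations": ["read", "write"]})
    r["bad_op"] = handle_acl_change(                # typo rejected before Sentry
        acl, "add", "alice", stream, {"groupid": "etl", "operations": ["EXEC"]})
    r["other_entity"] = handle_acl_change(          # ADMIN does not carry over
        acl, "add", "alice", other, {"groupid": "etl", "operations": ["READ"]})
    r["revoke"] = handle_acl_change(                # WRITE removed, READ stays
        acl, "revoke", "alice", stream, {"groupid": "etl", "operations": ["WRITE"]})
    return r


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body)
```

Run it directly to see each step's status and the resulting ACL. Treating ALL as implying ADMIN, and scoping ADMIN to exactly the entity it was granted on rather than to its children in the Namespace -> Application -> Program hierarchy, are assumptions of this example; the real app should mirror whatever Sentry itself resolves so the UI check and the enforcement point never disagree.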

 

Out of Scope

In the above design, the system only supports listing all entities in CDAP and performing ACL management on them; there is no full support for managing the entities themselves (for example, actually deploying, starting or stopping a program). These cases are listed below and might be supported in the future.

  • Deploy/Start/Destroy a program
  • Creating/Deleting/Renaming an entity
  • List and Explore those entities that are not related to ACL management such as services, workflows
  • Change the properties of entities