Versions Compared

Old Version 8

changes.mady.by.user Robin Rielley

Saved on

compared with

New Version Current

changes.mady.by.user Robin Rielley

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Note

Note: This topic is no longer supported.

CDAP Ranger Authorization Extension

Apache Ranger is centralized security framework used to manage authorization privileges. 

Architecture

CDAP Ranger extension consists of three major components:

  1. CDAP Ranger Loookup: Enables Ranger to lookup CDAP entities.

  2. CDAP Ranger Binding: Enables CDAP to use privileges in Ranger for enforcement.

  3. CDAP Ranger Service Definition: Defines CDAP as a service and it's resources in Ranger.

Installation

Before enabling CDAP Authorization please read the following documentation.

Installing CDAP Lookup in Ranger

  1. Create a new folder called cdap under your Ranger plugins directory. Typically on Ambari clusters it is: /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/ranger-plugins

    mkdir cdap

    cd cdap

  2. Move the CDAP Ranger Lookup jar to the cdap plugin directory created above.

    mv path-to-jar/cdap-ranger-lookup-[version]-jar-with-dependencies.jar ./

  3. Change permission to the cdap plugin directory (if required)

    chown -R ranger:ranger cdap/

  4. Restart Ranger service

Adding CDAP as a service in Ranger

  1. You can use the `ranger-servicedef-cdap.json <https://github.com/cdapio/cdap-security-extn/blob/develop/cdap-ranger/cdap-ranger-lookup/src/main/resources/ranger-servicedef-cdap.json >`__ to add CDAP as a service in Ranger

    curl -u ranger-admin-user:ranger-admin-password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @ranger-servicedef-cdap.json http://rangerhost:rangerport/service/plugins/definitions

  2. Now go to the Ranger Admin UI and click on the + button for CDAP service.

  3. Fill in the details of your CDAP instance.

Configuration

Definition

Example

Service Name

Name of this service

cdapdev

Username

Username to use to connect to cdap instance

username

Password

Password for the above user

password

Instance URL

CDAP instance URL

mycdaphost:router-port

Add New Configuration

 

 

policy.download.auth.users

User allowed to download policies

cdap

policy.grantrevoke.auth.users

User allowed to grant/revoke

cdap

Note: CDAP username and password is only needed if you want lookup of (auto completion of entity names) CDAP entities in Ranger Admin UI. This user must have authorization for the entities to be able to look it up. Please see documentation below on how to add these privileges. Although, it is not necessary for this user to have authorization on all entities. In this case you will not be able to use auto completion of entity names in Ranger Admin UI and will have to type complete entity names.

...

Optional: As mentioned earlier if you want Ranger to be able to lookup CDAP entities you will need to give the connecting user specified during service definition ANY (READ, WRITE, EXECUTE or ADMIN) privilege on all entities. You can just go ahead and add that user with some permission to the above existing policies. Note: This is an optional step. You can still use CDAP Ranger Extension without granting the above connecting user ANY privilege on all the resource although you will not be able to use lookup feature in Ranger and will have to manually type complete entity names.

...

Installing CDAP Authorization Binding for Enforcement

  1. Put the Ranger CDAP configuration xml files under some path which is accessible to cdap user. For example:

    mkdir /usr/local/ranger-cdap-conf

  2. Put the following three files in this directory

...

3. Edit the ranger-cdap-security.xml file

Configuration

Definition

Example

ranger.plugin.cdap.policy. rest.url

Name of this service

http://rangerhost: port

ranger.plugin.cdap.service .name

Service name given in Ranger while adding CDAP

cdapdev

4. Give cdap user permission on the above created directory and configuration files

...

7. Save and Restart CDAP.

Policy Management

Policies on mid-level entities

CDAP Policies can be managed in Ranger just like other service policies. Please read the Ranger documentation on Policy management to learn more.

CDAP Ranger Plugin allows to grant policies on mid-level entities in CDAP entity hierarchy by specifying * for lower level and marking them as exclude. For example the below screenshot shows the policy on namespace:default. Notice that the value for application and program are * and they are marked as exclude.

...

Wildcard Policies

CDAP Ranger plugin allows to grant wildcard policies on entities. The supported wildcards are * and ?* wildcard in Ranger matches 0 or more characters. CDAP does not expect wildcard * to match 0 characters (absence of value) so a * should always be prefixed with ?. For example to grant a user privilege on all programs the wildcard value should be as shown below.

...

A Case Study

Consider a common use case for secure environments, especially data lakes:

...

finance namespace. Also, we could assign privileges to groups rather than individuals - that will make our policies easier to manage over time, especially when new operators enter the team, or existing ones leave: that will simply require adding or removing a user from the group.

Conclusion

We have created a namespace that is impersonated by a headless service account; and we have given privileges to a human user to deploy and operate pipelines in the namespace. To summarize all the privileges we had to assign:

...