
[ Technical Dry Goods ] Ranger overall architecture

Latest reply: Mar 30, 2021 02:15:29

Hello, everyone!

Today I'm going to introduce you to DAYU.


Several features of Ranger

• Policy-based access permission model
• General policy synchronization and decision logic, which makes it easy to add access control plug-ins for new systems
• Built-in access control plug-ins for common systems (such as HDFS, YARN, HBase, etc.), which can be extended
• Built-in user synchronization mechanism based on LDAP, File, and Unix, which can be extended

Permission model

Access permissions define the relationship between "user-resource-permission". Ranger abstracts this relationship with policies and then extends it into its own permission model. The meaning of each part of "user-resource-permission" is explained in detail below:
•  User : expressed by User or Group. User represents the user who accesses the resource, and Group represents the user group to which the user belongs.
•  Resource : expressed by Resource. The business resources differ from component to component, such as the file path of HDFS and the table of HBase.
•  Permission : expressed by (AllowACL, DenyACL), similar to a whitelist and blacklist mechanism. AllowACL describes the situations in which access is allowed, and DenyACL describes the situations in which access is denied. The permissions also differ from component to component.
The access permission model in Ranger can be described by the following expression, which abstracts the relationship between the three parts "user-resource-permission":

Service = List<‘Policy’>
Policy = List<‘Resource’> + AllowACL + DenyACL
AllowACL = List<‘AccessItem’> allow + List<‘AccessItem’> allowException
DenyACL = List<‘AccessItem’> deny + List<‘AccessItem’> denyException
AccessItem = List<‘User/Group’> + List<‘AccessType’>

Description:
Resource here refers to the actual resource of the component, such as an HDFS path or a Hive database, table, or column.
AccessType here refers to the type of access permission, such as read, write, execute and other operations.
AccessItem here is the access item, consisting of two parts: the users (or groups) and the access permissions.
Priority (from highest to lowest):
denyException > deny > allowException > allow
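The following is an added example (not from the post or from the Ranger project) that models the expression above in Python and evaluates a request with the stated priority denyException > deny > allowException > allow. Names, the "group:" prefix for groups, the trailing-"/" prefix match for paths and the sample policy are all assumptions made for the example.

```python
# Added example: a minimal model of Ranger's policy decision, not Ranger's own code.
from dataclasses import dataclass, field

@dataclass
class AccessItem:
    principals: set          # user names and groups (groups written as "group:<name>")
    access_types: set        # e.g. {"read", "write", "execute"}

    def matches(self, user, groups, access_type):
        who = {user} | {f"group:{g}" for g in groups}
        return bool(who & self.principals) and access_type in self.access_types

@dataclass
class Policy:
    resources: list                    # HDFS paths; a path ending in "/" matches its subtree
    allow: list = field(default_factory=list)
    allow_exception: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    deny_exception: list = field(default_factory=list)

    def covers(self, resource):
        return any(resource == r or (r.endswith("/") and resource.startswith(r))
                   for r in self.resources)

def any_match(items, user, groups, access_type):
    return any(i.matches(user, groups, access_type) for i in items)

def is_allowed(policies, user, groups, resource, access_type):
    """Allow only if a covering policy allows the request and no covering policy
    denies it. A deny not carved out by denyException is final; an allow is
    cancelled by a matching allowException. No matching policy means deny."""
    allowed = False
    for p in policies:
        if not p.covers(resource):
            continue
        if any_match(p.deny, user, groups, access_type) and \
           not any_match(p.deny_exception, user, groups, access_type):
            return False
        if any_match(p.allow, user, groups, access_type) and \
           not any_match(p.allow_exception, user, groups, access_type):
            allowed = True
    return allowed

# Constructed sample policy: analysts may read and write under /data/finance/,
# except members of "intern"; "bob" is denied writes unless he is in "admins".
POLICIES = [Policy(
    resources=["/data/finance/"],
    allow=[AccessItem({"group:analysts"}, {"read", "write"})],
    allow_exception=[AccessItem({"group:intern"}, {"read", "write"})],
    deny=[AccessItem({"bob"}, {"write"})],
    deny_exception=[AccessItem({"group:admins"}, {"write"})],
)]
```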



The following table lists the model entity enumeration values (that is, the resource and access permission types) of some systems supported by Ranger:

Service | Resource                          | Access Type
HDFS    | Path                              | Read, Write, Execute
HBase   | Table, Column-family, Column      | Read, Write, Create, Admin
Hive    | Database, Table, UDF, Column, URL | Select, Update, Create, Drop, Alter, Index, Lock, Write, Read, ALL


System plug-in (AgentPlugin)

The system plug-in is mainly responsible for three things:
• Regularly pull the policies from RangerAdmin
• Execute the access decision tree according to the policies
• Record access audits in real time

The following table lists the extension interfaces of the supported systems that the Ranger plug-in implements:

Service | Extensible Interface | Ranger Implementation Class
HDFS    | org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider | org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer
HBase   | org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface | org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor
Hive    | org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory | org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory



well done