kylin-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shaofeng SHI (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KYLIN-2703) Manage ACL through Apache Ranger
Date Thu, 01 Feb 2018 13:07:00 GMT

     [ https://issues.apache.org/jira/browse/KYLIN-2703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Shaofeng SHI updated KYLIN-2703:
--------------------------------
    Component/s:     (was: General)
                 Security

> Manage ACL through Apache Ranger
> --------------------------------
>
>                 Key: KYLIN-2703
>                 URL: https://issues.apache.org/jira/browse/KYLIN-2703
>             Project: Kylin
>          Issue Type: New Feature
>          Components: Security
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>            Priority: Major
>              Labels: newbie, patch, scope
>             Fix For: v2.2.0
>
>         Attachments: 0001-KYLIN-2703-kylin-supports-managing-access-rights-for.patch,
KylinAuditLog.jpg, KylinPlugins.jpg, KylinPolicies.jpg, KylinServiceEntry.jpg, NewKylinPolicy.jpg,
NewKylinService.jpg, Ranger-PMS-hope.png
>
>
> Ranger is a framework to enable, monitor and manage comprehensive data security across
the Hadoop platform. Apache Ranger has the following goals:
> 1. Centralized security administration to manage all security related tasks in a central
UI or using REST APIs.
> 2. Fine grained authorization to do a specific action and/or operation with Hadoop component/tool
and managed through a central administration tool
> 3. Standardize authorization method across all Hadoop components.
> 4. Enhanced support for different authorization methods - Role based access control,
attribute based access control etc.
> 5. Centralize auditing of user access and administrative actions (security related) within
all the components of Hadoop.
> Ranger has supported enable, monitor and manage following components:
> 1. HDFS
> 2. HIVE
> 3. HBASE
> 4. KNOX
> 5. YARN
> 6. STORM
> 7. SOLR
> 8. KAFKA
> 9. ATLAS
> In order to improve the flexibility of kylin privilege control and enhance value of kylin
in the Apache Hadoop ecosystem, like hdfs, yarn, hive, hbase, Kylin should also support that
using Ranger to control access rights for project and cube. 
> Specific implementation plan is as following:
> On the ranger website, administrators can configure policies to control user access to
projects and cube permissions.
> Kylin provides an abstract class and authorization interfaces for use by the ranger plugin.
kylin instantiates ranger plugin’s implementation class when starting(this class extends
the abstract class provided by kylin).
> Ranger plugin periodically polls ranger admin, updates the policy to the local, and updates
project and cube access rights based on policy information.
> In the Kylin side:
> 1. Kylin provides an abstract class that enables the ranger plugin's implementation class
to extend.
> 2. Add configuration item.  1) ranger authorization switch, 2) ranger plugin implementation
class's name.
> 3. Instantiate the ranger plugin implementation class when starting kylin.
> 4. kylin provides authorization interfaces for ranger plugin calls.
> 5. According to the ranger authorization configuration item, hide kylin's authorization
management page.
> 6. Using ranger manager access rights of the kylin does not affect kylin's existing permissions
functions and logic.
> In the Ranger side:
> 1. Ranger plugin will periodically polls ranger admin, updates the policy to the local.
> 2. The ranger plugin invoking the authorization interfaces provided by kylin to updates
the project and cube access rights based on the policy information.
> reference link:https://issues.apache.org/jira/browse/RANGER-1672



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message