| <!doctype html> |
| <html lang="en" dir="ltr" class="docs-wrapper plugin-docs plugin-id-default docs-version-current docs-doc-page docs-doc-id-security/authorization-pushdown" data-has-hydrated="false"> |
| <head> |
| <meta charset="UTF-8"> |
| <meta name="generator" content="Docusaurus v3.4.0"> |
| <title data-rh="true">Authorization Push-down | Apache Gravitino</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://gravitino.apache.org/img/social-card.png"><meta data-rh="true" name="twitter:image" content="https://gravitino.apache.org/img/social-card.png"><meta data-rh="true" property="og:url" content="https://gravitino.apache.org/docs/next/security/authorization-push-down"><meta data-rh="true" property="og:locale" content="en"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Authorization Push-down | Apache Gravitino"><meta data-rh="true" name="description" content="Authorization Push-down"><meta data-rh="true" property="og:description" content="Authorization Push-down"><link data-rh="true" rel="icon" href="/img/favicon.ico"><link data-rh="true" rel="canonical" href="https://gravitino.apache.org/docs/next/security/authorization-push-down"><link data-rh="true" rel="alternate" href="https://gravitino.apache.org/docs/next/security/authorization-push-down" hreflang="en"><link data-rh="true" rel="alternate" href="https://gravitino.apache.org/docs/next/security/authorization-push-down" hreflang="x-default"><link rel="alternate" type="application/rss+xml" href="/blog/rss.xml" title="Apache Gravitino RSS Feed"> |
| <link rel="alternate" type="application/atom+xml" href="/blog/atom.xml" title="Apache Gravitino Atom Feed"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <script src="/js/matomo.js" async></script><link rel="stylesheet" href="/assets/css/styles.abfa2f42.css"> |
| <script src="/assets/js/runtime~main.27d2f8b0.js" defer="defer"></script> |
| <script src="/assets/js/main.5245ada1.js" defer="defer"></script> |
| </head> |
| <body class="navigation-with-keyboard"> |
| <div id="__docusaurus"><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_nm_I"><div class="docsWrapper_sa0z"><div class="docRoot_TyON"><main class="docMainContainer_jN9B"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_p07H"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->Apache Gravitino<!-- --> <b>Next</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/docs/0.9.1/security/authorization-push-down">latest version</a></b> (<!-- -->0.9.1<!-- -->).</div></div><div class="docItemContainer_OBAp"><article><span class="theme-doc-version-badge badge badge--secondary">Version: Next</span><div class="theme-doc-markdown markdown"><header><h1>Authorization Push-down</h1></header><div class="row"><div class="col col--12 markdown"><h2 class="anchor anchorWithStickyNavbar_dDHj" id="authorization-push-down">Authorization Push-down<a class="hash-link" aria-label="Direct link to Authorization Push-down" title="Direct link to Authorization Push-down" href="/docs/next/security/authorization-push-down#authorization-push-down"></a></h2> |
| <p><img decoding="async" loading="lazy" alt="authorization push down" src="/assets/images/authorization-pushdown-4ed3aad2fcf51c080732e0eb55586380.png" width="2016" height="1790" class="img_CujE"></p> |
| <p>Gravitino offers a set of authorization frameworks that integrate with various underlying data source permission systems, such as MySQL's native permission management and Apache Ranger for big data. These frameworks align with Gravitino's own authorization model and methodology. |
| Gravitino manages different data sources through Catalogs, and when a user performs an authorization operation on data within a Catalog, Gravitino invokes the Authorization Plugin module for that Catalog. |
| This module translates Gravitino's authorization model into the permission rules of the underlying data source. The permissions are then enforced by the underlying permission system via the respective client, such as JDBC or the Apache Ranger client.</p> |
| <h3 class="anchor anchorWithStickyNavbar_dDHj" id="ranger-hadoop-sql-plugin">Ranger Hadoop SQL Plugin<a class="hash-link" aria-label="Direct link to Ranger Hadoop SQL Plugin" title="Direct link to Ranger Hadoop SQL Plugin" href="/docs/next/security/authorization-push-down#ranger-hadoop-sql-plugin"></a></h3> |
| <p>In order to use the Ranger Hadoop SQL Plugin, you need to configure the following properties:</p> |
| <table><thead><tr><th>Property Name</th><th>Description</th><th>Default Value</th><th>Required</th><th>Since Version</th></tr></thead><tbody><tr><td><code>authorization-provider</code></td><td>The provider used to implement the authorization plugin, such as <code>ranger</code>.</td><td>(none)</td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.admin.url</code></td><td>The Apache Ranger web URIs.</td><td>(none)</td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.service.type</code></td><td>The Apache Ranger service type. Currently only <code>HadoopSQL</code> and <code>HDFS</code> are supported.</td><td>(none)</td><td>No</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.ranger.auth.type</code></td><td>The Apache Ranger authentication type: <code>simple</code> or <code>kerberos</code>.</td><td><code>simple</code></td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.username</code></td><td>The Apache Ranger admin web login username (auth type=simple) or the Kerberos principal (auth type=kerberos). The account must have Ranger administrator permission.</td><td>(none)</td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.password</code></td><td>The Apache Ranger admin web login user password (auth type=simple) or the path of the keytab file (auth type=kerberos).</td><td>(none)</td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.service.name</code></td><td>The Apache Ranger service name.</td><td>(none)</td><td>No</td><td>0.6.0-incubating</td></tr><tr><td><code>authorization.ranger.service.create-if-absent</code></td><td>If this property is true and the Ranger service doesn't exist, Gravitino will create a Ranger service.</td><td>false</td><td>No</td><td>0.9.0-incubating</td></tr><tr><td><code>authorization.ranger.jdbc.driverClassName</code></td><td>The driver class name to use when creating the Ranger HadoopSQL 
service.</td><td><code>org.apache.hive.jdbc.HiveDrive</code></td><td>No</td><td>0.9.0-incubating</td></tr><tr><td><code>authorization.ranger.jdbc.url</code></td><td>The JDBC URL to use when creating the Ranger HadoopSQL service.</td><td><code>jdbc:hive2://127.0.0.1:8081</code></td><td>No</td><td>0.9.0-incubating</td></tr><tr><td><code>authorization.ranger.hadoop.security.authentication</code></td><td>The Hadoop security authentication to use when creating the Ranger HDFS service.</td><td><code>simple</code></td><td>No</td><td>0.9.0-incubating</td></tr><tr><td><code>authorization.ranger.hadoop.rpc.protection</code></td><td>The Hadoop RPC protection to use when creating the Ranger HDFS service.</td><td><code>authentication</code></td><td>No</td><td>0.9.0-incubating</td></tr><tr><td><code>authorization.ranger.fs.default.name</code></td><td>The default filesystem to use when creating the Ranger HDFS service.</td><td><code>hdfs://127.0.0.1:8090</code></td><td>No</td><td>0.9.0-incubating</td></tr></tbody></table> |
| <div class="theme-admonition theme-admonition-caution admonition_Afce alert alert--warning"><div class="admonitionHeading_STdq"><span class="admonitionIcon_y_9a"><svg viewBox="0 0 16 16"><path fill-rule="evenodd" d="M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"></path></svg></span>caution</div><div class="admonitionContent__Pyd"><p>The Gravitino Ranger authorization plugin only supports the Apache Ranger HadoopSQL Plugin and Apache Ranger HDFS Plugin.</p></div></div> |
| <p>Once the catalog is configured correctly, you can perform authorization operations by calling the Gravitino <a href="https://gravitino.apache.org/docs/latest/api/rest/grant-roles-to-a-user" target="_blank" rel="noopener noreferrer">authorization RESTful API</a>.</p> |
| <p>Gravitino will initially create three roles in Apache Ranger:</p> |
| <ul> |
| <li>GRAVITINO_METALAKE_OWNER_ROLE: Includes users and user groups designated as metalake owners, corresponding to the owner's privileges in Ranger policies.</li> |
| <li>GRAVITINO_CATALOG_OWNER_ROLE: Includes users and user groups designated as catalog owners, corresponding to the owner's privileges in Ranger policies.</li> |
| <li>GRAVITINO_OWNER_ROLE: Used to label Ranger policy items related to schema and table owner privileges. It does not include any users or user groups.</li> |
| </ul> |
| <h4 class="anchor anchorWithStickyNavbar_dDHj" id="example-of-using-the-ranger-hadoop-sql-plugin">Example of using the Ranger Hadoop SQL Plugin<a class="hash-link" aria-label="Direct link to Example of using the Ranger Hadoop SQL Plugin" title="Direct link to Example of using the Ranger Hadoop SQL Plugin" href="/docs/next/security/authorization-push-down#example-of-using-the-ranger-hadoop-sql-plugin"></a></h4> |
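| <p>Suppose you have an Apache Hive service in your datacenter and have created a <code>hiveRepo</code> in Apache Ranger to manage its permissions. |
| The Ranger service is accessible at <code>172.0.0.100:6080</code>, with the username <code>Jack</code> and the password <code>PWD123</code>. |
| <code>Jack</code> and <code>PWD123</code> are sample values; because the configured account must have Ranger administrator permission, use a dedicated account with a strong password in a real deployment. |
| To add this Hive service to Gravitino using the Hive catalog, you'll need to configure the following parameters.</p> |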
| <div class="language-properties codeBlockContainer_bYzg theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_BeB_"><pre tabindex="0" class="prism-code language-properties codeBlock_WXO5 thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_kWWH"><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization-provider=ranger</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.admin.url=172.0.0.100:6080</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.auth.type=simple</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.username=Jack</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.password=PWD123</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.service.type=HadoopSQL</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.ranger.service.name=hiveRepo</span><br></span></code></pre><div class="buttonGroup_XUPc"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_mUYJ" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_jzSv"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_Oj1I"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div> |
| <div class="theme-admonition theme-admonition-caution admonition_Afce alert alert--warning"><div class="admonitionHeading_STdq"><span class="admonitionIcon_y_9a"><svg viewBox="0 0 16 16"><path fill-rule="evenodd" d="M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"></path></svg></span>caution</div><div class="admonitionContent__Pyd"><p>Gravitino 0.8.0 only supports authorization for the Apache Ranger Hive service, Apache Iceberg service and Apache Paimon service. |
| Spark can use the Kyuubi authorization plugin to access Gravitino's catalogs, but the plugin does not support updating or deleting data in a Paimon catalog. |
| Authorization for more data sources is under development.</p></div></div> |
| <h3 class="anchor anchorWithStickyNavbar_dDHj" id="chain-authorization-plugin">chain authorization plugin<a class="hash-link" aria-label="Direct link to chain authorization plugin" title="Direct link to chain authorization plugin" href="/docs/next/security/authorization-push-down#chain-authorization-plugin"></a></h3> |
| <p>Gravitino supports chaining multiple authorization plugins to secure one catalog. |
| The authorization plugin chain is defined in the <code>authorization.chain.plugins</code> property, with the plugin names separated by commas. |
| When a user performs an authorization operation on data within a catalog, the chained plugin will apply the authorization rules for every plugin defined in the chain.</p> |
| <p>In order to use the chained authorization plugin, you need to configure the following properties:</p> |
| <table><thead><tr><th>Property Name</th><th>Description</th><th>Default Value</th><th>Required</th><th>Since Version</th></tr></thead><tbody><tr><td><code>authorization-provider</code></td><td>Providers to use to implement authorization plugin such as <code>chain</code></td><td>(none)</td><td>No</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.plugins</code></td><td>The comma-separated list of plugin names, like <code>${plugin-name1},${plugin-name2},...</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.${plugin-name}.ranger.admin.url</code></td><td>The Ranger authorization plugin properties of the <code>${plugin-name}</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.${plugin-name}.ranger.service.type</code></td><td>The Ranger authorization plugin properties of the <code>${plugin-name}</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.${plugin-name}.ranger.service.name</code></td><td>The Ranger authorization plugin properties of the <code>${plugin-name}</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.${plugin-name}.ranger.username</code></td><td>The Ranger authorization plugin properties of the <code>${plugin-name}</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr><tr><td><code>authorization.chain.${plugin-name}.ranger.password</code></td><td>The Ranger authorization plugin properties of the <code>${plugin-name}</code></td><td>(none)</td><td>Yes if you use chain plugin</td><td>0.8.0-incubating</td></tr></tbody></table> |
| <div class="theme-admonition theme-admonition-caution admonition_Afce alert alert--warning"><div class="admonitionHeading_STdq"><span class="admonitionIcon_y_9a"><svg viewBox="0 0 16 16"><path fill-rule="evenodd" d="M8.893 1.5c-.183-.31-.52-.5-.887-.5s-.703.19-.886.5L.138 13.499a.98.98 0 0 0 0 1.001c.193.31.53.501.886.501h13.964c.367 0 .704-.19.877-.5a1.03 1.03 0 0 0 .01-1.002L8.893 1.5zm.133 11.497H6.987v-2.003h2.039v2.003zm0-3.004H6.987V5.987h2.039v4.006z"></path></svg></span>caution</div><div class="admonitionContent__Pyd"><p>The Gravitino chain authorization plugin only supports the Apache Ranger HadoopSQL Plugin and Apache Ranger HDFS Plugin. |
| The properties of every chained authorization plugin should use <code>authorization.chain.${plugin-name}</code> as the prefix.</p></div></div> |
| <h4 class="anchor anchorWithStickyNavbar_dDHj" id="example-of-using-the-chain-authorization-plugin">Example of using the chain authorization Plugin<a class="hash-link" aria-label="Direct link to Example of using the chain authorization Plugin" title="Direct link to Example of using the chain authorization Plugin" href="/docs/next/security/authorization-push-down#example-of-using-the-chain-authorization-plugin"></a></h4> |
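| <p>Suppose you have an Apache Hive service in your datacenter and have created a <code>hiveRepo</code> in Apache Ranger to manage its permissions. |
| The Apache Hive service uses HDFS to store its data, and you have created an <code>hdfsRepo</code> in Apache Ranger to manage the HDFS permissions. |
| To secure the catalog with both services, chain the two Ranger plugins as shown below. |
| The example reaches Ranger Admin over plain <code>http://</code>, so with <code>simple</code> authentication the admin credentials travel over that connection unencrypted; use an HTTPS endpoint if your Ranger Admin provides one.</p> |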
| <div class="language-properties codeBlockContainer_bYzg theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_BeB_"><pre tabindex="0" class="prism-code language-properties codeBlock_WXO5 thin-scrollbar" style="color:#bfc7d5;background-color:#292d3e"><code class="codeBlockLines_kWWH"><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization-provider=chain</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.plugins=hive,hdfs</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.admin.url=http://ranger-service:6080</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.service.type=HadoopSQL</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.service.name=hiveRepo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.auth.type=simple</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.username=Jack</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hive.ranger.password=PWD123</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hdfs.ranger.admin.url=http://ranger-service:6080</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hdfs.ranger.service.type=HDFS</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hdfs.ranger.service.name=hdfsRepo</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token 
plain">authorization.chain.hdfs.ranger.auth.type=simple</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hdfs.ranger.username=Jack</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">authorization.chain.hdfs.ranger.password=PWD123</span><br></span></code></pre><div class="buttonGroup_XUPc"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_mUYJ" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_jzSv"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_Oj1I"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></div></div></div><div class="row"><div class="col col--12"><footer class="theme-doc-footer docusaurus-mt-lg"><div class="row margin-top--sm theme-doc-footer-edit-meta-row"><div class="col"><a href="https://github.com/apache/gravitino-site/tree/main/docs/security/authorization-pushdown.md" target="_blank" rel="noopener noreferrer" class="theme-edit-this-page"><svg fill="currentColor" height="20" width="20" viewBox="0 0 40 40" class="iconEdit_h4UQ" aria-hidden="true"><g><path d="m34.5 11.7l-3 3.1-6.3-6.3 3.1-3q0.5-0.5 1.2-0.5t1.1 0.5l3.9 3.9q0.5 0.4 0.5 1.1t-0.5 1.2z m-29.5 17.1l18.4-18.5 6.3 6.3-18.4 18.4h-6.3v-6.2z"></path></g></svg>Edit this page</a></div><div class="col lastUpdated_jTHa"></div></div></footer></div></div></article><div class="row"><div class="col col--12"><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/docs/next/security/access-control"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Access 
Control</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/docs/next/security/how-to-authenticate"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">How to authenticate</div></a></nav></div></div></div></div><div class="col col--3"><div class="tableOfContents_N7TR thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a class="table-of-contents__link toc-highlight" href="/docs/next/security/authorization-push-down#authorization-push-down">Authorization Push-down</a><ul><li><a class="table-of-contents__link toc-highlight" href="/docs/next/security/authorization-push-down#ranger-hadoop-sql-plugin">Ranger Hadoop SQL Plugin</a></li><li><a class="table-of-contents__link toc-highlight" href="/docs/next/security/authorization-push-down#chain-authorization-plugin">chain authorization plugin</a></li></ul></li></ul></div></div></div></div></main></div></div></div><footer class="footer footer--dark"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="footer__copyright"><div> |
| <p> |
| Copyright © 2025 The Apache Software Foundation, Licensed under the Apache License, Version 2.0. <br> |
| Apache Gravitino, the names of other Apache projects, and the ASF logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. |
| </p> |
| </div></div></div></div></footer></div> |
| </body> |
| </html> |