blob: e4295d4b5c0537965893d12ef9cde91ea68d4ef9 [file] [log] [blame]
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
1. Introduction
2. SampleApp
A simple application to demonstrate use of pluggable authorization.
- IAuthorizer:
the authorization interface. Authorizes read/write/execute access to a given file
- DefaultAuthorizer:
default authorizer implementation, authorizes all accesses
- SampleApp:
- main application that prompts the user to enter access to authorize in the following format:
read filePath user1 userGroup1 userGroup2 userGroup3
write filePath user1 userGroup1 userGroup2 userGroup3
execute filePath user1 userGroup1 userGroup2 userGroup3
3. SampleApp Plugin
- RangerAuthorizer implements IAuthorizer interface and performs authorization using Ranger policies.
- For simplicity, uses policies in a HDFS service instance (like cl1_hadoop): which uses 'path' as the resource and supports 'read', 'write' and 'execute' accessTypes
- conf/ranger-sampleapp-security.xml: has configurations for plugin, like Ranger Admin URL, name of the service containing policies
- conf/ranger-sampleapp-audit.xml: has configurations for plugin audit, like log4j logger name, HDFS folder, DB connection details
4. Build
$ mvn clean compile package assembly:assembly
$ cd ranger-examples
$ mvn clean compile package assembly:assembly
# Following files created by the build will be required to setup SampleApp:
target/ranger-examples-<version>-sampleapp.tar.gz
target/ranger-examples-<version>-sampleapp-plugin.tar.gz
5. Setup SampleApp
# Create a empty directory to setup the application
$ mkdir /tmp/sampleapp
$ cd /tmp/sampleapp
$ tar xvfz ranger-examples-<version>-sampleapp.tar.gz
# add Ranger authorizer bits
$ tar xvfz ranger-examples-<version>-sampleapp-plugin.tar.gz
# Review and update properties in conf/ranger-sampleapp-security.xml, especially the following:
- ranger.plugin.sampleapp.policy.rest.url
- ranger.plugin.sampleapp.service.name
# Review and update properties in conf/ranger-sampleapp-audit.xml
# Review and update properties in conf/log4j.xml
6. Execute
- Use default authorizer i.e. not Ranger:
$ cd /tmp/sampleapp
$ ./run-sampleapp.sh
# At the prompt, enter commands to trigger access authorization, like:
command> read filePath user1 userGroup1 userGroup2 userGroup3
command> write filePath user1 userGroup1 userGroup2 userGroup3
command> execute filePath user1 userGroup1 userGroup2 userGroup3
- Use Ranger authorizer
$ cd /tmp/sampleapp
$ ./run-sampleapp.sh ranger-authz
# At the prompt, enter commands to trigger access authorization, like:
command> read filePath user1 userGroup1 userGroup2 userGroup3
command> write filePath user1 userGroup1 userGroup2 userGroup3
command> execute filePath user1 userGroup1 userGroup2 userGroup3
# audit logs can be seen in /tmp/ranger_audit.log