[KYUUBI #2395] [DOC] Add Documentation for Spark AuthZ Extension

### _Why are the changes needed?_

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #2395 from yaooqinn/doc2.

Closes #2395

109440b [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension
852e7fd [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension
dfeef88 [Kent Yao] [DOC] Add Documentation for Spark AuthZ Extension

Authored-by: Kent Yao <yao@apache.org>
Signed-off-by: ulysses-you <ulyssesyou@apache.org>

docs/security/authorization/index.rst

@@ -0,0 +1,26 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+..    http://www.apache.org/licenses/LICENSE-2.0
+
+.. Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+.. image:: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg
+   :align: center
+   :width: 25%
+
+Kyuubi Authorization Guide
+==========================
+
+.. toctree::
+    :maxdepth: 2
+
+    Spark AuthZ Plugin <spark/index>

docs/security/authorization/spark/build.md

@@ -0,0 +1,104 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements.  See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+
+
+# Building Kyuubi Spark AuthZ Plugin
+
+<img src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg" alt="Kyuubi logo" width="50%" align="right" />
+
+## Build with Apache Maven
+
+Kyuubi Spark AuthZ Plugin is built using [Apache Maven](http://maven.apache.org).
+To build it, `cd` to the root direct of kyuubi project and run:
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests
+```
+
+After a while, if everything goes well, you will get the plugin finally in two parts:
+
+- The main plugin jar, which is under `./extensions/spark/kyuubi-spark-authz/target/kyuubi-spark-authz_${scala.binary.version}-${project.version}.jar`
+- The least transitive dependencies needed, which are under `./extensions/spark/kyuubi-spark-authz/target/scala-${scala.binary.version}/jars`
+
+### Build against Different Apache Spark Versions
+
+The maven option `spark.version` is used for specifying Spark version to compile with and generate corresponding transitive dependencies.
+By default, it is always built with the latest `spark.version` defined in kyuubi project main pom file.
+Sometimes, it may be incompatible with other Spark distributions, then you may need to build the plugin on your own targeting the Spark version you use.
+
+For example,
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests -Dspark.version=3.0.2
+```
+
+The available `spark.version`s are shown in the following table.
+
+|   Spark Version   |  Supported  |                                                              Remark                                                              |
+|:-----------------:|:-----------:|:--------------------------------------------------------------------------------------------------------------------------------:|
+|      master       |      √      |                                                                -                                                                 |
+|       3.3.x       |      √      |                                                                -                                                                 |
+|       3.2.x       |      √      |                                                                -                                                                 |
+|       3.1.x       |      √      |                                                                -                                                                 |
+|       3.0.x       |      √      |                                                                -                                                                 |
+|       2.4.x       |      √      |                                                                -                                                                 |
+| 2.3.x and earlier |      ×      | [PR 2367](https://github.com/apache/incubator-kyuubi/pull/2367) is used to track how we work with older releases with scala 2.11 |
+
+Currently, Spark released with Scala 2.12 are supported.
+
+### Build against Different Apache Ranger Versions
+
+The maven option `ranger.version` is used for specifying Ranger version to compile with and generate corresponding transitive dependencies.
+By default, it is always built with the latest `ranger.version` defined in kyuubi project main pom file.
+Sometimes, it may be incompatible with other Ranger Admins, then you may need to build the plugin on your own targeting the Ranger Admin version you connect with.
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DskipTests -Dranger.version=0.7.0
+```
+
+The available `ranger.version`s are shown in the following table.
+
+| Ranger Version |  Supported  | Remark |
+|:--------------:|:-----------:|:------:|
+|     2.2.x      |      √      |   -    |
+|     2.1.x      |      √      |   -    |
+|     2.0.x      |      √      |   -    |
+|     1.2.x      |      √      |   -    |
+|     1.1.x      |      √      |   -    |
+|     1.0.x      |      √      |   -    |
+|     0.7.x      |      √      |   -    |
+|     0.6.x      |      √      |   -    |
+
+Currently, all ranger releases are supported.
+
+## Test with ScalaTest Maven plugin
+If you omit `-DskipTests` option in the command above, you will also get all unit tests run.
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12
+```
+
+If any bug occurs and you want to debug the plugin yourself, you can configure `-DdebugForkedProcess=true` and `-DdebuggerPort=5005`(optional).
+
+```shell
+build/mvn clean package -pl :kyuubi-spark-authz_2.12 -DdebugForkedProcess=true
+```
+
+The tests will suspend at startup and wait for a remote debugger to attach to the configured port.
+
+We will appreciate if you can share the bug or the fix to the Kyuubi community.

docs/security/authorization/spark/index.rst

@@ -0,0 +1,28 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+..    http://www.apache.org/licenses/LICENSE-2.0
+
+.. Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+.. image:: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg
+   :align: center
+   :width: 25%
+
+Kyuubi Spark AuthZ Plugin
+=========================
+
+.. toctree::
+    :maxdepth: 2
+
+    Overview <overview>
+    Building <build>
+    Installing <install>

docs/security/authorization/spark/install.md

@@ -0,0 +1,126 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements.  See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+<img src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg" alt="Kyuubi logo" width="25%" align="center" />
+
+
+# Installing and Configuring Kyuubi Spark AuthZ Plugin
+
+## Pre-install
+
+- [Apache Ranger](https://ranger.apache.org/)
+
+  This plugin works as a ranger rest client with Apache Ranger admin server to do privilege check.
+  Thus, a ranger server need to be installed ahead and available to use.
+
+- Building(optional)
+
+  If your ranger admin or spark distribution is not compatible with the official pre-built [artifact](https://mvnrepository.com/artifact/org.apache.kyuubi/kyuubi-spark-authz) in maven central.
+  You need to [build](build.md) the plugin targeting the spark/ranger you are using by yourself.
+
+## Install
+
+With the `kyuubi-spark-authz_*.jar` and its transitive dependencies available for spark runtime classpath, such as
+- Copied to `$SPARK_HOME/jars`, or
+- Specified to `spark.jars` configuration
+
+## Configure
+
+### Settings for Connecting Ranger Admin
+
+#### ranger-spark-security.xml
+- Create `ranger-spark-security.xml` in `$SPARK_HOME/conf` and add the following configurations
+for pointing to the right Ranger admin server.
+
+```xml
+<configuration>
+    <property>
+        <name>ranger.plugin.spark.policy.rest.url</name>
+        <value>ranger admin address like http://ranger-admin.org:6080</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.service.name</name>
+        <value>a ranger hive service name</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.cache.dir</name>
+        <value>./a ranger hive service name/policycache</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.pollIntervalMs</name>
+        <value>5000</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.source.impl</name>
+        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+    </property>
+
+</configuration>
+```
+
+#### ranger-spark-audit.xml
+
+Create `ranger-spark-audit.xml` in `$SPARK_HOME/conf` and add the following configurations
+to enable/disable auditing.
+
+```xml
+<configuration>
+
+    <property>
+        <name>xasecure.audit.is.enabled</name>
+        <value>true</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.db</name>
+        <value>false</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.db.jdbc.driver</name>
+        <value>com.mysql.jdbc.Driver</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.db.jdbc.url</name>
+        <value>jdbc:mysql://10.171.161.78/ranger</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.db.password</name>
+        <value>rangeradmin</value>
+    </property>
+
+    <property>
+        <name>xasecure.audit.destination.db.user</name>
+        <value>rangeradmin</value>
+    </property>
+
+</configuration>
+```
+
+### Settings for Spark Session Extensions
+
+Add `org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension` to the spark configuration `spark.sql.extensions`.
+
+```properties
+spark.sql.extensions=org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension
+```

docs/security/authorization/spark/overview.md

@@ -0,0 +1,57 @@
+<!--
+ - Licensed to the Apache Software Foundation (ASF) under one or more
+ - contributor license agreements.  See the NOTICE file distributed with
+ - this work for additional information regarding copyright ownership.
+ - The ASF licenses this file to You under the Apache License, Version 2.0
+ - (the "License"); you may not use this file except in compliance with
+ - the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing, software
+ - distributed under the License is distributed on an "AS IS" BASIS,
+ - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ - See the License for the specific language governing permissions and
+ - limitations under the License.
+ -->
+
+# Kyuubi AuthZ Plugin For Spark SQL
+
+<img src="https://svn.apache.org/repos/asf/comdev/project-logos/originals/kyuubi-1.svg" alt="Kyuubi logo" width="25%" align="right" />
+
+Security is one of the fundamental features for enterprise adoption with Kyuubi.
+When deploying Kyuubi against secured clusters,
+storage-based authorization is enabled by default, which only provides file-level coarse-grained authorization mode.
+When row/column-level fine-grained access control is required,
+we can enhance the data access model with the Kyuubi Spark AuthZ plugin.
+
+## Authorization in Kyuubi
+
+### Storage-based Authorization
+
+As Kyuubi supports multi tenancy, a tenant can only visit authorized resources,
+including computing resources, data, etc.
+Most file systems, such as HDFS, support ACL management based on files and directories.
+
+A so called Storage-based authorization mode is supported by Kyuubi by default.
+In this model, all objects, such as databases, tables, partitions, in meta layer are mapping to folders or files in the storage layer,
+as well as their permissions.
+
+Storage-based authorization offers users with database, table and partition-level coarse-gained access control.
+
+### SQL-standard authorization with Ranger
+
+A SQL-standard authorization usually offers a row/colum-level fine-grained access control to meet the real-world data security need.
+
+[Apache Ranger](https://ranger.apache.org/) is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform. 
+This plugin enables Kyuubi with data and metadata control access ability for Spark SQL Engines, including,
+
+- Column-level fine-grained authorization
+- Row-level fine-grained authorization, a.k.a. Row-level filtering
+- Data masking
+
+## The Plugin Itself
+
+Kyuubi Spark Authz Plugin itself provides general purpose for ACL management for data & metadata while using Spark SQL.
+It is not necessary to deploy it with the Kyuubi server and engine, and can be used as an extension for any Spark SQL jobs.
+However, the authorization always requires a robust authentication layer and multi tenancy support, so Kyuubi is a perfect match.