Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
CDAP Ranger Extension
Apache Ranger is centralized security framework used to manage authorization privileges. Read more
CDAP Ranger extension consists of three major components:
- CDAP Ranger Loookup: Enables Ranger to lookup CDAP entities.
- CDAP Ranger Binding: Enables CDAP to use privileges in Ranger for enforcement.
- CDAP Ranger Service Definition: Defines CDAP as a service and it's resources in Ranger.
Before enabling CDAP Authorization please read the following documentation.
Building Ranger Extension
CDAP Ranger extension can be built from source code by running the following command:
mvn clean package
To build without running unit tests
mvn clean package -DskipTests
Optionally, you can download pre-built extension jars from maven central.
Installing CDAP Lookup in Ranger
- Create a new folder called
cdapunder your Ranger plugins directory. Typically on Ambari clusters it is: /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/classes/ranger-plugins
- Move the CDAP Ranger Lookup jar to the cdap plugin directory created above.
mv path-to-jar/cdap-ranger-lookup-[version]-jar-with-dependencies.jar ./
- Change permission to the cdap plugin directory (if required)
chown -R ranger:ranger cdap/
- Restart Ranger service
Adding CDAP as a service in Ranger
- You can use the ranger-servicedef-cdap.json to add CDAP as a service in Ranger
curl -u ranger-admin-user:ranger-admin-password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @ranger-servicedef-cdap.json http://rangerhost:rangerport/service/plugins/definitions
- Now go to the Ranger Admin UI and click on the + button for CDAP service.
- Fill in the details of your CDAP instance.
|Service Name||Name of this service||cdapdev|
|Username||Username to use to connect to cdap instance||username|
|Password||Password for the above user||password|
|Instance URL||CDAP instance URL||mycdaphost:router-port|
|Add New Configuration|
|policy.download.auth.users||User allowed to download policies||cdap|
|policy.grantrevoke.auth.users||User allowed to grant/revoke||cdap|
Note: CDAP username and password is only needed if you want lookup of (auto completion of entity names) CDAP entities in Ranger Admin UI. This user must have authorization for the entities to be able to look it up. Please see documentation below on how to add these privileges. Although, it is not necessary for this user to have authorization on all entities. In this case you will not be able to use auto completion of entity names in Ranger Admin UI and will have to type complete entity names.
- Click on Test Connection button to test that Ranger can successfully establish connection with CDAP.
Now click on Add button, this will add the CDAP service in Ranger.
Once the CDAP service is added in Ranger you will see that Ranger creates some default wildcard policies without any users/groups assigned to it.
Optional: As mentioned earlier if you want Ranger to be able to lookup CDAP entities you will need to give the connecting user specified during service definition ANY (READ, WRITE, EXECUTE or ADMIN) privilege on all entities. You can just go ahead and add that user with some permission to the above existing policies. Note: This is an optional step. You can still use CDAP Ranger Extension without granting the above connecting user ANY privilege on all the resource although you will not be able to use lookup feature in Ranger and will have to manually type complete entity names.
Installing CDAP Authorization Binding for Enforcement
- Put the Ranger CDAP configuration xml files under some path which is accessible to
cdapuser. For example:
- Put the following three files in this directory
You can download a CDAP specific sample here. You might need to modify these configuration files according to your environment but the default will work fine in most cases.
- Edit the
|ranger.plugin.cdap.policy.rest.url||Name of this service||http://rangerhost:port|
|ranger.plugin.cdap.service.name||Service name given in Ranger while adding CDAP||cdapdev|
cdapuser permission on the above created directory and configuration files
chown -R cdap:cdap /usr/local/ranger-cdap-conf/
- Move the CDAP Ranger Binding jar to correct directory (if needed) and give cdap permissions on it
mv /cdap-ranger-binding-0.1.0.jar /opt/cdap/master/ext/security/
chown cdap:cdap cdap-ranger-binding-0.1.0.jar
- Edit the CDAP configuration in Ambari Admin UI and add the following in the custom cdap-site.xml section
security.authorization.enabled=true security.authorization.extension.extra.classpath=/usr/local/ranger-cdap-conf security.authorization.extension.jar.path=/opt/cdap/master/ext/security/cdap-ranger-binding-0.1.0.jar
- Save and Restart CDAP.
CDAP Policies can be managed in Ranger just like other service policies. Please read the Ranger documentation on Policy management to learn more.
CDAP Ranger Plugin allows to grant policies on mid-level entities in CDAP entity hierarchy by specifying
* for lower level and marking them as
exclude. For example the below screenshot shows the policy on
namespace:default. Notice that the value for
* and they are marked as