[WIP] Presto ranger integration #244
Thank you for your pull request and welcome to our community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. In order for us to review and merge your code, please submit the signed CLA to cla@prestosql.io. If you are contributing on behalf of someone else (e.g., your employer), the individual CLA may not be sufficient and your employer may need the Corporate CLA signed.
As discussed over slack, we could use product-tests to test the integration.
@stagraqubole Added the product tests and documentation.
return userGroups.getUserGroups(identity.getUser()); | ||
} | ||
|
||
public String getRowLevelFilterExp(String catalogName, RangerPrestoResource resource, Identity identity) |
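Review bot: `getRowLevelFilterExp(...)` at the end of this hunk returns the row filter as a bare `String` and carries no Javadoc, so a caller cannot tell what "no filter applies" looks like. If the method stays, document whether that case is null, empty or an exception, so that a failed policy lookup is never read as "unfiltered"; returning `Optional<String>` would make the distinction explicit.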
The row filter methods should be removed; they aren't being used right now.
column mask changes too
Acked
@Override | ||
public SystemAccessControl create(Map<String, String> config) | ||
{ | ||
RangerConfiguration rangerConfig = RangerConfiguration.getInstance(); |
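Review bot: the first statement of `create(Map<String, String> config)` reads the process-wide `RangerConfiguration.getInstance()` singleton, and nothing in the visible lines ties it to the `config` map the factory was handed. Make clear which source wins when the two disagree, and fail plugin start-up on a missing required setting instead of continuing with Ranger defaults.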
You should store away the pluginClassLoader in constructor and use it in create() method.
We can follow the example of ClassLoaderSafeConnectorMetadata to create a wrapper on top of RangerSystemAccessControl to use pluginClassloader for all SystemAccessControl functions.
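The wrapper pattern suggested in the review comment above, as an added example that is not code from this PR or from Presto: every call into the delegate runs with the plugin class loader as the thread context class loader, and the previous loader is restored even when the check throws. `AccessControl`, `ClassLoaderSafeAccessControl` and the sample user and table names are hypothetical stand-ins for the real SPI.

```java
import java.util.Objects;
import java.util.Set;
// All names are hypothetical; AccessControl stands in for the SystemAccessControl SPI.
class ClassLoaderSafeDemo {
    public static void main(String[] args) {
        ClassLoader engine = Thread.currentThread().getContextClassLoader();
        ClassLoader plugin = new ClassLoader(engine) {}; // stand-in for the plugin class loader
        AccessControl ranger = (user, table, columns) -> {
            if (Thread.currentThread().getContextClassLoader() != plugin) {
                throw new IllegalStateException("called outside the plugin class loader");
            }
            if (!"alice".equals(user)) {
                throw new SecurityException("Access Denied: " + user + " on " + table);
            }
        };
        AccessControl safe = new ClassLoaderSafeAccessControl(ranger, plugin);
        safe.checkCanSelect("alice", "hive.sales.orders", Set.of("id"));
        try {
            safe.checkCanSelect("bob", "hive.sales.orders", Set.of("id"));
        } catch (SecurityException denied) {
            System.out.println(denied.getMessage()); // the denial propagates unchanged
        }
        // true: the engine's loader is back after both the allowed and the denied call
        System.out.println(Thread.currentThread().getContextClassLoader() == engine);
    }
}

interface AccessControl {
    void checkCanSelect(String user, String table, Set<String> columns);
}

final class ClassLoaderSafeAccessControl implements AccessControl {
    private final AccessControl delegate;
    private final ClassLoader pluginClassLoader; // captured once, at construction
    ClassLoaderSafeAccessControl(AccessControl delegate, ClassLoader pluginClassLoader) {
        this.delegate = Objects.requireNonNull(delegate);
        this.pluginClassLoader = Objects.requireNonNull(pluginClassLoader);
    }
    @Override
    public void checkCanSelect(String user, String table, Set<String> columns) {
        Thread thread = Thread.currentThread();
        ClassLoader original = thread.getContextClassLoader();
        thread.setContextClassLoader(pluginClassLoader);
        try {
            delegate.checkCanSelect(user, table, columns);
        } finally {
            thread.setContextClassLoader(original); // restored even when access is denied
        }
    }
}
```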
Acked
The product tests are using a file-based policy client which is not used outside of tests. I was hoping we could get a container image of ranger, set it up with some preset policies and use the real world RestClient of Ranger for the tests. But wait on the comments from @martint, @dain or @electrum before you put in effort on this.
I have created a boilerplate plugin that works with recent Ranger. It is part of the Ranger source code instead of Presto, as Ranger has the infrastructure for creating these types of plugins. Will work on integrating it into Ranger itself.
@Phelodas @cryptoe I have submitted the first iteration of the patch to Ranger: https://issues.apache.org/jira/browse/RANGER-2395 . We are testing it in our production environment. Couple of points:
@cryptoe
@Phelodas @cryptoe @dain the plugin is in review with Apache Ranger. If you have some time to spare and would like to ensure its quality please have a look at:
@sajjoseph the one that is in review with Apache Ranger (note: not the one in this PR) does support recent versions of Ranger. It is applied against master however.
Thanks @bolkedebruin. I spent some time yesterday and got 244 working with ranger 1.2 version. I quickly checked the plugin added in ranger. I liked the brevity. I wonder how you are managing the dependency issue reported by @cryptoe in ranger plugin. Anyway, I had to dig a little with 244 PR to figure out how I can make everything work. All the entries below might be obvious for others, but not for me.
For example, in ranger-security.xml, you will find the following:
It should be changed to:
if the name of the catalog was newhive and similar changes throughout the xml files.
If there is interest, I can get a PR for ranger 1.2 added here. Next step is to incorporate kerberos based authentication in the plugin (initial authentication into ranger at the time of loading the plugin. I know it supports it, but not documented at this time). Hope it helps.
The dependency issue is solved with a shim. That’s why it is now based on the source tree of Ranger rather than Presto as Ranger has the necessary infrastructure for this. Furthermore, I don’t think it’s a great idea to use the hive definitions for Presto and we made presto use its own, this also helps when the row filtering and column masking is used as you can then use ANSI SQL and no translation is required. The plugin in this PR is also using private apis from Ranger for syncing users, which is not required. The plugin that is with Apache Ranger supports the latest release of presto. In other words I don’t think the best place for the plugin is here (presto) but rather with Ranger. Edit: both versions of the plugin already support Kerberos.
Support for Presto has been merged into Ranger (no row level security yet, as Presto lacks support at the moment).
@cryptoe - I seem to have difficulty in getting the tag based policies working. For example, if we tag a certain table column and if there are tag based policies in place, I expected the table to suddenly come under the scrutiny of that policy and the defined access control checks to take place. If you can help me understand how the tag based policies will work with the current implementation, that will be great.
You guys have any timelines to merge this PR? Or is this abandoned?
@jkegzhan it is part of Ranger 2.0. Presto > 321 requires a newer version that hasn't been merged yet. In other words it has been working for around a year already.
This issue should be closed
@cryptoe any idea on https://jira.apache.org/jira/browse/RANGER-2816 ?
Porting project to prestoSQL with review comments addressed.
I was planning to use testing https://github.com/prestosql/presto/blob/master/presto-main/src/main/java/io/prestosql/server/testing/TestingPrestoServer.java which uses presto-main dependency and internally brings jersey 2.xx jars. As ranger client uses jersey 1.xx jars, I was not able to write test cases for the same. Need pointers to solve this unit test cases issue.
@stagraqubole @dain @martint