...

  1. Identify the additional information to be added to the request context for your use case. Write a context enricher, if necessary, to add that information to the request context. Refer to the Context Enricher section below for details.
    1. Time-of-day use case: the information required to enforce this dynamic rule is the time when the resource is accessed. Since this information is already present in the access request, there is no need to write a context enricher.
    2. Project-assignment-restriction use case: the information required to enforce this dynamic rule is the set of projects the current user is assigned to. Write a context enricher which adds the assigned-projects information to the access request, for example as follows:
      1. Let's assume that the user/group to project assignment is kept in a disk file.
      2. During initialization, the context enricher reads the disk file into an in-memory map of users or user groups to projects.
      3. During the enrichment phase, the context enricher extracts the requesting user's name and group membership from the request and uses them to retrieve the currently assigned projects from the in-memory map.
      4. The context enricher pushes the currently assigned projects into the request context.
  2. Implement or use appropriate condition evaluators to enforce the conditions specified on the policy. Refer to the Condition Evaluators section below for details.
    1. Time-of-day use case: Ranger ships with a standard condition evaluator which does this (RangerTimeOfDayMatcher). Please review its code.
      1. It extracts the access time from the access request and compares it against the valid times specified on the policy.
      2. If the access time lies within any of the time windows, it returns true.
    2. Project-assignment-restriction use case: implement a condition evaluator that compares the user's project membership (added to the request context by the context enricher) against the project names specified in the policy and returns true if the user is in one of the projects specified in the policy.
  3. Update the service type definition with the context enricher and condition evaluator details so that the policy engine knows to wire them into the authorization pipeline and so that policy authors can enter the condition values in policies. Refer to the Working Example Appendix section below for the steps and commands that achieve this.
  4. Shut down the HDFS service and Ranger Admin.
  5. Deploy the context enricher and condition evaluator code to the HDFS namenode and Ranger Admin.
    1. Typically for the Ranger server this would be: /usr/hdp/<version-#>/ranger-admin/ews/webapp/WEB-INF/lib
    2. For a service like HDFS this would typically be /usr/hdp/<version-#>/hadoop/lib.
    3. Note that for the service the jars need to be copied only to the nodes that take part in authorization. This differs from service to service. For example, in the case of HDFS only the namenode participates in authorization, whereas for HBase both the Master and the Region servers participate in authorization.
  6. Restart Ranger Admin first and then the HDFS namenode.
  7. Verify that the Ranger UI shows the new policy condition.
  8. Create a policy with values for the custom condition and validate that authorization behaves as expected.
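The project-assignment enricher and its matching condition evaluator from steps 1 and 2 above, as an added example (not the page's or Ranger's own code). The Ranger hooks used (`RangerAbstractContextEnricher.init()`/`enrich()`, `getOption()`, `RangerAbstractConditionEvaluator.isMatched()` and its `condition` field) are assumed from the plugin API; the option name `projectMapFile`, the file format and the context key `ASSIGNED_PROJECTS` are choices made for this example.

```java
// Added example, not Ranger's code; option name, file format and context key are assumed.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.*;
import org.apache.ranger.plugin.conditionevaluator.RangerAbstractConditionEvaluator;
import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;

public class ProjectAssignmentEnricher extends RangerAbstractContextEnricher {
    public static final String CONTEXT_KEY = "ASSIGNED_PROJECTS";
    // "user:<name>" or "group:<name>" -> projects; filled once in init(), read-only afterwards
    private final Map<String, Set<String>> assignments = new HashMap<>();

    @Override
    public void init() {
        super.init();
        // Assumed file format, one principal per line:  user:alice=projA,projB
        String path = getOption("projectMapFile", "/etc/ranger/project-assignments.txt");
        try {
            for (String line : Files.readAllLines(Paths.get(path))) {
                String[] kv = line.trim().split("=", 2);
                if (kv.length != 2 || kv[0].startsWith("#")) continue;
                assignments.put(kv[0], new HashSet<>(Arrays.asList(kv[1].split("\\s*,\\s*"))));
            }
        } catch (IOException e) { assignments.clear(); }   // fail closed: nobody is in any project
    }

    @Override
    public void enrich(RangerAccessRequest request) {
        // Union of the projects assigned to the user and to each of the user's groups
        Set<String> projects = new HashSet<>(assignments.getOrDefault("user:" + request.getUser(), Collections.emptySet()));
        for (String g : request.getUserGroups()) {
            projects.addAll(assignments.getOrDefault("group:" + g, Collections.emptySet()));
        }
        request.getContext().put(CONTEXT_KEY, projects);   // read by the evaluator below
    }
}

class ProjectMembershipMatcher extends RangerAbstractConditionEvaluator {
    @Override
    public boolean isMatched(RangerAccessRequest request) {
        Object enriched = request.getContext().get(ProjectAssignmentEnricher.CONTEXT_KEY);
        // Enricher did not run, or the policy lists no projects: deny rather than fall open
        if (!(enriched instanceof Set) || condition == null || condition.getValues() == null) return false;
        for (String allowed : condition.getValues()) {     // project names entered in the policy
            if (((Set<?>) enriched).contains(allowed)) return true;
        }
        return false;
    }
}
```

The two classes are shown in one listing for brevity; in practice each goes in its own file and the fully qualified names are what the service definition refers to.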

Steps and command to update service definition

  1. Get the HDFS service definition from Ranger Admin:
    1. curl --user admin:admin --get "http://node-1:6080/service/public/v2/api/servicedef/name/hdfs"
    2. This returns a JSON response. Note down the id of the service type.
    3. Look at sample output #1 below.
  2. Now add the context enricher to the HDFS service definition using the following command:
    1. curl --user admin:admin -X PUT -H "Content-Type: application/json" -d @<edited-servicedef.json> "http://node-1:6080/service/public/v2/api/servicedef/name/hdfs"
    2. Include the edited JSON in the body of the PUT request. This should echo back the request body.
    3. Look at sample output #2 below.
  3. Next add the condition evaluator to the HDFS service definition using the following command:
    1. curl --user admin:admin -X PUT -H "Content-Type: application/json" -d @<edited-servicedef.json> "http://node-1:6080/service/public/v2/api/servicedef/name/hdfs"
    2. Include the edited JSON in the body of the PUT request. This should echo back the request body.
    3. Look at sample output #3 below.
  4. Copy the condition evaluator jar to the Ranger server's classpath. Copy both the condition evaluator and the context enricher jars to the classpath of the service where the Ranger plugin runs.

Context Enricher

What is a context enricher?

  1. A Context Enricher is any Java class that extends the abstract class RangerAbstractContextEnricher.
  2. A series of context enrichers can be configured in a service type definition.
  3. Before the access request is evaluated by the policy engine, context enrichers are invoked to update the request context with additional information.
  4. A Context Enricher is not expected to maintain any state and in general should be written to be reentrant.
  5. The context enricher object is garbage collected and a new one created whenever a new set of policies is available to the plugin. Since policies change infrequently, this is expected to have minimal performance impact.

...