You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

 

Sentry currently integrates with Apache Hive, Apache Sqoop, Apache Solr, Apache Kafka, HDFS and Cloudera Impala. Sentry is pluggable and it is fairly simple to delegate Sentry to your authorization and policy management needs. In this document we talk about the main steps required for integration, code organization and examples to get you started.

Integration step by step:

       Apache Kafka will be the example for the following guide.

  1. Define authorization model (reference code: https://github.com/apache/sentry/tree/master/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka)
    1. Create the sentry-core-model-kafka for Kafka.
    2. Create KafkaAuthorizable which should extend the interface Authorizable
    3. Create all authorization types with enum AuthorizableType in KafkaAuthorizable, eg, Cluster, Host, etc.
    4. Create sub class of KafkaAuthorizable for every authorization type, eg, Cluster, Host, etc.
  2. Define action factory  (reference code: https://github.com/apache/sentry/blob/master/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaActionFactory.java)
    1. KafkaActionFactory defines all actions for Kafka with name and code, eg, READ(0x0001), WRITE(0x0002), etc.
    2. The action code will be used for action imply with operation &. The imply rule is defined in org.apache.sentry.core.common.BitFieldAction. According to the rule, READ imply WRITE = FALSE, ALL imply WRITE = TRUE.
  3. Define privilegeModel with authorization model and action factory (reference code: https://github.com/apache/sentry/blob/master/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaPrivilegeModel.java)
    1. Create implyMethodMap which is responsible for imply the authorization types which is defined in KafkaAuthorizable, the imply rule is defined in org.apache.sentry.policy.common.CommonPrivilege. The following are the supported imply methods for the authorization types:
      1. STRING : compare the authorization type as string and case insensitive.

      2. STRING_CASE_SENSITIVE : compare the authorization type as string and case sensitive.

      3. URL : compare the authorization type as url according to org.apache.sentry.core.common.utils.PathUtils.

    2. Implement the getImplyMethodMap() with the created implyMethodMap.
    3. Implement the getBitFieldActionFactory with KafkaActionFactory.
  4. Define the binding (reference code: https://github.com/apache/sentry/blob/master/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/binding/KafkaAuthBinding.java)
    1. Crete the KafkaAuthBinding which is responsible for do the authorization for Kafka.
    2. AuthorizationProvider should be the member of binding and will be initialized with the implementation of PolicyEngine and ProviderBackend. For PolicyEngine, org.apache.sentry.policy.engine.common.CommonPolicyEngine is the default implementation and user can implement the interface if needed. For ProviderBackend, org.apache.sentry.provider.db.generic.SentryGenericProviderBackend is the default implementation. The sample code for the initialization is KafkaAuthBinding.createAuthProvider().
    3. Add the method to expose the AuthorizationProvider.hasAccess(), eg, KafkaAuthBinding.authorize().
  5. Implement the hook (reference code: https://github.com/apache/sentry/blob/master/sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/authorizer/SentryKafkaAuthorizer.java)
    1. The purpose for the hook is to use KafkaAuthBinding.authorize() to do the authorization.
  6. manage the authorization metadata
    1. There are 2 ways to manage the authorization metadata like create role, grant role to group, grant privilege to role, revoke privilege from role, etc.
      1. Implement the hook with the 

 


Main modules:

  • Binding: Authorization checks happen here

  • Model: Define what are the objects in your system that you want to control access and define the granularity

  • Policy engine: Define how you want to evaluate policies. For example: Wildcards?

  • E2E tests

Example:

Sqoop integration: https://issues.apache.org/jira/browse/SENTRY-612

Code organization:

Repo: https://github.com/apache/sentry


 

  • No labels