Ranger basics

Apache Ranger is a security framework for the Hadoop platform: it enables and manages security for Hadoop services, provides centralized, fine-grained control over who may access which data, and audits that access.

Goals

  • Let users manage all security-related tasks centrally, through a UI or a REST API
  • Let users define fine-grained authorization for actions on the components and tools of the Hadoop ecosystem from one management tool
  • Provide one standard authorization method across the components of the Hadoop ecosystem
  • Support the authorization models different business scenarios need, such as role-based and attribute-based authorization
  • Manage the auditing of all security-relevant actions on Hadoop components centrally

How it works

The core of Ranger is a web application, known as the Ranger Admin module, made up of three parts: policy management, audit logging, and reporting. Each protected service (HiveServer2, the HDFS NameNode, and so on) runs a Ranger plugin that periodically downloads the policies of its service from Ranger Admin, caches them, and authorizes every request locally against that cache, so enforcement keeps working while Admin is briefly unreachable; the plugin also sends its access audit records to the configured audit store.
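To make the enforcement step concrete, here is a small Python model, an added example and not Ranger's own code, of how a plugin decides one request from the policy set it downloaded. The two policies are constructed in the shape the Java class on this page posts to Ranger Admin (an owner policy and a per-table read-only policy). The evaluation order it keeps is the real one, matching deny items win, otherwise a matching allow item grants, otherwise deny; policy priorities, validity schedules, masking and row-filter policies are left out, and the user names, groups and resource names are made up.

```python
"""Simplified model of how a Ranger plugin authorizes a request from downloaded
policies. Added example, not Ranger's code; the two policies are constructed."""
from fnmatch import fnmatchcase


def _resource_level(*values, is_excludes=False):
    return {"values": list(values), "isExcludes": is_excludes, "isRecursive": False}


# Constructed sample: alice owns database "sales"; bob may only read sales.orders,
# and members of group "contractors" are explicitly denied select on that table.
POLICIES = [
    {
        "name": "sales_alice_owner", "isEnabled": True, "policyType": 0,
        "resources": {"database": _resource_level("sales"), "table": _resource_level("*"),
                      "column": _resource_level("*")},
        "policyItems": [{"accesses": [{"type": "all", "isAllowed": True}],
                         "users": ["alice"], "groups": []}],
        "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [],
    },
    {
        "name": "sales_authorize_bob", "isEnabled": True, "policyType": 0,
        "resources": {"database": _resource_level("sales"), "table": _resource_level("orders"),
                      "column": _resource_level("*")},
        "policyItems": [{"accesses": [{"type": "select", "isAllowed": True}],
                         "users": ["bob"], "groups": []}],
        "denyPolicyItems": [{"accesses": [{"type": "select", "isAllowed": True}],
                             "users": [], "groups": ["contractors"]}],
        "allowExceptions": [], "denyExceptions": [],
    },
]


def _level_matches(spec, value):
    """One hierarchy level: * and ? are wildcards; isExcludes inverts the match."""
    hit = any(fnmatchcase(value, pattern) for pattern in spec["values"])
    return not hit if spec["isExcludes"] else hit


def _policy_matches(policy, resource):
    """resource maps hierarchy levels to values, e.g. {"database": "sales", "table": "orders"}."""
    if not policy.get("isEnabled", True) or policy.get("policyType", 0) != 0:
        return False
    specs = policy["resources"]
    if any(level not in specs for level in resource):
        return False  # a database-only policy says nothing about a table request
    for level, spec in specs.items():
        if level in resource:
            if not _level_matches(spec, resource[level]):
                return False
        elif spec["isExcludes"] or spec["values"] != ["*"]:
            return False  # lower levels must be unrestricted to cover a higher-level request
    return True


def _item_applies(item, user, groups, access):
    if user not in item["users"] and not set(groups) & set(item["groups"]):
        return False
    # In the Hive service definition the "all" access type implies every other one.
    return any(a["isAllowed"] and a["type"] in (access, "all") for a in item["accesses"])


def _any_applies(policy, key, user, groups, access):
    return any(_item_applies(i, user, groups, access) for i in policy.get(key, []))


def is_allowed(policies, user, groups, resource, access):
    """Default deny; a matching deny item is final even if another policy allows."""
    allowed = False
    for policy in policies:
        if not _policy_matches(policy, resource):
            continue
        if _any_applies(policy, "denyPolicyItems", user, groups, access) and \
                not _any_applies(policy, "denyExceptions", user, groups, access):
            return False
        if _any_applies(policy, "policyItems", user, groups, access) and \
                not _any_applies(policy, "allowExceptions", user, groups, access):
            allowed = True
    return allowed
```

A useful way to read the model: a read-only policy on one table does not cover a request at database level (bob cannot `select` on the database as a whole), while the owner policy with `*` at the lower levels does, and a group-based deny overrides a user-based allow no matter where the two items live.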

A Ranger utility class in Java

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.fline.aic.db.util.HttpClientUtil;
import org.apache.commons.lang.StringUtils;

/**
 * Thin wrapper around the Ranger Admin REST API for managing users and Hive policies.
 *
 * HttpClientUtil is an in-house helper, not part of Ranger or fastjson. Its doGet,
 * doPostJson, doPut and doDelete methods are assumed to send one request to the given
 * URL with HTTP Basic authentication (rangerUserName / rangerPassword) and return the
 * response body as a string. The account used must hold the Ranger admin role: the
 * xusers and policy endpoints below are administrative.
 */
public class RangerUtil {
	// Placeholder defaults; the real values are read from applicationContext.properties below.
	private static String rangerUrl = "rangeUrl";          // Ranger Admin base URL, e.g. http://host:6080/
	private static String rangerUserName = "rangeUserName";
	private static String rangerPassword = "rangePassword";
	private static String hiveService = "active_hive";     // name of the Hive service (repository) in Ranger

	// Access types of the Hive service definition that the "owner" policy grants.
	private static final List<String> OWNER_ACCESSES = Arrays.asList("select", "update", "create", "drop",
			"alter", "index", "lock", "all", "read", "write", "repladmin", "serviceadmin", "tempudfadmin");
	// Access types that the per-table read-only policy grants.
	private static final List<String> READ_ONLY_ACCESSES = Arrays.asList("select", "read");

	static {
		Properties p = new Properties();
		try (InputStream in = RangerUtil.class.getClassLoader()
				.getResourceAsStream("applicationContext.properties")) {
			if (in != null) {
				p.load(in);
			}
		} catch (IOException e) {
			throw new ExceptionInInitializerError(e);
		}
		// Keep the defaults when a key is missing instead of overwriting them with null.
		rangerUrl = p.getProperty("multi.rangerUrl", rangerUrl);
		rangerUserName = p.getProperty("multi.rangerUserName", rangerUserName);
		rangerPassword = p.getProperty("multi.rangerPassword", rangerPassword);
		hiveService = p.getProperty("multi.rangerHiveService", hiveService);
		if (!rangerUrl.endsWith("/")) {
			rangerUrl += "/";   // every path below is appended directly to the base URL
		}
	}

	/**
	 * Look up a Ranger user by name.
	 */
	public static String getUser(String userName) {
		return HttpClientUtil.doGet(rangerUrl + "service/xusers/users/userName/" + userName,
				rangerUserName, rangerPassword);
	}

	/**
	 * Create a Ranger-internal user with the ordinary ROLE_USER role.
	 */
	public static String createUser(String userName, String password) {
		// Build the body with fastjson rather than string concatenation: a name or password
		// containing a quote would otherwise produce malformed, or attacker-shaped, JSON.
		JSONObject body = new JSONObject();
		body.put("name", userName);
		body.put("password", password);
		body.put("userRoleList", jsonArray("ROLE_USER"));
		return HttpClientUtil.doPostJson(rangerUrl + "service/xusers/secure/users", body.toJSONString(),
				rangerUserName, rangerPassword);
	}

	/**
	 * Grant a user ownership of a Hive database: every access type on all tables and
	 * columns, plus delegated admin so the owner can manage the policy in Ranger Admin.
	 */
	public static String createHivePolice(String userName, String hivedb) {
		String policyName = hivedb + "_" + userName + "_owner";
		String description = "Policy for " + hivedb + " - database, table, column";
		JSONObject policy = buildHivePolicy(policyName, description, hivedb, "*", OWNER_ACCESSES, userName, true);
		return HttpClientUtil.doPostJson(rangerUrl + "service/plugins/policies", policy.toJSONString(),
				rangerUserName, rangerPassword);
	}

	/**
	 * Download every enabled policy of the Hive service, in the form the Ranger plugin
	 * inside HiveServer2 pulls them from Admin.
	 */
	public static String getAllPolicies() {
		return HttpClientUtil.doGet(rangerUrl + "service/plugins/policies/download/" + hiveService,
				rangerUserName, rangerPassword);
	}

	/**
	 * Grant a user read-only access to one table. There is one policy per user and
	 * database, named "<db>_authorize_<user>": create it on first use, otherwise add
	 * the table to its resource list.
	 */
	public static String updateAuthUserTable(String userName, String hivedb, String tableName) {
		String policyName = hivedb + "_authorize_" + userName;
		String existing = getPoliciesByName(policyName);
		if (isNotFound(existing)) {
			return createAuthUserTable(userName, hivedb, tableName);
		}
		JSONObject policy = JSONObject.parseObject(existing);
		long id = policy.getLongValue("id");
		JSONArray tables = policy.getJSONObject("resources").getJSONObject("table").getJSONArray("values");
		if (tables.contains(tableName)) {
			return existing;   // already granted
		}
		tables.add(tableName); // tables is the live array inside policy, so the PUT body includes it
		return updatePoliciesById(id, policy.toJSONString());
	}

	/**
	 * Revoke a user's read-only access to one table. When the last table is removed the
	 * policy itself is deleted rather than left behind with an empty resource list.
	 */
	public static String removeAuthUserTable(String userName, String hivedb, String tableName) {
		String policyName = hivedb + "_authorize_" + userName;
		String existing = getPoliciesByName(policyName);
		if (isNotFound(existing)) {
			return "";
		}
		JSONObject policy = JSONObject.parseObject(existing);
		long id = policy.getLongValue("id");
		JSONArray tables = policy.getJSONObject("resources").getJSONObject("table").getJSONArray("values");
		if (!tables.contains(tableName)) {
			return "";         // nothing to revoke
		}
		tables.remove(tableName);
		if (tables.isEmpty()) {
			return deletePoliciesById(id);
		}
		return updatePoliciesById(id, policy.toJSONString());
	}

	/**
	 * Create the per-user read-only policy with a single table.
	 */
	public static String createAuthUserTable(String userName, String hivedb, String tableName) {
		String policyName = hivedb + "_authorize_" + userName;
		String description = "Policy for some tables in " + hivedb + " To " + userName;
		// delegateAdmin=false: a read-only grantee must not be able to edit this policy in
		// Ranger Admin and re-grant the tables to others.
		JSONObject policy = buildHivePolicy(policyName, description, hivedb, tableName, READ_ONLY_ACCESSES,
				userName, false);
		return HttpClientUtil.doPostJson(rangerUrl + "service/plugins/policies", policy.toJSONString(),
				rangerUserName, rangerPassword);
	}

	/**
	 * Fetch a policy of the Hive service by name (public v2 API). Ranger answers 404 when
	 * no such policy exists; HttpClientUtil is assumed to return the body "Not found" or
	 * an empty string in that case, which isNotFound() checks.
	 */
	public static String getPoliciesByName(String policyName) {
		return HttpClientUtil.doGet(rangerUrl + "service/public/v2/api/service/" + hiveService + "/policy/" + policyName,
				rangerUserName, rangerPassword);
	}

	/**
	 * Delete a policy by id.
	 */
	public static String deletePoliciesById(long id) {
		return HttpClientUtil.doDelete(rangerUrl + "service/public/v2/api/policy/" + id, rangerUserName, rangerPassword);
	}

	/**
	 * Replace a policy by id with the given JSON body.
	 */
	public static String updatePoliciesById(long id, String jsonStr) {
		return HttpClientUtil.doPut(rangerUrl + "service/public/v2/api/policy/" + id, jsonStr, rangerUserName, rangerPassword);
	}

	private static boolean isNotFound(String body) {
		return StringUtils.isEmpty(body) || "Not found".equals(body);
	}

	/**
	 * Build a resource-based (policyType 0) allow policy for one user on the Hive service:
	 * database hivedb, the given table value, all columns, with the given access types.
	 */
	private static JSONObject buildHivePolicy(String policyName, String description, String hivedb, String table,
			List<String> accessTypes, String userName, boolean delegateAdmin) {
		JSONObject policy = new JSONObject();
		policy.put("isEnabled", true);
		policy.put("service", hiveService);
		policy.put("name", policyName);
		policy.put("policyType", 0);        // 0 = access policy; 1 = masking, 2 = row filter
		policy.put("policyPriority", 0);
		policy.put("description", description);
		policy.put("isAuditEnabled", true);  // keep auditing on: the audit log is the record of every decision

		JSONObject resources = new JSONObject();
		resources.put("database", resource(hivedb));
		resources.put("table", resource(table));
		resources.put("column", resource("*"));
		policy.put("resources", resources);

		JSONArray accesses = new JSONArray();
		for (String type : accessTypes) {
			JSONObject access = new JSONObject();
			access.put("type", type);
			access.put("isAllowed", true);
			accesses.add(access);
		}
		JSONObject item = new JSONObject();
		item.put("accesses", accesses);
		item.put("users", jsonArray(userName));
		item.put("groups", new JSONArray());
		item.put("conditions", new JSONArray());
		item.put("delegateAdmin", delegateAdmin);
		JSONArray items = new JSONArray();
		items.add(item);
		policy.put("policyItems", items);

		policy.put("denyPolicyItems", new JSONArray());
		policy.put("allowExceptions", new JSONArray());
		policy.put("denyExceptions", new JSONArray());
		policy.put("dataMaskPolicyItems", new JSONArray());
		policy.put("rowFilterPolicyItems", new JSONArray());
		policy.put("options", new JSONObject());
		policy.put("validitySchedules", new JSONArray());
		policy.put("policyLabels", new JSONArray());
		return policy;
	}

	/**
	 * One level of the Hive resource hierarchy. Ranger treats * and ? in values as
	 * wildcards, so callers must not pass untrusted database or table names through unchecked.
	 */
	private static JSONObject resource(String... values) {
		JSONObject r = new JSONObject();
		r.put("values", jsonArray(values));
		r.put("isExcludes", false);
		r.put("isRecursive", false);
		return r;
	}

	private static JSONArray jsonArray(String... values) {
		JSONArray a = new JSONArray();
		for (String v : values) {
			a.add(v);
		}
		return a;
	}
}
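The per-table grant and revoke paths of the class above are where the edge cases live: the policy may already exist, the table may already be granted, and revoking the last table should delete the policy rather than leave an empty one behind. This added Python example, not the page's code and not Ranger's, reproduces that decision logic against an in-memory stand-in for the three policy endpoints the class uses (get by name, create/update, delete) so it runs offline, and adds the input check the class lacks: Ranger treats `*` and `?` in resource values as wildcards, so a caller-controlled table name of `*` would silently turn a one-table read grant into the whole database. `FakeRangerAdmin`, `HIVE_SERVICE` and the identifier pattern are assumptions; a real client would issue the corresponding HTTP calls with Basic auth.

```python
"""Grant/revoke read-only access to single Hive tables through a Ranger Admin
stand-in. Added example, not the page's code; FakeRangerAdmin is a constructed
in-memory substitute for the Ranger Admin policy endpoints used on this page."""
import json
import re

HIVE_SERVICE = "active_hive"  # Ranger service name of the Hive repository (assumption)


class FakeRangerAdmin:
    """In-memory stand-in for the policy endpoints: get by name, create, update, delete."""

    def __init__(self):
        self._policies = {}
        self._next_id = 1

    def get_policy_by_name(self, service, name):
        for p in self._policies.values():
            if p["service"] == service and p["name"] == name:
                return json.loads(json.dumps(p))  # a copy, like a fresh HTTP response body
        return None  # the real Admin answers 404 here

    def create_policy(self, policy):
        policy = dict(policy, id=self._next_id, version=1)
        self._policies[policy["id"]] = policy
        self._next_id += 1
        return policy

    def update_policy(self, policy_id, policy):
        current = self._policies[policy_id]
        policy = dict(policy, id=policy_id, version=current["version"] + 1)
        self._policies[policy_id] = policy
        return policy

    def delete_policy(self, policy_id):
        del self._policies[policy_id]


def read_only_policy(user, db, tables):
    """Resource-based allow policy: select on the listed tables of db, all columns."""
    return {
        "service": HIVE_SERVICE, "name": f"{db}_authorize_{user}",
        "isEnabled": True, "policyType": 0, "isAuditEnabled": True,
        "description": f"Read-only tables in {db} for {user}",
        "resources": {
            "database": {"values": [db], "isExcludes": False, "isRecursive": False},
            "table": {"values": list(tables), "isExcludes": False, "isRecursive": False},
            "column": {"values": ["*"], "isExcludes": False, "isRecursive": False},
        },
        "policyItems": [{
            "accesses": [{"type": "select", "isAllowed": True}],
            "users": [user], "groups": [], "conditions": [],
            # False: a read-only grantee must not be able to edit the policy and re-grant it.
            "delegateAdmin": False,
        }],
        "denyPolicyItems": [], "allowExceptions": [], "denyExceptions": [],
    }


_IDENT = re.compile(r"^[A-Za-z0-9_]+$")  # assumed naming rule for databases and tables


def _check_name(value):
    # Ranger interprets * and ? in resource values as wildcards, so an unchecked
    # table name of "*" would grant every table in the database.
    if not _IDENT.match(value):
        raise ValueError(f"refusing non-identifier resource name: {value!r}")
    return value


def grant_table(admin, user, db, table):
    _check_name(db)
    _check_name(table)
    policy = admin.get_policy_by_name(HIVE_SERVICE, f"{db}_authorize_{user}")
    if policy is None:
        return admin.create_policy(read_only_policy(user, db, [table]))
    tables = policy["resources"]["table"]["values"]
    if table in tables:
        return policy  # idempotent: already granted
    tables.append(table)
    return admin.update_policy(policy["id"], policy)


def revoke_table(admin, user, db, table):
    policy = admin.get_policy_by_name(HIVE_SERVICE, f"{db}_authorize_{user}")
    if policy is None or table not in policy["resources"]["table"]["values"]:
        return policy  # nothing to revoke
    tables = policy["resources"]["table"]["values"]
    tables.remove(table)
    if not tables:  # last table gone: delete the policy instead of leaving an empty one
        admin.delete_policy(policy["id"])
        return None
    return admin.update_policy(policy["id"], policy)


def granted_tables(admin, user, db):
    policy = admin.get_policy_by_name(HIVE_SERVICE, f"{db}_authorize_{user}")
    return sorted(policy["resources"]["table"]["values"]) if policy else []
```

Against a real Ranger Admin the version field matters: every PUT bumps it, and a client that re-sends a stale copy of the policy after someone edited it in the UI will overwrite that edit, so fetch, modify and update in one short sequence as the functions above do.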