Basic use of Ranger

Ranger is a framework for enabling, monitoring and centrally managing comprehensive data security across the Hadoop platform.

Target

  • Allows users to centrally manage all security-related tasks using UI or REST API
  • Allows users to use a management tool to perform fine-grained authorization of the actions of the components and tools operating in the Hadoop system
  • Supports the authorization and authentication standards of each component in the Hadoop system
  • Enhanced support for authorization methods required by different business scenarios, such as role-based authorization or attribute-based authorization
  • Supports centralized management of all security-related audit behaviors of Hadoop components

Working principle

The core of Ranger is the web application, also known as the RangerAdmin module, which consists of three parts: policy management, audit logging and reporting.

A Ranger utility class written in Java

import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;

import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import com.fline.aic.db.util.HttpClientUtil;
import org.apache.commons.lang.StringUtils;

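/**
 * Thin client for the Ranger Admin REST API used to manage Ranger users and Hive policies.
 *
 * <p>Connection settings ({@code multi.rangerUrl}, {@code multi.rangerUserName},
 * {@code multi.rangerPassword}, {@code multi.rangerHiveService}) are read once from
 * {@code applicationContext.properties} on the classpath. Every method returns whatever
 * {@link HttpClientUtil} returns for the request (presumably the response body; not verifiable
 * from this class).
 *
 * <p>Request bodies are serialized with fastjson rather than assembled by string concatenation,
 * and caller-supplied names are percent-encoded before being placed in a URL path, so a user
 * name, password or table name containing quotes, slashes or query characters cannot alter the
 * JSON structure or the request path.
 */
public class RangerUtil {

	private static final Logger LOG = Logger.getLogger(RangerUtil.class.getName());

	/** Classpath resource holding the {@code multi.ranger*} settings read by the static initializer. */
	private static final String CONFIG_RESOURCE = "applicationContext.properties";

	/** Body the by-name policy lookup returns when the policy does not exist (as the original author observed). */
	private static final String NOT_FOUND = "Not found";

	/** Access types granted by {@link #createHivePolice}: full ownership of the database. */
	private static final String[] OWNER_ACCESSES = {
			"select", "update", "create", "drop", "alter", "index", "lock", "all",
			"read", "write", "repladmin", "serviceadmin", "tempudfadmin"};

	/** Access types granted by {@link #createAuthUserTable}: read-only on the listed tables. */
	private static final String[] READ_ONLY_ACCESSES = {"select", "read"};

	/**
	 * Value written to every policy item's {@code delegateAdmin}. In Ranger, users named in an
	 * item with delegateAdmin=true may edit that policy themselves. The original code set it for
	 * the read-only table grant as well. NOTE(review): confirm that is intended before relying on
	 * these grants being strictly read-only.
	 */
	private static final boolean DELEGATE_ADMIN = true;

	// Placeholder values; the static initializer overrides them from CONFIG_RESOURCE when the keys exist.
	private static String rangerUrl = "rangeUrl";
	private static String rangerUserName = "rangeUserName";
	private static String rangerPassword = "rangePassword";
	private static String hiveService = "active_hive";

	static {
		Properties p = new Properties();
		// try-with-resources skips a null resource, so the missing-file case needs no separate close.
		try (InputStream in = RangerUtil.class.getClassLoader().getResourceAsStream(CONFIG_RESOURCE)) {
			if (in == null) {
				LOG.warning(CONFIG_RESOURCE + " not found on classpath; keeping placeholder Ranger settings");
			} else {
				p.load(in);
			}
		} catch (IOException e) {
			LOG.log(Level.WARNING, "Could not read " + CONFIG_RESOURCE + "; keeping placeholder Ranger settings", e);
		}
		// Fall back to the placeholders instead of overwriting them with null when a key is absent;
		// a null base URL would otherwise turn into the literal prefix "null" in every request.
		rangerUrl = withTrailingSlash(p.getProperty("multi.rangerUrl", rangerUrl));
		rangerUserName = p.getProperty("multi.rangerUserName", rangerUserName);
		rangerPassword = p.getProperty("multi.rangerPassword", rangerPassword);
		hiveService = p.getProperty("multi.rangerHiveService", hiveService);
	}

	/**
	 * Looks up a Ranger user by name.
	 *
	 * @param userName login name to look up; percent-encoded before use in the path
	 * @return the result of the GET request as returned by {@link HttpClientUtil}
	 */
	public static String getUser(String userName) {
		String url = rangerUrl + "service/xusers/users/userName/" + pathSegment(userName);
		return HttpClientUtil.doGet(url, rangerUserName, rangerPassword);
	}

	/**
	 * Creates a Ranger user with the {@code ROLE_USER} role.
	 *
	 * @param userName login name of the new user
	 * @param password initial password; sent in the JSON body and never logged here
	 * @return the result of the POST request as returned by {@link HttpClientUtil}
	 */
	public static String createUser(String userName, String password) {
		JSONObject user = new JSONObject(true);
		user.put("name", userName);
		user.put("password", password);
		user.put("userRoleList", singleValueArray("ROLE_USER"));
		return HttpClientUtil.doPostJson(rangerUrl + "service/xusers/secure/users", user.toJSONString(),
				rangerUserName, rangerPassword);
	}

	/**
	 * Creates a policy named {@code <hivedb>_<userName>_owner} that grants {@code userName}
	 * every Hive access type (see {@link #OWNER_ACCESSES}) on all tables and columns of
	 * {@code hivedb}.
	 *
	 * @param userName user to grant ownership to
	 * @param hivedb Hive database the policy covers
	 * @return the result of the POST request as returned by {@link HttpClientUtil}
	 * @throws IOException kept for signature compatibility with callers
	 */
	public static String createHivePolice(String userName, String hivedb) throws IOException {
		String policeName = hivedb + "_" + userName + "_owner";
		String policeDescription = "Policy for " + hivedb + " - database, table, column";
		String body = policyJson(policeName, policeDescription, hivedb, "*", userName, OWNER_ACCESSES);
		return HttpClientUtil.doPostJson(rangerUrl + "service/plugins/policies", body, rangerUserName, rangerPassword);
	}

	/**
	 * Downloads all active policies of the configured Hive service.
	 *
	 * @return the result of the GET request as returned by {@link HttpClientUtil}
	 */
	public static String getAllPolicies() {
		String url = rangerUrl + "service/plugins/policies/download/" + hiveService;
		return HttpClientUtil.doGet(url, rangerUserName, rangerPassword);
	}

	/**
	 * Grants {@code userName} read-only access to {@code hivedb.tableName}.
	 *
	 * <p>If the per-user policy {@code <hivedb>_authorize_<userName>} does not exist yet it is
	 * created via {@link #createAuthUserTable}; otherwise the table is appended to the policy's
	 * table resource and the policy is updated. If the table is already listed the existing
	 * policy is returned unchanged.
	 *
	 * @param userName user to authorize
	 * @param hivedb Hive database containing the table
	 * @param tableName table to add to the grant
	 * @return the existing policy JSON when nothing changed, otherwise the create/update result
	 * @throws IOException kept for signature compatibility with callers
	 * @throws IllegalStateException if the fetched policy carries no {@code id}
	 */
	public static String updateAuthUserTable(String userName, String hivedb, String tableName) throws IOException {
		String existing = getPoliciesByName(authPolicyName(userName, hivedb));
		if (isMissing(existing)) {
			return createAuthUserTable(userName, hivedb, tableName);
		}

		JSONObject policy = JSONObject.parseObject(existing);
		JSONObject table = policy.getJSONObject("resources").getJSONObject("table");
		JSONArray values = table.getJSONArray("values");
		if (values.contains(tableName)) {
			// Already granted; nothing to send.
			return existing;
		}
		values.add(tableName);
		table.put("values", values);
		return updatePoliciesById(policyId(policy), policy.toJSONString());
	}

	/**
	 * Revokes {@code userName}'s read-only access to {@code hivedb.tableName}.
	 *
	 * <p>The table is removed from the per-user policy {@code <hivedb>_authorize_<userName>}.
	 * When it was the last table, the whole policy is deleted instead of leaving an empty
	 * resource list behind. If the policy or the table grant does not exist nothing is sent.
	 *
	 * @param userName user whose grant is revoked
	 * @param hivedb Hive database containing the table
	 * @param tableName table to remove from the grant
	 * @return the update result when the policy was updated, otherwise an empty string
	 *         (including after a delete, matching the original behaviour)
	 * @throws IOException kept for signature compatibility with callers
	 * @throws IllegalStateException if the fetched policy carries no {@code id}
	 */
	public static String removeAuthUserTable(String userName, String hivedb, String tableName) throws IOException {
		String existing = getPoliciesByName(authPolicyName(userName, hivedb));
		if (isMissing(existing)) {
			return "";
		}

		JSONObject policy = JSONObject.parseObject(existing);
		JSONObject table = policy.getJSONObject("resources").getJSONObject("table");
		JSONArray values = table.getJSONArray("values");
		LOG.fine("Authorized tables before revoke: " + values);
		if (!values.contains(tableName)) {
			return "";
		}

		values.remove(tableName);
		long id = policyId(policy);
		if (values.isEmpty()) {
			// Last table gone: drop the policy rather than keep one that matches nothing.
			LOG.fine("Deleting policy " + id);
			deletePoliciesById(id);
			return "";
		}
		table.put("values", values);
		LOG.fine("Updating policy " + id);
		return updatePoliciesById(id, policy.toJSONString());
	}

	/**
	 * Creates the per-user policy {@code <hivedb>_authorize_<userName>} granting read-only access
	 * (see {@link #READ_ONLY_ACCESSES}) on all columns of {@code hivedb.tableName}.
	 *
	 * @param userName user to authorize
	 * @param hivedb Hive database containing the table
	 * @param tableName first table covered by the new policy
	 * @return the result of the POST request as returned by {@link HttpClientUtil}
	 * @throws IOException kept for signature compatibility with callers
	 */
	public static String createAuthUserTable(String userName, String hivedb, String tableName) throws IOException {
		String policeName = authPolicyName(userName, hivedb);
		String policeDescription = "Policy for some tables in" + hivedb + " To " + userName;
		String body = policyJson(policeName, policeDescription, hivedb, tableName, userName, READ_ONLY_ACCESSES);
		return HttpClientUtil.doPostJson(rangerUrl + "service/plugins/policies", body, rangerUserName, rangerPassword);
	}

	/**
	 * Fetches a policy of the configured Hive service by name.
	 *
	 * @param policeName policy name; percent-encoded before use in the path
	 * @return the result of the GET request as returned by {@link HttpClientUtil}
	 */
	public static String getPoliciesByName(String policeName) {
		// hiveService comes from operator configuration, not from callers, so it is used as-is.
		String url = rangerUrl + "service/public/v2/api/service/" + hiveService + "/policy/" + pathSegment(policeName);
		return HttpClientUtil.doGet(url, rangerUserName, rangerPassword);
	}

	/**
	 * Deletes a policy by its numeric id.
	 *
	 * @param id Ranger policy id
	 * @return the result of the DELETE request as returned by {@link HttpClientUtil}
	 */
	public static String deletePoliciesById(long id) {
		String url = rangerUrl + "service/public/v2/api/policy/" + id;
		return HttpClientUtil.doDelete(url, rangerUserName, rangerPassword);
	}

	/**
	 * Replaces a policy by its numeric id.
	 *
	 * @param id Ranger policy id
	 * @param jsonStr complete policy JSON to store
	 * @return the result of the PUT request as returned by {@link HttpClientUtil}
	 */
	public static String updatePoliciesById(long id, String jsonStr) {
		String url = rangerUrl + "service/public/v2/api/policy/" + id;
		return HttpClientUtil.doPut(url, jsonStr, rangerUserName, rangerPassword);
	}

	/** Name of the per-user read-only policy for a database. */
	private static String authPolicyName(String userName, String hivedb) {
		return hivedb + "_authorize_" + userName;
	}

	/** True when a by-name lookup yielded no policy: empty/null body or Ranger's "Not found". */
	private static boolean isMissing(String lookupResult) {
		return StringUtils.isEmpty(lookupResult) || NOT_FOUND.equals(lookupResult);
	}

	/**
	 * Reads the numeric id of a fetched policy.
	 *
	 * @throws IllegalStateException when the JSON has no {@code id} (would otherwise surface as an
	 *         unboxing NullPointerException far from the cause)
	 */
	private static long policyId(JSONObject policy) {
		Long id = policy.getLong("id");
		if (id == null) {
			throw new IllegalStateException("Ranger policy response has no id: " + policy.getString("name"));
		}
		return id;
	}

	/** Ensures the base URL ends with '/', since every request appends a relative path to it. */
	private static String withTrailingSlash(String url) {
		if (url == null || url.isEmpty() || url.endsWith("/")) {
			return url;
		}
		return url + "/";
	}

	/**
	 * Percent-encodes one URL path segment so a caller-supplied name cannot add path components
	 * or a query string to the request. {@code null} encodes as the text "null", matching what
	 * plain concatenation produced.
	 */
	private static String pathSegment(String value) {
		try {
			// URLEncoder is form-encoding: it spells a space as '+', which a path segment must write as %20.
			return URLEncoder.encode(String.valueOf(value), StandardCharsets.UTF_8.name()).replace("+", "%20");
		} catch (UnsupportedEncodingException e) {
			throw new IllegalStateException("UTF-8 is required by the JVM specification", e);
		}
	}

	/**
	 * Builds the JSON body for a Hive resource policy with one allow item.
	 *
	 * @param name policy name
	 * @param description policy description
	 * @param hivedb database resource value
	 * @param tableValue table resource value ({@code "*"} for all tables, or one table name)
	 * @param userName sole user of the policy item
	 * @param accesses access types to allow
	 */
	private static String policyJson(String name, String description, String hivedb,
			String tableValue, String userName, String[] accesses) {
		// Ordered JSONObject keeps the field order of the original hand-written body.
		JSONObject policy = new JSONObject(true);
		policy.put("isEnabled", true);
		policy.put("version", 1);
		policy.put("service", hiveService);
		policy.put("name", name);
		policy.put("policyType", 0);
		policy.put("policyPriority", 0);
		policy.put("description", description);
		policy.put("isAuditEnabled", true);

		JSONObject resources = new JSONObject(true);
		resources.put("database", resource(hivedb));
		resources.put("column", resource("*"));
		resources.put("table", resource(tableValue));
		policy.put("resources", resources);

		JSONArray accessList = new JSONArray();
		for (String type : accesses) {
			JSONObject access = new JSONObject(true);
			access.put("type", type);
			access.put("isAllowed", true);
			accessList.add(access);
		}
		JSONObject item = new JSONObject(true);
		item.put("accesses", accessList);
		item.put("users", singleValueArray(userName));
		item.put("groups", new JSONArray());
		item.put("conditions", new JSONArray());
		item.put("delegateAdmin", DELEGATE_ADMIN);
		JSONArray items = new JSONArray();
		items.add(item);
		policy.put("policyItems", items);

		policy.put("denyPolicyItems", new JSONArray());
		policy.put("allowExceptions", new JSONArray());
		policy.put("denyExceptions", new JSONArray());
		policy.put("dataMaskPolicyItems", new JSONArray());
		policy.put("rowFilterPolicyItems", new JSONArray());
		policy.put("options", new JSONObject());
		policy.put("validitySchedules", new JSONArray());
		policy.put("policyLabels", singleValueArray(""));
		return policy.toJSONString();
	}

	/** One non-excluding, non-recursive Ranger resource with a single value. */
	private static JSONObject resource(String value) {
		JSONObject r = new JSONObject(true);
		r.put("values", singleValueArray(value));
		r.put("isExcludes", false);
		r.put("isRecursive", false);
		return r;
	}

	/** A JSON array holding exactly {@code value}. */
	private static JSONArray singleValueArray(String value) {
		JSONArray a = new JSONArray();
		a.add(value);
		return a;
	}

}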


Origin blog.csdn.net/flash_love/article/details/131759917