ranger cache
ranger cache 就是把策略缓存在大数据组件 (ranger plugin 所在) 的服务器上, plugin 鉴权时不用再去访问 ranger admin, 难怪速度可以满足要求.
cache
- policy 默认每 30s 轮询更新一次 (见下一行 pollIntervalMs 的默认值), 因此策略变更 (包括收回权限) 在 plugin 侧最长可能要等一个轮询周期才生效.
this.pollingIntervalMs = pluginConfig.getLong(propertyPrefix + ".policy.pollIntervalMs", 30 * 1000);
ranger policy cache
顶层有 policyVersion 和 policyUpdateTime 两个字段, 分别标记策略的版本和更新日期, 用于识别是否需要同步.
ranger policy 定义
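关键的 policy 配置. 注意下面这个示例里 database/table/column 的取值都是 `*`, 列出的用户拥有全部 access 类型, 并且 delegateAdmin 为 true (这些用户还可以把权限再委派给别人), 生产环境应按最小权限收紧这类策略.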
其实跟网页版的信息一模一样, 并没有做额外的处理, 整个 ranger 策略配置的网页就是个普通的 CRUD.
{
"service": "tdw_hive",
"name": "all - database, table, column",
"policyType": 0,
"policyPriority": 0,
"description": "Policy for all - database, table, column",
"isAuditEnabled": true,
"resources": {
"database": {
"values": [
"*"
],
"isExcludes": false,
"isRecursive": false
},
"column": {
"values": [
"*"
],
"isExcludes": false,
"isRecursive": false
},
"table": {
"values": [
"*"
],
"isExcludes": false,
"isRecursive": false
}
},
"policyItems": [
{
"accesses": [
{
"type": "select",
"isAllowed": true
},
{
"type": "update",
"isAllowed": true
},
{
"type": "create",
"isAllowed": true
},
{
"type": "drop",
"isAllowed": true
},
{
"type": "alter",
"isAllowed": true
},
{
"type": "index",
"isAllowed": true
},
{
"type": "lock",
"isAllowed": true
},
{
"type": "all",
"isAllowed": true
},
{
"type": "read",
"isAllowed": true
},
{
"type": "write",
"isAllowed": true
},
{
"type": "repladmin",
"isAllowed": true
},
{
"type": "serviceadmin",
"isAllowed": true
},
{
"type": "tempudfadmin",
"isAllowed": true
},
{
"type": "refresh",
"isAllowed": true
}
],
"users": [
"hive"
],
"groups": [],
"roles": [],
"conditions": [],
"delegateAdmin": true
},
{
"accesses": [
{
"type": "all",
"isAllowed": true
},
{
"type": "drop",
"isAllowed": true
},
{
"type": "serviceadmin",
"isAllowed": true
},
{
"type": "select",
"isAllowed": true
},
{
"type": "read",
"isAllowed": true
},
{
"type": "update",
"isAllowed": true
},
{
"type": "create",
"isAllowed": true
},
{
"type": "index",
"isAllowed": true
},
{
"type": "lock",
"isAllowed": true
},
{
"type": "refresh",
"isAllowed": true
},
{
"type": "repladmin",
"isAllowed": true
},
{
"type": "write",
"isAllowed": true
},
{
"type": "alter",
"isAllowed": true
}
],
"users": [
"{OWNER}"
],
"groups": [],
"roles": [],
"conditions": [],
"delegateAdmin": true
},
{
"accesses": [
{
"type": "select",
"isAllowed": true
},
{
"type": "update",
"isAllowed": true
},
{
"type": "create",
"isAllowed": true
},
{
"type": "drop",
"isAllowed": true
},
{
"type": "alter",
"isAllowed": true
},
{
"type": "index",
"isAllowed": true
},
{
"type": "lock",
"isAllowed": true
},
{
"type": "all",
"isAllowed": true
},
{
"type": "read",
"isAllowed": true
},
{
"type": "write",
"isAllowed": true
},
{
"type": "repladmin",
"isAllowed": true
},
{
"type": "serviceadmin",
"isAllowed": true
},
{
"type": "tempudfadmin",
"isAllowed": true
},
{
"type": "refresh",
"isAllowed": true
}
],
"users": [
"ambari-qa",
"admin",
"hive",
"presto",
"hdfs",
"hbase"
],
"groups": [],
"roles": [],
"conditions": [],
"delegateAdmin": true
}
],
"denyPolicyItems": [],
"allowExceptions": [],
"denyExceptions": [],
"dataMaskPolicyItems": [],
"rowFilterPolicyItems": [],
"serviceType": "hive",
"options": {},
"validitySchedules": [],
"policyLabels": [],
"zoneName": "",
"isDenyAllElse": false,
"id": 23,
"guid": "79ebfbd6-aa8a-4746-a84d-57a8652697e3",
"isEnabled": true,
"version": 1
}
ranger service definition
serviceDefinition 部分定义了 service 相关的信息, 比如有什么资源 resources (database/table/column), 有什么权限 accessTypes (read/write/delete 这类; 具体到下面的 hive, 是 select/update/create/drop 等) 等.
"serviceDef": {
"name": "hive",
"displayName": "Hadoop SQL",
"implClass": "org.apache.ranger.services.hive.RangerServiceHive",
"label": "Hive Server2",
"description": "Hive Server2",
"options": {
"enableDenyAndExceptionsInPolicies": "true"
},
"configs": [
{
"itemId": 1,
"name": "username",
"type": "string",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Username"
},
{
"itemId": 2,
"name": "password",
"type": "password",
"mandatory": true,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Password"
},
{
"itemId": 3,
"name": "jdbc.driverClassName",
"type": "string",
"mandatory": true,
"defaultValue": "org.apache.hive.jdbc.HiveDriver",
"validationRegEx": "",
"validationMessage": "",
"uiHint": ""
},
{
"itemId": 4,
"name": "jdbc.url",
"type": "string",
"mandatory": true,
"defaultValue": "",
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{\"TextFieldWithIcon\":true, \"info\": \"1.For Remote Mode, eg.<br>jdbc:hive2://<host>:<port><br>2.For Embedded Mode (no host or port), eg.<br>jdbc:hive2:///;initFile=<file><br>3.For HTTP Mode, eg.<br>jdbc:hive2://<host>:<port>/;<br>transportMode=http;httpPath=<httpPath><br>4.For SSL Mode, eg.<br>jdbc:hive2://<host>:<port>/;ssl=true;<br>sslTrustStore=tStore;trustStorePassword=pw<br>5.For ZooKeeper Mode, eg.<br>jdbc:hive2://<host>/;serviceDiscoveryMode=<br>zooKeeper;zooKeeperNamespace=hiveserver2<br>6.For Kerberos Mode, eg.<br>jdbc:hive2://<host>:<port>/;<br>principal=hive/domain@EXAMPLE.COM<br>\"}"
},
{
"itemId": 5,
"name": "commonNameForCertificate",
"type": "string",
"mandatory": false,
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Common Name for Certificate"
}
],
"resources": [
{
"itemId": 1,
"name": "database",
"type": "string",
"level": 10,
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": true,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Hive Database",
"description": "Hive Database",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 5,
"name": "url",
"type": "string",
"level": 10,
"mandatory": true,
"lookupSupported": false,
"recursiveSupported": true,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerURLResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "false"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "URL",
"description": "URL",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 6,
"name": "hiveservice",
"type": "string",
"level": 10,
"mandatory": true,
"lookupSupported": false,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "false"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Hive Service",
"description": "Hive Service",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 7,
"name": "global",
"type": "string",
"level": 10,
"mandatory": false,
"lookupSupported": false,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "false"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Global",
"description": "Global",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 2,
"name": "table",
"type": "string",
"level": 20,
"parent": "database",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": true,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Hive Table",
"description": "Hive Table",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 3,
"name": "udf",
"type": "string",
"level": 20,
"parent": "database",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": true,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Hive UDF",
"description": "Hive UDF",
"accessTypeRestrictions": [],
"isValidLeaf": true
},
{
"itemId": 4,
"name": "column",
"type": "string",
"level": 30,
"parent": "table",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": true,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "true",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "",
"label": "Hive Column",
"description": "Hive Column",
"accessTypeRestrictions": [],
"isValidLeaf": true
}
],
"accessTypes": [
{
"itemId": 1,
"name": "select",
"label": "select",
"impliedGrants": []
},
{
"itemId": 2,
"name": "update",
"label": "update",
"impliedGrants": []
},
{
"itemId": 3,
"name": "create",
"label": "Create",
"impliedGrants": []
},
{
"itemId": 4,
"name": "drop",
"label": "Drop",
"impliedGrants": []
},
{
"itemId": 5,
"name": "alter",
"label": "Alter",
"impliedGrants": []
},
{
"itemId": 6,
"name": "index",
"label": "Index",
"impliedGrants": []
},
{
"itemId": 7,
"name": "lock",
"label": "Lock",
"impliedGrants": []
},
{
"itemId": 8,
"name": "all",
"label": "All",
"impliedGrants": [
"select",
"update",
"create",
"drop",
"alter",
"index",
"lock",
"read",
"write",
"repladmin",
"serviceadmin",
"refresh"
]
},
{
"itemId": 9,
"name": "read",
"label": "Read",
"impliedGrants": []
},
{
"itemId": 10,
"name": "write",
"label": "Write",
"impliedGrants": []
},
{
"itemId": 11,
"name": "repladmin",
"label": "ReplAdmin",
"impliedGrants": []
},
{
"itemId": 12,
"name": "serviceadmin",
"label": "Service Admin",
"impliedGrants": []
},
{
"itemId": 13,
"name": "tempudfadmin",
"label": "Temporary UDF Admin",
"impliedGrants": []
},
{
"itemId": 14,
"name": "refresh",
"label": "Refresh",
"impliedGrants": []
}
],
"policyConditions": [],
"contextEnrichers": [],
"enums": [],
"dataMaskDef": {
"maskTypes": [
{
"itemId": 1,
"name": "MASK",
"label": "Redact",
"description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
"transformer": "mask({col})",
"dataMaskOptions": {}
},
{
"itemId": 2,
"name": "MASK_SHOW_LAST_4",
"label": "Partial mask: show last 4",
"description": "Show last 4 characters; replace rest with 'x'",
"transformer": "mask_show_last_n({col}, 4, 'x', 'x', 'x', -1, '1')",
"dataMaskOptions": {}
},
{
"itemId": 3,
"name": "MASK_SHOW_FIRST_4",
"label": "Partial mask: show first 4",
"description": "Show first 4 characters; replace rest with 'x'",
"transformer": "mask_show_first_n({col}, 4, 'x', 'x', 'x', -1, '1')",
"dataMaskOptions": {}
},
{
"itemId": 4,
"name": "MASK_HASH",
"label": "Hash",
"description": "Hash the value",
"transformer": "mask_hash({col})",
"dataMaskOptions": {}
},
{
"itemId": 5,
"name": "MASK_NULL",
"label": "Nullify",
"description": "Replace with NULL",
"dataMaskOptions": {}
},
{
"itemId": 6,
"name": "MASK_NONE",
"label": "Unmasked (retain original value)",
"description": "No masking",
"dataMaskOptions": {}
},
{
"itemId": 12,
"name": "MASK_DATE_SHOW_YEAR",
"label": "Date: show only year",
"description": "Date: show only year",
"transformer": "mask({col}, 'x', 'x', 'x', -1, '1', 1, 0, -1)",
"dataMaskOptions": {}
},
{
"itemId": 13,
"name": "CUSTOM",
"label": "Custom",
"description": "Custom",
"dataMaskOptions": {}
}
],
"accessTypes": [
{
"itemId": 1,
"name": "select",
"label": "select",
"impliedGrants": []
}
],
"resources": [
{
"itemId": 1,
"name": "database",
"type": "string",
"level": 10,
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "false",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{ \"singleValue\":true }",
"label": "Hive Database",
"description": "Hive Database",
"accessTypeRestrictions": [],
"isValidLeaf": false
},
{
"itemId": 2,
"name": "table",
"type": "string",
"level": 20,
"parent": "database",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "false",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{ \"singleValue\":true }",
"label": "Hive Table",
"description": "Hive Table",
"accessTypeRestrictions": [],
"isValidLeaf": false
},
{
"itemId": 4,
"name": "column",
"type": "string",
"level": 30,
"parent": "table",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "false",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{ \"singleValue\":true }",
"label": "Hive Column",
"description": "Hive Column",
"accessTypeRestrictions": [],
"isValidLeaf": true
}
]
},
"rowFilterDef": {
"accessTypes": [
{
"itemId": 1,
"name": "select",
"label": "select",
"impliedGrants": []
}
],
"resources": [
{
"itemId": 1,
"name": "database",
"type": "string",
"level": 10,
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "false",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{ \"singleValue\":true }",
"label": "Hive Database",
"description": "Hive Database",
"accessTypeRestrictions": [],
"isValidLeaf": false
},
{
"itemId": 2,
"name": "table",
"type": "string",
"level": 20,
"parent": "database",
"mandatory": true,
"lookupSupported": true,
"recursiveSupported": false,
"excludesSupported": false,
"matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
"matcherOptions": {
"wildCard": "false",
"ignoreCase": "true"
},
"validationRegEx": "",
"validationMessage": "",
"uiHint": "{ \"singleValue\":true }",
"label": "Hive Table",
"description": "Hive Table",
"accessTypeRestrictions": [],
"isValidLeaf": true
}
]
},
"id": 3,
"guid": "3e1afb5a-184a-4e82-9d9c-87a5cacc243c",
"isEnabled": true,
"createTime": "20230630-21:36:43.000-+0800",
"updateTime": "20230630-21:36:43.000-+0800",
"version": 1
}