自定义Ranger插件 Zeppelin集成Ranger方案 (非LDAP模式)

已于 2023-02-21 17:32:07 修改
阅读量1.7k 收藏 12
点赞数 6
分类专栏: 大数据平台-日常运维 文章标签: zeppelin集成 shiro 大数据
于 2021-04-23 16:02:08 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/EdwardWong_/article/details/116044348
版权

序:

最近项目需求要用Ranger把Zeppelin管起来,之前聊过使用LDAP的模式,这次我们说说不使用LDAP,通过开发Ranger插件的方式将Zeppelin和Ranger继承起来

目录

序:

一、Zeppelin权限部分分析

1、zeppelin-note权限分析

2、zeppelin-shiro权限分析

二、shiro权限原理分析及Ranger原理分析

1、shiro认证授权原理

2、Ranger认证授权原理

三、自定义Ranger插件

1、编写shiroService

 2、编写资源json文件

 3、编写Ranger授权类

四、自定义Shiro拦截器(RangerFilter)

五、测试

一、Zeppelin权限部分分析

由官方文档可知,zeppelin权限是使用shiro接管的,认证、授权默认使用的shiro的textRealm,同时还支持LDAPRealm、PamRealm、JDBCRealm等其他Realm。

Zeppelin中的权限有两个大模块,一方面是note粒度的权限,另一方面是菜单权限粒度,解释器配置页面的访问权限、版本控制页面的访问权限以及其他一些页面url的拦截。

1、zeppelin-note权限分析

对于note粒度的权限,划分为可读可写可执行,配置的方式目前有两种:页面配置和RESTApi设置,如下图:

源码中实现过程是在org.apache.zeppelin.service.NotebookService类中,所有的note操作都要经过org.apache.zeppelin.service.NotebookService.checkPermission()方法来鉴权

  enum Permission {
    READER,
    WRITER,
    RUNNER,
    OWNER,
  }

  /**
   * Return null when it is allowed, otherwise return the error message which could be
   * propagated to frontend
   *
   * @param noteId
   * @param context
   * @param permission
   * @param op
   * @return
   */
  private <T> boolean checkPermission(String noteId,
                                      Permission permission,
                                      Message.OP op,
                                      ServiceContext context,
                                      ServiceCallback<T> callback) throws IOException {
    boolean isAllowed = false;
    Set<String> allowed = null;
    switch (permission) {
      case READER:
        isAllowed = authorizationService.isReader(noteId, context.getUserAndRoles());
        allowed = authorizationService.getReaders(noteId);
        break;
      case WRITER:
        isAllowed = authorizationService.isWriter(noteId, context.getUserAndRoles());
        allowed = authorizationService.getWriters(noteId);
        break;
      case RUNNER:
        isAllowed = authorizationService.isRunner(noteId, context.getUserAndRoles());
        allowed = authorizationService.getRunners(noteId);
        break;
      case OWNER:
        isAllowed = authorizationService.isOwner(noteId, context.getUserAndRoles());
        allowed = authorizationService.getOwners(noteId);
        break;
    }
    if (isAllowed) {
      return true;
    } else {
      String errorMsg = "Insufficient privileges to " + permission + " note.\n" +
          "Allowed users or roles: " + allowed + "\n" + "But the user " +
          context.getAutheInfo().getUser() + " belongs to: " + context.getUserAndRoles();
      callback.onFailure(new ForbiddenException(errorMsg), context);
      return false;
    }
  }

2、zeppelin-shiro权限分析

zeppelin默认使用shiro.ini的方式来配置权限,它还支持从LDAP和其他Realm同步用户  zeppelin集成LDAP https://blog.csdn.net/EdwardWong_/article/details/115401467 

我们在shiro中配置好的url,最终都会走org.apache.shiro.web.filter.authz.RolesAuthorizationFilter.isAccessAllowed()方法来处理,处理原理此处不细说,如果我们想使用Ranger来处理权限,此处是着手之处



package org.apache.shiro.web.filter.authz;

import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.CollectionUtils;

// shiro 源码
public class RolesAuthorizationFilter extends AuthorizationFilter {
    public RolesAuthorizationFilter() {
    }

    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws IOException {
        Subject subject = this.getSubject(request, response);
        String[] rolesArray = (String[])mappedValue;
        if (rolesArray != null && rolesArray.length != 0) {
            Set<String> roles = CollectionUtils.asSet(rolesArray);
            return subject.hasAllRoles(roles);
        } else {
            return true;
        }
    }
}

二、shiro权限原理分析及Ranger原理分析

1、shiro认证授权原理

// Todo...

2、Ranger认证授权原理

// Todo...

对于note粒度的权限,如果我们使用Ranger来鉴权,对zeppelin源码入侵性过大,后续zeppelin官方的升级适配和其他一些问题过于繁琐,所以再三思考过后决定先实现菜单权限层面的Ranger管控

三、自定义Ranger插件

官方给出了一些案例,阅读完后感觉一言难尽,了解到一些大概的流程,但是对于开发自定义插件帮助实在有限,于是一边借鉴其他官方Ranger插件的代码,一遍捋Ranger源码,最后终于开发成功。

ranger插件包层次如下

1、编写shiroService

pom文件如下:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <parent>
        <artifactId>ranger</artifactId>
        <groupId>org.apache.ranger</groupId>
        <version>2.0.0</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>

    <artifactId>ranger-shiro-plugin</artifactId>

    <dependencies>
        <!-- Apache Shiro -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.7.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>1.7.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-config-core</artifactId>
            <version>1.7.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ranger</groupId>
            <artifactId>ranger-plugins-common</artifactId>
            <version>2.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ranger</groupId>
            <artifactId>ranger-plugins-audit</artifactId>
            <version>2.0.0</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ranger</groupId>
            <artifactId>credentialbuilder</artifactId>
            <version>2.0.0</version>
        </dependency>



    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-shade-plugin</artifactId>
                <version>2.3</version>
                <executions>
                    <execution>
                        <phase>package</phase>
                        <goals>
                            <goal>shade</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>


        </plugins>

    </build>
</project>

首先编写RangerService类,需要继承RangerBaseService类,并实现init()、validateConfig()、lookupResource方法。validateConfig()方法是对参数的验证方法,会对在RangerWeb界面上配置的zeppelin参数进行认证。lookResource方法是RangerWeb的一个自动补全参数方法,代码如下

package org.apache.ranger.services.shiro;

import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.model.RangerService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.service.RangerBaseService;
import org.apache.ranger.plugin.service.ResourceLookupContext;

import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * @author Edwards Wang
 * @version 2021/4/13 下午5:39
 * describe:
 */
public class RangerServiceShiroTest extends RangerBaseService {

    @Override
    public void init(RangerServiceDef serviceDef, RangerService service) {
        super.init(serviceDef, service);
    }

    @Override
    public Map<String, Object> validateConfig() throws Exception {
        String errMes = "Failed,cannot connext to the zeppelin Service";
        String successMes = "Connection Success";
        Map<String, Object> map = new HashMap<>();
        if (!configs.containsKey("interpreterPage")){
            BaseClient.generateResponseDataMap(false,errMes,errMes,null,null,map);
        }else {
            BaseClient.generateResponseDataMap(true,successMes,successMes,null,null,map);
        }
        return map;
    }

    @Override
    public List<String> lookupResource(ResourceLookupContext context) throws Exception {
        return null;
    }

}

 2、编写资源json文件

我们要对我们的插件有一个描述文件,文件要放在agents-common/src/main/resources/service-defs/路径下

首先是对插件的描述,需要有id、name、类路径、标签和描述

  "id":29,
  "name": "shiroTest2",
  "implClass": "org.apache.ranger.services.shiro.RangerServiceShiroTest",
  "label": "SHIRO Repository",
  "description": "SHIRO Repository",
  "resources":

 然后是对我们插件要管控的资源的描述

{
      "itemId": 1,
      "name": "path",
      "type": "path",
      "level": 10,
      "parent": "",
      "mandatory": true,
      "lookupSupported": true,
      "recursiveSupported": true,
      "excludesSupported": false,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
      "matcherOptions": { "wildCard":true, "ignoreCase":false },
      "validationRegEx":"",
      "validationMessage": "",
      "uiHint":"",
      "label": "url",
      "description": "url"
    }

然后是对权限的设置,这里只开启了一个权限get(此get和http请求无关,只是是否可以访问) 

   {
      "itemId": 1,
      "name": "get",
      "label": "get"
    }

完整的文件内容如下

{
  "id":29,
  "name": "shiroTest2",
  "implClass": "org.apache.ranger.services.shiro.RangerServiceShiroTest",
  "label": "SHIRO Repository",
  "description": "SHIRO Repository",
  "resources":
  [
    {
      "itemId": 1,
      "name": "path",
      "type": "path",
      "level": 10,
      "parent": "",
      "mandatory": true,
      "lookupSupported": true,
      "recursiveSupported": true,
      "excludesSupported": false,
      "matcher": "org.apache.ranger.plugin.resourcematcher.RangerPathResourceMatcher",
      "matcherOptions": { "wildCard":true, "ignoreCase":false },
      "validationRegEx":"",
      "validationMessage": "",
      "uiHint":"",
      "label": "url",
      "description": "url"
    }
  ],

  "accessTypes":
  [
    {
      "itemId": 1,
      "name": "get",
      "label": "get"
    }
  ],
  "configs":
  [
    {
      "itemId": 1,
      "name": "interpreterPage",
      "type": "string",
      "subType": "",
      "mandatory": true,
      "validationRegEx":"",
      "validationMessage": "",
      "uiHint":"",
      "label": "interpreterPage"
    }
  ]
}

 在完成service和资源文件后,需要执行命令将我们的插件加载进Ranger,命令如下:

curl -u admin:admin -X POST -H "Accept: application/json" -H "Content-Type: application/json" –d @ranger-servicedef-shiro.json 'http://localhost:6080/service/public/v2/api/servicedef'

然后需要重启RangerAdmin,接下来打开RangerWeb界面就能看到我们的插件了

 3、编写Ranger授权类

我们的RangerShiroAuthorizer要继承shiro的org.apache.shiro.web.filter.authz.AuthorizationFilter类,并实现isAccessAllowed方法

package org.apache.ranger.authorization.shiro.authorizer;

import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * @author Edwards Wang
 * @version 2021/4/13 下午2:16
 * describe:
 */
public class RangerShiroAuthorizer extends AuthorizationFilter {
    public RangerShiroAuthorizer() {
    }

    @Override
    public boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        Subject subject = getSubject(request,response);
        // 获取用户
        String userName = (String) subject.getPrincipal();

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        // 获取要拦截的url
        StringBuffer url = httpServletRequest.getRequestURL();

        RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
        resource.setValue("path",url.toString());

        RangerAccessRequestImpl rangerAccessRequest = new RangerAccessRequestImpl(resource,"get",userName,null);
        // 此处的名字要和json文件中定义的name插件名一致
        RangerBasePlugin rangerBasePlugin = new RangerBasePlugin("shiroTest2", "shiroTest2");
        rangerBasePlugin.setResultProcessor(new RangerDefaultAuditHandler());
        rangerBasePlugin.init();
        // 将权限交由Ranger来审核,返回boolean的值再交给shiro
        RangerAccessResult result = rangerBasePlugin.isAccessAllowed(rangerAccessRequest);

        return result != null && result.getIsAllowed();
    }
}

4、编写audit文件和security文件,我们要将这两个文件放在插件包的resource路径下:

首先是ranger-shiroTest2-audit.xml

<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
    <!-- DB audit provider configuration -->
    <property>
        <name>xasecure.audit.destination.db</name>
        <value>false</value>
    </property>

    <property>
        <name>xasecure.audit.destination.db.jdbc.driver</name>
        <value>com.mysql.jdbc.Driver</value>
    </property>

    <property>
        <name>xasecure.audit.destination.db.jdbc.url</name>
        <value>jdbc:mysql://localhost/ranger_audit</value>
    </property>

    <property>
        <name>xasecure.audit.destination.db.password</name>
        <value>rangerlogger</value>
    </property>

    <property>
        <name>xasecure.audit.destination.db.user</name>
        <value>rangerlogger</value>
    </property>

    <property>
        <name>xasecure.audit.destination.db.batch.filespool.dir</name>
        <value>/tmp/audit/db/spool</value>
    </property>


    <!-- HDFS audit provider configuration -->
    <property>
        <name>xasecure.audit.destination.hdfs</name>
        <value>false</value>
    </property>

    <property>
        <name>xasecure.audit.destination.hdfs.dir</name>
        <value>hdfs://localhost:8020/ranger/audit</value>
    </property>

    <property>
        <name>xasecure.audit.destination.hdfs.batch.filespool.dir</name>
        <value>/tmp/audit/hdfs/spool</value>
    </property>


    <!-- Log4j audit provider configuration -->
    <property>
        <name>xasecure.audit.destination.log4j</name>
        <value>true</value>
    </property>

    <property>
        <name>xasecure.audit.destination.log4j.logger</name>
        <value>ranger_audit_logger</value>
    </property>
</configuration>

 然后是ranger-shiroTest2-security.xml

有一个属性,需要特别注意。 这就是名为ranger.plugin.httpservice.service.name的属性。 此属性的值必须与您在Ranger UI中使用的服务名称相同。

<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
    <property>
        <name>ranger.plugin.shiroTest2.policy.rest.url</name>
        <value>http://192.168.101.48:6080</value>
        <description>
            URL to Ranger Admin
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.service.name</name>
        <value>MyService</value>
        <description>
            Name of the Ranger service containing policies for this shiroTest2 instance
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.source.impl</name>
        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
        <description>
            Class to retrieve policies from the source
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.rest.ssl.config.file</name>
        <value>ranger-policymgr-ssl.xml</value>
        <description>
            Path to the file containing SSL details to contact Ranger Admin
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.pollIntervalMs</name>
        <value>30000</value>
        <description>
            How often to poll for changes in policies?
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.cache.dir</name>
        <value>/tmp</value>
        <description>
            Directory where Ranger policies are cached after successful retrieval from the source
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.rest.client.connection.timeoutMs</name>
        <value>120000</value>
        <description>
            RangerRestClient Connection Timeout in Milli Seconds
        </description>
    </property>

    <property>
        <name>ranger.plugin.shiroTest2.policy.rest.client.read.timeoutMs</name>
        <value>30000</value>
        <description>
            RangerRestClient read Timeout in Milli Seconds
        </description>
    </property>
</configuration>

然后打包。接下来开始写shiro拦截器部分 

四、自定义Shiro拦截器(RangerFilter)

在zeppelin的zeppelin-server/src/main/java/org/apache/zeppelin下新建一个filter包,在filter包下新建一个shiro拦截器:RangerFilter,继承org.apache.shiro.web.filter.authz.AuthorizationFilter方法,实现isAccessAllowed方法,在方法里直接调用我们ranger插件包内的isAccessAllowed方法

package org.apache.zeppelin.filter;


import org.apache.ranger.authorization.shiro.authorizer.RangerShiroAuthorizer;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

/**
 * @author Edwards Wang
 * @version 2021/4/20 下午2:30
 * describe:
 */
public class RangerFilter extends AuthorizationFilter {
    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception {
        return new RangerShiroAuthorizer().isAccessAllowed(request,response,mappedValue);
    }
}

然后修改shiro.ini文件,在[main]模块下新增条目

[main]
rangerFilter = org.apache.zeppelin.filter.RangerFilter

在[url]模块下修改条目,此处只以解释器页面为例

[urls]
/api/version = anon
/api/cluster/address = anon
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, rangerFilter

 完整的shiro.ini文件如下

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

[users]
# List of users with their password allowed to access Zeppelin.
# To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
# To enable admin user, uncomment the following line and set an appropriate password.
#admin = password1, admin
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2

# Sample LDAP configuration, for user Authentication, currently tested for single Realm
[main]
### A sample for configuring Active Directory Realm
#activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm
#activeDirectoryRealm.systemUsername = userNameA

#use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html
#activeDirectoryRealm.systemPassword = passwordA
#activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks
#activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
#activeDirectoryRealm.url = ldap://ldap.test.com:389
#activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
#activeDirectoryRealm.authorizationCachingEnabled = false

### A sample for configuring LDAP Directory Realm
#ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
## search base for ldap groups (only relevant for LdapGroupRealm):
#ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
#ldapRealm.contextFactory.url = ldap://ldap.test.com:389
#ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
#ldapRealm.contextFactory.authenticationMechanism = simple

### A sample PAM configuration
#pamRealm=org.apache.zeppelin.realm.PamRealm
#pamRealm.service=sshd

### A sample for configuring ZeppelinHub Realm
#zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm
## Url of ZeppelinHub
#zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com
#securityManager.realms = $zeppelinHubRealm

## A same for configuring Knox SSO Realm
#knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm
#knoxJwtRealm.providerUrl = https://domain.example.com/
#knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html
#knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout
#knoxJwtRealm.logoutAPI = true
#knoxJwtRealm.redirectParam = originalUrl
#knoxJwtRealm.cookieName = hadoop-jwt
#knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem
#
#knoxJwtRealm.groupPrincipalMapping = group.principal.mapping
#knoxJwtRealm.principalMapping = principal.mapping
#authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter
rangerFilter = org.apache.zeppelin.filter.RangerFilter

sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager

### If caching of user is required then uncomment below lines
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager

### Enables 'HttpOnly' flag in Zeppelin cookies
cookie = org.apache.shiro.web.servlet.SimpleCookie
cookie.name = JSESSIONID
cookie.httpOnly = true
### Uncomment the below line only when Zeppelin is running over HTTPS
#cookie.secure = true
sessionManager.sessionIdCookie = $cookie

securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
shiro.loginUrl = /api/login

[roles]
role1 = *
role2 = *
role3 = *
admin = *

[urls]
# This section is used for url-based security. For details see the shiro.ini documentation.
#
# You can secure interpreter, configuration and credential information by urls.
# Comment or uncomment the below urls that you want to hide:
# anon means the access is anonymous.
# authc means form based auth Security.
#
# IMPORTANT: Order matters: URL path expressions are evaluated against an incoming request
# in the order they are defined and the FIRST MATCH WINS.
#
# To allow anonymous access to all but the stated urls,
# uncomment the line second last line (/** = anon) and comment the last line (/** = authc)
#
/api/version = anon
/api/cluster/address = anon
# Allow all authenticated users to restart interpreters on a notebook page.
# Comment out the following line if you would like to authorize only admin users to restart interpreters.
/api/interpreter/setting/restart/** = authc
/api/interpreter/** = authc, rangerFilter
/api/notebook-repositories/** = authc, roles[admin]
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/api/admin/** = authc, roles[admin]
#/** = anon
/** = authc

 修改完毕,将ranger和ranger插件的包放到lib路径下重启zeppelin

五、测试

首先打开zeppelin的界面,使用默认的user1用户登录,访问interpreter界面,会发现报错说没有权限

然后我们进入RangerWeb界面配置权限,首先配置插件

然后配置策略,将url和用户角色权限加上

点击add或save,然后重新回到zeppelin界面,这回就可以正常访问解释器页面了

大功告成!!

有任何问题可以评论留言,开发过程中有一些坑,大家遇到我踩过的可以帮大家解答一下

EdwardsWang丶
关注
  • 6
    点赞
  • 12
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 3
    评论
专栏目录
ranger-cmus:用于与Cmus Audio Player集成Ranger插件
05-19
这是用于文件管理器的插件,它添加了3个用于与音频播放器进行交互的自定义​​命令: :cmus_play :将文件/文件夹发送到播放列表。 :cmus_lib :将文件/文件夹添加到库中。 :cmus_queue :使文件/文件夹:cmus_...
zeppelin使用shiro进行权限验证
BruceBupt的博客
06-03 2215
zeppelin使用shiro进行权限控制,默认情况下是anonymous,即不用登录即可使用。如果要增加登录验证,可以按照下列步骤操作。修改配置后需要重启才能生效。 cd ${zeppelin} ./bin/zeppelin-daemon.sh restart 1.禁止匿名访问 如果没有conf/zeppelin-site.xml,那么执行 cd $(zeppelin)/conf c...
Zeppelin连接Spark实现SQLStdBasedAuthorization权限验证
简单就好
01-12 2968
zeppelin连接Spark实现SQLStdBasedAuthorization权限验证
zeppelin源码分析(4)——主要的class分析(下)
重来
05-25 2106
本文主要分析类图中右下角的部分,如果说类图中右上角部分决定了zeppelin运行时对解释器进程的处理,那么右下角这部分类是决定了Note运行方式。 Note Note是单个’记事本’的内存对象,是zeppelin管理的最小单位,无论是做权限控制、共享、还是持久化,都是以Note为粒度的。从类关系上看,Note是由一些列的有序Paragraph组成,因此其绝大部分职责都是与管理Paragrap
[Zeppelin]设置访问登录权限
SmartSi
06-05 8296
1. 概述我们在浏览器中输入 http://localhost:8080/ 进入Zeppelin的主页,不需要用任何的验证就可以进入主页面:换句话说,任何人在浏览器输入上面地址(本机),都可以访问Zeppelin里的所有笔记. 在上图中我们也可以看到我们的登陆用户是anonymous.2. 修改匿名访问Zeppelin启动默认是匿名(anonymous)模式登录的.如果设置访问登录权限,需要设置c
解决Zeppelin使用JdbcRealm角色查询与鉴权不生效问题
IT小王
07-28 168
可能因为角色SQL判断复杂,查询不通用的特性。导致没有将JDBC方式进行角色查询与校验的相关代码放入。总之,遇到问题解决不了还是得看源码。使用开源软件,一定要会自己编译,不然后续需要改造代码,就没办法操作了。
Zeppelin集成Ranger实现用户权限管控
u010543388的博客
07-30 2042
前言 一、架构说明 二、
Ranger-Sqoop2插件实现详解
木木与呆呆的专栏
09-21 1230
1.组件和插件介绍 1.1.Ranger介绍 Apache Ranger能够监控和管理整个Hadoop平台的综合数据安全, 目前作为Apache Top Level Project(TLP顶级项目), 最新版本是2.0.0。它主要提供如下特性: 基于策略(Policy-based)的访问权限模型 通用的策略同步与决策逻辑,方便控制插件的扩展接入 内置常见系...
审计日志导致hiveserver2内存泄露的问题排查解决
06-06 945
记录一次hiveserver2内存泄露问题排查
Ranger集成CDH Hive
qq_35741557的博客
05-28 1873
安装 HIVE插件只对使用JDBC方式访问HIVE的请求进行权限管理,HIVE-CLI不受限制! 解压文件ranger-2.1.0-hive-plugin.tar.gz并修改install.properties文件 #ranger admin的路径 POLICY_MGR_URL=http://cdh04:6080 #hive服务名称 REPOSITORY_NAME=hivedev #hive的安装路径 COMPONENT_INSTALL_DIR_NAME=/opt/cloudera/parcels/CDH/
Apache Ranger入门与进阶使用
qq_41463207的博客
04-02 2447
ranger是hadoop生态中的权限管理和用户审计插件ranger丰富的插件数量让它的使用常广泛,但是苦于官方文档常少,学习起来就常麻烦。本篇博客是取各文档之精华所做的,相信你完成的看完后对于ranger会有更多的理解
ranger-admin集成
11-26
ranger-1.2-admin资源下载,里面包含web页面及sql脚本,在linux操作系统上可以直接运行
ranger_devicons:Ranger插件,将文件字形图标支持添加到Ranger
05-01
插件引入了一个新的linemode,该模式以文件图标为前缀 先决条件 该插件使用来自修补的NERDfont的字形。 因此,为了使该插件正常工作,您需要安装NERDfont并将其设置为终端的默认字体。 我个人使用了Source Code ...
cdh6.3.2编译的ranger版本
最新发布
08-03
此软件可以直接适用于cdh6.3.2的安装和应用,ranger我们都知道,是一个权限管理工具,可以做到精细化权限管理,编译ranger的cdh6.3.2,会出现各种报错,这里提供编译好的包
CDH 6.3.1 ranger ranger-2.1.0-admin.tar.gz
11-04
CDH 6.3.1 ranger admin模块; 需要剩下的 编译包请留言。已经完全解决所有版本的编译。
ranger插件开发(上)
hncscwc的博客
09-02 1747
Apache ranger 是一个集中式的安全管理框架,用户可以登录到ranger的web控制台配置不同的策略,实现对hadoop相关生态组件细粒度的权限控制。最新版本(2.1.0)支持的...
Apache Ranger对Hive数据脱敏-行过滤Row Filter、列屏蔽Column Masking
王佩的CSDN博客
02-26 5434
概述 Apache Ranger对Hive数据支持两种脱敏方式:行过滤Row Filter、列屏蔽Column Masking。它可对Select结果进行行列级别数据脱敏,从而达到对用户屏蔽敏感信息的目的。 注意:该功能只适用于HiveServer2使用场景(如Beeline/JDBC/Hue等途径执行的Select),对Hive Cli(如Hive -e)和直接读取Hive表的HDFS文件场景不...
大数据Ranger-2.3.0 Hive插件安装
如切如磋,如琢如磨,臻于至善。
01-28 637
Apache Ranger来源于2013年成立于美国加利福尼亚的XA Secure公司,它是一个Hadoop安全相关的开源组件。在2014年,Hortonworks收购了XA Secure公司,将其贡献给了Apache软件基金会,目前是Apache的顶级开源项目。Ranger-hive的插件编译、部署 控制hive授权
一篇全面的zepplin教程
热门推荐
jin6872115的博客
10-29 1万+
https://www.jianshu.com/p/090f02005e07   1.Zeppelin是什么? Apache Zeppelin是一款基于Web的Notebook(类似于jupyter notebook),支持交互式地数据分析。 Zeppelin可实现你所需要的: 数据采集 数据发现 数据分析 数据可视化和协作 支持多种语言,默认是Scala(背后是Spark shel...
ranger用户同步于ldap
04-30
ranger用户同步于ldap是指Apache Ranger作为授权管理系统,将LDAP服务器中的用户同步到Ranger系统中,以便为这些用户分配访问和操作Hadoop集群的权限LDAP是轻量级目录访问协议,被广泛应用于企业级身份认证和权限管理。通过将Ranger系统与LDAP服务器进行集成,管理员可以轻松地将LDAP中的用户和组同步到Ranger系统中,以维护基于用户的访问控制策略。 当LDAP中添加、删除或更改用户和组时,Ranger也相应地更新Ranger中的用户和组信息。这种同步机制使得企业中的用户和组一致性得到保证,有效地提高了系统访问控制的管理效率。 值得注意的是,为了确保LDAP用户同步至Ranger系统后能够正确地使用,管理员还需要对Ranger系统进行相应的配置和授权管理,例如定义访问策略和角色等。只有在完整配置并且正确授权后,才能确保可以最大限度地发挥Ranger系统的访问控制功能。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

EdwardsWang丶

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值