ranger icon indicating copy to clipboard operation
ranger copied to clipboard
verified publisher icon apache

RANGER-2128: Implementation of Ranger Spark SQL plugin

Open yaooqinn opened this issue 7 years ago • 7 comments

pre-work

Basic concepts and introductions can be found in spark-authorizer's documentations.

additionals

https://github.com/apache/spark/pull/17724 exposed a new experimental develop api SparkSessionExetensions, which is able to add user supplied extensions to SparkSession object during instantiation via program api or the spark property named spark.sql.extensions.

This PR uses spark.sql.extensions and other necessary ranger-hive-plugin settings to enable Ranger security support for Spark SQL with hive as external catalog.

spark.sql.extensions=
org.apache.ranger.authorization.spark.authorizer.RangerSparkSQLExtension

yaooqinn avatar Jun 26 '18 11:06 yaooqinn

@boscodurai ship it?

tooptoop4 avatar Feb 22 '19 22:02 tooptoop4

keen to see this in action! do you have any jar and setup notes for this?

tooptoop4 avatar Apr 28 '19 21:04 tooptoop4

@yaooqinn can u create apache review?

tooptoop4 avatar May 07 '19 20:05 tooptoop4

@tooptoop4 review request created.

yaooqinn avatar May 18 '19 15:05 yaooqinn

Hi!

This work is very interesting! Any progress on the merge?

ptallada avatar Apr 08 '20 20:04 ptallada

@yaooqinn Can you fix the conflicts?

rimolive avatar Apr 27 '20 18:04 rimolive

@yaooqinn any thoughts on resolving the conflicts?

shgriffi avatar Jul 28 '20 19:07 shgriffi

What does this PR do/accomplish that isn't already possible with the existing Hive support? We're currently running Spark Thriftserver (3.2.x) with the kyuubi plugin against Ranger where in Ranger we've defined the service as a Hive service and everything with regards to authentication and authorization seems to be working as expected.

The only thing that I've observed that doesn't work is the auto-complete when creating policies via the Ranger UI, I assume this is a slight dialect difference in the response from the Spark Thriftserver vs a real HiveServer2 since the query being run by Ranger (show databases like "*") returns the databases just fine when I run it myself.

simonvanderveldt avatar Nov 25 '22 16:11 simonvanderveldt

What does this PR do/accomplish that isn't already possible with the existing Hive support? We're currently running Spark Thriftserver (3.2.x) with the kyuubi plugin against Ranger where in Ranger we've defined the service as a Hive service and everything with regards to authentication and authorization seems to be working as expected.

The only thing that I've observed that doesn't work is the auto-complete when creating policies via the Ranger UI, I assume this is a slight dialect difference in the response from the Spark Thriftserver vs a real HiveServer2 since the query being run by Ranger (show databases like "*") returns the databases just fine when I run it myself.

Thanks @simonvanderveldt. I think than we can include Kyuubi plugin in Ranger for Spark. If you are familiar with Kyuubi than Can you please raise demo PR?

bhavikpatel9977 avatar Nov 28 '22 09:11 bhavikpatel9977

+1

waywtdcc avatar Dec 21 '22 05:12 waywtdcc

will this work with spark-submit cluster mode without passing keytab?

ManoharVanam avatar Oct 18 '23 12:10 ManoharVanam

I am going to close this in favor of the kyuubi spark authz plugin

yaooqinn avatar Nov 10 '23 06:11 yaooqinn