Version: 0.7.0-incubating

Authorization Push-down

Gravitino offers a set of authorization frameworks that integrate with various underlying data source permission systems, such as MySQL's native permission management and Apache Ranger for big data. These frameworks align with Gravitino's own authorization model and methodology. Gravitino manages different data sources through Catalogs, and when a user performs an authorization operation on data within a Catalog, Gravitino invokes the Authorization Plugin module for that Catalog. This module translates Gravitino's authorization model into the permission rules of the underlying data source. The permissions are then enforced by the underlying permission system via the respective client, such as JDBC or the Apache Ranger client.

Authorization Hive with Ranger properties

To use the Authorization Ranger Hive Plugin, you need to configure the following properties in addition to the Apache Hive catalog properties:

| Property Name | Description | Default Value | Required | Since Version |
|---|---|---|---|---|
| authorization-provider | The provider used to implement the authorization plugin, such as ranger. | (none) | No | 0.6.0-incubating |
| authorization.ranger.admin.url | The Apache Ranger web URIs. | (none) | No | 0.6.0-incubating |
| authorization.ranger.auth.type | The Apache Ranger authentication type: simple or kerberos. | simple | No | 0.6.0-incubating |
| authorization.ranger.username | The Apache Ranger admin web login username (auth type=simple), or the Kerberos principal (auth type=kerberos). The account must have Ranger administrator permission. | (none) | No | 0.6.0-incubating |
| authorization.ranger.password | The Apache Ranger admin web login user password (auth type=simple), or the path of the keytab file (auth type=kerberos). | (none) | No | 0.6.0-incubating |
| authorization.ranger.service.name | The Apache Ranger service name. | (none) | No | 0.6.0-incubating |

Once the configuration is correct, you can perform authorization operations by calling the Gravitino authorization RESTful API.

Example of using the Authorization Ranger Hive Plugin

Suppose you have an Apache Hive service in your datacenter and have created a hiveRepo in Apache Ranger to manage its permissions. The Ranger service is accessible at 172.0.0.100:6080, with the username Jack and the password PWD123. To add this Hive service to Gravitino using the Hive catalog, you'll need to configure the following parameters.

authorization-provider=ranger
authorization.ranger.admin.url=172.0.0.100:6080
authorization.ranger.auth.type=simple
authorization.ranger.username=Jack
authorization.ranger.password=PWD123
authorization.ranger.service.name=hiveRepo
Caution: Gravitino 0.6.0 only supports authorization for the Apache Ranger Hive service; authorization for more data sources is under development.
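
A pre-flight check for the Ranger property set described above, as an added example that is not part of the Gravitino documentation or code base. The function names are hypothetical; treating every Ranger property as needed once authorization-provider=ranger, and the tests that a Kerberos principal contains `@` and a keytab value contains `/`, are assumptions made here.

```python
# Added example (not Gravitino code): lint the Ranger push-down properties.
PREFIX = "authorization.ranger."
NEEDED = ["admin.url", "username", "password", "service.name"]

# The property set from the page's example.
PAGE_EXAMPLE = """\
authorization-provider=ranger
authorization.ranger.admin.url=172.0.0.100:6080
authorization.ranger.auth.type=simple
authorization.ranger.username=Jack
authorization.ranger.password=PWD123
authorization.ranger.service.name=hiveRepo
"""
# Constructed sample: kerberos selected, simple-style credentials left in place.
MIXED_UP = PAGE_EXAMPLE.replace("auth.type=simple", "auth.type=kerberos")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint_ranger_properties(props):
    """Return a list of findings; push-down is unchecked unless provider is ranger."""
    if props.get("authorization-provider") != "ranger":
        return []
    findings = [f"missing {PREFIX}{k}" for k in NEEDED if not props.get(PREFIX + k)]
    auth_type = props.get(PREFIX + "auth.type") or "simple"  # documented default
    username = props.get(PREFIX + "username", "")
    password = props.get(PREFIX + "password", "")
    if auth_type == "kerberos":
        # Heuristics (assumed): principal looks like name@REALM, keytab is a path.
        if username and "@" not in username:
            findings.append("kerberos: username should be a Kerberos principal")
        if password and "/" not in password:
            findings.append("kerberos: password should be the path of a keytab file")
    elif auth_type == "simple":
        if password:
            findings.append("simple: Ranger admin password appears literally here; limit read access")
    else:
        findings.append(f"auth.type must be simple or kerberos, got {auth_type!r}")
    return findings
```

Running `lint_ranger_properties(parse_properties(PAGE_EXAMPLE))` reports only the literal-password finding, which matters because the account named in authorization.ranger.username needs Ranger administrator permission.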