

Sentry has by now evolved into a universal authorization policy engine. It has been successfully integrated with Apache Hive, Apache Sqoop2, Apache Solr, Apache Kafka, HDFS and Cloudera Impala. Sentry is pluggable and it is fairly simple to delegate your authorization and policy management needs to Sentry. In this document we talk about the main steps required for integration, code organization and examples to get you started.

Main modules:

- Authorizables, privileges, and the corresponding backend metadata: a new engine will need to extend the implementation to cover these pieces, e.g. define the authorization model, and define the privilege model with the authorization model and action factory.
- Get the privileges from the backend, do the transformation (currently there is no transformation), and return the privileges.

All the implementation is based on the previous framework, and I think we can improve the framework to make it clearer.

Policy enforcement plugin running on the Apache component side

Apache Kafka will be the example for the following guide.

1. Define the authorization model (reference code: ).
   - Create the sentry-core-model-kafka module for Kafka.
   - Create KafkaAuthorizable, which should extend the interface Authorizable.
   - Create all authorization types with the enum AuthorizableType in KafkaAuthorizable, e.g. Cluster, Host, etc.
   - Create a subclass of KafkaAuthorizable for every authorization type, e.g. Cluster, Host, etc.

2. Define the action factory (reference code: ).
   - KafkaActionFactory defines all actions for Kafka with a name and a code, e.g. READ(0x0001), WRITE(0x0002), etc. The action code is used for action imply with the & operation. The imply rule is defined in .common.BitFieldAction. According to the rule, READ imply WRITE = FALSE, ALL imply WRITE = TRUE.

3. Define the privilege model with the authorization model and action factory (reference code: ).
   - Create implyMethodMap, which is responsible for implying the authorization types defined in KafkaAuthorizable; the imply rule is defined in .common.CommonPrivilege. The following are the supported imply methods for the authorization types:
     STRING : compare the authorization type as a string, case insensitive.
     STRING_CASE_SENSITIVE : compare the authorization type as a string, case sensitive.
     URL : compare the authorization type as a URL according to .
   - Implement getImplyMethodMap() with the created implyMethodMap.
   - Implement getBitFieldActionFactory() with KafkaActionFactory.

4. Create KafkaAuthBinding, which is responsible for doing the authorization for Kafka.
   - AuthorizationProvider should be a member of the binding and is initialized with the implementations of PolicyEngine and ProviderBackend. For PolicyEngine, . is the default implementation and the user can implement the interface if needed. For ProviderBackend, .db.generic.SentryGenericProviderBackend is the default implementation. The sample code for the initialization is KafkaAuthBinding.createAuthProvider().

Define sentry code

- Add a method to expose AuthorizationProvider.hasAccess(), e.g. thorize(). The purpose of the hook is to use thorize() to do the authorization.
- There are 2 ways to manage the authorization metadata (create role, grant role to group, grant privilege to role, revoke privilege from role, etc.):
  1. Implement the hook and use the component's framework to manage the authorization metadata with SentryGenericServiceClient, e.g. SentryKafkaAuthorizer.addAcls() to grant privileges to a role, SentryKafkaAuthorizer.removeAcls() to revoke privileges from a role, etc.
  2. Implement SentryShellCommon to manage the authorization metadata, e.g. SentryShellKafka.
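As an added example, not code from the Sentry project, this Python model carries through the two imply rules the generic privilege model relies on: the BitFieldAction & rule for actions (READ implies WRITE = false, ALL implies WRITE = true) and the STRING / STRING_CASE_SENSITIVE comparisons selected per authorization type through implyMethodMap. The READ and WRITE codes are from the page; the ALL code, the method assigned to each Kafka authorizable type, the privilege string format and the rule that a grant with fewer parts is broader are assumptions of the model.

```python
from enum import Enum

# READ and WRITE codes are from the page; ALL as the OR of both is an assumption of this model.
ACTION_CODES = {"read": 0x0001, "write": 0x0002, "all": 0x0001 | 0x0002}


def action_implies(granted: str, requested: str) -> bool:
    """BitFieldAction rule: granted implies requested iff every bit of requested is set in granted."""
    g, r = ACTION_CODES[granted.lower()], ACTION_CODES[requested.lower()]
    return (g & r) == r


class ImplyMethod(Enum):
    STRING = 1                 # compare as string, case insensitive
    STRING_CASE_SENSITIVE = 2  # compare as string, case sensitive
    # URL is left out: the comparison rule for it is not given on the page.


# Hypothetical implyMethodMap for the two Kafka authorizable types named on the page.
IMPLY_METHOD_MAP = {"host": ImplyMethod.STRING, "cluster": ImplyMethod.STRING_CASE_SENSITIVE}


def value_implies(auth_type: str, granted: str, requested: str) -> bool:
    """Compare one authorizable value with the imply method registered for its type."""
    if IMPLY_METHOD_MAP[auth_type] is ImplyMethod.STRING:
        return granted.lower() == requested.lower()
    return granted == requested


def parse(privilege: str):
    """Constructed format: 'host=h1->cluster=c1->action=write' -> ([('host','h1'), ('cluster','c1')], 'write')."""
    pairs = [(k.strip().lower(), v.strip()) for k, v in (p.split("=", 1) for p in privilege.split("->"))]
    action = [v for k, v in pairs if k == "action"]
    if len(action) != 1:
        raise ValueError("privilege needs exactly one action part: " + privilege)
    return [(k, v) for k, v in pairs if k != "action"], action[0]


def privilege_implies(granted: str, requested: str) -> bool:
    """Granted privilege covers the request iff every granted part matches and the action implies."""
    g_parts, g_action = parse(granted)
    r_parts, r_action = parse(requested)
    # Assumption of this model: a grant with fewer parts is broader (a host-level grant covers any
    # cluster under that host); a grant with more parts is narrower and cannot cover the request.
    if len(g_parts) > len(r_parts):
        return False
    for (g_type, g_val), (r_type, r_val) in zip(g_parts, r_parts):
        if g_type != r_type or not value_implies(g_type, g_val, r_val):
            return False
    return action_implies(g_action, r_action)
```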
