openLooKeng is a drop-in engine that enables in-situ analytics on any data, anywhere, including geographically remote data sources. It provides a global view of all of your data via its SQL 2003 interface. With high availability, auto-scaling, built-in caching and indexing support, openLooKeng is ready for enterprise workloads with the required reliability.
openlookeng-ranger-plugin is a Ranger Plugin for openLooKeng to enable, monitor and manage comprehensive data security.
Check out the code from the Git repository.

On the root folder, please execute the following Maven command:

```
mvn clean package
```

`ranger-<ranger.version>-admin-openlookeng-<openlookeng.version>-plugin.tar.gz`

`ranger-<ranger.version>-openlookeng-<openlookeng.version>-plugin.tar.gz`
1). Expand the `ranger-<ranger.version>-admin-openlookeng-<openlookeng.version>-plugin.tar.gz` file. You will see the following folders in the target folder:

`openlookeng`

`service-defs`

2). Register the service type definition with Ranger

The service type definition should be registered with Ranger using the REST API provided by Ranger Admin. Once registered, Ranger Admin will provide a UI to create service instances (called repositories in previous releases) and policies for the service type. The Ranger plugin uses the service type definition and the policies to determine whether an access request should be granted. The register REST API can be invoked using the curl command, as shown in the example below:

```
curl -u admin:password -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d @service-defs/ranger-servicedef-openlookeng.json http://ranger-admin-host:port/service/plugins/definitions
```

Example of the query REST API of Ranger:

```
curl -u admin:password -X GET -H "Accept: application/json" -H "Content-Type: application/json" http://ranger-admin-host:port/service/plugins/definitions
```

Example of the delete REST API of Ranger:

```
curl -u admin:password -X DELETE http://ranger-admin-host:port/service/plugins/definitions/{service id}
```

3). Copy the `openlookeng` folder to the `ranger-plugins` folder of the Ranger Admin installation directory (e.g. `ranger-<ranger.version>-admin/ews/webapp/WEB-INF/classes/ranger-plugins/`)
1). Expand the `ranger-<ranger.version>-openlookeng-<openlookeng.version>-plugin.tar.gz` file

2). Modify the `install.properties` file with appropriate variables. An example with some variables modified:

```
# Location of Policy Manager URL
# Example: POLICY_MGR_URL=http://policymanager.xasecure.net:6080
POLICY_MGR_URL=http://xxx.xxx.xxx.xxx:6080

# This is the repository name created within policy manager
# Example: REPOSITORY_NAME=openlookengdev
REPOSITORY_NAME=openlookengdev

# openLooKeng component installed directory
# COMPONENT_INSTALL_DIR_NAME=../openlookeng
COMPONENT_INSTALL_DIR_NAME=/home/hetu-server-1.0.1

XAAUDIT.SOLR.ENABLE=false
XAAUDIT.SUMMARY.ENABLE=false
```

3). Execute `./enable-openlookeng-plugin.sh`

Restart Ranger Admin service: `service ranger-admin restart`

Restart openLooKeng service: `./launcher restart`
You can add a new policy from the Ranger Admin's Policy Listing Page of the openLooKeng service. The Ranger plugin of openLooKeng supports managing the privileges of systemproperty, catalog, sessionproperty, schema, table and column.

Without the `use` privilege to a catalog, all operations under the catalog have no permission.

If the `select` privilege was granted, the catalog can be available for show catalogs.

`catalog` or in the current catalog.

If the `select` privilege was granted, the schema can be available for show schemas.

`schema` or in the current schema.

If the `select` privilege was granted, the table can be available for show tables.

`table` along with their data type and other attributes.

If the `select` privilege was granted, the column can be available for show columns.

Column mask is only suitable for the `select` operation; the specified user can only access the data after the mask. At present, openLooKeng supports 8 mask policies.
Masking Option | Description |
---|---|
Redact | Replace lowercase with `x`, uppercase with `X`, digits with `0`. |
Partial mask: show last 4 | Show last 4 characters; replace rest with `X`. |
Partial mask: show first 4 | Show first 4 characters; replace rest with `x`. |
Hash | Hash the value of a varchar with sha256. |
Nullify | Replace with NULL. |
Unmasked (retain original value) | No masking. |
Date: show only year | Date: show only year. |
Custom | Custom. Example: `cast(concat({col}, "test") as {type})`. |
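
What a masked user would see for the string masks in the table above, as an added example that is not the plugin's own code. The functions model the table's wording literally; the sample row, the mask assignment, and the UTF-8 input and hex output of the hash are assumptions.

```python
import hashlib
import string

# Model of the string mask options in the table above. Constructed for
# illustration from the table's wording; not the plugin's implementation.
_REDACT = str.maketrans(
    string.ascii_lowercase + string.ascii_uppercase + string.digits,
    "x" * 26 + "X" * 26 + "0" * 10,
)
UNMASKED = "Unmasked (retain original value)"

def redact(value):
    """Lowercase -> x, uppercase -> X, digits -> 0; other characters kept."""
    return value.translate(_REDACT)

def show_last_4(value):
    """Keep the last 4 characters, replace the rest with X."""
    return "X" * max(len(value) - 4, 0) + value[-4:]

def show_first_4(value):
    """Keep the first 4 characters, replace the rest with x."""
    return value[:4] + "x" * max(len(value) - 4, 0)

def sha256_hash(value):
    """SHA-256 of the value; UTF-8 input and hex output are assumptions."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

MASKS = {
    "Redact": redact,
    "Partial mask: show last 4": show_last_4,
    "Partial mask: show first 4": show_first_4,
    "Hash": sha256_hash,
    "Nullify": lambda value: None,
    UNMASKED: lambda value: value,
}

def masked_view(row, column_masks):
    """Return the row as seen by a user subject to the given column masks."""
    return {col: MASKS[column_masks.get(col, UNMASKED)](val)
            for col, val in row.items()}

# Constructed sample row and mask assignment.
ROW = {"name": "Alice Wu", "card": "4111-1111-1111-1234",
       "pin": "0420", "email": "a.wu@example.com", "note": "vip"}
POLICY = {"name": "Redact", "card": "Partial mask: show last 4",
          "pin": "Partial mask: show last 4", "email": "Hash", "note": "Nullify"}

if __name__ == "__main__":
    print(masked_view(ROW, POLICY))
```

In this model a four-character value such as `pin` passes through "show last 4" unchanged, Redact keeps the length and punctuation of the original, and Hash maps equal inputs to equal outputs. Check value lengths and cardinality of a column when choosing its mask.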
Row filter is only suitable for the `select` operation; the specified user can only access the data after the filter. You can customize the filter expression as the condition in the `where` clause of SQL.
`use` and `select` privileges should be granted to a particular catalog. `show` or `create` privileges are optional to enable show or create schemas.

Label | Description |
---|---|
Policy Name | Enter an appropriate policy name. |
catalog | Select the appropriate catalog. |
none | Label `none` indicates that no other resources need to be configured. |

`select` privilege to `information_schema` of particular catalog.

Label | Description |
---|---|
Policy Name | Enter an appropriate policy name. |
catalog | Select the appropriate catalog. |
schema | Select `information_schema`. |
table | `*` (indicates select all tables) |
column | `*` (indicates select all columns) |

Label | Description |
---|---|
Policy Name | Enter an appropriate policy name. |
systemproperty | Specify the appropriate system session property. |

Label | Description |
---|---|
Policy Name | Enter an appropriate policy name. |
catalog | Select the appropriate catalog. |
sessionproperty | Specify the appropriate catalog session property. |

Label | Description |
---|---|
Policy Name | Enter an appropriate policy name. |
catalog | Select the appropriate catalog. |
schema | For the selected catalog(s), select the schema(s) for which the policy will be applicable. |
table | For the selected catalog(s) and schema(s), select the table(s) for which the policy will be applicable. |
column | For the selected catalog(s), schema(s) and table(s), select the column(s) for which the policy will be applicable. |