apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
4de2976fd4
kyuubi/docs/security/authorization.md
Cheng Pan 19150ca292
[KYUUBI #951] [LICENSE] Add license header on all docs 
<!--
Thanks for sending a pull request!

Here are some tips for you:
  1. If this is your first time, please read our contributor guidelines: https://kyuubi.readthedocs.io/en/latest/community/contributions.html
  2. If the PR is related to an issue in https://github.com/apache/incubator-kyuubi/issues, add '[KYUUBI #XXXX]' in your PR title, e.g., '[KYUUBI #XXXX] Your PR title ...'.
  3. If the PR is unfinished, add '[WIP]' in your PR title, e.g., '[WIP][KYUUBI #XXXX] Your PR title ...'.
-->

### _Why are the changes needed?_
<!--
Please clarify why the changes are needed. For instance,
  1. If you add a feature, you can talk about the use case of it.
  2. If you fix a bug, you can clarify why it is a bug.
-->

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.readthedocs.io/en/latest/develop_tools/testing.html#running-tests) locally before make a pull request

Closes #951 from pan3793/license.

Closes #951

4629eecd [Cheng Pan] Fix
c45a0784 [Cheng Pan] nit
b9a46b42 [Cheng Pan] pin license header at first line
80d1a71b [Cheng Pan] nit
b2a46e4c [Cheng Pan] Update
f6acaaf8 [Cheng Pan] minor
ef99183f [Cheng Pan] Add license header on all docs

Authored-by: Cheng Pan <chengpan@apache.org>
Signed-off-by: Cheng Pan <chengpan@apache.org>
(cherry picked from commit a76c344042)
Signed-off-by: Cheng Pan <chengpan@apache.org>
2021-08-19 09:54:01 +08:00

50 lines
3.9 KiB
Markdown
Raw Blame History

<!--
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-->
# ACL Management Guide
- [Authorization Modes](#1)
- [Storage-Based Authorization](#1.1)
- [SQL-Standard Based Authorization](#1.2)
- [Ranger Security Support](#1.3)
<h2 id="1">Authorization Modes</h2>
Three primary modes for Kyuubi authorization are available by [Submarine Spark Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security):
<h4 id="1.1">Storage-Based Authorization</h4>
Enabling Storage Based Authorization in the `Hive Metastore Server` uses the HDFS permissions to act as the main source for verification and allows for consistent data and metadata authorization policy. This allows control over metadata access by verifying if the user has permission to access corresponding directories on the HDFS. Similar with `HiveServer2`, files and directories will be translated into hive metadata objects, such as dbs, tables, partitions, and be protected from end user's queries through Kyuubi.
Storage-Based Authorization offers users with Database, Table and Partition-level coarse-gained access control.
<h4 id="1.2">SQL-Standard Based Authorization</h4>
Enabling SQL-Standard Based Authorization gives users more fine-gained control over access comparing with Storage Based Authorization. Besides of the ability of Storage Based Authorization, SQL-Standard Based Authorization can improve it to Views and Column-level. Unfortunately, Spark SQL does not support grant/revoke statements which controls access, this might be done only through the HiveServer2. But it's gratifying that [Submarine Spark Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security) makes Spark SQL be able to understand this fine-grain access control granted or revoked by Hive.
With [Kyuubi](https://github.com/apache/incubator-kyuubi), the SQL-Standard Based Authorization is guaranteed for the security configurations, metadata, and storage information is preserved from end users.
Please refer to the [Submarine Spark Security](https://submarine.apache.org/docs/userDocs/submarine-security/spark-security/README) in the online documentation for an overview on how to configure SQL-Standard Based Authorization for Spark SQL.
<h4 id="1.3">Ranger Security Support (Recommended)</h4>
[Apache Ranger](https://ranger.apache.org/) is a framework to enable, monitor and manage comprehensive data security across the Hadoop platform but end before Spark or Spark SQL. The [Submarine Spark Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security) enables Kyuubi with control access ability reusing [Ranger Plugin for Hive MetaStore
](https://cwiki.apache.org/confluence/display/RANGER/Ranger+Plugin+for+Hive+MetaStore). [Apache Ranger](https://ranger.apache.org/) makes the scope of existing SQL-Standard Based Authorization expanded but without supporting Spark SQL. [Submarine Spark Security](https://github.com/apache/submarine/tree/master/submarine-security/spark-security) sticks them together.
Please refer to the [Submarine Spark Security](https://submarine.apache.org/docs/userDocs/submarine-security/spark-security/README) in the online documentation for an overview on how to configure Ranger for Spark SQL.
Reference in New Issue View Git Blame Copy Permalink