Closed bowenliang123 closed 1 year ago
We are using the Ranger 2.3.0 performing access request via the AUTHZ Kyuubi plugin. We expected AUTHZ to be able to sync the groups with the Ranger UserStore, but this is currently not possible. As mentioned in this issue, the only option to fetch group info is via the Hadoop security module UserGroupInformation
, but it would be nice if this was configurable. The solution suggested by @bowenliang123 in https://github.com/apache/incubator-kyuubi/pull/3308 seems to be what we are looking for.
pull 3308 has a complete runnable patch for this feature. It's been marked as a draft for the reason of unit test and related rule preparation. You may try this out to see whether it works fine for you and send us your feedback or suggestion if possible. @GerbenvdHuizen
Code of Conduct
Search before asking
Describe the feature
User group based policies from Ranger are not working as expectedly. User can be binded to multiple user groups in Ranger Admin. But in privileage checking, user group is identified by plugin it self. In Authz, User group param setting in AccessRequest currently relies on
UserGroupInformation
returned bygetAuthzUgi
method ofAuthZUtils
. RangerPlugin is plainly use the value of it to check policies conditions.I suggest,
Motivation
No response
Describe the solution
No response
Additional context
No response
Are you willing to submit PR?