apache / kyuubi

Apache Kyuubi is a distributed and multi-tenant gateway to provide serverless SQL on data warehouses and lakehouses.
https://kyuubi.apache.org/
Apache License 2.0

[FEATURE] [AUTHZ] Support overriding usergroup with UserStore in AccessRequest #3300

Closed bowenliang123 closed 1 year ago

bowenliang123 commented 2 years ago

Describe the feature

User group based policies from Ranger are not working as expected. A user can be bound to multiple user groups in Ranger Admin. But in privilege checking, the user group is identified by the plugin itself. In Authz, the user group param set in AccessRequest currently relies on the UserGroupInformation returned by the getAuthzUgi method of AuthZUtils. RangerPlugin plainly uses that value to check policy conditions.

I suggest,

  1. support overriding usergroup in AccessRequest by fetching the user-group relation mapping from UserStore (which was introduced in Ranger 2.3) in RangerBasePlugin. UserStore is loaded and refreshed by the base plugin with the user-group mapping and user/group attributes and is used for policy evaluation.
  2. add a switch config for it, disabled by default.

Motivation

No response

Describe the solution

No response

Additional context

No response

Are you willing to submit PR?
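As an added illustration (not Kyuubi's code nor the patch in the linked PR) of the group resolution the issue proposes: with a switch that is off by default, the request keeps the UGI groups; with it on, the groups come from the Ranger UserStore user-group mapping. The config key name and the fallback to UGI groups when the UserStore has no entry for the user are assumptions; Ranger's `RangerUserStore` and `RangerAccessRequestImpl` APIs are used as in Ranger 2.3.

```scala
import java.util.{HashMap => JHashMap, HashSet => JHashSet, Set => JSet}
import scala.collection.JavaConverters._

import org.apache.hadoop.security.UserGroupInformation
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl
import org.apache.ranger.plugin.util.RangerUserStore

object UserStoreGroups {
  // Hypothetical switch name; disabled by default, as the issue proposes.
  val OverrideKey = "ranger.plugin.kyuubi.userstore.override.enabled"

  /** Groups to place in the AccessRequest. With the switch off, or when the
    * UserStore carries no entry for the user, fall back to the UGI groups
    * (assumed fallback; the issue does not specify one). */
  def resolveGroups(user: String, ugiGroups: Set[String],
                    userStore: Option[RangerUserStore],
                    overrideEnabled: Boolean): Set[String] = {
    if (!overrideEnabled) return ugiGroups
    val fromStore = for {
      store   <- userStore
      mapping <- Option(store.getUserGroupMapping)
      groups  <- Option(mapping.get(user))
    } yield groups.asScala.toSet
    fromStore.getOrElse(ugiGroups)
  }

  def buildRequest(user: String, ugi: UserGroupInformation,
                   userStore: Option[RangerUserStore],
                   overrideEnabled: Boolean): RangerAccessRequestImpl = {
    val req = new RangerAccessRequestImpl()
    req.setUser(user)
    val groups = resolveGroups(user, ugi.getGroupNames.toSet, userStore, overrideEnabled)
    req.setUserGroups(groups.asJava)
    req
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample: UGI knows "alice" only as an analyst, while the
    // UserStore synced from Ranger Admin also binds her to "finance".
    val ugi = UserGroupInformation.createUserForTesting("alice", Array("analysts"))
    val store = new RangerUserStore()
    val mapping = new JHashMap[String, JSet[String]]()
    mapping.put("alice", new JHashSet[String](Set("analysts", "finance").asJava))
    store.setUserGroupMapping(mapping)
    println(buildRequest("alice", ugi, Some(store), overrideEnabled = false).getUserGroups)
    println(buildRequest("alice", ugi, Some(store), overrideEnabled = true).getUserGroups)
  }
}
```

With the switch off the request carries only the UGI groups, so a Ranger policy granted to the "finance" group would not match; with it on, the UserStore binding is honoured.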

GerbenvdHuizen commented 1 year ago

We are using Ranger 2.3.0, performing access requests via the AUTHZ Kyuubi plugin. We expected AUTHZ to be able to sync the groups with the Ranger UserStore, but this is currently not possible. As mentioned in this issue, the only option to fetch group info is via the Hadoop security module UserGroupInformation, but it would be nice if this was configurable. The solution suggested by @bowenliang123 in https://github.com/apache/incubator-kyuubi/pull/3308 seems to be what we are looking for.

bowenliang123 commented 1 year ago

PR 3308 has a complete runnable patch for this feature. It's been marked as a draft pending unit tests and related rule preparation. You may try this out to see whether it works fine for you and send us your feedback or suggestions if possible. @GerbenvdHuizen