openLooKeng+Ranger+LDAP 认证鉴权能力演示

关注

发布于: 10 小时前

openLooKeng 可以对接 LDAP 完成认证，同时对接 Ranger 完成权限控制。本次演示使用的是我们的实验 openLooKeng 版本（开源 openLooKeng 的三层结构 catalog-schema-table，在实验版本中扩展为 catalog-vdb-schema-table4 层结构），你也可以采用开源 openLooKeng 达到完全相同的认证和鉴权的安全能力。

总体演示步骤：

LDAP 上已经配置好用户 tom，密码为：Huawei@123 在 Ranger 已经配置好用户 tom 的访问权限通过 openLooKeng Client 访问相应资源，检查是否符合策略配置

环境说明：

Testcases：

未认证用户 kobe 访问失败

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user kobe --passwordPassword: lk> select * from view."vdb02:schema02".view02;Error running command: Authentication failed: Access Denied: Invalid credentials

复制代码

在 LDAP 上创建用户 tom（密码：Huawei@123）

Ranger-usersync 即刻能同步到 LDAP 上新建用户的信息，可以在 Ranger-admin 上查询到：

未在 Ranger 上配置 tom 用户可访问的资源时，查询

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user tom --passwordPassword: lk > lk > show catalogs; Catalog --------- mysql    system   view    (3 rows) lk > show schemas from view;Query 20190723_024326_00005_frwmt failed: Access Denied: Cannot access catalog view

复制代码

在 Ranger 上配置 tom 访问 cataloge view 的权限，查询

lk > show schemas from view;       Schema       -------------------- information_schema  qqvdb               testschema          testvdb            (4 rows) Query 20190723_024637_00021_frwmt, FINISHED, 1 nodeSplits: 19 total, 19 done (100.00%)0:00 [4 rows, 60B] [20 rows/s, 310B/s]

复制代码

在 Ranger 上配置 tom 访问 cataloge mysql 的权限

tom 创建 view

a. 3 层结构

lk > create schema view.vdb01;CREATE SCHEMA lk > create view view.vdb01.view01 as select * from mysql.testdb.testtb;CREATE VIEW lk > select * from view.vdb01.view01; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_031647_00029_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [21 rows/s, 0B/s]

复制代码

b. 4 层结构

lk > create schema view.vdb02;CREATE SCHEMAlk > create schema view."vdb02:schema02";CREATE SCHEMAlk > create view view."vdb02:schema02".view02 as select * from mysql.testdb.testtb;CREATE VIEWlk > select * from view."vdb02:schema02".view02; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_031827_00035_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [20 rows/s, 0B/s] lk > create view view.vdb02.view03 as select * from mysql.testdb.testtb;CREATE VIEW

复制代码

授权 view 给另一个用户 jack（jack 已经在 LDAP 上创建好，密码为：jack）

a. 授权 view.vdb01.view01 给 jack

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user jack --passwordPassword: lk > select * from view.vdb01.view01; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_033521_00044_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [22 rows/s, 0B/s] lk > select * from view."vdb02:schema02".view02;Query 20190723_033821_00049_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view02 lk > select * from view.vdb02.view03;Query 20190723_055918_00064_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03

复制代码

b. 授权 view."vdb02:schema02".view02 给 jack

lk > select * from view."vdb02:schema02".view02; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_060319_00066_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [27 rows/s, 0B/s] lk > select * from view.vdb01.view01;Query 20190723_060322_00067_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01 lk > select * from view.vdb02.view03;Query 20190723_060316_00065_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03

复制代码

c. 授权 view.vdb02 给 jack，即包含 view.vdb02.view03 和 view."vdb02:schema02".view02

lk > select * from view."vdb02:schema02".view02; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_061024_00088_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [45 rows/s, 0B/s] lk > select * from view.vdb02.view03; id |   name   | score | comments  ----+----------+-------+-----------  1 | zhangsan |    80 | normal      2 | lisi     |    85 | normal      3 | wangwu   |    99 | very good   4 | zhaoliu  |    55 | stupid    (4 rows) Query 20190723_061022_00087_frwmt, FINISHED, 1 nodeSplits: 17 total, 17 done (100.00%)0:00 [4 rows, 0B] [32 rows/s, 0B/s] lk > select * from view.vdb01.view01;Query 20190723_061020_00086_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01

复制代码

如果您有任何想要交流的，欢迎在社区代码仓内提 Issue；也欢迎加小助手微信，进入专属技术交流群。

发布于: 10 小时前阅读数: 5

原文链接:【http://xie.infoq.cn/article/282bf38488f2b1f0fb072d6d4】。文章转载请联系作者。

openLooKeng

关注

愿景：让大数据更简单 2021.04.14 加入

openLooKeng是一款高效的数据虚拟化引擎，提供统一SQL接口，具备跨数据源/数据中心分析能力，致力于为用户提供极简的数据分析体验。社区官网：https://openlookeng.io

发布

暂无评论

创作场景

openLooKeng+Ranger+LDAP 认证鉴权能力演示

总体演示步骤：

环境说明：

Testcases：

openLooKeng

评论