
openLooKeng + Ranger + LDAP authentication and authorization demo

openLooKeng
Published: 10 hours ago

openLooKeng can integrate with LDAP for authentication and with Ranger for access control. This demo uses our experimental openLooKeng build (open-source openLooKeng has a three-layer catalog-schema-table structure; the experimental build extends it to a four-layer catalog-vdb-schema-table structure). You can achieve exactly the same authentication and authorization capabilities with open-source openLooKeng.

Overall demo steps:

  1. User tom is already configured in LDAP, with password Huawei@123.
  2. tom's access permissions are already configured in Ranger.
  3. Access the corresponding resources through the openLooKeng client and check whether the results match the policy configuration.

Environment description:



Test cases:

  1. Unauthenticated user kobe fails to access

```
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user kobe --password
Password:
lk> select * from view."vdb02:schema02".view02;
Error running command: Authentication failed: Access Denied: Invalid credentials
```
  2. Create user tom in LDAP (password: Huawei@123)

Ranger-usersync picks up the newly created LDAP user immediately, and the user can be looked up in Ranger-admin:

  3. Query before any resources accessible to tom have been configured in Ranger

```
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user tom --password
Password:
lk >
lk > show catalogs;
 Catalog
---------
 mysql
 system
 view
(3 rows)
lk > show schemas from view;
Query 20190723_024326_00005_frwmt failed: Access Denied: Cannot access catalog view
```
  4. Configure tom's permission on catalog view in Ranger, then query

```
lk > show schemas from view;
       Schema
--------------------
 information_schema
 qqvdb
 testschema
 testvdb
(4 rows)
Query 20190723_024637_00021_frwmt, FINISHED, 1 node
Splits: 19 total, 19 done (100.00%)
0:00 [4 rows, 60B] [20 rows/s, 310B/s]
```
  5. Configure tom's permission on catalog mysql in Ranger
  6. tom creates views

  • a. Three-layer structure

```
lk > create schema view.vdb01;
CREATE SCHEMA
lk > create view view.vdb01.view01 as select * from mysql.testdb.testtb;
CREATE VIEW
lk > select * from view.vdb01.view01;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_031647_00029_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [21 rows/s, 0B/s]
```

  • b. Four-layer structure

```
lk > create schema view.vdb02;
CREATE SCHEMA
lk > create schema view."vdb02:schema02";
CREATE SCHEMA
lk > create view view."vdb02:schema02".view02 as select * from mysql.testdb.testtb;
CREATE VIEW
lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_031827_00035_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [20 rows/s, 0B/s]
lk > create view view.vdb02.view03 as select * from mysql.testdb.testtb;
CREATE VIEW
```
  7. Grant the views to another user, jack (jack already exists in LDAP; password: jack)

  • a. Grant view.vdb01.view01 to jack

```
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user jack --password
Password:
lk > select * from view.vdb01.view01;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_033521_00044_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [22 rows/s, 0B/s]
lk > select * from view."vdb02:schema02".view02;
Query 20190723_033821_00049_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view02
lk > select * from view.vdb02.view03;
Query 20190723_055918_00064_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03
```
  • b. Grant view."vdb02:schema02".view02 to jack

```
lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_060319_00066_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [27 rows/s, 0B/s]
lk > select * from view.vdb01.view01;
Query 20190723_060322_00067_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01
lk > select * from view.vdb02.view03;
Query 20190723_060316_00065_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03
```
  • c. Grant view.vdb02 to jack, which covers both view.vdb02.view03 and view."vdb02:schema02".view02

```
lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_061024_00088_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [45 rows/s, 0B/s]
lk > select * from view.vdb02.view03;
 id |   name   | score | comments
----+----------+-------+-----------
  1 | zhangsan |    80 | normal
  2 | lisi     |    85 | normal
  3 | wangwu   |    99 | very good
  4 | zhaoliu  |    55 | stupid
(4 rows)
Query 20190723_061022_00087_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [32 rows/s, 0B/s]
lk > select * from view.vdb01.view01;
Query 20190723_061020_00086_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01
```
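The three grant scenarios for jack above, modelled as a small policy check. This is an added example, not openLooKeng or Ranger code; the hierarchy rule it assumes (a grant on a bare vdb such as view.vdb02 also covers its "vdb02:schema02" sub-schemas) is inferred from the outcomes shown in the sessions above, and the Policy tuple is a constructed stand-in for a Ranger policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One Ranger-style allow rule (constructed); '*' means every schema or every table."""
    user: str
    catalog: str
    schema: str = "*"
    table: str = "*"

def parse_name(qualified):
    """Split catalog.schema.table into its parts, honouring the double-quoted
    4-layer form view."vdb02:schema02".view02 used on this page."""
    parts, buf, quoted = [], "", False
    for ch in qualified:
        if ch == '"':
            quoted = not quoted
        elif ch == "." and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    if quoted or len(parts) != 3 or not all(parts):
        raise ValueError(f"bad qualified name: {qualified!r}")
    return tuple(parts)

def can_select(policies, user, qualified):
    """True if some policy lets user select from qualified. Assumed rule: a grant
    on a bare vdb (schema 'vdb02', table '*') also covers its 'vdb02:<sub>' schemas."""
    catalog, schema, table = parse_name(qualified)
    for p in policies:
        if p.user != user or p.catalog != catalog:
            continue
        if p.schema == "*" or (p.schema == schema and p.table in ("*", table)):
            return True
        if p.table == "*" and ":" not in p.schema and p.schema == schema.split(":", 1)[0]:
            return True
    return False

VIEWS = ("view.vdb01.view01", 'view."vdb02:schema02".view02', "view.vdb02.view03")

def jack_demo():
    """Replays step 7 a/b/c: which of the three views jack can read under each grant."""
    grants = {"a": [Policy("jack", "view", "vdb01", "view01")],
              "b": [Policy("jack", "view", "vdb02:schema02", "view02")],
              "c": [Policy("jack", "view", "vdb02")]}
    return {k: tuple(can_select(pol, "jack", v) for v in VIEWS) for k, pol in grants.items()}
```

Each tuple in jack_demo() lists the outcome for view01, view02 and view03 in that order, matching the allowed and "Access Denied" results of sessions a, b and c.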

If there is anything you would like to discuss, feel free to open an issue in the community code repository; you are also welcome to add the assistant's WeChat to join the dedicated technical discussion group.


