[ranger]Different versions use different configuration files #1677

Open
wants to merge 3 commits into
base: master
42 changes: 35 additions & 7 deletions docs/admin-manual/auth/ranger.md
Expand Up @@ -239,20 +239,48 @@ Afterwards, you can see the created service in the Apache Doris plug-in on the S
## Best Practices

### Configuring Permissions

1. Create `user1` in Doris.
2. Using the `admin` user in Doris, create a Catalog named `hive`.
3. Create `user1` in Ranger.
4. Add a Policy in Ranger named `show_hive_catalog`

![ranger3](/images/ranger/ranger3.png)
#### Global Priv
Equivalent to Doris' internal authorization statement `grant select_priv on *.*.* to user1`;
- The global option can be found in the dropdown menu of the same level in the catalog
- Only `*` can be entered in the input box

![global](/images/ranger/global.png)

#### Catalog Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.*.* to user1`;

![catalog](/images/ranger/catalog.png)

#### Database Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.tpch.* to user1`;

![database](/images/ranger/database.png)

#### Table Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.tpch.user to user1`;

![table](/images/ranger/table.png)

#### Column Priv
Equivalent to Doris' internal authorization statement `grant select_priv(name,age) on hive.tpch.user to user1`;

![column](/images/ranger/column.png)

#### Resource Priv
Equivalent to Doris' internal authorization statement `grant usage_priv on resource 'resource1' to user1`;
- The resource option can be found in the dropdown menu of the same level in the catalog

5. Log in to Doris as `user1` and execute `show catalogs`; only the `hive` catalog should be visible.
6. Add a Policy in Ranger named `select_hive_catalog`
![resource](/images/ranger/resource.png)

!4ranger3](/images/ranger/ranger4.png)
#### Workload Group Priv
Equivalent to Doris' internal authorization statement `grant usage_priv on workload group 'group1' to user1`;
- The workload group option can be found in the dropdown menu of the same level in the catalog

7. Log in to Doris as `user1`. This user can now view or query all tables under any database starting with `tpch` in the `hive` catalog.
![group1](/images/ranger/group1.png)

### Row Policy Example
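
Review bot: In the list under "Configuring Permissions", steps 5 to 7 and the `ranger3.png`/`ranger4.png` screenshots appear interleaved with the new Resource Priv and Workload Group Priv sections, which reads as the old walkthrough being dropped while steps 1 to 4 stay. If so, step 4 still names a policy `show_hive_catalog` that none of the new sections refer to, and the only verification step (log in as `user1`, run `show catalogs`) is gone. Consider rewording step 4 so it introduces the per-level examples, and keep a closing check so readers can confirm the policy took effect.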

Contributor

LGTM

Expand Up @@ -239,20 +239,48 @@ Config Properties 部分参数含义如下:
## 最佳实践

### 配置权限

1. 在 Doris 中创建 `user1`。
2. 在 Doris 中,先使用 `admin` 用户创建一个 Catalog:`hive`。
3. 在 Ranger 中创建 `user1`。
4. 在 Ranger 中添加一个 Policy:`show_hive_catalog`

![ranger3](/images/ranger/ranger3.png)
#### 全局权限
相当于 Doris 内部授权语句的 `grant select_priv on *.*.* to user1`;
- catalog 同级下拉框可以找到 global 选项
- 输入框里只能输入 `*`

![global](/images/ranger/global.png)

#### Catalog 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.*.* to user1`;

![catalog](/images/ranger/catalog.png)

#### Database 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.* to user1`;

![database](/images/ranger/database.png)

#### Table 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.user to user1`;

![table](/images/ranger/table.png)

#### Column 权限
相当于 Doris 内部授权语句的 `grant select_priv(name,age) on hive.tpch.user to user1`;

![column](/images/ranger/column.png)

#### Resource 权限
相当于 Doris 内部授权语句的 `grant usage_priv on resource 'resource1' to user1`;
- catalog 同级下拉框可以找到 resource 选项

5. 使用 `user1` 登录 Doris,执行 `show catalogs`,只能看到 `hive` catalog。
6. 在 Ranger 中添加一个 Policy:`select_hive_catalog`
![resource](/images/ranger/resource.png)

![ranger4](/images/ranger/ranger4.png)
#### Workload Group 权限
相当于 Doris 内部授权语句的 `grant usage_priv on workload group 'group1' to user1`;
- catalog 同级下拉框可以找到 workload group 选项

7. 使用 `user1` 登录 Doris。该用户可以查看或查询 `hive` catalog 下,所有以 `tpch` 开头的 database 下的所有表。
![group1](/images/ranger/group1.png)

### Row Policy 示例
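
Review bot: Each "相当于 Doris 内部授权语句的 `grant ...`;" line in the new sections ends with an ASCII `;` outside the code span, so it renders as stray punctuation after the statement. Move the semicolon inside the backticks if it is meant as part of the SQL, or end the sentence with `。`. The new `####` headings are also followed directly by text with no blank line, unlike `### 配置权限` above.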

Expand Up @@ -54,7 +54,7 @@ Apache Ranger 是一个用来在 Hadoop 平台上进行监控,启用服务,

3. 重启 Ranger 服务。

4. 下载 [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
4. 下载 [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-ranger-plugin-2.1/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)

5. 执行以下命令上传定义文件到 Ranger 服务:
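
Review bot: The new link in step 4 is a `/blob/` URL, which opens the GitHub file viewer rather than the JSON itself, while step 5 uploads the file to Ranger. A reader who fetches this URL from the command line gets an HTML page instead of the service definition. Consider linking the raw file, or say in the step that the file must be saved through the Raw or download button.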

Expand Up @@ -54,7 +54,7 @@ Apache Ranger 是一个用来在 Hadoop 平台上进行监控,启用服务,

3. 重启 Ranger 服务。

4. 下载 [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
4. 下载 [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-ranger-plugin-3.0/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)

5. 执行以下命令上传定义文件到 Ranger 服务:
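
Review bot: This copy of step 4 points at `doris-ranger-plugin-3.0` while the previous hunk points at `doris-ranger-plugin-2.1`, yet the step text is identical in both. Since the PR title says different versions use different configuration files, add a short sentence stating that the service definition must match the Doris version in use, so a reader who lands on the wrong versioned page does not upload a mismatched definition.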

Expand Down Expand Up @@ -239,20 +239,48 @@ Config Properties 部分参数含义如下:
## 最佳实践

### 配置权限

1. 在 Doris 中创建 `user1`。
2. 在 Doris 中,先使用 `admin` 用户创建一个 Catalog:`hive`。
3. 在 Ranger 中创建 `user1`。
4. 在 Ranger 中添加一个 Policy:`show_hive_catalog`

![ranger3](/images/ranger/ranger3.png)
#### 全局权限
相当于 Doris 内部授权语句的 `grant select_priv on *.*.* to user1`;
- catalog 同级下拉框可以找到 global 选项
- 输入框里只能输入 `*`

![global](/images/ranger/global.png)

#### Catalog 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.*.* to user1`;

![catalog](/images/ranger/catalog.png)

#### Database 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.* to user1`;

![database](/images/ranger/database.png)

#### Table 权限
相当于 Doris 内部授权语句的 `grant select_priv on hive.tpch.user to user1`;

![table](/images/ranger/table.png)

#### Column 权限
相当于 Doris 内部授权语句的 `grant select_priv(name,age) on hive.tpch.user to user1`;

![column](/images/ranger/column.png)

#### Resource 权限
相当于 Doris 内部授权语句的 `grant usage_priv on resource 'resource1' to user1`;
- catalog 同级下拉框可以找到 resource 选项

5. 使用 `user1` 登录 Doris,执行 `show catalogs`,只能看到 `hive` catalog。
6. 在 Ranger 中添加一个 Policy:`select_hive_catalog`
![resource](/images/ranger/resource.png)

![ranger4](/images/ranger/ranger4.png)
#### Workload Group 权限
相当于 Doris 内部授权语句的 `grant usage_priv on workload group 'group1' to user1`;
- catalog 同级下拉框可以找到 workload group 选项

7. 使用 `user1` 登录 Doris。该用户可以查看或查询 `hive` catalog 下,所有以 `tpch` 开头的 database 下的所有表。
![group1](/images/ranger/group1.png)

### Row Policy 示例

Binary file added static/images/ranger/catalog.png
Binary file added static/images/ranger/column.png
Binary file added static/images/ranger/database.png
Binary file added static/images/ranger/global.png
Binary file added static/images/ranger/group1.png
Binary file added static/images/ranger/resource.png
Binary file added static/images/ranger/table.png
2 changes: 1 addition & 1 deletion versioned_docs/version-2.1/admin-manual/auth/ranger.md
Expand Up @@ -54,7 +54,7 @@ In version 2.1.0, Doris supports unified permission management by integrating Ap

3. Restart the Ranger service.

4. Download [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
4. Download [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-ranger-plugin-2.1/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)

5. Execute the following command to upload the definition file to the Ranger service:
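
Review bot: The replacement link in step 4 targets the head of the `doris-ranger-plugin-2.1` branch, so the file a reader downloads can change after these docs are published. Consider linking a tag or a specific commit instead, so that the service definition uploaded in step 5 is the one this page was written against.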

44 changes: 36 additions & 8 deletions versioned_docs/version-3.0/admin-manual/auth/ranger.md
Expand Up @@ -54,7 +54,7 @@ In version 2.1.0, Doris supports unified permission management by integrating Ap

3. Restart the Ranger service.

4. Download [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-plugin/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)
4. Download [ranger-servicedef-doris.json](https://github.com/morningman/ranger/blob/doris-ranger-plugin-3.0/agents-common/src/main/resources/service-defs/ranger-servicedef-doris.json)

5. Execute the following command to upload the definition file to the Ranger service:
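
Review bot: The versioned 2.1 and 3.0 pages now get version-specific links in step 4, but the diff for `docs/admin-manual/auth/ranger.md` (35 additions & 7 deletions) shows only the hunk at line 239 and no change to a download step. If that page carries the same step 4, state which branch it should point to, or update it in this PR so the three pages do not disagree.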

Expand Down Expand Up @@ -239,20 +239,48 @@ Afterwards, you can see the created service in the Apache Doris plug-in on the S
## Best Practices

### Configuring Permissions

1. Create `user1` in Doris.
2. Using the `admin` user in Doris, create a Catalog named `hive`.
3. Create `user1` in Ranger.
4. Add a Policy in Ranger named `show_hive_catalog`

![ranger3](/images/ranger/ranger3.png)
#### Global Priv
Equivalent to Doris' internal authorization statement `grant select_priv on *.*.* to user1`;
- The global option can be found in the dropdown menu of the same level in the catalog
- Only `*` can be entered in the input box

![global](/images/ranger/global.png)

#### Catalog Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.*.* to user1`;

![catalog](/images/ranger/catalog.png)

#### Database Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.tpch.* to user1`;

![database](/images/ranger/database.png)

#### Table Priv
Equivalent to Doris' internal authorization statement `grant select_priv on hive.tpch.user to user1`;

![table](/images/ranger/table.png)

#### Column Priv
Equivalent to Doris' internal authorization statement `grant select_priv(name,age) on hive.tpch.user to user1`;

![column](/images/ranger/column.png)

#### Resource Priv
Equivalent to Doris' internal authorization statement `grant usage_priv on resource 'resource1' to user1`;
- The resource option can be found in the dropdown menu of the same level in the catalog

5. Log in to Doris as `user1` and execute `show catalogs`; only the `hive` catalog should be visible.
6. Add a Policy in Ranger named `select_hive_catalog`
![resource](/images/ranger/resource.png)

![ranger4](/images/ranger/ranger4.png)
#### Workload Group Priv
Equivalent to Doris' internal authorization statement `grant usage_priv on workload group 'group1' to user1`;
- The workload group option can be found in the dropdown menu of the same level in the catalog

7. Log in to Doris as `user1`. This user can now view or query all tables under any database starting with `tpch` in the `hive` catalog.
![group1](/images/ranger/group1.png)

### Row Policy Example
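
Review bot: Under "Best Practices", the first example is `#### Global Priv` with `grant select_priv on *.*.* to user1`, the broadest grant in the list. Consider ordering the sections from narrowest (Column, Table) to broadest, or add a sentence to Global Priv saying it covers every catalog and that a narrower level should be used where it is sufficient.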
