tessl/maven-org-apache-ranger--ranger-plugins-common

Common library for Apache Ranger plugins providing shared functionality, models, and utilities for security policy enforcement across various big data components.

Workspace: tessl
Visibility: Public
Describes: mavenpkg:maven/org.apache.ranger/ranger-plugins-common@2.7.x

To install, run

npx @tessl/cli install tessl/maven-org-apache-ranger--ranger-plugins-common@2.7.0

Apache Ranger Plugins Common

Apache Ranger Plugins Common is a foundational Java library that provides shared functionality for all Apache Ranger plugins. It enables consistent security policy enforcement across diverse big data ecosystems through a comprehensive set of common components including plugin architecture, administrative client interfaces, policy models, context enrichers, audit facilities, and authorization utilities.

Package Information

  • Package Name: ranger-plugins-common
  • Package Type: maven
  • Language: Java
  • Group ID: org.apache.ranger
  • Artifact ID: ranger-plugins-common
  • Installation: Add to pom.xml:
<dependency>
  <groupId>org.apache.ranger</groupId>
  <artifactId>ranger-plugins-common</artifactId>
  <version>2.7.0</version>
</dependency>

Core Imports

import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;

Basic Usage

import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;

// Initialize plugin
RangerBasePlugin plugin = new RangerBasePlugin("hdfs", "MyHDFSPlugin");
plugin.init();

// Create access request
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue("path", "/user/data/file.txt");

RangerAccessRequestImpl request = new RangerAccessRequestImpl();
request.setResource(resource);
request.setAccessType("read");
request.setUser("alice");

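// Evaluate access. Treat a null result as a denial so the check fails closed.
RangerAccessResult result = plugin.isAccessAllowed(request);
if (result != null && result.getIsAllowed()) {
    System.out.println("Access granted");
} else {
    String reason = (result != null) ? result.getReason() : "no policy decision available";
    System.out.println("Access denied: " + reason);
}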

// Note: Auditing is handled automatically during access evaluation
// Access results contain audit information processed by the plugin's audit providers

Architecture

Apache Ranger Plugins Common is built around several key architectural components:

  • Plugin Framework: Core plugin architecture with RangerBasePlugin providing lifecycle management, policy evaluation, and audit logging
  • Policy Engine: RangerPolicyEngine for evaluating access policies with support for different policy types (access, data masking, row filtering)
  • Admin Client: RangerAdminClient interface and implementations for communicating with Ranger Admin server
  • Model Objects: Rich domain models (RangerPolicy, RangerServiceDef, RangerRole) representing security policies and service definitions
  • Context Enrichment: Pluggable context enrichers for attribute-based access control and dynamic policy evaluation
  • Resource Matching: Flexible resource matching framework supporting wildcards, regex, and custom matchers
  • Audit Framework: Comprehensive audit logging with pluggable audit handlers and event processing

Capabilities

Plugin Services

Core plugin framework providing the main entry point for Ranger plugins, with lifecycle management, policy evaluation, and audit integration.

public class RangerBasePlugin {
    public RangerBasePlugin(String serviceType, String appId);
    public RangerBasePlugin(String serviceType, String serviceName, String appId);
    public RangerBasePlugin(RangerPluginConfig pluginConfig);
    public void init();
    public RangerAccessResult isAccessAllowed(RangerAccessRequest request);
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor);
    public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
    public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
    public RangerResourceACLs getResourceACLs(RangerAccessRequest request);
    public void refreshPoliciesAndTags();
}

Policy Engine

Policy evaluation engine that processes access requests against configured policies, supporting access control, data masking, and row filtering policies.

public interface RangerPolicyEngine {
    RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor);
    Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType, RangerAccessResultProcessor resultProcessor);
    RangerResourceACLs getResourceACLs(RangerAccessRequest request);
}

public class RangerPolicyEngineImpl implements RangerPolicyEngine {
    public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles);
}

Admin Client

Client interface for communicating with Ranger Admin server to retrieve policies, roles, and service definitions, and to perform administrative operations.

public interface RangerAdminClient {
    void init(String serviceName, String appId, String configPropertyPrefix, Configuration config);
    ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception;
    RangerRoles getRolesIfUpdated(long lastKnownRoleVersion, long lastActivationTimeInMills) throws Exception;
    void grantAccess(GrantRevokeRequest request) throws Exception;
    void revokeAccess(GrantRevokeRequest request) throws Exception;
}

public class RangerAdminRESTClient extends AbstractRangerAdminClient {
    public void init(String serviceName, String appId, String propertyPrefix, Configuration config);
}

Policy Models

Rich domain models representing policies, service definitions, roles, and other security constructs with full serialization support.

public class RangerPolicy extends RangerBaseModelObject {
    public static final int POLICY_TYPE_ACCESS = 0;
    public static final int POLICY_TYPE_DATAMASK = 1;
    public static final int POLICY_TYPE_ROWFILTER = 2;
    
    public String getService();
    public String getName();
    public Integer getPolicyType();
    public Map<String, RangerPolicyResource> getResources();
    public List<RangerPolicyItem> getPolicyItems();
}

public class RangerServiceDef extends RangerBaseModelObject {
    public String getName();
    public List<RangerResourceDef> getResources();
    public List<RangerAccessTypeDef> getAccessTypes();
}
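
A policy review built on the model accessors above, as an added example that is not part of the original page or of Ranger itself. It flags enabled access policies that pair a bare "*" resource value with a policy item for the "public" group; BroadPolicyAudit is a hypothetical class name, and the package of ServicePolicies plus the accessors getIsEnabled(), getIsExcludes(), getValues() and getGroups() are assumed from the Ranger model classes rather than listed on this page.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyResource;
import org.apache.ranger.plugin.util.ServicePolicies;

// Added example (hypothetical class): reports "service/policyName" for each
// enabled access policy that is both wildcard-scoped and granted to "public".
public final class BroadPolicyAudit {
    private static final String PUBLIC_GROUP = "public"; // group that matches every user

    public static List<String> findPublicWildcardPolicies(ServicePolicies servicePolicies) {
        List<String> findings = new ArrayList<>();
        if (servicePolicies == null || servicePolicies.getPolicies() == null) {
            return findings;
        }
        for (RangerPolicy policy : servicePolicies.getPolicies()) {
            Integer type = policy.getPolicyType();
            // This example treats a missing policy type as an access policy.
            boolean accessPolicy = type == null || type == RangerPolicy.POLICY_TYPE_ACCESS;
            if (accessPolicy && Boolean.TRUE.equals(policy.getIsEnabled())
                    && hasWildcardResource(policy) && grantsToPublic(policy)) {
                findings.add(policy.getService() + "/" + policy.getName());
            }
        }
        return findings;
    }

    private static boolean hasWildcardResource(RangerPolicy policy) {
        if (policy.getResources() == null) return false;
        for (RangerPolicyResource res : policy.getResources().values()) {
            boolean excludes = Boolean.TRUE.equals(res.getIsExcludes());
            if (!excludes && res.getValues() != null && res.getValues().contains("*")) return true;
        }
        return false;
    }

    private static boolean grantsToPublic(RangerPolicy policy) {
        if (policy.getPolicyItems() == null) return false;
        for (RangerPolicyItem item : policy.getPolicyItems()) {
            if (item.getGroups() != null && item.getGroups().contains(PUBLIC_GROUP)) return true;
        }
        return false;
    }
}
```

The ServicePolicies argument can be the object returned by RangerAdminClient.getServicePoliciesIfUpdated; findings are candidates for manual review, not proof of a misconfiguration.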

Context Enrichment

Pluggable context enrichment framework for enhancing access requests with additional attributes for policy evaluation.

public interface RangerContextEnricher {
    void init();
    void enrich(RangerAccessRequest request);
}

public abstract class RangerAbstractContextEnricher implements RangerContextEnricher {
    // Base implementation with common functionality
}

public class RangerTagEnricher extends RangerAbstractContextEnricher {
    // Tag-based context enrichment
}
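
A custom enricher built on the interface above, as an added example that is not part of the original page or of Ranger itself. InternalNetworkEnricher and the context key IS_INTERNAL_CLIENT are hypothetical names, and the example assumes the base class lives in org.apache.ranger.plugin.contextenricher and that enrich(RangerAccessRequest) is the only method a subclass must implement.

```java
import org.apache.ranger.plugin.contextenricher.RangerAbstractContextEnricher;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;

// Added example: InternalNetworkEnricher and IS_INTERNAL_CLIENT are hypothetical names.
public class InternalNetworkEnricher extends RangerAbstractContextEnricher {
    public static final String CONTEXT_KEY = "IS_INTERNAL_CLIENT";

    @Override
    public void enrich(RangerAccessRequest request) {
        if (request == null || request.getContext() == null) {
            return;
        }
        // Default to false so a missing or malformed address never satisfies
        // a condition that requires an internal client.
        boolean internal = isRfc1918(request.getClientIPAddress());
        request.getContext().put(CONTEXT_KEY, Boolean.valueOf(internal));
    }

    // Parses a dotted-quad IPv4 literal by hand (no DNS lookup) and checks
    // 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
    static boolean isRfc1918(String ip) {
        if (ip == null) {
            return false;
        }
        String[] parts = ip.trim().split("\\.", -1);
        if (parts.length != 4) {
            return false;
        }
        int[] octets = new int[4];
        for (int i = 0; i < 4; i++) {
            if (!parts[i].matches("\\d{1,3}")) {
                return false;
            }
            octets[i] = Integer.parseInt(parts[i]);
            if (octets[i] > 255) {
                return false;
            }
        }
        return octets[0] == 10
                || (octets[0] == 172 && octets[1] >= 16 && octets[1] <= 31)
                || (octets[0] == 192 && octets[1] == 168);
    }
}
```

The attribute is only as trustworthy as the component that populated the request's client IP address, so a policy condition should not rely on it when that value comes from a client-controlled header.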

Resource Matching

Flexible resource matching framework supporting various matching strategies including wildcards, regular expressions, and custom matchers.

public interface RangerResourceMatcher {
    void init();
    boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext);
    boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext);
}

public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher {
    // Default wildcard-based matching
}

public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
    // Path-specific matching with hierarchy support
}

Authentication & Security

Kerberos authentication support and security utilities for secure communication and credential management.

public class SecureClientLogin {
    public static Subject loginUserFromKeytab(String user, String path) throws IOException;
    public static Subject loginUserWithPassword(String user, String password) throws IOException;
    public static boolean isKerberosCredentialExists(String principal, String keytabPath);
}

Types

Core Request/Response Types

public interface RangerAccessRequest {
    RangerAccessResource getResource();
    String getAccessType();
    String getUser();
    Set<String> getUserGroups();
    Set<String> getUserRoles();
    Date getAccessTime();
    String getClientIPAddress();
    Map<String, Object> getContext();
}

public class RangerAccessRequestImpl implements RangerAccessRequest {
    public RangerAccessRequestImpl();
    public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups, Set<String> userRoles);
}

public interface RangerAccessResource {
    String getOwnerUser();
    boolean exists(String name);
    String getValue(String name);
    String[] getValues(String name);
    Set<String> getKeys();
    Map<String, Object> getAsMap();
}

public class RangerAccessResult {
    public String getServiceName();
    public RangerAccessRequest getAccessRequest();
    public boolean getIsAllowed();
    public boolean getIsAudited();
    public long getPolicyId();
    public String getReason();
}

Configuration Types

public class RangerPluginConfig extends RangerConfiguration {
    public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, PolicyRefresher policyRefresher);
    public String getServiceType();
    public String getServiceName();
    public String getAppId();
}

public class ServicePolicies {
    public String getServiceName();
    public Long getPolicyVersion();
    public List<RangerPolicy> getPolicies();
    public RangerServiceDef getServiceDef();
}

Grant/Revoke Types

public class GrantRevokeRequest {
    public String getGrantor();
    public Map<String, String> getResource();
    public Set<String> getUsers();
    public Set<String> getGroups();
    public Set<String> getAccessTypes();
    public Boolean getIsRecursive();
}

public class GrantRevokeRoleRequest {
    // Role-based grant/revoke operations
}