Common library for Apache Ranger plugins providing shared functionality, models, and utilities for security policy enforcement across various big data components.
npx @tessl/cli install tessl/maven-org-apache-ranger--ranger-plugins-common@2.7.00
# Apache Ranger Plugins Common

Apache Ranger Plugins Common is a foundational Java library that provides shared functionality for all Apache Ranger plugins. It enables consistent security policy enforcement across diverse big data ecosystems through a comprehensive set of common components including plugin architecture, administrative client interfaces, policy models, context enrichers, audit facilities, and authorization utilities.

## Package Information

- **Package Name**: ranger-plugins-common
- **Package Type**: maven
- **Language**: Java
- **Group ID**: org.apache.ranger
- **Artifact ID**: ranger-plugins-common
- **Installation**: Add to pom.xml:

```xml
<dependency>
  <groupId>org.apache.ranger</groupId>
  <artifactId>ranger-plugins-common</artifactId>
  <version>2.7.0</version>
</dependency>
```

## Core Imports

```java
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.admin.client.RangerAdminClient;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerServiceDef;
```

## Basic Usage

```java
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;

// Initialize plugin
RangerBasePlugin plugin = new RangerBasePlugin("hdfs", "MyHDFSPlugin");
plugin.init();

// Create access request
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue("path", "/user/data/file.txt");

RangerAccessRequestImpl request = new RangerAccessRequestImpl();
request.setResource(resource);
request.setAccessType("read");
request.setUser("alice");

// Evaluate access
RangerAccessResult result = plugin.isAccessAllowed(request);
if (result.getIsAllowed()) {
    System.out.println("Access granted");
} else {
    System.out.println("Access denied: " + result.getReason());
}

// Note: Auditing is handled automatically during access evaluation
// Access results contain audit information processed by the plugin's audit providers
```

## Architecture

Apache Ranger Plugins Common is built around several key architectural components:

- **Plugin Framework**: Core plugin architecture with `RangerBasePlugin` providing lifecycle management, policy evaluation, and audit logging
- **Policy Engine**: `RangerPolicyEngine` for evaluating access policies with support for different policy types (access, data masking, row filtering)
- **Admin Client**: `RangerAdminClient` interface and implementations for communicating with Ranger Admin server
- **Model Objects**: Rich domain models (`RangerPolicy`, `RangerServiceDef`, `RangerRole`) representing security policies and service definitions
- **Context Enrichment**: Pluggable context enrichers for attribute-based access control and dynamic policy evaluation
- **Resource Matching**: Flexible resource matching framework supporting wildcards, regex, and custom matchers
- **Audit Framework**: Comprehensive audit logging with pluggable audit handlers and event processing

## Capabilities

### Plugin Services

Core plugin framework providing the main entry point for Ranger plugins, with lifecycle management, policy evaluation, and audit integration.

```java { .api }
public class RangerBasePlugin {
    public RangerBasePlugin(String serviceType, String appId);
    public RangerBasePlugin(String serviceType, String serviceName, String appId);
    public RangerBasePlugin(RangerPluginConfig pluginConfig);
    public void init();
    public RangerAccessResult isAccessAllowed(RangerAccessRequest request);
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests, RangerAccessResultProcessor resultProcessor);
    public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
    public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
    public RangerResourceACLs getResourceACLs(RangerAccessRequest request);
    public void refreshPoliciesAndTags();
}
```

[Plugin Services](./plugin-services.md)
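
A plugin is the enforcement point, so the code that calls it should treat anything other than an explicit allow as a denial. The following is an added example, not code from the Ranger project or from this page's original text: `FailClosedAuthorizer` is a hypothetical wrapper around the batch `isAccessAllowed` call listed above, and it assumes that a `null` or incomplete result collection means no decision was made.

```java
import java.util.Collection;
import java.util.Collections;

import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.service.RangerBasePlugin;

/** Hypothetical wrapper, not a Ranger class: only an explicit allow grants access. */
public final class FailClosedAuthorizer {
    private final RangerBasePlugin plugin;               // owner has already called init()
    private final RangerAccessResultProcessor processor; // result/audit handler supplied by the caller

    public FailClosedAuthorizer(RangerBasePlugin plugin, RangerAccessResultProcessor processor) {
        this.plugin = plugin;
        this.processor = processor;
    }

    /** Single-resource check, routed through the same all-or-nothing logic. */
    public boolean isAllowed(RangerAccessRequest request) {
        return request != null && allAllowed(Collections.singletonList(request));
    }

    /** All-or-nothing check for an operation that touches several resources. */
    public boolean allAllowed(Collection<RangerAccessRequest> requests) {
        if (requests == null || requests.isEmpty()) {
            return false; // nothing evaluated means nothing granted
        }
        try {
            Collection<RangerAccessResult> results = plugin.isAccessAllowed(requests, processor);
            if (results == null || results.size() != requests.size()) {
                return false; // assumed: no decision was produced for at least one request
            }
            for (RangerAccessResult result : results) {
                if (result == null || !result.getIsAllowed()) {
                    return false; // one denial rejects the whole operation
                }
            }
            return true;
        } catch (RuntimeException e) {
            return false; // an evaluation error must never grant access
        }
    }
}
```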

### Policy Engine

Policy evaluation engine that processes access requests against configured policies, supporting access control, data masking, and row filtering policies.

```java { .api }
public interface RangerPolicyEngine {
    RangerAccessResult evaluatePolicies(RangerAccessRequest request, int policyType, RangerAccessResultProcessor resultProcessor);
    Collection<RangerAccessResult> evaluatePolicies(Collection<RangerAccessRequest> requests, int policyType, RangerAccessResultProcessor resultProcessor);
    RangerResourceACLs getResourceACLs(RangerAccessRequest request);
}

public class RangerPolicyEngineImpl implements RangerPolicyEngine {
    public RangerPolicyEngineImpl(ServicePolicies servicePolicies, RangerPluginContext pluginContext, RangerRoles roles);
}
```

[Policy Engine](./policy-engine.md)

### Admin Client

Client interface for communicating with Ranger Admin server to retrieve policies, roles, and service definitions, and to perform administrative operations.

```java { .api }
public interface RangerAdminClient {
    void init(String serviceName, String appId, String configPropertyPrefix, Configuration config);
    ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception;
    RangerRoles getRolesIfUpdated(long lastKnownRoleVersion, long lastActivationTimeInMills) throws Exception;
    void grantAccess(GrantRevokeRequest request) throws Exception;
    void revokeAccess(GrantRevokeRequest request) throws Exception;
}

public class RangerAdminRESTClient extends AbstractRangerAdminClient {
    public void init(String serviceName, String appId, String propertyPrefix, Configuration config);
}
```

[Admin Client](./admin-client.md)

### Policy Models

Rich domain models representing policies, service definitions, roles, and other security constructs with full serialization support.

```java { .api }
public class RangerPolicy extends RangerBaseModelObject {
    public static final int POLICY_TYPE_ACCESS = 0;
    public static final int POLICY_TYPE_DATAMASK = 1;
    public static final int POLICY_TYPE_ROWFILTER = 2;

    public String getService();
    public String getName();
    public Integer getPolicyType();
    public Map<String, RangerPolicyResource> getResources();
    public List<RangerPolicyItem> getPolicyItems();
}

public class RangerServiceDef extends RangerBaseModelObject {
    public String getName();
    public List<RangerResourceDef> getResources();
    public List<RangerAccessTypeDef> getAccessTypes();
}
```

[Policy Models](./policy-models.md)

### Context Enrichment

Pluggable context enrichment framework for enhancing access requests with additional attributes for policy evaluation.

```java { .api }
public interface RangerContextEnricher {
    void init();
    void enrich(RangerAccessRequest request);
}

public abstract class RangerAbstractContextEnricher implements RangerContextEnricher {
    // Base implementation with common functionality
}

public class RangerTagEnricher extends RangerAbstractContextEnricher {
    // Tag-based context enrichment
}
```

[Context Enrichment](./context-enrichment.md)

### Resource Matching

Flexible resource matching framework supporting various matching strategies including wildcards, regular expressions, and custom matchers.

```java { .api }
public interface RangerResourceMatcher {
    void init();
    boolean isMatch(RangerAccessResource resource, Map<String, Object> evalContext);
    boolean isCompleteMatch(RangerAccessResource resource, Map<String, Object> evalContext);
}

public class RangerDefaultResourceMatcher extends RangerAbstractResourceMatcher {
    // Default wildcard-based matching
}

public class RangerPathResourceMatcher extends RangerAbstractResourceMatcher {
    // Path-specific matching with hierarchy support
}
```

[Resource Matching](./resource-matching.md)

### Authentication & Security

Kerberos authentication support and security utilities for secure communication and credential management.

```java { .api }
public class SecureClientLogin {
    public static Subject loginUserFromKeytab(String user, String path) throws IOException;
    public static Subject loginUserWithPassword(String user, String password) throws IOException;
    public static boolean isKerberosCredentialExists(String principal, String keytabPath);
}
```

[Authentication & Security](./authentication-security.md)

## Types

### Core Request/Response Types

```java { .api }
public interface RangerAccessRequest {
    RangerAccessResource getResource();
    String getAccessType();
    String getUser();
    Set<String> getUserGroups();
    Set<String> getUserRoles();
    Date getAccessTime();
    String getClientIPAddress();
    Map<String, Object> getContext();
}

public class RangerAccessRequestImpl implements RangerAccessRequest {
    public RangerAccessRequestImpl();
    public RangerAccessRequestImpl(RangerAccessResource resource, String accessType, String user, Set<String> userGroups, Set<String> userRoles);
}

public interface RangerAccessResource {
    String getOwnerUser();
    boolean exists(String name);
    String getValue(String name);
    String[] getValues(String name);
    Set<String> getKeys();
    Map<String, Object> getAsMap();
}

public class RangerAccessResult {
    public String getServiceName();
    public RangerAccessRequest getAccessRequest();
    public boolean getIsAllowed();
    public boolean getIsAudited();
    public long getPolicyId();
    public String getReason();
}
```

### Configuration Types

```java { .api }
public class RangerPluginConfig extends RangerConfiguration {
    public RangerPluginConfig(String serviceType, String serviceName, String appId, String clusterName, String clusterType, PolicyRefresher policyRefresher);
    public String getServiceType();
    public String getServiceName();
    public String getAppId();
}

public class ServicePolicies {
    public String getServiceName();
    public Long getPolicyVersion();
    public List<RangerPolicy> getPolicies();
    public RangerServiceDef getServiceDef();
}
```

### Grant/Revoke Types

```java { .api }
public class GrantRevokeRequest {
    public String getGrantor();
    public Map<String, String> getResource();
    public Set<String> getUsers();
    public Set<String> getGroups();
    public Set<String> getAccessTypes();
    public Boolean getIsRecursive();
}

public class GrantRevokeRoleRequest {
    // Role-based grant/revoke operations
}
```