tessl/maven-org-apache-ranger--ranger-plugins-common
Common library for Apache Ranger plugins providing shared functionality, models, and utilities for security policy enforcement across various big data components.
—
Pending
plugin-services.mddocs/
Plugin Services
Core plugin framework providing the main entry point for Apache Ranger plugins. This module handles plugin lifecycle management, policy evaluation, audit logging, and integration with the broader Ranger ecosystem.
Capabilities
RangerBasePlugin
The primary class that all Ranger plugins extend. Provides comprehensive plugin functionality including policy evaluation, audit logging, and lifecycle management.
/**
* Core plugin implementation that handles policy evaluation, auditing, and plugin lifecycle
*/
public class RangerBasePlugin {
/**
* Constructor for plugins with default service name
* @param serviceType - Type of service (e.g., "hdfs", "hive", "hbase")
* @param appId - Application identifier for this plugin instance
*/
public RangerBasePlugin(String serviceType, String appId);
/**
* Constructor for plugins with explicit service name
* @param serviceType - Type of service (e.g., "hdfs", "hive", "hbase")
* @param serviceName - Name of the service instance
* @param appId - Application identifier for this plugin instance
*/
public RangerBasePlugin(String serviceType, String serviceName, String appId);
/**
* Constructor with full plugin configuration
* @param pluginConfig - Complete plugin configuration
*/
public RangerBasePlugin(RangerPluginConfig pluginConfig);
/**
* Initialize the plugin - must be called before use
*/
public void init();
/**
* Cleanup plugin resources - called during shutdown
*/
public void cleanup();
/**
* Evaluate access request against policies
* @param request - Access request to evaluate
* @return Access result with allow/deny decision and audit info
*/
public RangerAccessResult isAccessAllowed(RangerAccessRequest request);
/**
* Evaluate multiple access requests
* @param requests - Collection of access requests
* @return Collection of access results
*/
public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> requests);
/**
* Evaluate data masking policies
* @param request - Access request to evaluate
* @param resultProcessor - Optional result processor for custom handling
* @return Access result with masking information
*/
public RangerAccessResult evalDataMaskPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
/**
* Evaluate row filtering policies
* @param request - Access request to evaluate
* @param resultProcessor - Optional result processor for custom handling
* @return Access result with row filter information
*/
public RangerAccessResult evalRowFilterPolicies(RangerAccessRequest request, RangerAccessResultProcessor resultProcessor);
/**
* Evaluate audit policies for access result
* @param result - Access result to evaluate for auditing
* @return Audit policy evaluation result
*/
public RangerAccessResult evalAuditPolicies(RangerAccessResult result);
/**
* Get resource ACLs for a request
* @param request - Access request
* @return Resource ACLs
*/
public RangerResourceACLs getResourceACLs(RangerAccessRequest request);
/**
* Get the service name for this plugin
* @return Service name
*/
public String getServiceName();
/**
* Get the service definition
* @return Service definition
*/
public RangerServiceDef getServiceDef();
/**
* Get current policy version
* @return Policy version number (nullable)
*/
public Long getPolicyVersion();
/**
* Get current roles version
* @return Roles version number
*/
public Long getRolesVersion();
/**
* Set policies for this plugin
* @param policies - Service policies to set
*/
public void setPolicies(ServicePolicies policies);
/**
* Refresh policies and tags from admin server
*/
public void refreshPoliciesAndTags();
}Usage Examples:
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import java.util.*;
import java.util.Arrays;
// Basic plugin setup
public class MyHDFSRangerPlugin extends RangerBasePlugin {
public MyHDFSRangerPlugin() {
super("hdfs", "MyHDFSApp");
}
@Override
public void init() {
super.init();
// Plugin-specific initialization
System.out.println("HDFS Ranger Plugin initialized");
}
}
// Initialize and use plugin
MyHDFSRangerPlugin plugin = new MyHDFSRangerPlugin();
plugin.init();
// Plugin is ready to use after init() - no separate start() method needed
// Create access request
RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
resource.setValue("path", "/user/alice/data.txt");
RangerAccessRequestImpl request = new RangerAccessRequestImpl();
request.setResource(resource);
request.setAccessType("read");
request.setUser("alice");
request.setUserGroups(new HashSet<>(Arrays.asList("users", "data-analysts")));
// Evaluate access
RangerAccessResult result = plugin.isAccessAllowed(request);
if (result.getIsAllowed()) {
System.out.println("Access granted to " + request.getUser());
} else {
System.out.println("Access denied: " + result.getReason());
}
// Auditing is handled automatically during access evaluation
// Audit policies can be evaluated separately if needed:
// RangerAccessResult auditResult = plugin.evalAuditPolicies(result);RangerBaseService
Base service implementation providing common service functionality.
/**
* Base service implementation with common functionality
*/
public class RangerBaseService {
// Common service implementation methods
}RangerChainedPlugin
Plugin implementation that supports chaining multiple policy engines.
/**
* Plugin implementation supporting policy engine chaining
*/
public class RangerChainedPlugin {
// Chained plugin functionality
}RangerDefaultRequestProcessor
Default implementation for processing access requests.
/**
* Default request processor implementation
*/
public class RangerDefaultRequestProcessor {
// Default request processing logic
}RangerAuthContext
Authentication context for plugin operations.
/**
* Authentication context for plugin operations
*/
public class RangerAuthContext {
// Authentication context methods
}RangerAuthContextListener
Listener interface for authentication context changes.
/**
* Listener for authentication context changes
*/
public interface RangerAuthContextListener {
// Authentication context change notifications
}ResourceLookupContext
Context for resource lookup operations.
/**
* Context for resource lookup operations
*/
public class ResourceLookupContext {
// Resource lookup context methods
}Plugin Lifecycle
The typical lifecycle of a Ranger plugin:
- Construction: Create plugin instance with service type and app ID
- Initialization: Call
init()to initialize configuration and connections - Starting: Call
start()to begin plugin services - Operation: Process access requests using
isAccessAllowed() - Auditing: Log all access decisions using
logAudit() - Shutdown: Call
stop()to cleanup resources
Thread Safety
RangerBasePluginis thread-safe for concurrent access evaluation- Multiple threads can safely call
isAccessAllowed()simultaneously - Audit logging is thread-safe and can be called from multiple threads
- Plugin lifecycle methods (
init(),start(),stop()) should be called from a single thread
Performance Considerations
- Cache
RangerBasePlugininstances - initialization is expensive - Use batch evaluation methods when processing multiple requests
- Plugin instances are designed to be long-lived and reused
- Policy refresh operations are optimized to minimize performance impact
Install with Tessl CLI
npx tessl i tessl/maven-org-apache-ranger--ranger-plugins-common