Hive Ranger security plugin

presto-docs/src/main/sphinx/connector/hive-security.rst

@@ -39,6 +39,10 @@ Property Value                                     Description
                                                    To alter these privileges, use the :doc:`/sql/grant` and
                                                    :doc:`/sql/revoke` commands.
                                                    See :ref:`hive-sql-standard-based-authorization` for details.
+
+``ranger``                                         Users are permitted to perform the operations as per the
+                                                   authorization policies configured in Ranger Hive service.
+                                                   See :ref:`hive-ranger-based-authorization` for details.
 ================================================== ============================================================
 
 .. _hive-sql-standard-based-authorization:
@@ -522,6 +526,96 @@ See below for an example.
       ]
     }
 
+.. _hive-ranger-based-authorization:
+
+Ranger Based Authorization
+==========================
+
+Apache Ranger is a widely used framework for providing centralized security
+administration and management.
+Ranger supports various components plugin to allow authorization policy
+management and verification by integrating with components.
+Ranger Hive plugin is used to extend authorization for Hive clients such as
+Beeline.
+Presto ranger plugin for Hive connector can be integrated with Ranger
+as a access control system to perform authorization for presto hive connector
+queries configure with polices defined Ranger Hive component . When a query is
+submitted to Presto, Presto parses and analyzes the query to understand the
+privileges required by the user to access objects such as schemas and tables.
+Once a list of these objects is created, Presto communicates with the Ranger
+service to determine if the request is valid. If the request is valid, the
+query continues to execute. If the request is invalid, because the user does
+not have the necessary privileges to query an object, an error is returned.
+Ranger policies are cached in Presto to improve performance.
+
+Authentication is handled outside of Ranger, for example using LDAP, and
+Ranger uses the authenticated user and user groups to associate with the
+policy definition.
+
+Requirements
+------------
+
+Before you configure Presto for any integration with Apache Ranger,
+verify the following prerequisites:
+
+Presto coordinator and workers have the appropriate network access to
+communicate with the Ranger service. Typically this is port 6080.
+
+Apache Ranger 2.1.0 or higher must be used
+
+Policies
+--------
+
+A policy is a combination of set of resources and the associated privileges.
+Ranger provides a user interface, or optionally a REST API, to create
+and manage these access control policies.
+
+Users, groups, and roles
+------------------------
+
+Apache Ranger has UserGroups sync mechanism by which Users, groups, and
+roles are sourced from your configured authentication system with Apache
+Ranger.
+
+Supported authorizations
+------------------------
+
+Ranger Hive service allows to configure privileges at schema, table, column
+level. Note to restrict access to specific user and groups ranger policies
+needs to configure with explict deny conditions.
+
+Access for listing schema, show tables metadata & configuring session
+properties are enabled by default.
+
+Configuration properties
+------------------------
+
+================================================== ============================================================ ============
+Property Name                                      Description                                                  Default
+================================================== ============================================================ ============
+``hive.ranger.rest-endpoint``                      URL address of the Ranger REST service. Kerberos
+                                                   authentication is not supported yet.
+
+``hive.ranger.refresh-policy-period``              Interval at which cached policies are refreshed              60s
+
+``hive.ranger.policy.hive-servicename``            Ranger Hive plugin service name
+
+``hive.ranger.service.basic-auth-username``        Ranger Hive plugin username configured with
+                                                   for Basic HTTP auth.
+
+``hive.ranger.service.basic-auth-password``        Ranger Hive plugin password configured with
+                                                   for Basic HTTP auth.
+
+``hive.ranger.service.keystore.path``              Ranger SSL configuration - client keystore file path
+
+``hive.ranger.service.keystore.password``          Ranger SSL configuration - client keystore password
+
+``hive.ranger.service.truststore.path``            Ranger SSL configuration - client trust-store file path
+
+``hive.ranger.service.truststore.password``        Ranger SSL configuration - client trust-store password
+
+================================================== ============================================================ ============
+
 HDFS wire encryption
 --------------------
 

presto-hive/pom.xml

@@ -79,6 +79,11 @@
             <scope>provided</scope>
         </dependency>
 
+        <dependency>
+            <groupId>com.facebook.presto</groupId>
+            <artifactId>presto-client</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>com.facebook.presto.hive</groupId>
             <artifactId>hive-apache</artifactId>
@@ -246,6 +251,178 @@
             <artifactId>zstd-jni</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>2.1.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>commons-beanutils</artifactId>
+                    <groupId>commons-beanutils-core</groupId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.hadoop</groupId>
+                    <artifactId>hadoop-common</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>kafka_2.10</artifactId>
+                    <groupId>org.apache.kafka</groupId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-logging</groupId>
+                    <artifactId>commons-logging-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.jackson</groupId>
+                    <artifactId>jackson-jaxrs</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.persistence</groupId>
+                    <artifactId>eclipselink</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.solr</groupId>
+                    <artifactId>solr-solrj</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.persistence</groupId>
+                    <artifactId>javax.persistence</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-annotations</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>joda-time</groupId>
+                    <artifactId>joda-time</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents</groupId>
+                    <artifactId>httpclient</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents</groupId>
+                    <artifactId>httpcore</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents</groupId>
+                    <artifactId>httpcore-nio</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.httpcomponents</groupId>
+                    <artifactId>httpasyncclient</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-codec</groupId>
+                    <artifactId>commons-codec</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.slf4j</groupId>
+                    <artifactId>slf4j-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.datatype</groupId>
+                    <artifactId>jackson-datatype-jdk8</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.dataformat</groupId>
+                    <artifactId>jackson-dataformat-cbor</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.kafka</groupId>
+                    <artifactId>kafka-clients</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.lucene</groupId>
+                    <artifactId>lucene-analyzers-common</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.zookeeper</groupId>
+                    <artifactId>zookeeper</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.carrotsearch</groupId>
+                    <artifactId>hppc</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>net.sf.jopt-simple</groupId>
+                    <artifactId>jopt-simple</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>net.java.dev.jna</groupId>
+                    <artifactId>jna</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.scala-lang</groupId>
+                    <artifactId>scala-library</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.scala-lang</groupId>
+                    <artifactId>scala-reflect</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.sun.jersey</groupId>
+                    <artifactId>jersey-bundle</artifactId>
+                </exclusion>
+                <exclusion>
+                    <artifactId>jna-platform</artifactId>
+                    <groupId>net.java.dev.jna</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>com.sun.jersey</groupId>
+            <artifactId>jersey-client</artifactId>
+            <version>1.19</version>
+            <scope>runtime</scope>
+            <exclusions>
+                <exclusion>
+                    <groupId>javax.ws.rs</groupId>
+                    <artifactId>javax.ws.rs-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.ws.rs</groupId>
+                    <artifactId>jsr311-api</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+        </dependency>
+
+        <!-- commons lang dependency -->
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+            <scope>runtime</scope>
+        </dependency>
+
         <!-- used by tests but also needed transitively -->
         <dependency>
             <groupId>com.facebook.airlift</groupId>

presto-hive/src/main/java/com/facebook/presto/hive/security/HiveSecurityModule.java

@@ -14,6 +14,7 @@
 package com.facebook.presto.hive.security;
 
 import com.facebook.airlift.configuration.AbstractConfigurationAwareModule;
+import com.facebook.presto.hive.security.ranger.RangerBasedAccessControlModule;
 import com.facebook.presto.plugin.base.security.FileBasedAccessControlModule;
 import com.facebook.presto.plugin.base.security.ReadOnlySecurityModule;
 import com.google.inject.Binder;
@@ -31,6 +32,7 @@ protected void setup(Binder binder)
         bindSecurityModule("file", new FileBasedAccessControlModule());
         bindSecurityModule("read-only", new ReadOnlySecurityModule());
         bindSecurityModule("sql-standard", new SqlStandardSecurityModule());
+        bindSecurityModule("ranger", new RangerBasedAccessControlModule());
     }
 
     private void bindSecurityModule(String name, Module module)