
Commit 0cf0465

committed
started docs
1 parent 2fe3b8c commit 0cf0465

1 file changed

+114
-0
lines changed

docs/modules/hive/pages/usage-guide/security.adoc

Lines changed: 114 additions & 0 deletions
@@ -45,3 +45,117 @@ The `kerberos.secretClass` is used to give Hive the possibility to request keyta
4545
=== 5. Access Hive
4646
In case you want to access Hive it is recommended to start up a client Pod that connects to Hive, rather than shelling into the master.
4747
We have an https://github.com/stackabletech/hive-operator/blob/main/tests/templates/kuttl/kerberos/70-install-access-hive.yaml.j2[integration test] for this exact purpose, where you can see how to connect and get a valid keytab.
48+
49+
50+
== Authorization
51+
The Stackable Operator for Apache Hive supports the following authorization methods.
52+
53+
=== Open Policy Agent (OPA)
54+
The Apache Hive metastore can be configured to delegate authorization decisions to an Open Policy Agent (OPA) instance.
55+
More information on the setup and configuration of OPA can be found in the xref:opa:index.adoc[OPA Operator documentation].
56+
A Hive cluster can be configured using OPA authorization by adding this section to the configuration:
57+
58+
[source,yaml]
59+
----
60+
spec:
61+
clusterConfig:
62+
authorization:
63+
opa:
64+
configMapName: opa # <1>
65+
package: hms # <2>
66+
----
67+
<1> The name of your OPA Stacklet (`opa` in this case)
68+
<2> The rego rule package to use for policy decisions.
69+
This is optional and defaults to the name of the Hive Stacklet.
70+
71+
==== Defining rego rules
72+
For a general explanation of how rules are written, please refer to the {opa-rego-docs}[OPA documentation].
73+
Authorization with OPA is done using the https://github.com/boschglobal/hive-metastore-opa-authorizer[hive-metastore-opa-authorizer] plugin.
74+
75+
===== OPA Inputs
76+
The payload sent by Hive with each request to OPA, that is accessible within the rego rules, has the following structure:
77+
78+
[source,json]
79+
----
80+
{
81+
"identity": {
82+
"username": "<user>",
83+
"groups": ["<group1>", "<group2>"]
84+
},
85+
"resources": {
86+
"database": null,
87+
"table": null,
88+
"partition": null,
89+
"columns": ["col1", "col2"]
90+
},
91+
"privileges": {
92+
"readRequiredPriv": [],
93+
"writeRequiredPriv": [],
94+
"inputs": null,
95+
"outputs": null
96+
}
97+
}
98+
----
99+
* `identity`: Contains user information.
100+
** `username`: The name of the user.
101+
** `groups`: A list of groups the user belongs to.
102+
* `resources`: Specifies the resources involved in the request.
103+
** `database`: The database object.
104+
** `table`: The table object.
105+
** `partition`: The partition object.
106+
** `columns`: A list of column names involved in the request.
107+
* `privileges`: Details the privileges required for the request.
108+
** `readRequiredPriv`: A list of required read privileges.
109+
** `writeRequiredPriv`: A list of required write privileges.
110+
** `inputs`: Input tables for the request.
111+
** `outputs`: Output tables for the request.
112+
113+
===== Example OPA Rego Rule
114+
Below is a basic rego rule that demonstrates how to handle input dictionary sent from the hive authorizer to OPA:
115+
116+
[source,rego]
117+
----
118+
package hms
119+
120+
default database_allow = false
121+
default table_allow = false
122+
default column_allow = false
123+
default partition_allow = false
124+
default user_allow = false
125+
126+
database_allow if {
127+
input.identity.username == "stackable"
128+
input.resources.database.name == "test_db"
129+
}
130+
131+
table_allow if {
132+
input.identity.username == "stackable"
133+
input.resources.table.dbName == "test_db"
134+
input.resources.table.tableName == "test_table"
135+
input.privileges.readRequiredPriv[0].priv == "SELECT"
136+
}
137+
138+
table_allow if {
139+
input.identity.username == "stackable"
140+
input.resources.table.dbName == "test_db"
141+
input.privileges.writeRequiredPriv[0].priv == "CREATE"
142+
}
143+
----
144+
* `database_allow` grants access if the user is `stackable` and the database is `test_db`.
145+
* `table_allow` grants access if the user is `stackable`, the database is `test_db` and:
146+
** the table is `test_table` and the required read privilege is `SELECT`.
147+
** the required write privilege is `CREATE` without any table restriction.
148+
149+
==== Configuring policy URLs
150+
151+
The `database_allow`, `table_allow`, `column_allow`, `partition_allow`, and `user_allow` policy URLs can be (config) overriden using the properties in `hive-site.xml`:
152+
* `com.bosch.bdps.opa.authorization.policy.url.database`
153+
* `com.bosch.bdps.opa.authorization.policy.url.table`
154+
* `com.bosch.bdps.opa.authorization.policy.url.column`
155+
* `com.bosch.bdps.opa.authorization.policy.url.partition`
156+
* `com.bosch.bdps.opa.authorization.policy.url.user`
157+
158+
==== TLS secured OPA cluster
159+
160+
Stackable OPA clusters secured via TLS are supported and no further configuration is required.
161+
The Stackable Hive operator automatically adds the certificate from the SecretClass used to secure the OPA cluster to its trust.
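Review bot: In the example rego rule, both `table_allow` bodies inspect only `readRequiredPriv[0]` / `writeRequiredPriv[0]`, so a request that carries more than one required privilege is decided on its first entry alone; either iterate over all entries (e.g. `every p in input.privileges.readRequiredPriv { p.priv == "SELECT" }`) or state in the bullet list under the block that the example assumes a single required privilege per request. The same block uses the `if` rule keyword without `import rego.v1` (or `import future.keywords.if`), which only parses on OPA 1.0 or newer; either add the import or say which OPA version the example targets. Since `column_allow`, `partition_allow` and `user_allow` default to `false` and no rules are given for them, every column-, partition- and user-level check is denied under this policy; that default-deny is sensible, but the text should say so explicitly so readers do not copy the snippet expecting column-level queries to succeed. Minor: "overriden" should be "overridden", "how to handle input dictionary" needs "the", and `{opa-rego-docs}` must be defined as a document attribute or the link renders literally.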
