Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

 

 

Goals

  1. Explore CDAP entities and integrate them with Cloudera Hue

  2. Use Hue's admin interface to manage ACL for Apache Sentry

Checklist

  • User stories documented (Shenggu)
  • User stories reviewed (Nitin)
  • Design documented (Shenggu)
  • Design reviewed (Andreas)
  • Feature merged (Shenggu)
  • Integration tests (Shenggu)
  • Documentation for feature (Shenggu)
  • Blog post (Shenggu)

User Stories

  • As a Hue admin, I should be able to easily configure CDAP as a plugin app in the Hue system
  • As a CDAP admin, I should be able to explore all the entities of CDAP (ex: Namespaces, Streams, Programs etc.) in Cloudera Hue's admin UI.
  • As a CDAP admin, I should be able to perform all the ACL management operations provided by Apache Sentry also in Cloudera Hue's admin UI.

Scenerios


Design

The system utilize the Cloudera Hue's interface to manage the access control configuration between CDAP and Apache Sentry. The Hue itself does not store any state during this process.

Logic view of the system

 

As shown in the above diagram, the CDAP and SENTRY support are configured as a plugin app installed in the Hue system. Hue's front system is implemented in Django, which provides good isolation and extension for multiple apps running together in a web service. A separate panel section will be created in the Hue's default UI for related operations. This app will communicate with the CDAP system through CDAP's restful api service. All the live entities will be displayed in Hue's UI. Communication with Apache SENTRY is enabled by SENTRY's thrift service. When admin grants/ evokes certain privileges through the Hue UI, it will be propagated to the SENTRY system and take effects on the further request coming from CDAP. 

 

UI Mockup

One possible UI layout is shown below. All the entities in CDAP can be listed hierarchically in the left. When click on one specific entity, user is able to view the detailed properties of this entity and manage the acl rules associated with this entity. The actual UI may vary in colors and relative layout of elements but stick to this concept.

Configuration

To configure the CDAP app in HUE, simply run ''' '''

interface AuthEnforcer {
	/**
     * Enforces authorization for the specified {@link Principal} for the specified {@link Action} on the specified {@link EntityId}.
     *
     * @param principal the principal that performs the actions. This could be a user, group or a role
     * @param entity the entity on which an action is being performed
     * @param action the action being performed
     * @throws AuthorizationException if the principal is not authorized to perform action on the entity
     */
	void enforce(Principal principal, EntityId entity, Action action) throws AuthorizationException;
}

Prototype


 

 

  • No labels