openLooKeng+Ranger+LDAP 认证鉴权能力演示

openLooKeng可以对接LDAP完成认证，同时对接Ranger完成权限控制。本次演示使用的是我们的实验openLooKeng版本（开源openLooKeng的三层结构catalog-schema-table，在实验版本中扩展为catalog-vdb-schema-table4层结构），你也可以采用开源openLooKeng达到完全相同的认证和鉴权的安全能力。

总体演示步骤：

LDAP上已经配置好用户tom，密码为：Huawei@123 在Ranger已经配置好用户tom的访问权限 通过openLooKeng Client访问相应资源，检查是否符合策略配置

环境说明： 

Testcases：

1. 未认证用户kobe访问失败

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user kobe --password
Password: 
lk> select * from view."vdb02:schema02".view02;
Error running command: Authentication failed: Access Denied: Invalid credentials

2. 在LDAP上创建用户tom（密码：Huawei@123）

Ranger-usersync即刻能同步到LDAP上新建用户的信息，可以在Ranger-admin上查询到：

3. 未在Ranger上配置tom用户可访问的资源时，查询

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user tom --password
Password: 
lk > 
lk > show catalogs;
 Catalog 
---------
 mysql   
 system  
 view    
(3 rows)
 
lk > show schemas from view;
Query 20190723_024326_00005_frwmt failed: Access Denied: Cannot access catalog view

4. 在Ranger上配置tom访问cataloge view的权限，查询

lk > show schemas from view;
       Schema       
--------------------
 information_schema 
 qqvdb              
 testschema         
 testvdb            
(4 rows)
 
Query 20190723_024637_00021_frwmt, FINISHED, 1 node
Splits: 19 total, 19 done (100.00%)
0:00 [4 rows, 60B] [20 rows/s, 310B/s]

5. 在Ranger上配置tom访问cataloge mysql的权限

6. tom创建view

• a. 3层结构

lk > create schema view.vdb01;
CREATE SCHEMA
 
lk > create view view.vdb01.view01 as select * from mysql.testdb.testtb;
CREATE VIEW
 
lk > select * from view.vdb01.view01;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_031647_00029_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [21 rows/s, 0B/s]
 

• b. 4层结构

lk > create schema view.vdb02;
CREATE SCHEMA
lk > create schema view."vdb02:schema02";
CREATE SCHEMA
lk > create view view."vdb02:schema02".view02 as select * from mysql.testdb.testtb;
CREATE VIEW
lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_031827_00035_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [20 rows/s, 0B/s]
 
lk > create view view.vdb02.view03 as select * from mysql.testdb.testtb;
CREATE VIEW
 

7. 授权view给另一个用户jack（jack已经在LDAP上创建好，密码为：jack）

• a. 授权view.vdb01.view01给jack

root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user jack --password
Password: 
lk > select * from view.vdb01.view01;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_033521_00044_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [22 rows/s, 0B/s]
 
lk > select * from view."vdb02:schema02".view02;
Query 20190723_033821_00049_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view02
 
lk > select * from view.vdb02.view03;
Query 20190723_055918_00064_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03

• b. 授权view.”vdb02:schema02″.view02给jack

lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_060319_00066_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [27 rows/s, 0B/s]
 
lk > select * from view.vdb01.view01;
Query 20190723_060322_00067_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01
 
lk > select * from view.vdb02.view03;
Query 20190723_060316_00065_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03

• c. 授权view.vdb02给jack，即包含view.vdb02.view03和view.”vdb02:schema02″.view02

lk > select * from view."vdb02:schema02".view02;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_061024_00088_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [45 rows/s, 0B/s]
 
lk > select * from view.vdb02.view03;
 id |   name   | score | comments  
----+----------+-------+-----------
  1 | zhangsan |    80 | normal    
  2 | lisi     |    85 | normal    
  3 | wangwu   |    99 | very good 
  4 | zhaoliu  |    55 | stupid    
(4 rows)
 
Query 20190723_061022_00087_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [32 rows/s, 0B/s]
 
lk > select * from view.vdb01.view01;
Query 20190723_061020_00086_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01

如果您有任何想要交流的，欢迎在社区代码仓内提Issue；也欢迎加小助手微信，进入专属技术交流群。