openLooKeng can be connected to LDAP for authentication and to Ranger for permission control. This demo uses our experimental openLooKeng version (the open source three-layer catalog-schema-table structure of openLooKeng, extended in the experimental version to a four-layer catalog-vdb-schema-table structure). You can also use open source openLooKeng to achieve exactly the same security capabilities for authentication and authorization.
General demonstration steps:
User Tom has been configured on LDAP with the password Huawei@123. User Tom has been configured on Ranger to access the related resources through the openLooKeng client.
Environment Description:
Test cases:
- The unauthenticated user kobe fails to access:
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user kobe --password
Password:
lk > select * from view."vdb02:schema02".view02;
Error running command: Authentication failed: Access Denied: Invalid credentials
- Create user Tom on LDAP (password: Huawei@123)
Ranger usersync immediately synchronizes information about new LDAP users, which can be queried on ranger-admin:
- Query while no resources accessible to user Tom have yet been configured on Ranger
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user tom --password
Password:
lk >
lk > show catalogs;
Catalog
---------
mysql
system
view
(3 rows)
lk > show schemas from view;
Query 20190723_024326_00005_frwmt failed: Access Denied: Cannot access catalog view
- Configure Tom's access to catalog view on Ranger, then query again
lk > show schemas from view;
Schema
--------------------
information_schema
qqvdb
testschema
testvdb
(4 rows)
Query 20190723_024637_00021_frwmt, FINISHED, 1 node
Splits: 0 total, 0 done (0.00%)
0:00 [4 rows, 60B]
- Configure Tom's access to catalog mysql on Ranger
- Tom creates the view
- A. 3-layer structure
lk > create schema view.vdb01;
CREATE SCHEMA
lk > create view view.vdb01.view01 as select * from mysql.testdb.testtb;
CREATE VIEW
lk > select * from view.vdb01.view01;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_031647_00029_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [21 rows/s, 0B/s]
- B. 4-layer structure
lk > create schema view.vdb02;
CREATE SCHEMA
lk > create schema view."vdb02:schema02";
CREATE SCHEMA
lk > create view view."vdb02:schema02".view02 as select * from mysql.testdb.testtb;
CREATE VIEW
lk > select * from view."vdb02:schema02".view02;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_031827_00035_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [20 rows/s, 0B/s]
lk > create view view.vdb02.view03 as select * from mysql.testdb.testtb;
CREATE VIEW
- Authorize the view to another user jack (jack has been created on LDAP with password: Jack)
- A. Grant view.vdb01.view01 to Jack
root@slave2:/home/xdz# ./openLooKeng_cli --server https://xdz3:9090 --catalog mysql --keystore-path /home/xdz/key138/openLooKeng-public.store --keystore-password Huawei@123 --user jack --password
Password:
lk > select * from view.vdb01.view01;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_033521_00044_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [22 rows/s, 0B/s]
lk > select * from view."vdb02:schema02".
Query 20190723_033821_00049_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view02
lk > select * from view.vdb02.view03;
Query 20190723_055918_00064_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03
- B. Grant view."vdb02:schema02".view02 to Jack
lk > select * from view."vdb02:schema02".view02;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_060319_00066_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [27 rows/s, 0B/s]
lk > select * from view.vdb01.view01;
Query 20190723_060322_00067_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01
lk > select * from view.vdb02.view03;
Query 20190723_060316_00065_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view03
- C. Grant view.vdb02 to Jack, which covers both view.vdb02.view03 and view."vdb02:schema02".view02
lk > select * from view."vdb02:schema02".view02;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_061024_00088_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [45 rows/s, 0B/s]
lk > select * from view.vdb02.view03;
id | name | score | comments
----+----------+-------+-----------
1 | zhangsan | 80 | normal
2 | lisi | 85 | normal
3 | wangwu | 99 | very good
4 | zhaoliu | 55 | stupid
(4 rows)
Query 20190723_061022_00087_frwmt, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
0:00 [4 rows, 0B] [32 rows/s, 0B/s]
lk > select * from view.vdb01.view01;
Query 20190723_061020_00086_frwmt failed: Access Denied: Cannot select from columns [score, comments, name, id] in table or view view01
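The test cases above show two separate decisions: LDAP rejects an unknown user outright, while Ranger lets a user see a catalog as soon as any grant inside it exists but denies a view unless a grant covers its full catalog-vdb-schema-view path. The following is an added example (not openLooKeng or Ranger code) that models those decisions with a constructed user store and constructed prefix grants, reproducing the outcomes for kobe, tom and jack; the functions, the `LDAP_USERS` and `GRANTS` tables and the prefix-matching rule are assumptions of this model.

```python
"""Toy model of the LDAP + Ranger decisions seen in the demo (constructed example)."""
import re

# Constructed user store standing in for the LDAP directory (user -> password).
LDAP_USERS = {"tom": "Huawei@123", "jack": "Jack"}

# Constructed Ranger-style grants for step C of the demo: each tuple is a
# resource prefix, and a prefix covers everything below it in the hierarchy
# catalog > vdb > schema > view. (Assumed model, not Ranger's policy format.)
GRANTS = {"tom": [("view",), ("mysql",)], "jack": [("view", "vdb02")]}

# A resource name is dot-separated; double-quoted parts may contain dots or ':'.
_PART = re.compile(r'"([^"]*)"|([^.]+)')


def parse_resource(name):
    """Split catalog.vdb[:schema].view into a tuple of hierarchy levels.

    The quoted identifier "vdb02:schema02" is one SQL name but two levels of
    the four-layer structure, so it is split on ':' after unquoting.
    """
    parts = [quoted or plain for quoted, plain in _PART.findall(name)]
    path = [parts[0]]
    for part in parts[1:]:
        path.extend(part.split(":"))
    return tuple(path)


def login(users, user, password):
    """Return 'OK' or the CLI's error text; unknown user and bad password look the same."""
    if users.get(user) != password:
        return "Authentication failed: Access Denied: Invalid credentials"
    return "OK"


def select_decision(grants, resource, columns):
    """Return 'OK' or the Access Denied text for reading the listed columns of a view."""
    path = parse_resource(resource)
    # Any grant inside the catalog makes the catalog itself visible...
    if not any(g[0] == path[0] for g in grants):
        return f"Access Denied: Cannot access catalog {path[0]}"
    # ...but reading the view requires a grant that is a prefix of its full path.
    if not any(path[:len(g)] == g for g in grants):
        return (f"Access Denied: Cannot select from columns [{', '.join(columns)}] "
                f"in table or view {path[-1]}")
    return "OK"


if __name__ == "__main__":
    cols = ["score", "comments", "name", "id"]
    print(login(LDAP_USERS, "kobe", "anything"))
    for view in ('view."vdb02:schema02".view02', "view.vdb02.view03", "view.vdb01.view01"):
        print(view, "->", select_decision(GRANTS["jack"], view, cols))
```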
If you have anything you want to discuss, feel free to open an Issue in the community code repository. You are also welcome to add the assistant's WeChat account to join the technical exchange group.