Make PrivilegesEvaluator extensible through config (Contribute to the repo)

Hi all,

I want to make the PrivilegesEvaluator flexible so that any user can use his/her own implementation of PrivilegesEvaluator.
This is the idea:

  1. Introduce a new property as to which evaluator is to be initialized.
  2. Create an abstract class Evaluator. // Parent class of any evaluator
    PrivilegesEvaluator implements the abstract class (only overrides the evaluate() API).
  3. Similarly, create an abstract class EvaluatorResponse. // Parent class of any evaluatorResponse
  4. Create an EvaluatorFactory which returns the specified evaluator to be used when invoked.

Here are the links for the PrivilegesEvaluator and PrivilegesEvaluatorResponse classes:

  1. https://github.com/opendistro-for-elasticsearch/security/blob/master/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java
  2. https://github.com/opendistro-for-elasticsearch/security/blob/master/src/main/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluatorResponse.java

Is this design viable to be contributed? If not, please suggest changes.

1 Like

Anyone? Please help…

Thanks Divyansh! We will get back to you in the next few days. Apologies for the delay.

Sure! Please do get back ASAP as I have already started working on this. Any suggestions would be valuable.

Hi Divyansh, can you provide a concrete use case for extending the PrivilegesEvaluator class? What functionality is missing in the existing PrivilegesEvaluator?

Hi Vlad, I want to integrate security with Apache Ranger, so I can provide the permissions using the Ranger UI. For this I need to write a custom evaluator which uses the Ranger API to check authorization through Ranger (like we can for Hive, HBase, Kafka, HDFS etc.). Also, I don’t want to overwrite the existing implementation, so I came up with this solution. If the evaluator is configurable, I can just use my implementation through a config change.

An article on what I’ll be using to achieve this:
https://bryanbende.com/development/2016/04/25/building-a-plugin-for-apache-ranger

1 Like

Hi Divyansh, the use case looks valid to me and it will be great to support it. Please open a new issue on GitHub for the security plugin and feel free to open a PR to discuss code changes.

Thank you,

Vlad

2 Likes