
I am developing a server application in Django REST framework which in turn uses Apache Knox REST APIs to work with Spark sessions (create session, get session, cancel session, ...). Apache Knox supports service-level authorization, but I need API-level authorization, which checks whether the user has permission to call the given REST API. Some suggested that I use Apache Ranger, but it has no support for REST API authorization. Is there a way so that Knox and Ranger work together for the purpose of REST API-level authorization?

Thanks for any help

Ebrahim

2 Answers


Currently Apache Ranger doesn't support Spark authorization. You have to rely on Spark ACLs for now.

However, there is a feature request raised for Spark SQL, so in future you can make use of it for other Spark SQL operations; but for operations like create, get and cancel, you have to rely on Spark ACLs.

rikamamanus
  • Thanks @rikamamanus for your answer. I could manage to improve the Ranger plugin for KNOX to be able to have method-level authorization for REST API. – Ebrahim Jan 11 '21 at 10:33


REST API authorization is probably not exactly what you want here, though it can easily be mapped to it. The design in play here is one of a layered approach to security. The gateway is providing service-level authorization at the edge. Finer-grained authorization should be available at or closer to the resource itself. Ranger plugins exist throughout the ecosystem and will allow for the same policies to be enforced regardless of the path to the resource. Considering that the Knox gateway is only one way to access the proxied resources, and that the same resources are available within the cluster with direct access, enforcing only at the gateway is insufficient. However, you can limit external actors from taxing the resources within the system with finer-grained permission checks if they don't have access to the service at all.

That said, the Apache Knox gateway is very extensible and you could write your own authorization provider or extend the ACLs provider to do what you want. Just don't forget to protect the other paths to the same resources.

lmccay
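As an added illustration of the layered approach described in the answer above (this is example code written for this page, not code from Knox, Ranger, or either answerer), the following Python sketch evaluates two layers for each proxied request: a service-level ACL whose semantics follow Knox's AclsAuthz provider (an ACL string of the form `users;groups;ips` evaluated in AND or OR mode), and then a per-method/path rule table standing in for the "API-level" check the question asks for. That second layer, the `ApiRule` table, the Livy-style `/sessions` paths, and the sample users and CIDR ranges are all assumptions constructed for the example; they are not a Knox or Ranger feature.

```python
"""Two-layer authorization check for REST calls proxied through a gateway (example code).

Layer 1 mirrors the semantics of Knox's AclsAuthz provider: an ACL string
'users;groups;ips', where each field is a comma list or '*', evaluated with
mode AND (all three fields must match) or OR (any one field suffices).
Layer 2 is a hypothetical API-level layer keyed on (HTTP method, path pattern).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    ip: str


@dataclass(frozen=True)
class ServiceAcl:
    """Service-level ACL: who may reach the proxied service at all."""
    users: FrozenSet[str]
    groups: FrozenSet[str]
    ips: FrozenSet[str]   # CIDR blocks, or '*' for any address
    mode: str = "AND"

    @classmethod
    def parse(cls, acl: str, mode: str = "AND") -> "ServiceAcl":
        parts = [p.strip() for p in acl.split(";")]
        if len(parts) != 3:
            raise ValueError("ACL must have the form 'users;groups;ips'")
        if mode not in ("AND", "OR"):
            raise ValueError("mode must be AND or OR")
        users, groups, ips = (
            frozenset(x.strip() for x in p.split(",") if x.strip()) for p in parts
        )
        return cls(users, groups, ips, mode)

    def allows(self, p: Principal) -> bool:
        user_ok = "*" in self.users or p.user in self.users
        group_ok = "*" in self.groups or bool(self.groups & p.groups)
        if "*" in self.ips:
            ip_ok = True
        else:
            addr = ipaddress.ip_address(p.ip)
            ip_ok = any(addr in ipaddress.ip_network(c, strict=False) for c in self.ips)
        checks = (user_ok, group_ok, ip_ok)
        # Note: in OR mode a '*' in any field grants access to everyone.
        return all(checks) if self.mode == "AND" else any(checks)


@dataclass(frozen=True)
class ApiRule:
    """Hypothetical API-level rule: groups allowed to call `methods` on paths matching `path_re`."""
    methods: FrozenSet[str]
    path_re: re.Pattern
    groups: FrozenSet[str]

    def matches(self, method: str, path: str) -> bool:
        return method.upper() in self.methods and self.path_re.fullmatch(path) is not None


def authorize(p: Principal, method: str, path: str,
              service_acl: ServiceAcl, api_rules: List[ApiRule]) -> Tuple[bool, str]:
    """Service ACL first, then the first matching API rule; anything unmatched is denied."""
    if not service_acl.allows(p):
        return False, "denied: service-level ACL"
    for rule in api_rules:
        if rule.matches(method, path):
            if "*" in rule.groups or rule.groups & p.groups:
                return True, f"allowed: rule {rule.path_re.pattern}"
            return False, f"denied: rule {rule.path_re.pattern}"
    return False, "denied: no matching API rule (default deny)"


# Constructed sample policy for a Spark-session service; the Livy-style paths,
# group names and address ranges are assumptions made for this example.
SERVICE_ACL = ServiceAcl.parse("*;analysts,admins;10.0.0.0/8", mode="AND")
API_RULES = [
    ApiRule(frozenset({"GET"}), re.compile(r"/sessions(/\d+)?"), frozenset({"analysts", "admins"})),
    ApiRule(frozenset({"POST"}), re.compile(r"/sessions"), frozenset({"analysts", "admins"})),
    ApiRule(frozenset({"DELETE"}), re.compile(r"/sessions/\d+"), frozenset({"admins"})),
]


def decide(user: str, groups: FrozenSet[str], ip: str, method: str, path: str) -> Tuple[bool, str]:
    """Convenience wrapper evaluating the sample policy for one request."""
    return authorize(Principal(user, groups, ip), method, path, SERVICE_ACL, API_RULES)


if __name__ == "__main__":
    for req in [("alice", frozenset({"analysts"}), "10.0.0.5", "GET", "/sessions/42"),
                ("alice", frozenset({"analysts"}), "10.0.0.5", "DELETE", "/sessions/42"),
                ("bob", frozenset({"admins"}), "10.0.0.6", "DELETE", "/sessions/42"),
                ("eve", frozenset({"analysts"}), "203.0.113.9", "GET", "/sessions")]:
        print(req[0], req[3], req[4], "->", decide(*req))
```

The order of the two checks matters for the point the answer makes: a caller who fails the service-level ACL never reaches the method-level table, so the gateway still shields the backing service from external load, while the method-level table only refines what an already-admitted caller may do. Since the same Spark sessions remain reachable inside the cluster without passing through the gateway, this table does not replace a resource-side check; it complements it.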