@@ -65,6 +65,8 @@ poyee 的鉴权体系有两条并行的入口链路,共用同一套 Ranger 策
## 2. 认证授权审计链路
+**链路 A:Hue / HiveServer2(身份 = LDAP)**
+
```mermaid
sequenceDiagram
participant U as User(Analyst)
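Review bot: the new label on the `+**链路 A:Hue / HiveServer2(身份 = LDAP)**` line is a bold paragraph rather than a `###` sub-heading, so it will not appear in a generated table of contents under `## 2. 认证授权审计链路` even though section 2 now describes two named chains; consider `### 链路 A:Hue / HiveServer2(身份 = LDAP)` (and the same for chain B) so the two entry paths that share one Ranger policy set are navigable. The label also names the identity source (LDAP) but not the principal the Ranger plugins actually evaluate; since the chain B diagram spells out `user=Unix 账号,无 doAs` on each step, stating the equivalent here (whether HiveServer2 impersonates the LDAP user or calls HMS/HDFS as its own service account) would make the comparison between the two chains explicit.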
@@ -92,6 +94,33 @@ sequenceDiagram
NN->>HDFS: 写审计日志
```
+**链路 B:PySpark / spark-submit / DS JOB(身份 = Unix 账号)**
+
+```mermaid
+sequenceDiagram
+ participant D as Dev / DS tenant
+ participant PS as PySpark / spark-submit
+ participant YARN as YARN ResourceManager
+ participant HMS as Hive Metastore (Ranger Hive Plugin)
+ participant RAdmin as Ranger Admin
+ participant NN as NameNode (Ranger HDFS Plugin)
+ participant HDFS as HDFS / Solr
+
+ D->>PS: ssh / ds tenant 发起(Unix 账号:bigdata / dolphinscheduler / 个人 unix)
+ PS->>YARN: 提交 application(spark.yarn.principal = 提交者 Unix 账号)
+ YARN-->>PS: 分配 Driver / Executor
+ PS->>HMS: 读 / 写 Hive 元数据(user=Unix 账号)
+ HMS->>RAdmin: 拉取策略(缓存)
+ HMS->>HMS: Ranger Hive 插件 库/表/列 授权
+ HMS-->>PS: 元数据 / 位置信息
+ PS->>NN: 直读 / 直写 HDFS(user=Unix 账号,无 doAs)
+ NN->>RAdmin: 拉取策略(缓存)
+ NN->>NN: Ranger HDFS 插件 路径授权
+ NN-->>PS: 允许 / 拒绝
+ HMS->>HDFS: 写审计日志到 /ranger/audit
+ NN->>HDFS: 写审计日志
+```
+
## 3. 账号体系(开发视角)
| 账号类型 | 来源 | 用途 |
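Review bot: the line `+    PS->>YARN: 提交 application(spark.yarn.principal = 提交者 Unix 账号)` conflates two different identities: `spark.yarn.principal` is a Kerberos principal used for a keytab login, whereas every later step in the diagram (`user=Unix 账号,无 doAs`) describes the identity as the submitter's OS account. The document should say which authentication mode the cluster runs, because the guarantee differs: under Kerberos the user that HMS and the NameNode evaluate against the Ranger Hive/HDFS policies is the authenticated principal, while under simple authentication the user name is asserted by the client, so the path policies on the NameNode are only as strong as control over the hosts allowed to submit. Related, `D->>PS: ssh / ds tenant 发起(Unix 账号:bigdata / dolphinscheduler / 个人 unix)` lists shared service accounts, so the audit records written in `HMS->>HDFS: 写审计日志到 /ranger/audit` and `NN->>HDFS: 写审计日志` will attribute DS job access to `bigdata` / `dolphinscheduler` rather than to the person who scheduled the job; a sentence on how a DS job or tenant is correlated back to an individual would close that gap. Minor: the participant is declared as `HDFS / Solr`, but both audit messages name only HDFS; either drop Solr from the label or show it as the audit sink it is meant to be.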