I want to make the PrivilegesEvaluator flexible so that any user can use his/her own implementation of PrivilegesEvaluator.
This is the idea:
- Introduce a new property as to which evaluator is to be initialized
- Create an abstract class Evaluator. // Parent class of any evaluator
- PrivilegesEvaluator implements the abstract class (only override the evaluate() API)
- Create abstract class EvaluatorResponse // Parent class of any evaluatorResponse
- Create an EvaluatorFactory which returns the specified evaluator to be used when invoked.
Here are the links for PrivilegesEvaluator and PrivilegesEvaluatorResponse classes :
- security/PrivilegesEvaluator.java at main · opendistro-for-elasticsearch/security · GitHub
- security/PrivilegesEvaluatorResponse.java at main · opendistro-for-elasticsearch/security · GitHub
Is this design viable to be contributed? If not, please suggest changes.
Thanks Divyansh! We will get back to you in the next few days. Apologies for the delay.
Sure! Please do get back asap as I have already started working on this. Any suggestions would be valuable.
Hi Divyansh, can you provide a concrete use case for extending the PrivilegesEvaluator class? What functionality is missing in the existing PrivilegesEvaluator?
Hi Vlad, I want to integrate security with Apache Ranger, so I can provide the permissions using the Ranger UI. For this I need to write a custom evaluator which uses the Ranger API to check authorization through Ranger (like we can for Hive, HBase, Kafka, HDFS etc). Also, I don’t want to overwrite the existing implementation, so I came up with this solution. If the evaluator is configurable, I can just use my implementation through a config change.
An article on what I’ll be using to achieve this:
Hi Divyansh, the use case looks valid to me and it will be great to support it. Please open a new issue on GitHub for the security plugin and feel free to open a PR to discuss code changes.
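The design proposed in the first post, sketched as an added example that is not code from the thread or from the security plugin: every class here, the simplified `evaluate(user, action)` signature and the property key `example.security.evaluator.class` are hypothetical stand-ins. The factory keeps the built-in evaluator when the property is unset and refuses to start when the configured class cannot be loaded or is not an `Evaluator`, rather than silently falling back to a different authorization policy.

```java
import java.util.Map;
import java.util.Set;
// Hypothetical names throughout: simplified stand-ins, not the plugin's classes.
public class EvaluatorFactoryDemo {
    public static void main(String[] args) {
        Evaluator ev = EvaluatorFactory.create(Map.of()); // property unset
        System.out.println(ev.evaluate("alice", "indices:data/read/search").isAllowed());
        System.out.println(ev.evaluate("bob", "indices:data/read/search").isAllowed());
    }
}

abstract class EvaluatorResponse {
    abstract boolean isAllowed();
}
abstract class Evaluator {
    // Assumption: the real evaluate() takes more context than user and action.
    abstract EvaluatorResponse evaluate(String user, String action);
}

final class SimpleResponse extends EvaluatorResponse {
    private final boolean allowed;
    SimpleResponse(boolean allowed) { this.allowed = allowed; }
    @Override boolean isAllowed() { return allowed; }
}

// Stand-in for the built-in evaluator: allows only actions granted per user.
final class DefaultEvaluator extends Evaluator {
    private static final Map<String, Set<String>> GRANTS =
        Map.of("alice", Set.of("indices:data/read/search")); // constructed sample data
    @Override EvaluatorResponse evaluate(String user, String action) {
        return new SimpleResponse(GRANTS.getOrDefault(user, Set.of()).contains(action));
    }
}

final class EvaluatorFactory {
    static final String PROPERTY = "example.security.evaluator.class"; // hypothetical key
    static Evaluator create(Map<String, String> settings) {
        String name = settings.get(PROPERTY);
        if (name == null) return new DefaultEvaluator(); // unset: keep built-in behaviour
        try {
            // asSubclass rejects any configured class that is not an Evaluator.
            Class<? extends Evaluator> type = Class.forName(name).asSubclass(Evaluator.class);
            return type.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            // Fail closed: a broken setting must not change the policy silently.
            throw new IllegalStateException("Cannot load evaluator " + name, e);
        }
    }
}
```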