raz-client 1.1.0

boto3 plugin for S3 Ranger authorization

RAZ Client

RAZ Client python package provides plugin to boto3 library to use Apache Ranger for granular authorization for S3 access

Prerequisites

• Python 3.8 or higher
• Protocol Buffers version 4.25

---

Installation

To install using pip from the raz_client PyPI project:

$ pip install raz_client

---

Usage

• The client assumes a kinited user session and will use the same principle to negotiate the authentication with the RAZ server.
• Create a boto3 client of type s3.

  client = boto3.client("s3")
  

• Create a configuration object of type configuration by importing it from the raz_python package.

  conf = Configuration()
  

• Add the basic raz server configs by adding them via script or using a hadoop configuration file. Examples for both are present in the examples folder.
• Configure the boto3 client by calling the configure_ranger_raz(client, conf) method from the raz_client lib.
• The client is ready to be used as it is now.

---

Example

Look at the example directory for example usage of different options and different APIs.

Basic startup code for usage:

import boto3
import raz_client

client = boto3.client("s3")

# configure the client. The client uses the kerberos credentials of the logged in user for authorization
raz_client.configure_ranger_raz(client)

# To configure SSL certificate,
# 1. Download the certificate: CDP UI -> environment -> FreeIPA -> Get FreeIPA certificate
# 2. Configure the certificate path: 
# raz_client.configure_ranger_raz(client, ssl_file="<ssl_filepath>")
 
# list objects in bucket
result = client.list_objects(Bucket="<bucket name>", Prefix="/")
print(result)

---

List of Supported Operations

• abort_multipart_upload

• complete_multipart_upload

• copy

• copy_object

• create_multipart_upload

• delete_object

• delete_objects

• download_file

• download_fileobj

• get_bucket_acl

• get_bucket_location

• get_object

• head_bucket

• head_object

• list_buckets(in process)

• list_multipart_uploads

• list_objects

• List_objects_v2

• list_parts

• put_object

• select_object_content

• upload_file

• upload_fileobj

• upload_part

• upload_part_copy

---

Configuration

The Configuration object provided can be used to pass additional parameters to the client. The user specified configs will override the raz server default configs.

Raz Constant	Key	Description
RAZ_URL_KEY	fs.s3a.ext.raz.rest.host.url	URL for the RAZ server along with port. There is no default value for this and is required by the user. Eg: https://raz_node:6082/
USE_SSL_VERIFICATION	raz.client.use.ssl.verification	Enable ssl verification on the client for talking to raz server for additional security. This config expects a True or False value. It is turned off by default.
SSL_CERT_LOCATION	raz.client.ssl.cert.location	Path to the SSL cert location. If the path is not set but USE_SSL_VERIFICATION is set to true the client will throw an error. For more info on the SSL Cert kind refer to this. This config expects the absolute path to the file.
RAZ_CLIENT_USE_DELEGATION_TOKEN	raz.client.use.delegation.token	Use delegation token for authenticating requests to RAZ Server. This means that on every request there won't be a kerberos handshake, making the authorization faster. Kerberos' authentication will still be required at the time of token creation and renewal. This config expects a True or False value.
RAZ_DELEGATION_TOKEN_VALIDITY	raz.client.delegation.token.validity	Validity of the delegation token, it is by default set to 15 minutes and can be increased or decreased. The client doesn't renew the delegation token asynchronously instead it renews the token on the request made after the expiry time. The value is set in seconds. Eg: To renew delegation token at 10 minutes set it to 10 * 60
RAZ_CLIENT_ENABLE_DEBUG_MODE	raz.client.enable.debug.mode	Enables the debug mode on the client. Set it to True to print all the debug info of the client.

---

License

Copyright (c) 2023 Cloudera, Inc. All Rights Reserved. This software and any associated use of this software is governed exclusively by the Cloudera Standard License included in the accompanying LICENSE.txt file or found at Cloudera License