raz-client 1.0.2



RAZ Client
The RAZ Client Python package provides a plugin for the boto3 library that uses Apache Ranger for granular authorization of S3 access.
Prerequisites

Python 3.6 or higher
Protocol Buffers version 4.21


Installation
To install using pip from the raz_client PyPI project:
$ pip install raz_client


Usage

The client assumes a kinited user session and will use the same principal to negotiate authentication with the RAZ server.

Create a boto3 client of type s3.
client = boto3.client("s3")



Create a configuration object of type Configuration by importing it from the raz_python package.
conf = Configuration()



Add the basic raz server configs by adding them via script or using a hadoop configuration file. Examples for both
are present in the examples folder.

Configure the boto3 client by calling the configure_ranger_raz(client, conf) method from the raz_client lib.

The client is ready to be used as it is now.



Example
Look at the example directory for example usage of different options and different APIs.
Basic startup code for usage:
import boto3
import raz_client

client = boto3.client("s3")

# configure the client. The client uses the kerberos credentials of the logged in user for authorization
raz_client.configure_ranger_raz(client)

# To configure SSL certificate,
# 1. Download the certificate: CDP UI -> environment -> FreeIPA -> Get FreeIPA certificate
# 2. Configure the certificate path:
# raz_client.configure_ranger_raz(client, ssl_file="<ssl_filepath>")

# list objects in bucket
result = client.list_objects(Bucket="<bucket name>", Prefix="/")
print(result)


Configuration
The Configuration object provided can be used to pass additional parameters to the client. The user specified configs
will override the raz server default configs.


| Raz Constant | Key | Description |
| --- | --- | --- |
| RAZ_URL_KEY | fs.s3a.ext.raz.rest.host.url | URL for the RAZ server along with port. There is no default value; it must be supplied by the user. Eg: https://raz_node:6082/ |
| USE_SSL_VERIFICATION | raz.client.use.ssl.verification | Enable SSL verification on the client for talking to the RAZ server, for additional security. This config expects a True or False value. It is turned off by default. |
| SSL_CERT_LOCATION | raz.client.ssl.cert.location | Path to the SSL cert location. If the path is not set but USE_SSL_VERIFICATION is set to true, the client will throw an error. For more info on the SSL Cert kind refer to this. This config expects the absolute path to the file. |
| RAZ_CLIENT_USE_DELEGATION_TOKEN | raz.client.use.delegation.token | Use a delegation token for authenticating requests to the RAZ server. This means that there won't be a Kerberos handshake on every request, making the authorization faster. Kerberos authentication will still be required at the time of token creation and renewal. This config expects a True or False value. |
| RAZ_DELEGATION_TOKEN_VALIDITY | raz.client.delegation.token.validity | Validity of the delegation token. It is set to 15 minutes by default and can be increased or decreased. The client doesn't renew the delegation token asynchronously; instead it renews the token on the request made after the expiry time. The value is set in seconds. Eg: To renew the delegation token at 10 minutes, set it to 10 * 60 |
| RAZ_CLIENT_ENABLE_DEBUG_MODE | raz.client.enable.debug.mode | Enables the debug mode on the client. Set it to True to print all the debug info of the client. |


License
Copyright (c) 2023 Cloudera, Inc. All Rights Reserved.
This software and any associated use of this software is governed exclusively
by the Cloudera Standard License included in the accompanying LICENSE.txt file or found at
Cloudera License

License:

For personal and professional use. You cannot resell or redistribute these repositories in their original state.
