
feat(security): Use Apache Ranger for access control #1262

Closed
wants to merge 1 commit into from

Conversation

WHBANG
Contributor

@WHBANG WHBANG commented Nov 29, 2022

What problem does this PR solve?

#1054

What is changed and how does it work?

  1. The class diagram
    [image: class diagram]

First, you need to add the ACL-related configurations. The client configuration has not changed; the server has added new configurations:

enable_ranger_acl: indicates whether to use ranger for acl
ranger_service_url: ranger server url
ranger_service_name: use ranger policy name
mandatory_enable_acl: mandatory use of the ranger policy, currently used for testing

The details are as follows:

server
```ini
[security]
  update_ranger_policy_interval_sec
[ranger]
  ranger_service_url
  ranger_service_name
  ranger_legacy_table_database_mapping_rule
  mandatory_enable_acl
[security]
  enable_auth = true
  krb5_keytab = /root/apache/pegasus.keytab
  krb5_config = /etc/krb5.conf
  krb5_principal = XXXXX
  sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
  service_fqdn = XXXXX
  service_name = XXXXX
  mandatory_auth = true
  enable_acl = true
  super_users =
  meta_acl_rpc_allow_list =
  enable_ranger_acl = true
```
java client
```ini
meta_servers = 127.0.0.1:34601,127.0.0.1:34602,127.0.0.1:34603
operation_timeout = 5000
async_workers = 4
enable_perf_counter = false
perf_counter_tags = cluster=onebox,app=unit_test
push_counter_interval_secs = 10
meta_query_timeout = 5000
auth_protocol = kerberos
kerberos_service_name = XXXXX
kerberos_service_fqdn = XXXXX
kerberos_keytab = /root/apache/pegasus.keytab
kerberos_principal = XXXXX
```
shell
```ini
[security]
  enable_auth = true
  krb5_keytab = /root/apache/pegasus.keytab
  krb5_config = /etc/krb5.conf
  krb5_principal = XXXXX
  sasl_plugin_path = /root/apache/incubator-pegasus/thirdparty/output/lib/sasl2
  service_fqdn = XXXXX
  service_name = XXXXX
```

Second, compatibility:
The old ACL mode is retained.

  1. Use the old ACL
```ini
enable_acl = true
enable_ranger_acl = false
```
  2. Use ranger for ACL
```ini
enable_acl = true
enable_ranger_acl = true
```

Third, define the ranger policy:
  • Pegasus resources can be divided into multiple types, and the operation types of each resource can also be divided. One operation type corresponds to one ACL symbol.

[image: resource types, operation types and their ACL symbols]

  • ACLs on each type of resource correspond to specific rpc_code values.

[images: rpc_code mapping tables for each resource type]

Fourth, pegasus + ranger:

After completing the integration of ranger with pegasus, you can set permissions on the ranger web page according to your own needs.

[images: Ranger web UI policy settings]

Checklist

Tests
  • Manual test (add detailed scripts or steps below)
Code changes
  • Has exported function/method change
  • Has exported variable/fields change
  • Has interface methods change
  • Has persistent data change
Side effects
  • Possible performance regression
  • Increased code complexity
  • Breaking backward compatibility
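As an added illustration (not code from this PR or from Pegasus), the following Python models the access decision the description outlines: the two switches `enable_acl` / `enable_ranger_acl` select the ACL mode, an rpc code is mapped to an operation type on the table resource, and a Ranger-style policy set is evaluated for the requesting user, with `super_users` bypassing the check. The policy schema, the rpc-code mapping, the table names and all function names are simplified assumptions; the pre-existing (non-Ranger) ACL mode is not modelled.

```python
import fnmatch

# Constructed, simplified Ranger-style policy set (not the real Ranger JSON schema).
POLICIES = [
    {"name": "orders-readers", "resources": {"table": ["orders*"]},
     "policyItems": [
         {"users": ["alice"], "accesses": [{"type": "read", "isAllowed": True}]},
         {"users": ["bob"], "accesses": [{"type": "read", "isAllowed": True},
                                         {"type": "write", "isAllowed": True}]},
     ]},
]

# Assumed mapping of rpc codes to an operation type on the table resource.
RPC_TO_ACCESS = {
    "RPC_RRDB_RRDB_GET": "read", "RPC_RRDB_RRDB_MULTI_GET": "read",
    "RPC_RRDB_RRDB_PUT": "write", "RPC_RRDB_RRDB_REMOVE": "write",
}


def resolve_acl_mode(enable_acl, enable_ranger_acl):
    """Return 'disabled', 'legacy' or 'ranger' from the two compatibility switches."""
    if not enable_acl:
        return "disabled"
    return "ranger" if enable_ranger_acl else "legacy"


def ranger_allows(policies, user, table, access):
    """True only on an explicit allow from a policy whose table pattern matches."""
    for policy in policies:
        if not any(fnmatch.fnmatch(table, pat) for pat in policy["resources"]["table"]):
            continue
        for item in policy["policyItems"]:
            if user in item["users"] and any(
                    a["type"] == access and a["isAllowed"] for a in item["accesses"]):
                return True
    return False  # no matching allow: deny by default


def authorize(user, rpc_code, table, cfg, policies=POLICIES):
    """Decision for the Ranger ACL path; cfg mirrors the [security] keys above."""
    if resolve_acl_mode(cfg["enable_acl"], cfg["enable_ranger_acl"]) == "disabled":
        return True
    if user in cfg.get("super_users", ()):
        return True  # super_users bypass policy evaluation
    access = RPC_TO_ACCESS.get(rpc_code)
    if access is None:
        return False  # unknown rpc code: fail closed rather than open
    return ranger_allows(policies, user, table, access)
```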

@acelyc111
Member

Thanks, as we discussed elsewhere, let's prepare more about the patch.

@acelyc111
Member

@WHBANG Thanks for the contribution! It's a wonderful feature for Pegasus.

This is a big change near 2k lines changed, could you please list the small points of this patch and split it into small patches, then achieve the goal step by step. It's meaningful to ensure code quality and make it easier to review.

Thanks!

@acelyc111
Member

Implemented by other patches; closing this one.

acelyc111 closed this Apr 17, 2023