This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch branch-2.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-2.1 by this push:
new 2425730609d [enhance](auth)support cache ranger datamask and row
filter (#37723) (#38575)
2425730609d is described below
commit 2425730609dfa80b6d15f208aae8a5d4abfc4ef6
Author: zhangdong <[email protected]>
AuthorDate: Fri Aug 2 14:59:32 2024 +0800
[enhance](auth)support cache ranger datamask and row filter (#37723)
(#38575)
pick: https://github.com/apache/doris/pull/37723
---
.../main/java/org/apache/doris/common/Config.java | 6 ++
.../ranger/cache/CatalogCacheAccessController.java | 84 ++++++++++++++++
.../authorizer/ranger/cache/DatamaskCacheKey.java | 89 +++++++++++++++++
.../authorizer/ranger/cache/RangerCache.java | 107 +++++++++++++++++++++
.../RangerCacheInvalidateListener.java} | 25 +++--
.../authorizer/ranger/cache/RowFilterCacheKey.java | 82 ++++++++++++++++
.../doris/RangerCacheDorisAccessController.java | 44 +++++++++
.../ranger/doris/RangerDorisAccessController.java | 7 +-
.../authorizer/ranger/doris/RangerDorisPlugin.java | 6 ++
...y.java => RangerCacheHiveAccessController.java} | 25 ++++-
.../ranger/hive/RangerHiveAccessController.java | 8 +-
.../hive/RangerHiveAccessControllerFactory.java | 2 +-
.../authorizer/ranger/hive/RangerHivePlugin.java | 6 ++
.../mysql/privilege/AccessControllerManager.java | 4 +-
14 files changed, 479 insertions(+), 16 deletions(-)
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index 5803468e8b9..d55ac52ebfd 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -2256,6 +2256,12 @@ public class Config extends ConfigBase {
@ConfField
public static long stats_cache_size = 50_0000;
+ /**
+ * This config used for ranger cache data mask/row policy
+ */
+ @ConfField
+ public static long ranger_cache_size = 10000;
+
/**
* This configuration is used to enable the statistics of query
information, which will record
* the access status of databases, tables, and columns, and can be used to
guide the
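Review bot: The Javadoc on `ranger_cache_size` does not say what the number bounds or when it takes effect, which matters for a cache that holds authorization decisions. It is used as `maximumSize` for two separate Guava caches (data mask and row filter) in each `RangerCache` instance, and it is read while those caches are built, so changing it at runtime will not resize a cache that already exists. Suggest `/** Maximum number of entries in each of the Ranger data-mask and row-filter policy caches (per access controller); read once when the controller is created. Entries are evicted by size only and dropped when the Ranger plugin reports an auth-context change. */`.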
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
new file mode 100644
index 00000000000..163410b7cd7
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
@@ -0,0 +1,84 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.cache;
+
+import org.apache.doris.analysis.UserIdentity;
+import org.apache.doris.common.AuthorizationException;
+import org.apache.doris.mysql.privilege.CatalogAccessController;
+import org.apache.doris.mysql.privilege.DataMaskPolicy;
+import org.apache.doris.mysql.privilege.PrivPredicate;
+import org.apache.doris.mysql.privilege.RowFilterPolicy;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+
+public abstract class CatalogCacheAccessController implements
CatalogAccessController {
+ public abstract CatalogAccessController getProxyController();
+
+ public abstract RangerCache getCache();
+
+
+ @Override
+ public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate
wanted) {
+ return getProxyController().checkGlobalPriv(currentUser, wanted);
+ }
+
+ @Override
+ public boolean checkCtlPriv(UserIdentity currentUser, String ctl,
PrivPredicate wanted) {
+ return getProxyController().checkCtlPriv(currentUser, ctl, wanted);
+ }
+
+ @Override
+ public boolean checkDbPriv(UserIdentity currentUser, String ctl, String
db, PrivPredicate wanted) {
+ return getProxyController().checkDbPriv(currentUser, ctl, db, wanted);
+ }
+
+ @Override
+ public boolean checkTblPriv(UserIdentity currentUser, String ctl, String
db, String tbl, PrivPredicate wanted) {
+ return getProxyController().checkTblPriv(currentUser, ctl, db, tbl,
wanted);
+ }
+
+ @Override
+ public boolean checkResourcePriv(UserIdentity currentUser, String
resourceName, PrivPredicate wanted) {
+ return getProxyController().checkResourcePriv(currentUser,
resourceName, wanted);
+ }
+
+ @Override
+ public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String
workloadGroupName, PrivPredicate wanted) {
+ return getProxyController().checkWorkloadGroupPriv(currentUser,
workloadGroupName, wanted);
+ }
+
+ @Override
+ public void checkColsPriv(UserIdentity currentUser, String ctl, String db,
String tbl, Set<String> cols,
+ PrivPredicate wanted) throws AuthorizationException {
+ getProxyController().checkColsPriv(currentUser, ctl, db, tbl, cols,
wanted);
+ }
+
+ @Override
+ public Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity
currentUser, String ctl, String db, String tbl,
+ String col) {
+ return getCache().getDataMask(new DatamaskCacheKey(currentUser, ctl,
db, tbl, col));
+ }
+
+ @Override
+ public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity
currentUser, String ctl, String db,
+ String tbl) {
+ return getCache().getRowFilters(new RowFilterCacheKey(currentUser,
ctl, db, tbl));
+ }
+}
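Review bot: The class has no Javadoc, and for a security wrapper the key contract is which inputs the cached decision depends on: `evalDataMaskPolicy` and `evalRowFilterPolicies` are memoised on exactly (`currentUser`, `ctl`, `db`, `tbl`[, `col`]), so any other input the proxied controller might consult for these decisions (group or role membership resolved at evaluation time, client address, session attributes) would be shared across calls with the same key until the next invalidation. If the proxied controllers hand an audit handler to the Ranger plugin for these evaluations (the Hive controller does hold a `RangerHiveAuditHandler`), cache hits also stop producing Ranger audit events for masking and row-filter decisions, which operators may not expect. A class comment should state both, e.g. `/** Delegates every privilege check to {@link #getProxyController()} and memoises data-mask / row-filter lookups in {@link #getCache()}, keyed only by (user, ctl, db, tbl[, col]). A cached result is served until invalidation, so decision inputs outside that key, and any per-evaluation auditing the proxy performs, are bypassed on a hit. */`.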
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java
new file mode 100644
index 00000000000..d2262d094f9
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java
@@ -0,0 +1,89 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.cache;
+
+import org.apache.doris.analysis.UserIdentity;
+
+import com.google.common.base.Objects;
+
+public class DatamaskCacheKey {
+ private UserIdentity userIdentity;
+ private String ctl;
+ private String db;
+ private String tbl;
+ private String col;
+
+ public DatamaskCacheKey(UserIdentity userIdentity, String ctl, String db,
String tbl, String col) {
+ this.userIdentity = userIdentity;
+ this.ctl = ctl;
+ this.db = db;
+ this.tbl = tbl;
+ this.col = col;
+ }
+
+ public UserIdentity getUserIdentity() {
+ return userIdentity;
+ }
+
+ public String getCtl() {
+ return ctl;
+ }
+
+ public String getDb() {
+ return db;
+ }
+
+ public String getTbl() {
+ return tbl;
+ }
+
+ public String getCol() {
+ return col;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ DatamaskCacheKey that = (DatamaskCacheKey) o;
+ return Objects.equal(userIdentity, that.userIdentity)
+ && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db)
+ && Objects.equal(tbl, that.tbl) && Objects.equal(col,
+ that.col);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hashCode(userIdentity, ctl, db, tbl, col);
+ }
+
+ @Override
+ public String toString() {
+ return "DatamaskCacheKey{"
+ + "userIdentity=" + userIdentity
+ + ", ctl='" + ctl + '\''
+ + ", db='" + db + '\''
+ + ", tbl='" + tbl + '\''
+ + ", col='" + col + '\''
+ + '}';
+ }
+}
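Review bot: The five fields of a class used as a `LoadingCache` key are mutable and unchecked; make them `private final` and reject a null user in the constructor, e.g. `this.userIdentity = java.util.Objects.requireNonNull(userIdentity, "userIdentity");` (the Guava `Objects` imported here has no `requireNonNull`). With `Objects.equal`, a null `userIdentity` makes every null-user request hash to one shared entry, so a mask evaluated for one such request would be served for all of them. The key also inherits `UserIdentity.equals`/`hashCode`, which must cover everything Ranger uses to identify the caller (user and host, presumably) and must be stable for the lifetime of the entry; that assumption deserves a sentence in a class comment.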
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java
new file mode 100644
index 00000000000..29c068b1aff
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java
@@ -0,0 +1,107 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.cache;
+
+import org.apache.doris.common.Config;
+import org.apache.doris.datasource.CacheException;
+import org.apache.doris.mysql.privilege.CatalogAccessController;
+import org.apache.doris.mysql.privilege.DataMaskPolicy;
+import org.apache.doris.mysql.privilege.RowFilterPolicy;
+
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.concurrent.ExecutionException;
+
+public class RangerCache {
+ private static final Logger LOG =
LoggerFactory.getLogger(RangerCache.class);
+
+ private CatalogAccessController controller;
+ private LoadingCache<DatamaskCacheKey, Optional<DataMaskPolicy>>
datamaskCache = CacheBuilder.newBuilder()
+ .maximumSize(Config.ranger_cache_size)
+ .build(new CacheLoader<DatamaskCacheKey,
Optional<DataMaskPolicy>>() {
+ @Override
+ public Optional<DataMaskPolicy> load(DatamaskCacheKey key) {
+ return loadDataMask(key);
+ }
+ });
+
+ private LoadingCache<RowFilterCacheKey, List<? extends RowFilterPolicy>>
rowFilterCache = CacheBuilder.newBuilder()
+ .maximumSize(Config.ranger_cache_size)
+ .build(new CacheLoader<RowFilterCacheKey, List<? extends
RowFilterPolicy>>() {
+ @Override
+ public List<? extends RowFilterPolicy> load(RowFilterCacheKey
key) {
+ return loadRowFilter(key);
+ }
+ });
+
+ public RangerCache() {
+ }
+
+ public void init(CatalogAccessController controller) {
+ this.controller = controller;
+ }
+
+ private Optional<DataMaskPolicy> loadDataMask(DatamaskCacheKey key) {
+ Objects.requireNonNull(controller, "controller can not be null");
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("load datamask: {}", key);
+ }
+ return controller.evalDataMaskPolicy(key.getUserIdentity(),
key.getCtl(), key.getDb(), key.getTbl(),
+ key.getCol());
+ }
+
+ private List<? extends RowFilterPolicy> loadRowFilter(RowFilterCacheKey
key) {
+ Objects.requireNonNull(controller, "controller can not be null");
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("load row filter: {}", key);
+ }
+ return controller.evalRowFilterPolicies(key.getUserIdentity(),
key.getCtl(), key.getDb(), key.getTbl());
+ }
+
+ public void invalidateDataMaskCache() {
+ datamaskCache.invalidateAll();
+ }
+
+ public void invalidateRowFilterCache() {
+ rowFilterCache.invalidateAll();
+ }
+
+ public Optional<DataMaskPolicy> getDataMask(DatamaskCacheKey key) {
+ try {
+ return datamaskCache.get(key);
+ } catch (ExecutionException e) {
+ throw new CacheException("failed to get datamask for:" + key, e);
+ }
+ }
+
+ public List<? extends RowFilterPolicy> getRowFilters(RowFilterCacheKey
key) {
+ try {
+ return rowFilterCache.get(key);
+ } catch (ExecutionException e) {
+ throw new CacheException("failed to get row filter for:" + key, e);
+ }
+ }
+
+}
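Review bot: `invalidateDataMaskCache()`/`invalidateRowFilterCache()` rely on Guava's `invalidateAll()`, which, as far as I can tell, does not discard a load that is already in flight: a `loadDataMask` that read the old policy set before Ranger swapped it and returned after `contextChanged()` cleared the cache is stored as fresh, and then serves a pre-change mask or row filter until the next invalidation or size eviction. The window is small, but there is no `expireAfterWrite`, so such an entry (or any entry left behind if the listener is never invoked) has no upper bound on its lifetime; a conservative `expireAfterWrite` would cap the damage. One fix is to stamp each loaded value with an invalidation generation (`java.util.concurrent.atomic.AtomicLong`) read before calling Ranger, bump it in the invalidate methods, and reload on a stale stamp; the data-mask side is sketched below and the row-filter side is symmetric. Separately, `controller` is written by `init()` after construction and read by whichever thread triggers a load, with no synchronisation, so it should be `volatile` or passed to the constructor.
```java
private final AtomicLong generation = new AtomicLong();   // bumped on every invalidation

/** A loaded value plus the invalidation generation it was computed under. */
private static final class Stamped<V> {
    final long gen;
    final V value;
    Stamped(long gen, V value) { this.gen = gen; this.value = value; }
}

private LoadingCache<DatamaskCacheKey, Stamped<Optional<DataMaskPolicy>>> datamaskCache = CacheBuilder.newBuilder()
        .maximumSize(Config.ranger_cache_size)
        .build(new CacheLoader<DatamaskCacheKey, Stamped<Optional<DataMaskPolicy>>>() {
            @Override
            public Stamped<Optional<DataMaskPolicy>> load(DatamaskCacheKey key) {
                long gen = generation.get();          // read BEFORE asking Ranger
                return new Stamped<>(gen, loadDataMask(key));
            }
        });

// … unchanged: rowFilterCache (same stamping), init, loadDataMask, loadRowFilter …

public void invalidateDataMaskCache() {
    generation.incrementAndGet();   // first, so loads already in flight are stamped stale
    datamaskCache.invalidateAll();
}

public Optional<DataMaskPolicy> getDataMask(DatamaskCacheKey key) {
    try {
        Stamped<Optional<DataMaskPolicy>> s = datamaskCache.get(key);
        if (s.gen != generation.get()) {   // computed under a policy set that has since changed
            datamaskCache.invalidate(key);
            s = datamaskCache.get(key);
        }
        return s.value;
    } catch (ExecutionException e) {
        throw new CacheException("failed to get datamask for:" + key, e);
    }
}
```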
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java
similarity index 52%
copy from
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
copy to
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java
index 3e9f11d9f8e..4af56a8ff1b 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java
@@ -15,16 +15,27 @@
// specific language governing permissions and limitations
// under the License.
-package org.apache.doris.catalog.authorizer.ranger.hive;
+package org.apache.doris.catalog.authorizer.ranger.cache;
-import org.apache.doris.mysql.privilege.AccessControllerFactory;
-import org.apache.doris.mysql.privilege.CatalogAccessController;
+import
org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController;
-import java.util.Map;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
+
+public class RangerCacheInvalidateListener implements
RangerAuthContextListener {
+ private static final Logger LOG =
LogManager.getLogger(RangerDorisAccessController.class);
+
+ private RangerCache cache;
+
+ public RangerCacheInvalidateListener(RangerCache cache) {
+ this.cache = cache;
+ }
-public class RangerHiveAccessControllerFactory implements
AccessControllerFactory {
@Override
- public CatalogAccessController createAccessController(Map<String, String>
prop) {
- return new RangerHiveAccessController(prop);
+ public void contextChanged() {
+ LOG.info("ranger context changed");
+ cache.invalidateDataMaskCache();
+ cache.invalidateRowFilterCache();
}
}
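Review bot: `LOG` is created with `RangerDorisAccessController.class` (left over from the file this was copied from), so the `"ranger context changed"` line is attributed to the wrong class, and to the Doris controller even when this listener serves a Hive catalog; change it to `private static final Logger LOG = LogManager.getLogger(RangerCacheInvalidateListener.class);` (and consider the slf4j logger `RangerCache` uses so the package is consistent). This listener is the only mechanism that keeps cached masks and row filters in step with Ranger: `contextChanged()` is fired by the plugin on policy and, I believe, role reloads, but I do not think tag or user-store refreshes trigger it, so a tag-based masking policy or a group-membership change may not invalidate anything until the next policy refresh. A class comment should state that scope so nobody assumes the cache tracks every Ranger change.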
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java
new file mode 100644
index 00000000000..08afcb40fcb
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java
@@ -0,0 +1,82 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.cache;
+
+import org.apache.doris.analysis.UserIdentity;
+
+import com.google.common.base.Objects;
+
+public class RowFilterCacheKey {
+ private UserIdentity userIdentity;
+ private String ctl;
+ private String db;
+ private String tbl;
+
+ public RowFilterCacheKey(UserIdentity userIdentity, String ctl, String db,
String tbl) {
+ this.userIdentity = userIdentity;
+ this.ctl = ctl;
+ this.db = db;
+ this.tbl = tbl;
+ }
+
+ public UserIdentity getUserIdentity() {
+ return userIdentity;
+ }
+
+ public String getCtl() {
+ return ctl;
+ }
+
+ public String getDb() {
+ return db;
+ }
+
+ public String getTbl() {
+ return tbl;
+ }
+
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ RowFilterCacheKey that = (RowFilterCacheKey) o;
+ return Objects.equal(userIdentity, that.userIdentity)
+ && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db)
+ && Objects.equal(tbl, that.tbl);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hashCode(userIdentity, ctl, db, tbl);
+ }
+
+ @Override
+ public String toString() {
+ return "DatamaskCacheKey{"
+ + "userIdentity=" + userIdentity
+ + ", ctl='" + ctl + '\''
+ + ", db='" + db + '\''
+ + ", tbl='" + tbl + '\''
+ + '}';
+ }
+}
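Review bot: `toString()` reports this key as `DatamaskCacheKey{…}` (copied from the sibling class), and that string is what ends up in the `"failed to get row filter for:" + key` exception and the debug log in `RangerCache`, so a row-filter failure would be logged as a data-mask one; change it to `return "RowFilterCacheKey{"`. As with `DatamaskCacheKey`, the fields of a cache key should be `private final`, and `userIdentity` should be null-checked in the constructor so anonymous requests do not collapse into one shared row-filter entry. The key's identity rests on `UserIdentity.equals`, assumed here to cover everything Ranger evaluates the request for; worth stating in a class comment.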
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java
new file mode 100644
index 00000000000..2cbc8111d52
--- /dev/null
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java
@@ -0,0 +1,44 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.doris;
+
+import
org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache;
+import
org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener;
+import org.apache.doris.mysql.privilege.CatalogAccessController;
+
+public class RangerCacheDorisAccessController extends
CatalogCacheAccessController {
+ private CatalogAccessController proxyController;
+ private RangerCache cache;
+
+ public RangerCacheDorisAccessController(String serviceName) {
+ this.cache = new RangerCache();
+ this.proxyController = new RangerDorisAccessController(serviceName,
new RangerCacheInvalidateListener(cache));
+ this.cache.init(proxyController);
+ }
+
+ @Override
+ public CatalogAccessController getProxyController() {
+ return proxyController;
+ }
+
+ @Override
+ public RangerCache getCache() {
+ return cache;
+ }
+}
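Review bot: `cache` and `proxyController` are assigned once in the constructor and are the whole security state of this object, so mark both `private final`; that also documents that the proxy the cache loads from cannot be swapped later. The construction order deserves a comment: `RangerDorisAccessController` initialises the Ranger plugin (and may deliver a `contextChanged()`) before `cache.init(proxyController)` runs, which is harmless only because the cache is still empty and `RangerCache` null-checks the controller on load, e.g. `// plugin init may fire the listener before init(); the cache is empty then, so that is safe`. A class Javadoc saying this is the caching front for the `ranger-doris` access controller, with decisions cached per (user, ctl, db, tbl[, col]) until Ranger reports a change, would help readers.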
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
index fdf9064a5f7..53e9455de88 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
@@ -32,6 +32,7 @@ import
org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import java.util.ArrayList;
@@ -49,7 +50,11 @@ public class RangerDorisAccessController extends
RangerAccessController {
// private RangerHiveAuditHandler auditHandler;
public RangerDorisAccessController(String serviceName) {
- dorisPlugin = new RangerDorisPlugin(serviceName);
+ this(serviceName, null);
+ }
+
+ public RangerDorisAccessController(String serviceName,
RangerAuthContextListener rangerAuthContextListener) {
+ dorisPlugin = new RangerDorisPlugin(serviceName,
rangerAuthContextListener);
// auditHandler = new RangerHiveAuditHandler(dorisPlugin.getConfig());
// start a timed log flusher
// logFlushTimer.scheduleAtFixedRate(new
RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
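Review bot: The new two-argument constructor has no Javadoc, and `rangerAuthContextListener` is a security-relevant hook (it is what lets a caching wrapper discard stale mask and row-filter decisions), so document that it may be null and that the plugin registers it for auth-context change notifications, e.g. `/** @param rangerAuthContextListener notified by the Ranger plugin when its policy context changes; null if no notification is wanted */`. The constructor body continues past the end of this hunk.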
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java
index 34f098c8df8..0da65aaeb7f 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java
@@ -17,11 +17,17 @@
package org.apache.doris.catalog.authorizer.ranger.doris;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
import org.apache.ranger.plugin.service.RangerBasePlugin;
public class RangerDorisPlugin extends RangerBasePlugin {
public RangerDorisPlugin(String serviceName) {
+ this(serviceName, null);
+ }
+
+ public RangerDorisPlugin(String serviceName, RangerAuthContextListener
rangerAuthContextListener) {
super(serviceName, null, null);
super.init();
+ super.registerAuthContextEventListener(rangerAuthContextListener);
}
}
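Review bot: `registerAuthContextEventListener` is called after `super.init()`, so any `contextChanged()` the plugin delivers while loading its initial policies is missed by the listener. That is harmless today only because the listener's cache is empty at that moment; if `registerAuthContextEventListener` merely stores the reference (it appears to), registering before `init()` removes the dependency on that timing: `super.registerAuthContextEventListener(rangerAuthContextListener); super.init();`. Either way a comment should record why the order is safe, and that passing null presumably leaves the plugin with no listener rather than failing.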
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java
similarity index 52%
copy from
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
copy to
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java
index 3e9f11d9f8e..f4f510a12e6 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java
@@ -17,14 +17,31 @@
package org.apache.doris.catalog.authorizer.ranger.hive;
-import org.apache.doris.mysql.privilege.AccessControllerFactory;
+import
org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache;
+import
org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener;
import org.apache.doris.mysql.privilege.CatalogAccessController;
import java.util.Map;
-public class RangerHiveAccessControllerFactory implements
AccessControllerFactory {
+public class RangerCacheHiveAccessController extends
CatalogCacheAccessController {
+
+ private CatalogAccessController proxyController;
+ private RangerCache cache;
+
+ public RangerCacheHiveAccessController(Map<String, String> properties) {
+ this.cache = new RangerCache();
+ this.proxyController = new RangerHiveAccessController(properties, new
RangerCacheInvalidateListener(cache));
+ this.cache.init(proxyController);
+ }
+
+ @Override
+ public CatalogAccessController getProxyController() {
+ return proxyController;
+ }
+
@Override
- public CatalogAccessController createAccessController(Map<String, String>
prop) {
- return new RangerHiveAccessController(prop);
+ public RangerCache getCache() {
+ return cache;
}
}
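Review bot: Same shape as the Doris wrapper: `cache` and `proxyController` should be `private final`, and the constructor deserves a comment that `RangerHiveAccessController` initialises the Ranger plugin (and may fire the listener) before `cache.init(proxyController)`, which is safe only because the cache is empty at that point. Each instance builds its own `RangerCache`, and the factory creates one instance per `createAccessController` call (per catalog, presumably), so the memory bound is `ranger_cache_size` entries per cache per instance rather than a global cap; a class Javadoc should say so.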
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
index 6f4178d7716..03c0d463c71 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
@@ -34,6 +34,7 @@ import
org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import java.util.ArrayList;
@@ -54,8 +55,13 @@ public class RangerHiveAccessController extends
RangerAccessController {
private RangerHiveAuditHandler auditHandler;
public RangerHiveAccessController(Map<String, String> properties) {
+ this(properties, null);
+ }
+
+ public RangerHiveAccessController(Map<String, String> properties,
+ RangerAuthContextListener rangerAuthContextListener) {
String serviceName = properties.get("ranger.service.name");
- hivePlugin = new RangerHivePlugin(serviceName);
+ hivePlugin = new RangerHivePlugin(serviceName,
rangerAuthContextListener);
auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
// start a timed log flusher
logFlushTimer.scheduleAtFixedRate(new
RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
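Review bot: The new two-argument constructor should document `rangerAuthContextListener` the same way as the Doris controller: it may be null and is forwarded to `RangerHivePlugin`, which registers it with Ranger for policy-context change notifications, e.g. `/** @param rangerAuthContextListener notified when the Ranger policy context changes; null to register none */`. The constructor body continues past the end of this hunk.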
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
index 3e9f11d9f8e..545e7a26836 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java
@@ -25,6 +25,6 @@ import java.util.Map;
public class RangerHiveAccessControllerFactory implements
AccessControllerFactory {
@Override
public CatalogAccessController createAccessController(Map<String, String>
prop) {
- return new RangerHiveAccessController(prop);
+ return new RangerCacheHiveAccessController(prop);
}
}
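Review bot: Every Hive catalog now gets the caching controller with no way to opt out, even though the property map is right here; a boolean catalog property (name is a suggestion, e.g. `ranger.cache.enabled`) that falls back to `new RangerHiveAccessController(prop)` would let an operator disable caching while chasing a stale-policy incident or where each masking decision must be audited individually. Since each `RangerCacheHiveAccessController` creates its own `RangerCache`, the per-instance memory bound should also be documented next to `ranger_cache_size`.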
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java
index cf675b9a102..7ee393bae45 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java
@@ -17,11 +17,17 @@
package org.apache.doris.catalog.authorizer.ranger.hive;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
import org.apache.ranger.plugin.service.RangerBasePlugin;
public class RangerHivePlugin extends RangerBasePlugin {
public RangerHivePlugin(String serviceName) {
+ super(serviceName, null);
+ }
+
+ public RangerHivePlugin(String serviceName, RangerAuthContextListener
rangerAuthContextListener) {
super(serviceName, null, null);
super.init();
+ super.registerAuthContextEventListener(rangerAuthContextListener);
}
}
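Review bot: The one-argument constructor no longer initialises the plugin: it was `super(serviceName, null, null); super.init();` and is now just `super(serviceName, null)`, whereas `RangerDorisPlugin` delegates with `this(serviceName, null)`. Any remaining or future caller of `RangerHivePlugin(String)` would get a plugin that never loads policies (and, if the two-argument `RangerBasePlugin` constructor maps its arguments differently from the three-argument form, a different service/app identity), so make it `this(serviceName, null);` to match the Doris plugin. The ordering caveat from `RangerDorisPlugin` applies here too: registering the listener after `init()` can miss the initial context change, which is safe only while the cache is empty.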
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
index 77d702f6da4..5980c869670 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java
@@ -21,7 +21,7 @@ import org.apache.doris.analysis.TableName;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.AuthorizationInfo;
import org.apache.doris.catalog.Env;
-import
org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController;
+import
org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController;
import org.apache.doris.common.Config;
import org.apache.doris.common.UserException;
import org.apache.doris.datasource.CatalogIf;
@@ -57,7 +57,7 @@ public class AccessControllerManager {
public AccessControllerManager(Auth auth) {
this.auth = auth;
if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) {
- defaultAccessController = new RangerDorisAccessController("doris");
+ defaultAccessController = new
RangerCacheDorisAccessController("doris");
} else {
defaultAccessController = new InternalAccessController(auth);
}