jerqi commented on code in PR #4515: URL: https://github.com/apache/gravitino/pull/4515#discussion_r1724512836
########## authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java: ########## @@ -0,0 +1,998 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.gravitino.authorization.ranger; + +import com.google.common.annotations.VisibleForTesting; +import com.google.common.collect.ImmutableMap; +import com.google.common.collect.Lists; +import com.google.common.collect.Sets; +import com.google.errorprone.annotations.FormatMethod; +import com.google.errorprone.annotations.FormatString; +import java.io.IOException; +import java.time.Instant; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; +import java.util.Set; +import java.util.stream.Collectors; +import org.apache.commons.lang3.StringUtils; +import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.authorization.Group; +import org.apache.gravitino.authorization.Owner; +import org.apache.gravitino.authorization.Privilege; +import org.apache.gravitino.authorization.Role; +import org.apache.gravitino.authorization.RoleChange; +import org.apache.gravitino.authorization.SecurableObject; +import org.apache.gravitino.authorization.SecurableObjects; +import org.apache.gravitino.authorization.User; +import org.apache.gravitino.authorization.ranger.defines.VXGroup; +import org.apache.gravitino.authorization.ranger.defines.VXGroupList; +import org.apache.gravitino.authorization.ranger.defines.VXUser; +import org.apache.gravitino.authorization.ranger.defines.VXUserList; +import org.apache.gravitino.connector.AuthorizationPropertiesMeta; +import org.apache.gravitino.connector.authorization.AuthorizationPlugin; +import org.apache.gravitino.exceptions.AuthorizationPluginException; +import org.apache.gravitino.meta.AuditInfo; +import org.apache.gravitino.meta.GroupEntity; +import org.apache.gravitino.meta.UserEntity; +import org.apache.gravitino.utils.PrincipalUtils; +import org.apache.ranger.RangerServiceException; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem; +import org.apache.ranger.plugin.model.RangerRole; +import org.apache.ranger.plugin.util.GrantRevokeRoleRequest; +import org.apache.ranger.plugin.util.SearchFilter; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** Ranger authorization operations plugin abstract class. */ +public abstract class RangerAuthorizationPlugin implements AuthorizationPlugin { + private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationPlugin.class); + + protected String catalogProvider; + protected RangerClientExtend rangerClient; + protected String rangerServiceName; + /** Mapping Gravitino privilege name to the underlying authorization system privileges. */ + protected Map<Privilege.Name, Set<String>> privilegesMapping = null; + // The owner privileges, the owner can do anything on the metadata object + protected Set<String> ownerPrivileges = null; + + /** + * Because Ranger doesn't support the precise filter, Ranger will return the policy meets the + * wildcard(*,?) conditions, just like `*.*.*` policy will match `db1.table1.column1` So we need + * to manually precisely filter the policies. + */ + // Search Ranger policy filter keys + protected List<String> policyFilterKeys = null; + // Search Ranger policy precise filter keys + protected List<String> policyPreciseFilterKeys = null; + + public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO"; + + // TODO: Maybe need to move to the configuration in the future + public static final String RANGER_ADMIN_NAME = "admin"; + + public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> config) { + super(); + this.catalogProvider = catalogProvider; + String rangerUrl = config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL); + String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE); + String username = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME); + // Apache Ranger Password should be minimum 8 characters with min one alphabet and one numeric. + String password = config.get(AuthorizationPropertiesMeta.RANGER_PASSWORD); + rangerServiceName = config.get(AuthorizationPropertiesMeta.RANGER_SERVICE_NAME); + check(rangerUrl != null, "Ranger admin URL is required"); + check(authType != null, "Ranger auth type is required"); + check(username != null, "Ranger username is required"); + check(password != null, "Ranger password is required"); + check(rangerServiceName != null, "Ranger service name is required"); + + rangerClient = new RangerClientExtend(rangerUrl, authType, username, password); + + initMapPrivileges(); + initOwnerPrivileges(); + initPolicyFilterKeys(); + initPreciseFilterKeys(); + } + + /** + * Different underlying permission system may have different privilege names, this function is + * used to initialize the privilege mapping. + */ + protected abstract void initMapPrivileges(); + + /** + * Different underlying permission system may have different owner privilege names, this function + * is used to initialize the owner privilege mapping. + */ + protected abstract void initOwnerPrivileges(); + + // Initial Ranger policy filter keys + protected abstract void initPolicyFilterKeys(); + // Initial Ranger policy precise filter keys + protected abstract void initPreciseFilterKeys(); + + /** + * Translate the privilege name to the corresponding privilege name in the underlying permission + * + * @param name The privilege name to translate + * @return The corresponding privilege name in the underlying permission system + */ + public Set<String> translatePrivilege(Privilege.Name name) { + return privilegesMapping.get(name); + } + + /** + * Whether this privilege is underlying permission system supported + * + * @param name The privilege name to check + * @return true if the privilege is supported, otherwise false + */ + protected boolean checkPrivilege(Privilege.Name name) { + return privilegesMapping.containsKey(name); + } + + @FormatMethod + protected void check(boolean condition, @FormatString String message, Object... args) { + if (!condition) { + throw new AuthorizationPluginException(message, args); + } + } + + @VisibleForTesting + public List<String> getOwnerPrivileges() { + return Lists.newArrayList(ownerPrivileges); + } + + /** + * Because Ranger does not have a Role concept, Each metadata object will have a unique Ranger + * policy. we can use one or more Ranger policy to simulate the role. <br> + * 1. Create a policy for each metadata object. <br> + * 2. Save role name in the Policy properties. <br> + * 3. Set `MANAGED_BY_GRAVITINO` label in the policy. <br> + * 4. For easy manage, each privilege will create a RangerPolicyItemAccess in the policy. <br> + * 5. The policy will only have one user, the user is the {OWNER} of the policy. <br> + * 6. The policy will not have group. <br> + */ + @Override + public Boolean onRoleCreated(Role role) throws RuntimeException { + createRangerRoleIfNotExists(role.name()); + return onRoleUpdated( + role, + role.securableObjects().stream() + .map(securableObject -> RoleChange.addSecurableObject(role.name(), securableObject)) + .toArray(RoleChange[]::new)); + } + + @Override + public Boolean onRoleAcquired(Role role) throws RuntimeException { + try { + return role.securableObjects().stream().allMatch(object -> findManagedPolicy(object) != null); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + + /** + * Because one Ranger policy maybe contain multiple securable objects, so we didn't directly Review Comment: ```suggestion * Because a Ranger policy maybe contains multiple securable objects, so we didn't directly ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
