xunliu commented on code in PR #4651:
URL: https://github.com/apache/gravitino/pull/4651#discussion_r1730493414


##########
authorizations/authorization-ranger/build.gradle.kts:
##########
@@ -69,24 +75,34 @@ dependencies {
     exclude("org.elasticsearch")
     exclude("org.elasticsearch.client")
     exclude("org.elasticsearch.plugin")
+    exclude("javax.ws.rs")
   }
+  testImplementation(libs.javax.ws.rs.api)
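
Review bot: `exclude("javax.ws.rs")` removes the JAX-RS API from this dependency and `testImplementation(libs.javax.ws.rs.api)` puts it back for tests only, with no comment saying which conflict this resolves. Add a short comment above the exclude naming the conflicting artifact, and confirm that main code in this module does not need `javax.ws.rs` classes at runtime, since tests would otherwise pass on a classpath that production does not have.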

Review Comment:
   Fixed



##########
core/src/main/java/org/apache/gravitino/utils/IsolatedClassLoader.java:
##########
@@ -39,6 +39,11 @@
  * controlled loading of classes from specified jars and shared classes from 
the base class loader.
  */
 public class IsolatedClassLoader implements Closeable {
+  // Gravitino have two compound (catalog and authorization) types use 
isolated class loader
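
Review bot: the comment added at the top of the class body reads awkwardly ("have two compound ... types use"), and "compound" looks like it should be "component". Suggest something like `// Gravitino uses the isolated class loader for two component types: catalog and authorization.`, or fold it into the Javadoc just above so it shows up in generated docs.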

Review Comment:
   Fixed



##########
core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java:
##########
@@ -181,53 +182,64 @@ public CatalogOperations ops() {
 
   public AuthorizationPlugin getAuthorizationPlugin() {
     if (authorization == null) {
-      synchronized (this) {
-        if (authorization == null) {
-          BaseAuthorization<?> baseAuthorization = 
createAuthorizationPluginInstance();
-          if (baseAuthorization == null) {
-            return null;
-          }
-          authorization = baseAuthorization;
-        }
-      }
+      return null;
     }
     return authorization.plugin(provider(), this.conf);
   }
 
-  private BaseAuthorization<?> createAuthorizationPluginInstance() {
+  public void initAuthorizationPluginInstance(IsolatedClassLoader classLoader) 
{
+    if (authorization != null) {
+      return;
+    }
+
     String authorizationProvider =
         catalogPropertiesMetadata().containsProperty(AUTHORIZATION_PROVIDER)
             ? (String) catalogPropertiesMetadata().getOrDefault(conf, 
AUTHORIZATION_PROVIDER)
             : null;
 
     if (authorizationProvider == null) {
       LOG.info("Authorization provider is not set!");
-      return null;
+      return;
     }
 
-    ServiceLoader<AuthorizationProvider> loader =
-        ServiceLoader.load(
-            AuthorizationProvider.class, 
Thread.currentThread().getContextClassLoader());
-
-    List<Class<? extends AuthorizationProvider>> providers =
-        Streams.stream(loader.iterator())
-            .filter(p -> p.shortName().equalsIgnoreCase(authorizationProvider))
-            .map(AuthorizationProvider::getClass)
-            .collect(Collectors.toList());
-    if (providers.isEmpty()) {
-      throw new IllegalArgumentException(
-          "No authorization provider found for: " + authorizationProvider);
-    } else if (providers.size() > 1) {
-      throw new IllegalArgumentException(
-          "Multiple authorization providers found for: " + 
authorizationProvider);
-    }
+    BaseAuthorization<?> baseAuthorization;
     try {
-      return (BaseAuthorization<?>)
-          
Iterables.getOnlyElement(providers).getDeclaredConstructor().newInstance();
+      baseAuthorization =
+          classLoader.withClassLoader(
+              cl -> {
+                try {
+                  ServiceLoader<AuthorizationProvider> loader =
+                      ServiceLoader.load(AuthorizationProvider.class, cl);
+
+                  List<Class<? extends AuthorizationProvider>> providers =
+                      Streams.stream(loader.iterator())
+                          .filter(p -> 
p.shortName().equalsIgnoreCase(authorizationProvider))
+                          .map(AuthorizationProvider::getClass)
+                          .collect(Collectors.toList());
+                  if (providers.isEmpty()) {
+                    throw new IllegalArgumentException(
+                        "No authorization provider found for: " + 
authorizationProvider);
+                  } else if (providers.size() > 1) {
+                    throw new IllegalArgumentException(
+                        "Multiple authorization providers found for: " + 
authorizationProvider);
+                  }
+                  return (BaseAuthorization<?>)
+                      
Iterables.getOnlyElement(providers).getDeclaredConstructor().newInstance();
+                } catch (Exception e) {
+                  LOG.error("Failed to create authorization instance", e);
+                  throw new RuntimeException(e);
+                }
+              });
     } catch (Exception e) {
-      LOG.error("Failed to create authorization instance", e);
+      LOG.error("Failed to load authorization with class loader", e);
       throw new RuntimeException(e);
     }
+
+    if (baseAuthorization == null) {
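
Review bot: in `initAuthorizationPluginInstance`, the `if (authorization != null) return;` guard is a plain check-then-act on a public method, while the removed code did the same check inside `synchronized (this)`. Two threads calling it for the same catalog can both pass the guard and both instantiate a provider; keep the synchronized block (or make the method `synchronized`) around the guard and the code that sets `authorization`. Separately, the lambda's `catch` logs and wraps in `RuntimeException`, and the outer `catch` then logs and wraps again, so one failure is logged twice and the original `IllegalArgumentException` ends up two levels deep; log in one place only.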

Review Comment:
   Removed this code.



##########
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java:
##########
@@ -50,16 +54,25 @@ public class RangerITEnv {
   protected static final String RANGER_HDFS_REPO_NAME = "hdfsDev";
   private static final String RANGER_HDFS_TYPE = "hdfs";
   protected static RangerClient rangerClient;
-
+  private static volatile Boolean initRangerService = Boolean.FALSE;
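
Review bot: `initRangerService` is declared as a boxed `volatile Boolean`; `volatile` gives visibility but does not make a check-then-set on the flag atomic, and the wrapper type adds nothing here. If the flag guards one-time setup of the Ranger service, use a primitive `boolean` under a lock or an `AtomicBoolean` with `compareAndSet`, so that parallel test classes cannot both run the initialisation.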

Review Comment:
   Fixed.



##########
core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java:
##########
@@ -181,53 +182,64 @@ public CatalogOperations ops() {
 
   public AuthorizationPlugin getAuthorizationPlugin() {
     if (authorization == null) {
-      synchronized (this) {
-        if (authorization == null) {
-          BaseAuthorization<?> baseAuthorization = 
createAuthorizationPluginInstance();
-          if (baseAuthorization == null) {
-            return null;
-          }
-          authorization = baseAuthorization;
-        }
-      }
+      return null;
     }
     return authorization.plugin(provider(), this.conf);
   }
 
-  private BaseAuthorization<?> createAuthorizationPluginInstance() {
+  public void initAuthorizationPluginInstance(IsolatedClassLoader classLoader) 
{
+    if (authorization != null) {
+      return;
+    }
+
     String authorizationProvider =
         catalogPropertiesMetadata().containsProperty(AUTHORIZATION_PROVIDER)
             ? (String) catalogPropertiesMetadata().getOrDefault(conf, 
AUTHORIZATION_PROVIDER)
             : null;
 
     if (authorizationProvider == null) {
       LOG.info("Authorization provider is not set!");
-      return null;
+      return;
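
Review bot: with this change `getAuthorizationPlugin()` returns null both when no provider is configured and when `initAuthorizationPluginInstance` was never called, and the unset case is only logged at info level. A caller that treats null as "authorization disabled" would then skip enforcement for a catalog whose provider property is set but not yet initialised. Document the null contract on the getter, and consider throwing from the getter when `AUTHORIZATION_PROVIDER` is set but `authorization` is still null.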

Review Comment:
   Yes, the Authorization plugin is an option in the Catalog. It may or may not 
be configured.



##########
.github/workflows/authorization-integration-test.yml:
##########
@@ -0,0 +1,110 @@
+name: Authorization Integration Test

Review Comment:
   I think the authorization module is very important, and testing depends on 
many Docker containers (hive, ranger, MySQL, IAM, ...), so I think it is better to 
split it into a single CI pipeline.
   Don't worry, I also disable the authorization IT test in the backend tests.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
