yuqi1129 commented on code in PR #4744:
URL: https://github.com/apache/gravitino/pull/4744#discussion_r1738028447
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java:
##########
@@ -56,83 +55,124 @@ public class RangerHelper {
private static final Logger LOG =
LoggerFactory.getLogger(RangerHelper.class);
public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO";
- RangerAuthorizationPlugin rangerAuthorizationPlugin;
/** Mapping Gravitino privilege name to the underlying authorization system
privileges. */
- protected Map<Privilege.Name, Set<String>> privilegesMapping = null;
+ protected Map<Privilege.Name, Set<RangerPrivilege>> privilegesMapping = new
HashMap<>();
/** The owner privileges, the owner can do anything on the metadata object */
- protected Set<String> ownerPrivileges = null;
+ private Set<RangerPrivilege> ownerPrivileges = new HashSet<>();
/**
* Because Ranger doesn't support the precise search, Ranger will return the
policy meets the
* wildcard(*,?) conditions, If you use `db.table` condition to search
policy, the Ranger will
* match `db1.table1`, `db1.table2`, `db*.table*`, So we need to manually
precisely filter this
* research results. <br>
* policySearchKeys: The search Ranger policy condition key defines. <br>
- * policyPreciseFilterKeys: The precise filter Ranger search results key
defines <br>
+ * policyResourceDefines: The Ranger policy resource defines. <br>
*/
- protected List<String> policySearchKeys = null;
-
- protected List<String> policyPreciseFilterKeys = null;
-
- public RangerHelper(RangerAuthorizationPlugin rangerAuthorizationPlugin,
String catalogProvider) {
- this.rangerAuthorizationPlugin = rangerAuthorizationPlugin;
- switch (catalogProvider) {
- case "hive":
- initPrivilegesMapping();
- initOwnerPrivileges();
- initPolicySearchKeys();
- initPreciseFilterKeys();
- break;
- default:
- throw new IllegalArgumentException(
- "Authorization plugin unsupported catalog provider: " +
catalogProvider);
- }
+ private List<String> policySearchKeys = new ArrayList<>();
+
+ private List<String> policyResourceDefines = new ArrayList<>();
+
+ private final RangerClientExtend rangerClient;
+ private final String rangerAdminName;
+ private final String rangerServiceName;
+ private AuthorizationConfig authorizationConfig = null;
+
+ public RangerHelper(
+ String catalogProvider,
+ RangerClientExtend rangerClient,
+ String rangerAdminName,
+ String rangerServiceName) {
+ this.rangerClient = rangerClient;
+ this.rangerAdminName = rangerAdminName;
+ this.rangerServiceName = rangerServiceName;
+
+ this.authorizationConfig = AuthorizationConfig.loadConfig(catalogProvider);
+ initAuthorizationConfig(authorizationConfig);
}
- /** Initial mapping Gravitino privilege name to the underlying authorization
system privileges. */
- private void initPrivilegesMapping() {
- privilegesMapping =
- ImmutableMap.<Privilege.Name, Set<String>>builder()
- .put(
- Privilege.Name.CREATE_SCHEMA,
- ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_CREATE))
- .put(
- Privilege.Name.CREATE_TABLE,
ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_CREATE))
- .put(
- Privilege.Name.MODIFY_TABLE,
- ImmutableSet.of(
- RangerDefines.ACCESS_TYPE_HIVE_UPDATE,
- RangerDefines.ACCESS_TYPE_HIVE_ALTER,
- RangerDefines.ACCESS_TYPE_HIVE_WRITE))
- .put(
- Privilege.Name.SELECT_TABLE,
- ImmutableSet.of(
- RangerDefines.ACCESS_TYPE_HIVE_READ,
RangerDefines.ACCESS_TYPE_HIVE_SELECT))
- .build();
+ @VisibleForTesting
+ RangerHelper(AuthorizationConfig authorizationConfig) {
+ this.rangerClient = null;
+ this.rangerAdminName = null;
+ this.rangerServiceName = null;
+
+ this.authorizationConfig = authorizationConfig;
+ initAuthorizationConfig(authorizationConfig);
}
- /** Initial Owner privileges */
- private void initOwnerPrivileges() {
- ownerPrivileges = ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_ALL);
+ /**
+ * Initial mapping Gravitino privilege name to the underlying authorization
system privileges.
+ * <br>
+ * Initial Owner privileges. <br>
+ * Initial Ranger policy search key defines. <br>
+ * Initial precise filter key defines. <br>
+ */
+ private void initAuthorizationConfig(AuthorizationConfig
authorizationConfig) {
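Review bot: `privilegesMapping` and `ownerPrivileges` used to be assigned Guava immutable collections (in the removed `initPrivilegesMapping`/`initOwnerPrivileges`) and are now a `protected` `HashMap` and a plain `HashSet`, so the table that decides which Ranger access types a Gravitino privilege maps to can be changed after construction by a subclass or same-package code. Unless `initAuthorizationConfig`, whose body lies beyond the quoted part of the hunk, already freezes them, I would make the fields `private final` and assign unmodifiable copies once loading finishes, e.g. `this.ownerPrivileges = Collections.unmodifiableSet(loaded);`. The new constructor also drops the explicit `IllegalArgumentException` for an unsupported `catalogProvider`, so it is worth confirming that `AuthorizationConfig.loadConfig` fails loudly on an unknown or incomplete provider instead of leaving these mappings empty.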
Review Comment:
Should we provide default values as before? Setting the mapping is too
complicated for most users, and only users with special requirements will
configure this value.