This is an automated email from the ASF dual-hosted git repository.

jshao pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new aa988e158 [#4698] feat(auth-ranger): Extended Ranger authorization by 
rules (#4744)
aa988e158 is described below

commit aa988e158f196e8574017e84c9660f09d8c7d626
Author: Xun <[email protected]>
AuthorDate: Thu Sep 19 11:08:00 2024 +0800

    [#4698] feat(auth-ranger): Extended Ranger authorization by rules (#4744)
    
    ### What changes were proposed in this pull request?
    
    1. Added the interface `RangerPrivilegesMappingProvider`, which we can use
    to map Gravitino privileges to Ranger privileges.
    2. Added the abstract class `RangerAuthorizationPlugin`, which we can
    extend to add other Ranger authorization plugins.
    
    ### Why are the changes needed?
    
    Fix: #4698
    
    ### Does this PR introduce _any_ user-facing change?
    
    NA
    
    ### How was this patch tested?
    
    CI Passed.
---
 .../authorization-ranger/build.gradle.kts          |   6 +-
 .../authorization/ranger/RangerAuthorization.java  |   7 +-
 .../ranger/RangerAuthorizationHivePlugin.java      |  75 +++++++++
 .../ranger/RangerAuthorizationPlugin.java          |  38 ++---
 ...lientExtend.java => RangerClientExtension.java} |   6 +-
 .../authorization/ranger/RangerHelper.java         | 167 ++++++++-------------
 .../authorization/ranger/RangerPrivilege.java      |  81 ++++++++++
 .../authorization/ranger/RangerPrivileges.java     |  42 ++++++
 ...n.java => RangerPrivilegesMappingProvider.java} |  28 ++--
 .../ranger/reference/RangerDefines.java            |  77 +++-------
 .../ranger/integration/test/RangerHiveE2EIT.java   |   4 +-
 .../ranger/integration/test/RangerHiveIT.java      | 106 ++++---------
 .../ranger/integration/test/RangerITEnv.java       |  69 ++++++---
 docs/security/authorization-pushdown.md            |   6 +-
 integration-test-common/build.gradle.kts           |   1 +
 .../test/container/RangerContainer.java            |   6 +-
 16 files changed, 410 insertions(+), 309 deletions(-)

diff --git a/authorizations/authorization-ranger/build.gradle.kts 
b/authorizations/authorization-ranger/build.gradle.kts
index efc20e6c8..47ec7eba5 100644
--- a/authorizations/authorization-ranger/build.gradle.kts
+++ b/authorizations/authorization-ranger/build.gradle.kts
@@ -96,7 +96,7 @@ tasks {
   }
 
   val copyAuthorizationLibs by registering(Copy::class) {
-    dependsOn("jar", "runtimeJars")
+    dependsOn("jar", runtimeJars)
     from("build/libs") {
       exclude("guava-*.jar")
       exclude("log4j-*.jar")
@@ -108,6 +108,10 @@ tasks {
   register("copyLibAndConfig", Copy::class) {
     dependsOn(copyAuthorizationLibs)
   }
+
+  jar {
+    dependsOn(runtimeJars)
+  }
 }
 
 tasks.test {
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
index 8a3db8efa..3fb74f288 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
@@ -31,6 +31,11 @@ public class RangerAuthorization extends 
BaseAuthorization<RangerAuthorization>
 
   @Override
   protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, 
String> config) {
-    return new RangerAuthorizationPlugin(catalogProvider, config);
+    switch (catalogProvider) {
+      case "hive":
+        return RangerAuthorizationHivePlugin.getInstance(config);
+      default:
+        throw new IllegalArgumentException("Unknown catalog provider: " + 
catalogProvider);
+    }
   }
 }
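Review bot: `newPlugin` receives a per-catalog `config`, but `RangerAuthorizationHivePlugin.getInstance(config)` (added in RangerAuthorizationHivePlugin.java by this commit) builds the plugin only on its first call and returns that same instance afterwards, so the `config` of every later Hive catalog is ignored. If two catalogs are configured with different Ranger admin URLs, service names or credentials, the second one would have its roles and policies written through the first catalog's Ranger client. Either build a plugin per call, `return new RangerAuthorizationHivePlugin(config);` with the constructor made package-private, or key the cached instances by the configuration. Separately, `switch (catalogProvider)` throws a NullPointerException for a null provider instead of the IllegalArgumentException of the `default` branch.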
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java
new file mode 100644
index 000000000..a9b08c866
--- /dev/null
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization.ranger;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.apache.gravitino.authorization.Privilege;
+import 
org.apache.gravitino.authorization.ranger.RangerPrivilege.RangerHivePrivilege;
+import 
org.apache.gravitino.authorization.ranger.reference.RangerDefines.PolicyResource;
+
+public class RangerAuthorizationHivePlugin extends RangerAuthorizationPlugin {
+  private static volatile RangerAuthorizationHivePlugin instance = null;
+
+  private RangerAuthorizationHivePlugin(Map<String, String> config) {
+    super(config);
+  }
+
+  public static synchronized RangerAuthorizationHivePlugin 
getInstance(Map<String, String> config) {
+    if (instance == null) {
+      synchronized (RangerAuthorizationHivePlugin.class) {
+        if (instance == null) {
+          instance = new RangerAuthorizationHivePlugin(config);
+        }
+      }
+    }
+    return instance;
+  }
+
+  /** Set the default mapping Gravitino privilege name to the Ranger rule */
+  public Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule() {
+    return ImmutableMap.of(
+        Privilege.Name.CREATE_SCHEMA,
+        ImmutableSet.of(RangerHivePrivilege.CREATE),
+        Privilege.Name.CREATE_TABLE,
+        ImmutableSet.of(RangerHivePrivilege.CREATE),
+        Privilege.Name.MODIFY_TABLE,
+        ImmutableSet.of(
+            RangerHivePrivilege.UPDATE, RangerHivePrivilege.ALTER, 
RangerHivePrivilege.WRITE),
+        Privilege.Name.SELECT_TABLE,
+        ImmutableSet.of(RangerHivePrivilege.READ, RangerHivePrivilege.SELECT));
+  }
+
+  /** Set the default owner rule. */
+  public Set<RangerPrivilege> ownerMappingRule() {
+    return ImmutableSet.of(RangerHivePrivilege.ALL);
+  }
+
+  /** Set Ranger policy resource rule. */
+  public List<String> policyResourceDefinesRule() {
+    return ImmutableList.of(
+        PolicyResource.DATABASE.getName(),
+        PolicyResource.TABLE.getName(),
+        PolicyResource.COLUMN.getName());
+  }
+}
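Review bot: `getInstance` is declared `static synchronized` and then takes the same class-level lock again in `synchronized (RangerAuthorizationHivePlugin.class)`, so the inner double-checked block and the `volatile` on `instance` add nothing; keep either the synchronized method or the double-checked form, not both. The three rule methods appear to implement `RangerPrivilegesMappingProvider` through the abstract parent but carry no `@Override`, so a signature change in the interface would not be caught at compile time; add `@Override` to `privilegesMappingRule()`, `ownerMappingRule()` and `policyResourceDefinesRule()`. Their Javadoc opens with "Set …" although each method only returns a value; `/** Returns the default mapping from Gravitino privilege names to Ranger Hive privileges. */` describes the first one more accurately.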
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
index 75692e987..3b503a3f9 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -20,7 +20,6 @@ package org.apache.gravitino.authorization.ranger;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Lists;
 import java.io.IOException;
 import java.time.Instant;
 import java.util.Collections;
@@ -63,18 +62,16 @@ import org.slf4j.LoggerFactory;
  * 4. The Ranger policy also supports multiple users and groups, But we only 
use a user or group to
  * implement Gravitino Owner concept. <br>
  */
-public class RangerAuthorizationPlugin implements AuthorizationPlugin {
+public abstract class RangerAuthorizationPlugin
+    implements AuthorizationPlugin, RangerPrivilegesMappingProvider {
   private static final Logger LOG = 
LoggerFactory.getLogger(RangerAuthorizationPlugin.class);
 
-  protected String catalogProvider;
-  protected String rangerServiceName;
-  protected RangerClientExtend rangerClient;
-  private RangerHelper rangerHelper;
+  protected final String rangerServiceName;
+  protected final RangerClientExtension rangerClient;
+  private final RangerHelper rangerHelper;
   @VisibleForTesting public final String rangerAdminName;
 
-  public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> 
config) {
-    super();
-    this.catalogProvider = catalogProvider;
+  protected RangerAuthorizationPlugin(Map<String, String> config) {
     String rangerUrl = 
config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL);
     String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE);
     rangerAdminName = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME);
@@ -86,23 +83,26 @@ public class RangerAuthorizationPlugin implements 
AuthorizationPlugin {
     RangerHelper.check(rangerAdminName != null, "Ranger username is required");
     RangerHelper.check(password != null, "Ranger password is required");
     RangerHelper.check(rangerServiceName != null, "Ranger service name is 
required");
-    rangerClient = new RangerClientExtend(rangerUrl, authType, 
rangerAdminName, password);
-    rangerHelper = new RangerHelper(this, catalogProvider);
+    rangerClient = new RangerClientExtension(rangerUrl, authType, 
rangerAdminName, password);
+
+    rangerHelper =
+        new RangerHelper(
+            rangerClient,
+            rangerAdminName,
+            rangerServiceName,
+            privilegesMappingRule(),
+            ownerMappingRule(),
+            policyResourceDefinesRule());
   }
 
   /**
-   * Translate the privilege name to the corresponding privilege name in the 
underlying permission
+   * Translate the privilege name to the corresponding privilege name in the 
Ranger
    *
    * @param name The privilege name to translate
-   * @return The corresponding privilege name in the underlying permission 
system
+   * @return The corresponding Ranger privilege name in the underlying 
permission system
    */
   public Set<String> translatePrivilege(Privilege.Name name) {
-    return rangerHelper.privilegesMapping.get(name);
-  }
-
-  @VisibleForTesting
-  public List<String> getOwnerPrivileges() {
-    return Lists.newArrayList(rangerHelper.ownerPrivileges);
+    return rangerHelper.translatePrivilege(name);
   }
 
   /**
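Review bot: The constructor passes `privilegesMappingRule()`, `ownerMappingRule()` and `policyResourceDefinesRule()` to `RangerHelper` before any subclass constructor body has run, so an implementation that builds its rules from its own fields would hand the helper null or empty rule sets. The Hive plugin in this commit returns constants and is unaffected, but this class is now the extension point for other plugins. State the constraint in the class Javadoc, for example `Rule methods are invoked from this constructor and must not depend on subclass state.`, or create the helper lazily on first use. The constructor begins in the previous hunk, and the Javadoc opened on the last line continues outside this one.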
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtend.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtension.java
similarity index 97%
rename from 
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtend.java
rename to 
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtension.java
index 8cc23a66c..fd822559d 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtend.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerClientExtension.java
@@ -40,8 +40,8 @@ import org.slf4j.LoggerFactory;
  * The class extends the RangerClient class and provides additional methods to 
create, search and
  * delete users and groups
  */
-public class RangerClientExtend extends RangerClient {
-  private static final Logger LOG = 
LoggerFactory.getLogger(RangerClientExtend.class);
+public class RangerClientExtension extends RangerClient {
+  private static final Logger LOG = 
LoggerFactory.getLogger(RangerClientExtension.class);
   private static final String URI_USER_BASE = "/service/xusers/users";
   private static final String URI_USER_BY_ID = URI_USER_BASE + "/%d";
   private static final String URI_GROUP_BASE = "/service/xusers/groups";
@@ -75,7 +75,7 @@ public class RangerClientExtend extends RangerClient {
   // private void callAPI(API api, Map<String, String> params) throws 
RangerServiceException
   private Method callAPIMethodNonResponse;
 
-  public RangerClientExtend(String hostName, String authType, String username, 
String password) {
+  public RangerClientExtension(String hostName, String authType, String 
username, String password) {
     super(hostName, authType, username, password, null);
 
     // initialize callAPI method
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
index aad1ebe76..e34fe5685 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
@@ -18,13 +18,10 @@
  */
 package org.apache.gravitino.authorization.ranger;
 
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.errorprone.annotations.FormatMethod;
 import com.google.errorprone.annotations.FormatString;
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -38,7 +35,6 @@ import org.apache.gravitino.authorization.Owner;
 import org.apache.gravitino.authorization.Privilege;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
-import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
 import org.apache.gravitino.exceptions.AuthorizationPluginException;
 import org.apache.ranger.RangerServiceException;
 import org.apache.ranger.plugin.model.RangerPolicy;
@@ -56,83 +52,43 @@ public class RangerHelper {
   private static final Logger LOG = 
LoggerFactory.getLogger(RangerHelper.class);
 
   public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO";
-  RangerAuthorizationPlugin rangerAuthorizationPlugin;
 
   /** Mapping Gravitino privilege name to the underlying authorization system 
privileges. */
-  protected Map<Privilege.Name, Set<String>> privilegesMapping = null;
+  private final Map<Privilege.Name, Set<RangerPrivilege>> privilegesMapping;
   /** The owner privileges, the owner can do anything on the metadata object */
-  protected Set<String> ownerPrivileges = null;
+  private final Set<RangerPrivilege> ownerPrivileges;
+  /** The policy search keys */
+  private final List<String> policyResourceDefines;
+
+  private final RangerClientExtension rangerClient;
+  private final String rangerAdminName;
+  private final String rangerServiceName;
+
+  public RangerHelper(
+      RangerClientExtension rangerClient,
+      String rangerAdminName,
+      String rangerServiceName,
+      Map<Privilege.Name, Set<RangerPrivilege>> privilegesMapping,
+      Set<RangerPrivilege> ownerPrivileges,
+      List<String> resourceDefines) {
+    this.rangerClient = rangerClient;
+    this.rangerAdminName = rangerAdminName;
+    this.rangerServiceName = rangerServiceName;
+    this.privilegesMapping = privilegesMapping;
+    this.ownerPrivileges = ownerPrivileges;
+    this.policyResourceDefines = resourceDefines;
+  }
 
   /**
-   * Because Ranger doesn't support the precise search, Ranger will return the 
policy meets the
-   * wildcard(*,?) conditions, If you use `db.table` condition to search 
policy, the Ranger will
-   * match `db1.table1`, `db1.table2`, `db*.table*`, So we need to manually 
precisely filter this
-   * research results. <br>
-   * policySearchKeys: The search Ranger policy condition key defines. <br>
-   * policyPreciseFilterKeys: The precise filter Ranger search results key 
defines <br>
+   * Translate the privilege name to the corresponding privilege name in the 
Ranger
+   *
+   * @param name The privilege name to translate
+   * @return The corresponding Ranger privilege name in the underlying 
permission system
    */
-  protected List<String> policySearchKeys = null;
-
-  protected List<String> policyPreciseFilterKeys = null;
-
-  public RangerHelper(RangerAuthorizationPlugin rangerAuthorizationPlugin, 
String catalogProvider) {
-    this.rangerAuthorizationPlugin = rangerAuthorizationPlugin;
-    switch (catalogProvider) {
-      case "hive":
-        initPrivilegesMapping();
-        initOwnerPrivileges();
-        initPolicySearchKeys();
-        initPreciseFilterKeys();
-        break;
-      default:
-        throw new IllegalArgumentException(
-            "Authorization plugin unsupported catalog provider: " + 
catalogProvider);
-    }
-  }
-
-  /** Initial mapping Gravitino privilege name to the underlying authorization 
system privileges. */
-  private void initPrivilegesMapping() {
-    privilegesMapping =
-        ImmutableMap.<Privilege.Name, Set<String>>builder()
-            .put(
-                Privilege.Name.CREATE_SCHEMA,
-                ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_CREATE))
-            .put(
-                Privilege.Name.CREATE_TABLE, 
ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_CREATE))
-            .put(
-                Privilege.Name.MODIFY_TABLE,
-                ImmutableSet.of(
-                    RangerDefines.ACCESS_TYPE_HIVE_UPDATE,
-                    RangerDefines.ACCESS_TYPE_HIVE_ALTER,
-                    RangerDefines.ACCESS_TYPE_HIVE_WRITE))
-            .put(
-                Privilege.Name.SELECT_TABLE,
-                ImmutableSet.of(
-                    RangerDefines.ACCESS_TYPE_HIVE_READ, 
RangerDefines.ACCESS_TYPE_HIVE_SELECT))
-            .build();
-  }
-
-  /** Initial Owner privileges */
-  private void initOwnerPrivileges() {
-    ownerPrivileges = ImmutableSet.of(RangerDefines.ACCESS_TYPE_HIVE_ALL);
-  }
-
-  /** Initial Ranger policy search key defines */
-  private void initPolicySearchKeys() {
-    policySearchKeys =
-        Arrays.asList(
-            RangerDefines.SEARCH_FILTER_DATABASE,
-            RangerDefines.SEARCH_FILTER_TABLE,
-            RangerDefines.SEARCH_FILTER_COLUMN);
-  }
-
-  /** Initial precise filter key defines */
-  private void initPreciseFilterKeys() {
-    policyPreciseFilterKeys =
-        Arrays.asList(
-            RangerDefines.RESOURCE_DATABASE,
-            RangerDefines.RESOURCE_TABLE,
-            RangerDefines.RESOURCE_COLUMN);
+  public Set<String> translatePrivilege(Privilege.Name name) {
+    return privilegesMapping.get(name).stream()
+        .map(RangerPrivilege::getName)
+        .collect(Collectors.toSet());
   }
 
   /**
@@ -176,10 +132,9 @@ public class RangerHelper {
         .forEach(
             gravitinoPrivilege -> {
               // Translate the Gravitino privilege to map Ranger privilege
-              rangerAuthorizationPlugin
-                  .translatePrivilege(gravitinoPrivilege.name())
+              translatePrivilege(gravitinoPrivilege.name())
                   .forEach(
-                      mappedPrivilege -> {
+                      rangerPrivilege -> {
                         // Find the policy item that matches Gravitino 
privilege
                         List<RangerPolicy.RangerPolicyItem> matchPolicyItems =
                             policy.getPolicyItems().stream()
@@ -187,7 +142,7 @@ public class RangerHelper {
                                     policyItem -> {
                                       return policyItem.getAccesses().stream()
                                           .anyMatch(
-                                              access -> 
access.getType().equals(mappedPrivilege));
+                                              access -> 
access.getType().equals(rangerPrivilege));
                                     })
                                 .collect(Collectors.toList());
 
@@ -197,7 +152,7 @@ public class RangerHelper {
                               new RangerPolicy.RangerPolicyItem();
                           RangerPolicy.RangerPolicyItemAccess access =
                               new RangerPolicy.RangerPolicyItemAccess();
-                          access.setType(mappedPrivilege);
+                          access.setType(rangerPrivilege);
                           policyItem.getAccesses().add(access);
                           policyItem.getRoles().add(roleName);
                           if (Privilege.Condition.ALLOW == 
gravitinoPrivilege.condition()) {
@@ -240,10 +195,7 @@ public class RangerHelper {
                         boolean matchPrivilege =
                             securableObject.privileges().stream()
                                 .filter(Objects::nonNull)
-                                .flatMap(
-                                    privilege ->
-                                        rangerAuthorizationPlugin
-                                            
.translatePrivilege(privilege.name()).stream())
+                                .flatMap(privilege -> 
translatePrivilege(privilege.name()).stream())
                                 .filter(Objects::nonNull)
                                 .anyMatch(
                                     privilege -> {
@@ -297,17 +249,16 @@ public class RangerHelper {
 
     Map<String, String> searchFilters = new HashMap<>();
     Map<String, String> preciseFilters = new HashMap<>();
-    searchFilters.put(
-        RangerDefines.SEARCH_FILTER_SERVICE_NAME, 
rangerAuthorizationPlugin.rangerServiceName);
+    searchFilters.put(SearchFilter.SERVICE_NAME, rangerServiceName);
     searchFilters.put(SearchFilter.POLICY_LABELS_PARTIAL, 
MANAGED_BY_GRAVITINO);
     for (int i = 0; i < nsMetadataObj.size(); i++) {
-      searchFilters.put(policySearchKeys.get(i), nsMetadataObj.get(i));
-      preciseFilters.put(policyPreciseFilterKeys.get(i), nsMetadataObj.get(i));
+      searchFilters.put(
+          SearchFilter.RESOURCE_PREFIX + policyResourceDefines.get(i), 
nsMetadataObj.get(i));
+      preciseFilters.put(policyResourceDefines.get(i), nsMetadataObj.get(i));
     }
 
     try {
-      List<RangerPolicy> policies =
-          rangerAuthorizationPlugin.rangerClient.findPolicies(searchFilters);
+      List<RangerPolicy> policies = rangerClient.findPolicies(searchFilters);
 
       if (!policies.isEmpty()) {
         /**
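Review bot: The loop reads `policyResourceDefines.get(i)` for every element of `nsMetadataObj`, and that list is now supplied by the concrete plugin rather than fixed in this class, so the call ends in an IndexOutOfBoundsException if `nsMetadataObj` has more elements than the plugin declares resources. Add a guard before the loop, `if (nsMetadataObj.size() > policyResourceDefines.size()) throw new IllegalArgumentException("Unsupported metadata object depth: " + nsMetadataObj.size());`. The same indexing appears in `createPolicyAddResources` in the `@@ -495,7 +444,7 @@` hunk. The enclosing method starts and ends outside this hunk.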
@@ -357,10 +308,7 @@ public class RangerHelper {
 
   protected boolean checkRangerRole(String roleName) throws 
AuthorizationPluginException {
     try {
-      rangerAuthorizationPlugin.rangerClient.getRole(
-          roleName,
-          rangerAuthorizationPlugin.rangerAdminName,
-          rangerAuthorizationPlugin.rangerServiceName);
+      rangerClient.getRole(roleName, rangerAdminName, rangerServiceName);
     } catch (RangerServiceException e) {
       throw new AuthorizationPluginException(e);
     }
@@ -377,7 +325,7 @@ public class RangerHelper {
     GrantRevokeRoleRequest roleRequest = new GrantRevokeRoleRequest();
     roleRequest.setUsers(users);
     roleRequest.setGroups(groups);
-    roleRequest.setGrantor(rangerAuthorizationPlugin.rangerAdminName);
+    roleRequest.setGrantor(rangerAdminName);
     roleRequest.setTargetRoles(Sets.newHashSet(roleName));
     return roleRequest;
   }
@@ -386,11 +334,7 @@ public class RangerHelper {
   protected RangerRole createRangerRoleIfNotExists(String roleName) {
     RangerRole rangerRole = null;
     try {
-      rangerRole =
-          rangerAuthorizationPlugin.rangerClient.getRole(
-              roleName,
-              rangerAuthorizationPlugin.rangerAdminName,
-              rangerAuthorizationPlugin.rangerServiceName);
+      rangerRole = rangerClient.getRole(roleName, rangerAdminName, 
rangerServiceName);
     } catch (RangerServiceException e) {
       // ignore exception, If the role does not exist, then create it.
       LOG.warn("The role({}) does not exist in the Ranger!", roleName);
@@ -398,8 +342,7 @@ public class RangerHelper {
     try {
       if (rangerRole == null) {
         rangerRole = new RangerRole(roleName, 
RangerHelper.MANAGED_BY_GRAVITINO, null, null, null);
-        rangerAuthorizationPlugin.rangerClient.createRole(
-            rangerAuthorizationPlugin.rangerServiceName, rangerRole);
+        rangerClient.createRole(rangerServiceName, rangerRole);
       }
     } catch (RangerServiceException e) {
       throw new RuntimeException(e);
@@ -416,7 +359,11 @@ public class RangerHelper {
                   return policyItem.getAccesses().stream()
                       .allMatch(
                           policyItemAccess -> {
-                            return 
ownerPrivileges.contains(policyItemAccess.getType());
+                            return ownerPrivileges.stream()
+                                .anyMatch(
+                                    ownerPrivilege -> {
+                                      return 
ownerPrivilege.equalsTo(policyItemAccess.getType());
+                                    });
                           });
                 })
             .collect(Collectors.toList());
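Review bot: Owner access types are now matched with `equalsTo`, which is `equalsIgnoreCase` in both enums, while the role path earlier in this file still uses the case-sensitive `access.getType().equals(rangerPrivilege)` against the lower-case name. The two paths therefore disagree on whether an access type stored as `ALL` or `Select` counts as a match; whether Ranger can return such values is not visible here. Pick one rule for both paths and record it on the interface method, for example `/** Compares this privilege with a Ranger access type, ignoring case. */`. The `@@ -453,7 +400,7 @@` hunk uses the same `equalsTo` call, and the enclosing method extends beyond this hunk.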
@@ -453,7 +400,7 @@ public class RangerHelper {
                         return policyItem.getAccesses().stream()
                             .anyMatch(
                                 policyItemAccess -> {
-                                  return 
ownerPrivilege.equals(policyItemAccess.getType());
+                                  return 
ownerPrivilege.equalsTo(policyItemAccess.getType());
                                 });
                       });
             })
@@ -461,7 +408,9 @@ public class RangerHelper {
             // Add lost owner's privilege to the policy
             ownerPrivilege -> {
               RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
-              policyItem.getAccesses().add(new 
RangerPolicy.RangerPolicyItemAccess(ownerPrivilege));
+              policyItem
+                  .getAccesses()
+                  .add(new 
RangerPolicy.RangerPolicyItemAccess(ownerPrivilege.getName()));
               if (newOwner != null) {
                 if (newOwner.type() == Owner.Type.USER) {
                   policyItem.getUsers().add(newOwner.name());
@@ -486,7 +435,7 @@ public class RangerHelper {
 
   protected RangerPolicy createPolicyAddResources(MetadataObject 
metadataObject) {
     RangerPolicy policy = new RangerPolicy();
-    policy.setService(rangerAuthorizationPlugin.rangerServiceName);
+    policy.setService(rangerServiceName);
     policy.setName(metadataObject.fullName());
     
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
 
@@ -495,7 +444,7 @@ public class RangerHelper {
     for (int i = 0; i < nsMetadataObject.size(); i++) {
       RangerPolicy.RangerPolicyResource policyResource =
           new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
-      policy.getResources().put(policyPreciseFilterKeys.get(i), 
policyResource);
+      policy.getResources().put(policyResourceDefines.get(i), policyResource);
     }
     return policy;
   }
@@ -507,7 +456,9 @@ public class RangerHelper {
         ownerPrivilege -> {
           // Each owner's privilege will create one RangerPolicyItemAccess in 
the policy
           RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
-          policyItem.getAccesses().add(new 
RangerPolicy.RangerPolicyItemAccess(ownerPrivilege));
+          policyItem
+              .getAccesses()
+              .add(new 
RangerPolicy.RangerPolicyItemAccess(ownerPrivilege.getName()));
           if (newOwner != null) {
             if (newOwner.type() == Owner.Type.USER) {
               policyItem.getUsers().add(newOwner.name());
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilege.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilege.java
new file mode 100644
index 000000000..0953ac9a5
--- /dev/null
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilege.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization.ranger;
+
+/** RangerPrivilege interface is used to define the Ranger privileges. */
+public interface RangerPrivilege {
+  String getName();
+
+  boolean equalsTo(String value);
+
+  /** Ranger Hive privileges enumeration. */
+  enum RangerHivePrivilege implements RangerPrivilege {
+    ALL("all"),
+    SELECT("select"),
+    UPDATE("update"),
+    CREATE("create"),
+    DROP("drop"),
+    ALTER("alter"),
+    INDEX("index"),
+    LOCK("lock"),
+    READ("read"),
+    WRITE("write"),
+    REPLADMIN("repladmin"),
+    SERVICEADMIN("serviceadmin");
+
+    private final String name; // Access a type in the Ranger policy item
+
+    RangerHivePrivilege(String name) {
+      this.name = name;
+    }
+
+    @Override
+    public String getName() {
+      return name;
+    }
+
+    @Override
+    public boolean equalsTo(String value) {
+      return name.equalsIgnoreCase(value);
+    }
+  }
+
+  /** Ranger HDFS privileges enumeration. */
+  enum RangerHdfsPrivilege implements RangerPrivilege {
+    READ("read"),
+    WRITE("write"),
+    EXECUTE("execute");
+
+    private final String name; // Access a type in the Ranger policy item
+
+    RangerHdfsPrivilege(String name) {
+      this.name = name;
+    }
+
+    @Override
+    public String getName() {
+      return name;
+    }
+
+    @Override
+    public boolean equalsTo(String value) {
+      return name.equalsIgnoreCase(value);
+    }
+  }
+}
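Review bot: `equalsTo` is implemented identically in `RangerHivePrivilege` and `RangerHdfsPrivilege`; it can live once in the interface as `default boolean equalsTo(String value) { return getName().equalsIgnoreCase(value); }`, which also stops later enums from diverging on case handling. Neither interface method has Javadoc. `getName()` should say that it returns the Ranger access type written into policy items, because that lower-case value differs from the enum's own `name()`. The field comment `// Access a type in the Ranger policy item` presumably means `// Access type in the Ranger policy item`.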
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivileges.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivileges.java
new file mode 100644
index 000000000..1dff01dc8
--- /dev/null
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivileges.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization.ranger;
+
+import com.google.common.collect.Lists;
+import java.util.List;
+
+public class RangerPrivileges {
+  static List<Class<? extends Enum<? extends RangerPrivilege>>> 
allRangerPrivileges =
+      Lists.newArrayList(
+          RangerPrivilege.RangerHivePrivilege.class, 
RangerPrivilege.RangerHdfsPrivilege.class);
+
+  public static RangerPrivilege valueOf(String string) {
+    RangerHelper.check(string != null, "Privilege name string cannot be 
null!");
+
+    String strPrivilege = string.trim().toLowerCase();
+    for (Class<? extends Enum<? extends RangerPrivilege>> enumClass : 
allRangerPrivileges) {
+      for (Enum<? extends RangerPrivilege> privilege : 
enumClass.getEnumConstants()) {
+        if (((RangerPrivilege) privilege).equalsTo(strPrivilege)) {
+          return (RangerPrivilege) privilege;
+        }
+      }
+    }
+    throw new IllegalArgumentException("Unknown privilege string: " + string);
+  }
+}
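Review bot: `valueOf` returns the first match across all registered enums, and `read` and `write` exist in both `RangerHivePrivilege` and `RangerHdfsPrivilege`, so `valueOf("read")` can only ever return the Hive constant. Because enum constants compare by identity, a later check such as `ownerMappingRule().contains(RangerPrivileges.valueOf(access.getType()))` would never match a set built from the HDFS constants. Either document the first-match behaviour in a Javadoc on `valueOf`, or add an overload that takes the enum class of the service being resolved. Separately, `allRangerPrivileges` is package-visible, non-final and mutable; `private static final` with an immutable list keeps other code from altering which privilege names resolve. The `toLowerCase()` call is redundant, since `equalsTo` already compares with `equalsIgnoreCase`.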
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilegesMappingProvider.java
similarity index 55%
copy from 
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
copy to 
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilegesMappingProvider.java
index 8a3db8efa..c6a154d22 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerPrivilegesMappingProvider.java
@@ -18,19 +18,23 @@
  */
 package org.apache.gravitino.authorization.ranger;
 
+import java.util.List;
 import java.util.Map;
-import org.apache.gravitino.connector.authorization.AuthorizationPlugin;
-import org.apache.gravitino.connector.authorization.BaseAuthorization;
+import java.util.Set;
+import org.apache.gravitino.authorization.Privilege;
 
-/** Implementation of a Ranger authorization in Gravitino. */
-public class RangerAuthorization extends 
BaseAuthorization<RangerAuthorization> {
-  @Override
-  public String shortName() {
-    return "ranger";
-  }
+/**
+ * Ranger authorization use this provider to mapping Gravitino privilege to 
the Ranger privileges.
+ * We can use this it to support the different Ranger authorization 
components, such as Hive, HDFS,
+ * HBase, etc.
+ */
+public interface RangerPrivilegesMappingProvider {
+  /** Set the mapping Gravitino privilege name to the Ranger privileges rule. 
*/
+  Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule();
+
+  /** Set the owner privileges rule. */
+  Set<RangerPrivilege> ownerMappingRule();
 
-  @Override
-  protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, 
String> config) {
-    return new RangerAuthorizationPlugin(catalogProvider, config);
-  }
+  /** Set the policy resource defines rule. */
+  List<String> policyResourceDefinesRule();
 }
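Review bot: The three method comments say "Set the …", but the methods take no arguments and return the rule, so each should read as a getter, for example `/** Returns the Ranger privileges that each Gravitino privilege name maps to. */`. The contract also leaves open what an implementer or caller should do with a `Privilege.Name` that has no entry in the map. For an authorization mapping that should be explicit, either "no Ranger access is granted" or "rejected as unsupported". It would also help to state whether the returned map, sets and list may be modified by the caller. In the interface Javadoc, "use this provider to mapping" and "We can use this it" need rewording.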
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/reference/RangerDefines.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/reference/RangerDefines.java
index aa11ca215..b81fc3fdc 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/reference/RangerDefines.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/reference/RangerDefines.java
@@ -18,72 +18,35 @@
  */
 package org.apache.gravitino.authorization.ranger.reference;
 
-import org.apache.ranger.plugin.util.SearchFilter;
-
 public class RangerDefines {
-  // In the Ranger 2.4.0
-  // 
apache/ranger/security-admin/src/main/java/org/apache/ranger/service/RangerServiceDefService.java:L43
-  public static final String IMPLICIT_CONDITION_EXPRESSION_NAME = 
"_expression";
-
-  // In the Ranger 2.4.0
-  // 
apache/ranger/security-admin/src/main/java/org/apache/ranger/common/RangerSearchUtil.java:L159
-  // Search filter constants
-  public static final String SEARCH_FILTER_SERVICE_NAME = 
SearchFilter.SERVICE_NAME;
-  // Hive resource database name
-  public static final String RESOURCE_DATABASE = "database";
-  // Hive resource table name
-  public static final String RESOURCE_TABLE = "table";
-  // Hive resource column name
-  public static final String RESOURCE_COLUMN = "column";
-  // HDFS resource path name
-  public static final String RESOURCE_PATH = "path";
-  // Search filter prefix database constants
-  public static final String SEARCH_FILTER_DATABASE =
-      SearchFilter.RESOURCE_PREFIX + RESOURCE_DATABASE;
-  // Search filter prefix table constants
-  public static final String SEARCH_FILTER_TABLE = 
SearchFilter.RESOURCE_PREFIX + RESOURCE_TABLE;
-  // Search filter prefix column constants
-  public static final String SEARCH_FILTER_COLUMN = 
SearchFilter.RESOURCE_PREFIX + RESOURCE_COLUMN;
-  // Search filter prefix file path constants
-  public static final String SEARCH_FILTER_PATH = SearchFilter.RESOURCE_PREFIX 
+ RESOURCE_PATH;
   // Ranger service type HDFS
   public static final String SERVICE_TYPE_HDFS = "hdfs"; // HDFS service type
   // Ranger service type Hive
   public static final String SERVICE_TYPE_HIVE = "hive"; // Hive service type
+
+  // In the Ranger 2.4.0
+  // 
agents-common/src/main/java/org/apache/ranger/plugin/util/SearchFilter.java
   // {OWNER}: resource owner user variable
   public static final String OWNER_USER = "{OWNER}";
   // {USER}: current user variable
   public static final String CURRENT_USER = "{USER}";
   // public group
   public static final String PUBLIC_GROUP = "public";
-  // Read access type in the HDFS
-  public static final String ACCESS_TYPE_HDFS_READ = "read";
-  // Write access type in the HDFS
-  public static final String ACCESS_TYPE_HDFS_WRITE = "write";
-  // execute access type in the HDFS
-  public static final String ACCESS_TYPE_HDFS_EXECUTE = "execute";
-  // All access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_ALL = "all";
-  // Select access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_SELECT = "select";
-  // update access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_UPDATE = "update";
-  // create access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_CREATE = "create";
-  // drop access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_DROP = "drop";
-  // alter access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_ALTER = "alter";
-  // index access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_INDEX = "index";
-  // lock access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_LOCK = "lock";
-  // read access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_READ = "read";
-  // write access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_WRITE = "write";
-  // repladmin access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_REPLADMIN = "repladmin";
-  // serviceadmin access type in the Hive
-  public static final String ACCESS_TYPE_HIVE_SERVICEADMIN = "serviceadmin";
+
+  public enum PolicyResource {
+    // In the Ranger 2.4.0 
agents-common/src/main/resources/service-defs/ranger-servicedef-hive.json
+    DATABASE("database"),
+    TABLE("table"),
+    COLUMN("column");
+
+    private final String name;
+
+    PolicyResource(String name) {
+      this.name = name;
+    }
+
+    public String getName() {
+      return name;
+    }
+  }
 }
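Review bot: The added reference to `agents-common/.../SearchFilter.java` now sits directly above `OWNER_USER`, `CURRENT_USER` and `PUBLIC_GROUP`, which do not look like search-filter keys. This hunk also removes the `SearchFilter` import, so the comment appears to be left over from the deleted `SEARCH_FILTER_*` block; remove it or point it at the source that defines `{OWNER}` and `{USER}`. The new public enum `PolicyResource` has no Javadoc, and its source reference is a line comment inside the body. A class-level comment such as `/** Resource names used in Ranger Hive policies, as in ranger-servicedef-hive.json (Ranger 2.4.0). */` would say that these values are Hive-specific.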
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
index 89ecbc849..1c57a0001 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
@@ -42,6 +42,7 @@ import org.apache.gravitino.authorization.Privileges;
 import org.apache.gravitino.authorization.Role;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
+import org.apache.gravitino.authorization.ranger.RangerAuthorizationHivePlugin;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationPlugin;
 import org.apache.gravitino.catalog.hive.HiveConstants;
 import org.apache.gravitino.client.GravitinoMetalake;
@@ -149,8 +150,7 @@ public class RangerHiveE2EIT extends AbstractIT {
 
   private static void createCatalogAndRangerAuthPlugin() {
     rangerAuthPlugin =
-        new RangerAuthorizationPlugin(
-            "hive",
+        RangerAuthorizationHivePlugin.getInstance(
             ImmutableMap.of(
                 AuthorizationPropertiesMeta.RANGER_ADMIN_URL,
                 String.format(
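Review bot: `RangerAuthorizationHivePlugin.getInstance(config)` reads as a singleton accessor that also takes connection settings, and this test and `RangerHiveIT` (the `@@ -101,8 +106,7 @@` hunk) both call it with their own map. The implementation is not visible in this part of the diff. If the instance is cached on first call, a later call with a different Ranger admin URL, credentials or service name would silently get the first instance, and policies would be pushed to the wrong Ranger service. It is worth a Javadoc sentence on `getInstance` stating whether the config is honoured on every call, and a test that calls it twice with different `RANGER_SERVICE_NAME` values. The enclosing method continues outside this hunk.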
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
index 79f66ef28..7f5579c47 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
@@ -19,7 +19,9 @@
 package org.apache.gravitino.authorization.ranger.integration.test;
 
 import static org.apache.gravitino.authorization.SecurableObjects.DOT_SPLITTER;
+import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.RESOURCE_DATABASE;
 import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.currentFunName;
+import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.rangerClient;
 import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger;
 
 import com.google.common.collect.ImmutableMap;
@@ -44,8 +46,11 @@ import org.apache.gravitino.authorization.Role;
 import org.apache.gravitino.authorization.RoleChange;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
+import org.apache.gravitino.authorization.ranger.RangerAuthorizationHivePlugin;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationPlugin;
 import org.apache.gravitino.authorization.ranger.RangerHelper;
+import org.apache.gravitino.authorization.ranger.RangerPrivilege;
+import org.apache.gravitino.authorization.ranger.RangerPrivileges;
 import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
 import org.apache.gravitino.connector.AuthorizationPropertiesMeta;
 import org.apache.gravitino.integration.test.container.ContainerSuite;
@@ -101,8 +106,7 @@ public class RangerHiveIT {
                 adminUser)));
 
     rangerAuthPlugin =
-        new RangerAuthorizationPlugin(
-            "hive",
+        RangerAuthorizationHivePlugin.getInstance(
             ImmutableMap.of(
                 AuthorizationPropertiesMeta.RANGER_ADMIN_URL,
                 String.format(
@@ -117,7 +121,14 @@ public class RangerHiveIT {
                 RangerContainer.rangerPassword,
                 AuthorizationPropertiesMeta.RANGER_SERVICE_NAME,
                 RangerITEnv.RANGER_HIVE_REPO_NAME));
-    rangerPolicyHelper = new RangerHelper(rangerAuthPlugin, "hive");
+    rangerPolicyHelper =
+        new RangerHelper(
+            rangerClient,
+            RangerContainer.rangerUserName,
+            RangerITEnv.RANGER_HIVE_REPO_NAME,
+            rangerAuthPlugin.privilegesMappingRule(),
+            rangerAuthPlugin.ownerMappingRule(),
+            rangerAuthPlugin.policyResourceDefinesRule());
 
     // Create hive connection
     String url =
@@ -280,8 +291,8 @@ public class RangerHiveIT {
           new RangerPolicy.RangerPolicyResource(metaObjects.get(i));
       policyResourceMap.put(
           i == 0
-              ? RangerDefines.RESOURCE_DATABASE
-              : i == 1 ? RangerDefines.RESOURCE_TABLE : 
RangerDefines.RESOURCE_COLUMN,
+              ? RangerITEnv.RESOURCE_DATABASE
+              : i == 1 ? RangerITEnv.RESOURCE_TABLE : 
RangerITEnv.RESOURCE_COLUMN,
           policyResource);
     }
 
@@ -289,7 +300,8 @@ public class RangerHiveIT {
     policyItem.setGroups(Arrays.asList(RangerDefines.PUBLIC_GROUP));
     policyItem.setAccesses(
         Arrays.asList(
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HIVE_SELECT)));
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHivePrivilege.SELECT.toString())));
     RangerITEnv.updateOrCreateRangerPolicy(
         RangerDefines.SERVICE_TYPE_HIVE,
         RangerITEnv.RANGER_HIVE_REPO_NAME,
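Review bot: `RangerPrivilege.RangerHivePrivilege.SELECT.toString()` yields the constant name `SELECT`, not the access type `select` that the removed `ACCESS_TYPE_HIVE_SELECT` carried, because the enum keeps the access type in `name` and does not override `toString()`. Use `RangerPrivilege.RangerHivePrivilege.SELECT.getName()` so the policy item carries the exact string from the service definition; whether Ranger accepts the upper-case form is not visible here. The same substitution applies to the `ALL.toString()` calls in the two `testCreateDatabase` hunks and to the `READ`, `WRITE`, `EXECUTE` and `SELECT` `.toString()` calls in the RangerITEnv.java hunks. The enclosing method starts and ends outside this hunk.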
@@ -1132,8 +1144,8 @@ public class RangerHiveIT {
               .getResources()
               .get(
                   i == 0
-                      ? RangerDefines.RESOURCE_DATABASE
-                      : i == 1 ? RangerDefines.RESOURCE_TABLE : 
RangerDefines.RESOURCE_COLUMN)
+                      ? RangerITEnv.RESOURCE_DATABASE
+                      : i == 1 ? RangerITEnv.RESOURCE_TABLE : 
RangerITEnv.RESOURCE_COLUMN)
               .getValues()
               .get(0));
     }
@@ -1146,7 +1158,9 @@ public class RangerHiveIT {
               return policyItem.getAccesses().stream()
                   .anyMatch(
                       access -> {
-                        return 
rangerAuthPlugin.getOwnerPrivileges().contains(access.getType());
+                        return rangerAuthPlugin
+                            .ownerMappingRule()
+                            
.contains(RangerPrivileges.valueOf(access.getType()));
                       });
             })
         .anyMatch(
@@ -1195,69 +1209,6 @@ public class RangerHiveIT {
     verifyOwnerInRanger(metadataObject, includeUsers, null, null, null);
   }
 
-  /** Currently we only test Ranger Hive, So wo Allow anyone to visit HDFS */
-  static void allowAnyoneAccessHDFS() {
-    String policyName = currentFunName();
-    try {
-      if (null != 
RangerITEnv.rangerClient.getPolicy(RangerDefines.SERVICE_TYPE_HDFS, 
policyName)) {
-        return;
-      }
-    } catch (RangerServiceException e) {
-      // If the policy doesn't exist, we will create it
-    }
-
-    Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
-        ImmutableMap.of(RangerDefines.RESOURCE_PATH, new 
RangerPolicy.RangerPolicyResource("/*"));
-    RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
-    policyItem.setUsers(Arrays.asList(RangerDefines.CURRENT_USER));
-    policyItem.setAccesses(
-        Arrays.asList(
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_READ),
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_WRITE),
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_EXECUTE)));
-    RangerITEnv.updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HDFS,
-        RangerITEnv.RANGER_HDFS_REPO_NAME,
-        policyName,
-        policyResourceMap,
-        Collections.singletonList(policyItem));
-  }
-
-  /**
-   * Hive must have this policy Allow anyone can access information schema to 
show `database`,
-   * `tables` and `columns`
-   */
-  static void allowAnyoneAccessInformationSchema() {
-    String policyName = currentFunName();
-    try {
-      if (null != 
RangerITEnv.rangerClient.getPolicy(RangerDefines.SERVICE_TYPE_HIVE, 
policyName)) {
-        return;
-      }
-    } catch (RangerServiceException e) {
-      // If the policy doesn't exist, we will create it
-    }
-
-    Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
-        ImmutableMap.of(
-            RangerDefines.RESOURCE_DATABASE,
-            new RangerPolicy.RangerPolicyResource("information_schema"),
-            RangerDefines.RESOURCE_TABLE,
-            new RangerPolicy.RangerPolicyResource("*"),
-            RangerDefines.RESOURCE_COLUMN,
-            new RangerPolicy.RangerPolicyResource("*"));
-    RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
-    policyItem.setGroups(Arrays.asList(RangerDefines.PUBLIC_GROUP));
-    policyItem.setAccesses(
-        Arrays.asList(
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HIVE_SELECT)));
-    RangerITEnv.updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HIVE,
-        RangerITEnv.RANGER_HIVE_REPO_NAME,
-        policyName,
-        policyResourceMap,
-        Collections.singletonList(policyItem));
-  }
-
   @Test
   public void testCreateDatabase() throws Exception {
     String dbName = currentFunName().toLowerCase(); // Hive database name is 
case-insensitive
@@ -1265,12 +1216,13 @@ public class RangerHiveIT {
     // Only allow admin user to operation database `db1`
     // Other users can't see the database `db1`
     Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
-        ImmutableMap.of(
-            RangerDefines.RESOURCE_DATABASE, new 
RangerPolicy.RangerPolicyResource(dbName));
+        ImmutableMap.of(RESOURCE_DATABASE, new 
RangerPolicy.RangerPolicyResource(dbName));
     RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
     policyItem.setUsers(Arrays.asList(adminUser));
     policyItem.setAccesses(
-        Arrays.asList(new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HIVE_ALL)));
+        Arrays.asList(
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHivePrivilege.ALL.toString())));
     RangerITEnv.updateOrCreateRangerPolicy(
         RangerDefines.SERVICE_TYPE_HIVE,
         RangerITEnv.RANGER_HIVE_REPO_NAME,
@@ -1300,7 +1252,9 @@ public class RangerHiveIT {
     // Allow anonymous user to see the database `db1`
     policyItem.setUsers(Arrays.asList(adminUser, anonymousUser));
     policyItem.setAccesses(
-        Arrays.asList(new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HIVE_ALL)));
+        Arrays.asList(
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHivePrivilege.ALL.toString())));
     RangerITEnv.updateOrCreateRangerPolicy(
         RangerDefines.SERVICE_TYPE_HIVE,
         RangerITEnv.RANGER_HIVE_REPO_NAME,
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
index 2808a2b79..9a9d713f7 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
@@ -29,12 +29,13 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.gravitino.authorization.Role;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationPlugin;
+import org.apache.gravitino.authorization.ranger.RangerClientExtension;
 import org.apache.gravitino.authorization.ranger.RangerHelper;
+import org.apache.gravitino.authorization.ranger.RangerPrivilege;
 import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
 import org.apache.gravitino.integration.test.container.ContainerSuite;
 import org.apache.gravitino.integration.test.container.HiveContainer;
 import org.apache.gravitino.integration.test.container.TrinoContainer;
-import org.apache.ranger.RangerClient;
 import org.apache.ranger.RangerServiceException;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerRole;
@@ -53,10 +54,27 @@ public class RangerITEnv {
   private static final String RANGER_HIVE_TYPE = "hive";
   protected static final String RANGER_HDFS_REPO_NAME = "hdfsDev";
   private static final String RANGER_HDFS_TYPE = "hdfs";
-  protected static RangerClient rangerClient;
+  protected static RangerClientExtension rangerClient;
   private static volatile boolean initRangerService = false;
   private static final ContainerSuite containerSuite = 
ContainerSuite.getInstance();
 
+  // Hive resource database name
+  public static final String RESOURCE_DATABASE = "database";
+  // Hive resource table name
+  public static final String RESOURCE_TABLE = "table";
+  // Hive resource column name
+  public static final String RESOURCE_COLUMN = "column";
+  // HDFS resource path name
+  public static final String RESOURCE_PATH = "path";
+  public static final String SEARCH_FILTER_DATABASE =
+      SearchFilter.RESOURCE_PREFIX + RESOURCE_DATABASE;
+  // Search filter prefix table constants
+  public static final String SEARCH_FILTER_TABLE = 
SearchFilter.RESOURCE_PREFIX + RESOURCE_TABLE;
+  // Search filter prefix column constants
+  public static final String SEARCH_FILTER_COLUMN = 
SearchFilter.RESOURCE_PREFIX + RESOURCE_COLUMN;
+  // Search filter prefix file path constants
+  public static final String SEARCH_FILTER_PATH = SearchFilter.RESOURCE_PREFIX 
+ RESOURCE_PATH;
+
   public static void setup() {
     containerSuite.startRangerContainer();
     rangerClient = containerSuite.getRangerContainer().rangerClient;
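Review bot: The `RESOURCE_*` constants added here repeat the names that `RangerDefines.PolicyResource` now defines, and the two hunks just below use bare literals (`"path"`, `"database"`, `"table"`, `"column"`) instead of either. That leaves three places where a resource name can drift, and a misspelt key in a test policy would go unnoticed. Prefer `ImmutableMap.of(RESOURCE_PATH, …)` and `RESOURCE_DATABASE`/`RESOURCE_TABLE`/`RESOURCE_COLUMN` in those hunks, or derive the constants from `PolicyResource.DATABASE.getName()` and its siblings. `SEARCH_FILTER_DATABASE` is also the only constant in the group without its `// Search filter prefix database constants` comment.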
@@ -101,14 +119,17 @@ public class RangerITEnv {
     }
 
     Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
-        ImmutableMap.of(RangerDefines.RESOURCE_PATH, new 
RangerPolicy.RangerPolicyResource("/*"));
+        ImmutableMap.of("path", new RangerPolicy.RangerPolicyResource("/*"));
     RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
     policyItem.setUsers(Arrays.asList(RangerDefines.CURRENT_USER));
     policyItem.setAccesses(
         Arrays.asList(
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_READ),
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_WRITE),
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HDFS_EXECUTE)));
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHdfsPrivilege.READ.toString()),
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHdfsPrivilege.WRITE.toString()),
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHdfsPrivilege.EXECUTE.toString())));
     updateOrCreateRangerPolicy(
         RangerDefines.SERVICE_TYPE_HDFS,
         RANGER_HDFS_REPO_NAME,
@@ -134,17 +155,18 @@ public class RangerITEnv {
 
     Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
         ImmutableMap.of(
-            RangerDefines.RESOURCE_DATABASE,
+            "database",
             new RangerPolicy.RangerPolicyResource("information_schema"),
-            RangerDefines.RESOURCE_TABLE,
+            "table",
             new RangerPolicy.RangerPolicyResource("*"),
-            RangerDefines.RESOURCE_COLUMN,
+            "column",
             new RangerPolicy.RangerPolicyResource("*"));
     RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
     policyItem.setGroups(Arrays.asList(RangerDefines.PUBLIC_GROUP));
     policyItem.setAccesses(
         Arrays.asList(
-            new 
RangerPolicy.RangerPolicyItemAccess(RangerDefines.ACCESS_TYPE_HIVE_SELECT)));
+            new RangerPolicy.RangerPolicyItemAccess(
+                RangerPrivilege.RangerHivePrivilege.SELECT.toString())));
     updateOrCreateRangerPolicy(
         RangerDefines.SERVICE_TYPE_HIVE,
         RANGER_HIVE_REPO_NAME,
@@ -176,7 +198,7 @@ public class RangerITEnv {
       Assertions.assertNotNull(createdService);
 
       Map<String, String> filter =
-          ImmutableMap.of(RangerDefines.SEARCH_FILTER_SERVICE_NAME, 
RANGER_TRINO_REPO_NAME);
+          ImmutableMap.of(SearchFilter.SERVICE_NAME, RANGER_TRINO_REPO_NAME);
       List<RangerService> services = rangerClient.findServices(filter);
       Assertions.assertEquals(RANGER_TRINO_TYPE, services.get(0).getType());
       Assertions.assertEquals(RANGER_TRINO_REPO_NAME, 
services.get(0).getName());
@@ -223,7 +245,7 @@ public class RangerITEnv {
       Assertions.assertNotNull(createdService);
 
       Map<String, String> filter =
-          ImmutableMap.of(RangerDefines.SEARCH_FILTER_SERVICE_NAME, 
RANGER_HIVE_REPO_NAME);
+          ImmutableMap.of(SearchFilter.SERVICE_NAME, RANGER_HIVE_REPO_NAME);
       List<RangerService> services = rangerClient.findServices(filter);
       Assertions.assertEquals(RANGER_HIVE_TYPE, services.get(0).getType());
       Assertions.assertEquals(RANGER_HIVE_REPO_NAME, 
services.get(0).getName());
@@ -280,7 +302,7 @@ public class RangerITEnv {
       Assertions.assertNotNull(createdService);
 
       Map<String, String> filter =
-          ImmutableMap.of(RangerDefines.SEARCH_FILTER_SERVICE_NAME, 
RANGER_HDFS_REPO_NAME);
+          ImmutableMap.of(SearchFilter.SERVICE_NAME, RANGER_HDFS_REPO_NAME);
       List<RangerService> services = rangerClient.findServices(filter);
       Assertions.assertEquals(RANGER_HDFS_TYPE, services.get(0).getType());
       Assertions.assertEquals(RANGER_HDFS_REPO_NAME, 
services.get(0).getName());
@@ -436,26 +458,26 @@ public class RangerITEnv {
 
     Map<String, String> resourceFilter = new HashMap<>(); // use to match the 
precise policy
     Map<String, String> policyFilter = new HashMap<>();
-    policyFilter.put(RangerDefines.SEARCH_FILTER_SERVICE_NAME, serviceName);
+    policyFilter.put(SearchFilter.SERVICE_NAME, serviceName);
     policyFilter.put(SearchFilter.POLICY_LABELS_PARTIAL, 
RangerHelper.MANAGED_BY_GRAVITINO);
     final int[] index = {0};
     policyResourceMap.forEach(
         (k, v) -> {
           if (type.equals(RANGER_HIVE_TYPE)) {
             if (index[0] == 0) {
-              policyFilter.put(RangerDefines.SEARCH_FILTER_DATABASE, 
v.getValues().get(0));
-              resourceFilter.put(RangerDefines.RESOURCE_DATABASE, 
v.getValues().get(0));
+              policyFilter.put(SEARCH_FILTER_DATABASE, v.getValues().get(0));
+              resourceFilter.put(RESOURCE_DATABASE, v.getValues().get(0));
             } else if (index[0] == 1) {
-              policyFilter.put(RangerDefines.SEARCH_FILTER_TABLE, 
v.getValues().get(0));
-              resourceFilter.put(RangerDefines.RESOURCE_TABLE, 
v.getValues().get(0));
+              policyFilter.put(SEARCH_FILTER_TABLE, v.getValues().get(0));
+              resourceFilter.put(RESOURCE_TABLE, v.getValues().get(0));
             } else if (index[0] == 2) {
-              policyFilter.put(RangerDefines.SEARCH_FILTER_COLUMN, 
v.getValues().get(0));
-              resourceFilter.put(RangerDefines.RESOURCE_TABLE, 
v.getValues().get(0));
+              policyFilter.put(SEARCH_FILTER_COLUMN, v.getValues().get(0));
+              resourceFilter.put(RESOURCE_TABLE, v.getValues().get(0));
             }
             index[0]++;
           } else if (type.equals(RANGER_HDFS_TYPE)) {
-            policyFilter.put(RangerDefines.SEARCH_FILTER_PATH, 
v.getValues().get(0));
-            resourceFilter.put(RangerDefines.RESOURCE_PATH, 
v.getValues().get(0));
+            policyFilter.put(SEARCH_FILTER_PATH, v.getValues().get(0));
+            resourceFilter.put(RESOURCE_PATH, v.getValues().get(0));
           }
         });
     try {
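Review bot: In the `index[0] == 2` branch the column value is stored under `RESOURCE_TABLE`, so `resourceFilter` has its table entry overwritten by the column name and never gets a column entry; the rename carries this over unchanged. The line should be `resourceFilter.put(RESOURCE_COLUMN, v.getValues().get(0));`. Since `resourceFilter` is commented as matching the precise policy, a column-level policy may fail to match, or the wrong one may be selected; how the filter is consumed lies outside this hunk. The branch also depends on `policyResourceMap` iterating in database, table, column order, which deserves a comment at the `index` declaration. The method starts and ends outside this hunk.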
@@ -512,8 +534,7 @@ public class RangerITEnv {
   protected static void cleanAllPolicy(String serviceName) {
     try {
       List<RangerPolicy> policies =
-          rangerClient.findPolicies(
-              ImmutableMap.of(RangerDefines.SEARCH_FILTER_SERVICE_NAME, 
serviceName));
+          rangerClient.findPolicies(ImmutableMap.of(SearchFilter.SERVICE_NAME, 
serviceName));
       for (RangerPolicy policy : policies) {
         rangerClient.deletePolicy(policy.getId());
       }
diff --git a/docs/security/authorization-pushdown.md 
b/docs/security/authorization-pushdown.md
index bab70144f..e521402f6 100644
--- a/docs/security/authorization-pushdown.md
+++ b/docs/security/authorization-pushdown.md
@@ -30,8 +30,8 @@ Once you have used the correct configuration, you can perform 
authorization oper
 
 #### Example of using the Authorization Ranger Hive Plugin
 
-Suppose you have an Apache Hive service in your datacenter and have created a 
`hiveRepo` in Apache Ranger to manage its permissions. 
-The Ranger service is accessible at `172.0.0.100:6080`, with the username 
`Jack` and the password `PWD123`. 
+Suppose you have an Apache Hive service in your datacenter and have created a 
`hiveRepo` in Apache Ranger to manage its permissions.
+The Ranger service is accessible at `172.0.0.100:6080`, with the username 
`Jack` and the password `PWD123`.
 To add this Hive service to Gravitino using the Hive catalog, you'll need to 
configure the following parameters.
 
 ```properties
@@ -45,4 +45,4 @@ authorization.ranger.service.name=hiveRepo
 
 :::caution
 Gravitino 0.6.0 only supports the authorization Apache Ranger Hive service and 
more data source authorization is under development.
-:::
+:::
\ No newline at end of file
diff --git a/integration-test-common/build.gradle.kts 
b/integration-test-common/build.gradle.kts
index a25ad4cff..449c38efc 100644
--- a/integration-test-common/build.gradle.kts
+++ b/integration-test-common/build.gradle.kts
@@ -32,6 +32,7 @@ dependencies {
   testImplementation(project(":core"))
   testImplementation(project(":server"))
   testImplementation(project(":server-common"))
+  testImplementation(project(":authorizations:authorization-ranger"))
   testImplementation(libs.bundles.jetty)
   testImplementation(libs.bundles.jersey)
   testImplementation(libs.bundles.jwt)
diff --git 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
index 54b2afc0c..1aa91e086 100644
--- 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
+++ 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
@@ -25,7 +25,7 @@ import com.google.common.collect.ImmutableSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
-import org.apache.ranger.RangerClient;
+import org.apache.gravitino.authorization.ranger.RangerClientExtension;
 import org.apache.ranger.RangerServiceException;
 import org.rnorth.ducttape.Preconditions;
 import org.slf4j.Logger;
@@ -38,7 +38,7 @@ public class RangerContainer extends BaseContainer {
   public static final String DEFAULT_IMAGE = 
System.getenv("GRAVITINO_CI_RANGER_DOCKER_IMAGE");
   public static final String HOST_NAME = "gravitino-ci-ranger";
   public static final int RANGER_SERVER_PORT = 6080;
-  public RangerClient rangerClient;
+  public RangerClientExtension rangerClient;
   private String rangerUrl;
 
   /**
@@ -83,7 +83,7 @@ public class RangerContainer extends BaseContainer {
     super.start();
 
     rangerUrl = String.format("http://localhost:%s";, 
this.getMappedPort(RANGER_SERVER_PORT));
-    rangerClient = new RangerClient(rangerUrl, authType, rangerUserName, 
rangerPassword, null);
+    rangerClient = new RangerClientExtension(rangerUrl, authType, 
rangerUserName, rangerPassword);
 
     Preconditions.check("Ranger container startup failed!", 
checkContainerStatus(10));
   }
