jerqi commented on code in PR #5113:
URL: https://github.com/apache/gravitino/pull/5113#discussion_r1804693882
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java:
##########
@@ -60,16 +81,286 @@ public Map<Privilege.Name, Set<RangerPrivilege>>
privilegesMappingRule() {
ImmutableSet.of(RangerHivePrivilege.READ, RangerHivePrivilege.SELECT));
}
+ @Override
/** Set the default owner rule. */
public Set<RangerPrivilege> ownerMappingRule() {
return ImmutableSet.of(RangerHivePrivilege.ALL);
}
+ @Override
/** Set Ranger policy resource rule. */
public List<String> policyResourceDefinesRule() {
return ImmutableList.of(
PolicyResource.DATABASE.getName(),
PolicyResource.TABLE.getName(),
PolicyResource.COLUMN.getName());
}
+
+ @Override
+ /** Allow privilege operation defines rule. */
+ public Set<Privilege.Name> allowPrivilegesRule() {
+ return ImmutableSet.of(
+ Privilege.Name.CREATE_CATALOG,
+ Privilege.Name.USE_CATALOG,
+ Privilege.Name.CREATE_SCHEMA,
+ Privilege.Name.USE_SCHEMA,
+ Privilege.Name.CREATE_TABLE,
+ Privilege.Name.MODIFY_TABLE,
+ Privilege.Name.SELECT_TABLE);
+ }
+
+ /** Translate the Gravitino securable object to the Ranger owner securable
object. */
+ public List<RangerSecurableObject> translateOwner(MetadataObject
metadataObject) {
+ List<RangerSecurableObject> rangerSecurableObjects = new ArrayList<>();
+
+ switch (metadataObject.type()) {
+ case METALAKE:
+ case CATALOG:
+ // Add `*` for the SCHEMA permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(RangerHelper.RESOURCE_STAR),
+ MetadataObject.Type.SCHEMA,
+ ownerMappingRule()));
+ // Add `*.*` for the TABLE permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(RangerHelper.RESOURCE_STAR,
RangerHelper.RESOURCE_STAR),
+ MetadataObject.Type.TABLE,
+ ownerMappingRule()));
+ // Add `*.*.*` for the COLUMN permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(
+ RangerHelper.RESOURCE_STAR,
+ RangerHelper.RESOURCE_STAR,
+ RangerHelper.RESOURCE_STAR),
+ MetadataObject.Type.COLUMN,
+ ownerMappingRule()));
+ break;
+ case SCHEMA:
+ // Add `{schema}` for the SCHEMA permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(metadataObject.name() /*Schema name*/),
+ MetadataObject.Type.SCHEMA,
+ ownerMappingRule()));
+ // Add `{schema}.*` for the TABLE permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(metadataObject.name() /*Schema name*/,
RangerHelper.RESOURCE_STAR),
+ MetadataObject.Type.TABLE,
+ ownerMappingRule()));
+ // Add `{schema}.*.*` for the COLUMN permission
+ rangerSecurableObjects.add(
+ RangerSecurableObjects.of(
+ ImmutableList.of(
+ metadataObject.name() /*Schema name*/,
+ RangerHelper.RESOURCE_STAR,
+ RangerHelper.RESOURCE_STAR),
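Review bot: the METALAKE/CATALOG branch of `translateOwner` maps the owner to `ALL` on `*`, `*.*` and `*.*.*`, which is every database, table and column reachable through the Ranger Hive service, not only the objects backed by this Gravitino catalog; if one Ranger service can be shared by several catalogs, that grant is wider than catalog ownership implies, so please state the intended scope in the method Javadoc (or narrow the resources) and add a unit test asserting the exact resource lists produced for each `MetadataObject.Type`. A smaller style point: in the three `+ @Override` lines the annotation sits above the Javadoc (`/** Set the default owner rule. */` and the two that follow); put the comment first so it stays attached to the method declaration and is not reported as misplaced Javadoc by Checkstyle.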
Review Comment:
How about renaming `RESOURCE_START` to `RESOURCE_ALL`?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]