jerqi commented on code in PR #5113:
URL: https://github.com/apache/gravitino/pull/5113#discussion_r1804701217
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java:
##########
@@ -181,47 +236,122 @@ public Boolean onRoleUpdated(Role role, RoleChange...
changes) throws RuntimeExc
@Override
public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner,
Owner newOwner)
throws RuntimeException {
- RangerHelper.check(newOwner != null, "The newOwner must be not null");
+ Preconditions.checkArgument(newOwner != null, "The newOwner must be not
null");
// Add the user or group to the Ranger
+ String preOwnerUserName = null,
+ preOwnerGroupName = null,
+ newOwnerUserName = null,
+ newOwnerGroupName = null;
AuditInfo auditInfo =
AuditInfo.builder()
.withCreator(PrincipalUtils.getCurrentPrincipal().getName())
.withCreateTime(Instant.now())
.build();
+ if (preOwner != null) {
+ if (preOwner.type() == Owner.Type.USER) {
+ preOwnerUserName = newOwner.name();
+ } else {
+ preOwnerGroupName = newOwner.name();
+ }
+ }
if (newOwner.type() == Owner.Type.USER) {
+ newOwnerUserName = newOwner.name();
UserEntity userEntity =
UserEntity.builder()
.withId(1L)
- .withName(newOwner.name())
+ .withName(newOwnerUserName)
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onUserAdded(userEntity);
} else {
+ newOwnerGroupName = newOwner.name();
GroupEntity groupEntity =
GroupEntity.builder()
.withId(1L)
- .withName(newOwner.name())
+ .withName(newOwnerGroupName)
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onGroupAdded(groupEntity);
}
- RangerPolicy policy = rangerHelper.findManagedPolicy(metadataObject);
- try {
- if (policy == null) {
- policy = rangerHelper.addOwnerToNewPolicy(metadataObject, newOwner);
- rangerClient.createPolicy(policy);
- } else {
- rangerHelper.updatePolicyOwner(policy, preOwner, newOwner);
- rangerClient.updatePolicy(policy.getId(), policy);
- }
- } catch (RangerServiceException e) {
- throw new RuntimeException(e);
+ List<RangerSecurableObject> rangerSecurableObjects =
translateOwner(metadataObject);
+ String ownerRoleName;
+ switch (metadataObject.type()) {
+ case METALAKE:
+ case CATALOG:
+ // The metalake and catalog use role to manage the owner
+ if (metadataObject.type() == MetadataObject.Type.METALAKE) {
+ ownerRoleName = RangerHelper.GRAVITINO_METALAKE_OWNER_ROLE;
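Review bot: Both branches under `if (preOwner != null)` copy `newOwner.name()` into the pre-owner variables, so `preOwnerUserName` and `preOwnerGroupName` never hold the previous owner's name; they should read `preOwnerUserName = preOwner.name();` and `preOwnerGroupName = preOwner.name();`. If those variables are what the later policy update uses to remove the previous owner, the removal would presumably be keyed on the new owner's name and the old owner's Ranger entries would be left in place, so ownership privileges would not actually be revoked on transfer; that use is outside the hunk, so this part is inferred. The body of onOwnerSet continues past the end of the quoted hunk.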
Review Comment:
Maybe we should add a check to avoid creating roles with certain specific names. I can add this check in the next pull request.