Re: [PR] [#5116][#5106][#4616][#5135] improve(auth-ranger): The owner of catalog/metalake should have all the privileges of schemas/tables [gravitino]

Fri, 18 Oct 2024 08:30:32 -0700 


xunliu commented on code in PR #5113:
URL: https://github.com/apache/gravitino/pull/5113#discussion_r1806686834


##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java:
##########
@@ -123,56 +107,47 @@ void checkPolicyItemAccess(RangerPolicy.RangerPolicyItem 
policyItem)
    * We cannot clean the policy items because one Ranger policy maybe contains 
multiple Gravitino
    * securable objects. <br>
    */
-  void addPolicyItem(RangerPolicy policy, String roleName, SecurableObject 
securableObject) {
-    // First check the privilege if support in the Ranger Hive
-    checkPrivileges(securableObject);
-
+  void addPolicyItem(RangerPolicy policy, String roleName, 
RangerSecurableObject securableObject) {
     // Add the policy items by the securable object's privileges
     securableObject
         .privileges()
         .forEach(
-            gravitinoPrivilege -> {
-              // Translate the Gravitino privilege to map Ranger privilege
-              translatePrivilege(gravitinoPrivilege.name())
-                  .forEach(
-                      rangerPrivilege -> {
-                        // Find the policy item that matches Gravitino 
privilege
-                        List<RangerPolicy.RangerPolicyItem> matchPolicyItems =
-                            policy.getPolicyItems().stream()
-                                .filter(
-                                    policyItem -> {
-                                      return policyItem.getAccesses().stream()
-                                          .anyMatch(
-                                              access -> 
access.getType().equals(rangerPrivilege));
-                                    })
-                                .collect(Collectors.toList());
-
-                        if (matchPolicyItems.size() == 0) {
-                          // If the policy item does not exist, then create a 
new policy item
-                          RangerPolicy.RangerPolicyItem policyItem =
-                              new RangerPolicy.RangerPolicyItem();
-                          RangerPolicy.RangerPolicyItemAccess access =
-                              new RangerPolicy.RangerPolicyItemAccess();
-                          access.setType(rangerPrivilege);
-                          policyItem.getAccesses().add(access);
-                          policyItem.getRoles().add(roleName);
-                          if (Privilege.Condition.ALLOW == 
gravitinoPrivilege.condition()) {
-                            policy.getPolicyItems().add(policyItem);
-                          } else {
-                            policy.getDenyPolicyItems().add(policyItem);
+            rangerPrivilege -> {
+              // Find the policy item that matches Gravitino privilege
+              List<RangerPolicy.RangerPolicyItem> matchPolicyItems =
+                  policy.getPolicyItems().stream()
+                      .filter(
+                          policyItem -> {
+                            return policyItem.getAccesses().stream()
+                                .anyMatch(
+                                    access -> 
access.getType().equals(rangerPrivilege.getName()));
+                          })
+                      .collect(Collectors.toList());
+
+              if (matchPolicyItems.size() == 0) {

Review Comment:
   DONE



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to