theoryxu commented on code in PR #5629:
URL: https://github.com/apache/gravitino/pull/5629#discussion_r1859696576
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java:
##########
@@ -242,7 +242,45 @@ public RangerPolicy findManagedPolicy(RangerMetadataObject
rangerMetadataObject)
return policy;
}
+ public boolean
isGravitinoManagedPolicyItemAccess(RangerPolicy.RangerPolicyItem policyItem) {
+ return policyItem.getRoles().stream().anyMatch(role ->
role.startsWith(GRAVITINO_ROLE_PREFIX));
+ }
+
+ public boolean hasGravitinoManagedPolicyItem(RangerPolicy policy) {
+ List<RangerPolicy.RangerPolicyItem> policyItems = policy.getPolicyItems();
+ policyItems.addAll(policy.getDenyPolicyItems());
+ policyItems.addAll(policy.getRowFilterPolicyItems());
+ policyItems.addAll(policy.getDataMaskPolicyItems());
+ return
policyItems.stream().anyMatch(this::isGravitinoManagedPolicyItemAccess);
+ }
+
+ public void removeAllGravitinoManagedPolicyItem(RangerPolicy policy) {
+ try {
+ policy.setPolicyItems(
+ policy.getPolicyItems().stream()
+ .filter(i -> !isGravitinoManagedPolicyItemAccess(i))
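Review bot: hasGravitinoManagedPolicyItem mutates the policy it is only meant to inspect, because `policy.getPolicyItems()` is used directly as the accumulator for the three `addAll` calls. Unless that getter returns a copy (Ranger's model class normally hands back its own list), the deny, row-filter and data-mask items are appended to the policy's allow items, and every further call appends them again. If the same RangerPolicy object is later written back to Ranger, deny entries could be stored as grants. Build the combined list in a fresh collection instead, `List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<>(policy.getPolicyItems());`, and keep the `addAll` calls as they are. removeAllGravitinoManagedPolicyItem is cut off at the end of this quoted hunk, so it is not reviewed here.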
Review Comment:
fixed
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java:
##########
@@ -278,11 +324,13 @@ protected GrantRevokeRoleRequest
createGrantRevokeRoleRequest(
* @param isOwnerRole The role is owner role or not
*/
protected RangerRole createRangerRoleIfNotExists(String roleName, boolean
isOwnerRole) {
+ roleName = generateGravitinoRoleName(roleName);
if (isOwnerRole) {
Preconditions.checkArgument(
roleName.equalsIgnoreCase(GRAVITINO_METALAKE_OWNER_ROLE)
- || roleName.equalsIgnoreCase(GRAVITINO_CATALOG_OWNER_ROLE),
- "The role name should be GRAVITINO_METALAKE_OWNER_ROLE or
GRAVITINO_CATALOG_OWNER_ROLE");
+ || roleName.equalsIgnoreCase(GRAVITINO_CATALOG_OWNER_ROLE)
+ || roleName.equalsIgnoreCase(GRAVITINO_PLACEHOLDER_OWNER_ROLE),
+ "The role name should be GRAVITINO_METALAKE_OWNER_ROLE or
GRAVITINO_CATALOG_OWNER_ROLE or GRAVITINO_PLACEHOLDER_OWNER_ROLE");
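Review bot: The owner-role precondition in createRangerRoleIfNotExists now runs on the output of `generateGravitinoRoleName`, which is not visible in this hunk. The check therefore only holds if the three owner-role constants are already in the form that helper produces, and if the helper leaves an already-normalized name unchanged. A comment above the reassignment would record that assumption, e.g. `// Normalize to the Gravitino-managed role name first; owner-role constants are compared in that form.` The failure message also prints the constant identifiers rather than the rejected value, which makes a misnamed role hard to trace in logs; consider `"Invalid owner role name: %s", roleName`. The method body continues past the end of the quoted hunk.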
Review Comment:
fixed