xunliu commented on code in PR #5733:
URL: https://github.com/apache/gravitino/pull/5733#discussion_r1868818041
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerMetadataObject.java:
##########
@@ -41,7 +41,9 @@ enum Type {
/** A table is mapped the table of relational data sources like Apache
Hive, MySQL, etc. */
TABLE(MetadataObject.Type.TABLE),
/** A column is a sub-collection of the table that represents a group of
same type data. */
- COLUMN(MetadataObject.Type.COLUMN);
+ COLUMN(MetadataObject.Type.COLUMN),
+
Review Comment:
Please remove this blank line.
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java:
##########
@@ -0,0 +1,202 @@
+package org.apache.gravitino.authorization.ranger;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+import java.util.regex.Pattern;
+import org.apache.gravitino.GravitinoEnv;
+import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.NameIdentifier;
+import org.apache.gravitino.authorization.Privilege;
+import org.apache.gravitino.authorization.SecurableObject;
+import org.apache.gravitino.authorization.SecurableObjects;
+import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
+import org.apache.gravitino.exceptions.AuthorizationPluginException;
+import org.apache.gravitino.file.Fileset;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class RangerAuthorizationHDFSPlugin extends RangerAuthorizationPlugin {
+ private static final Logger LOG =
LoggerFactory.getLogger(RangerAuthorizationHDFSPlugin.class);
+
+ private static final Pattern pattern = Pattern.compile("^hdfs://[^/]*");
+
+ private RangerAuthorizationHDFSPlugin(Map<String, String> config) {
+ super(config);
+ }
+
+ public static synchronized RangerAuthorizationHDFSPlugin
getInstance(Map<String, String> config) {
+ return new RangerAuthorizationHDFSPlugin(config);
+ }
+
+ @Override
+ public void validateRangerMetadataObject(List<String> names,
RangerMetadataObject.Type type)
+ throws IllegalArgumentException {
+ LOG.info("validateRangerMetadataObject {}", names);
+ Preconditions.checkArgument(
+ names != null && !names.isEmpty(), "Cannot create a Ranger metadata
object with no names");
+ Preconditions.checkArgument(
+ names.size() == 1,
+ "Cannot create a Ranger metadata object with the name length which is
not equal 1");
+ Preconditions.checkArgument(
+ type == RangerMetadataObject.Type.PATH,
+ String.format("Cannot create a Ranger metadata object with %s type",
type));
+
+ for (String name : names) {
+ RangerMetadataObjects.checkName(name);
+ }
+ }
+
+ @Override
+ public Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule() {
+ return ImmutableMap.of(
+ Privilege.Name.READ_FILESET,
+ ImmutableSet.of(RangerPrivileges.RangerHdfsPrivilege.READ),
+ Privilege.Name.WRITE_FILESET,
+ ImmutableSet.of(RangerPrivileges.RangerHdfsPrivilege.WRITE));
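Review bot: `getInstance` is declared `static synchronized` but returns `new RangerAuthorizationHDFSPlugin(config)` on every call, so the lock protects nothing and the name suggests a singleton that does not exist. Either cache the instance or drop `synchronized` and document that each call builds a fresh plugin. Also in this hunk: `validateRangerMetadataObject` logs at `LOG.info` on every validation, which fits debug level better. The `for (String name : names)` loop runs after `names.size() == 1` has already been enforced, so a single `RangerMetadataObjects.checkName(names.get(0))` would express the same check. The `static final` field `pattern` should follow constant naming and say what it matches, for example `HDFS_PREFIX_PATTERN`.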
Review Comment:
Should `RangerPrivileges.RangerHdfsPrivilege.EXECUTE` be added to the
`ImmutableSet.of(RangerPrivileges.RangerHdfsPrivilege.WRITE));`?
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java:
##########
@@ -445,7 +445,10 @@ protected RangerPolicy
createPolicyAddResources(RangerMetadataObject metadataObj
List<String> nsMetadataObject = metadataObject.names();
for (int i = 0; i < nsMetadataObject.size(); i++) {
RangerPolicy.RangerPolicyResource policyResource =
- new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
+ new RangerPolicy.RangerPolicyResource(
+ nsMetadataObject.get(i),
+ false,
+ metadataObject.type().equals(RangerMetadataObject.Type.PATH));
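Review bot: the two positional booleans in the new `RangerPolicy.RangerPolicyResource(...)` call are unlabeled, and the third one makes every `PATH` resource recursive, so a grant on one path also covers everything beneath it. In Ranger's constructor these arguments are `isExcludes` and `isRecursive`; assign them to named locals or add a comment stating that recursion is intended for path resources. The enum check can be written `metadataObject.type() == RangerMetadataObject.Type.PATH`, which is null-safe and matches the `type == RangerMetadataObject.Type.PATH` comparison in `RangerAuthorizationHDFSPlugin`.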
Review Comment:
I think we need to abstract a function in the `RangerAuthorizationPlugin`
class.
```
protected abstract RangerPolicy createPolicyAddResources(AuthorizationMetadataObject metadataObject);
```
because `RangerAuthorizationHDFSPlugin` and
`RangerAuthorizationHadoopSQLPlugin` have different Ranger policy resource
expressions.
- RangerAuthorizationHadoopSQLPlugin is `db.tab.column`
- RangerAuthorizationHDFSPlugin is `path` and other params.
@theoryxu What do you think?