This is an automated email from the ASF dual-hosted git repository.
yuqi4733 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 4d8f9fa3c [#5750] improvement(auth): Add metalake name in the
authorization plugin (#5751)
4d8f9fa3c is described below
commit 4d8f9fa3c8d234309be1b504b7a126e34eaec8a5
Author: Xun <[email protected]>
AuthorDate: Wed Dec 4 17:58:53 2024 +0800
[#5750] improvement(auth): Add metalake name in the authorization plugin
(#5751)
### What changes were proposed in this pull request?
Add a metalake name parameter to `BaseAuthorization::newPlugin()`.
### Why are the changes needed?
Fix: #5750
### Does this PR introduce _any_ user-facing change?
N/A
### How was this patch tested?
Add ITs.
---
.../authorization/ranger/RangerAuthorization.java | 5 ++--
.../ranger/RangerAuthorizationHadoopSQLPlugin.java | 8 +++----
.../ranger/RangerAuthorizationPlugin.java | 27 +++++++++++++++-------
.../ranger/integration/test/RangerHiveIT.java | 6 ++---
.../ranger/integration/test/RangerITEnv.java | 1 +
.../apache/gravitino/connector/BaseCatalog.java | 2 +-
.../connector/authorization/BaseAuthorization.java | 7 +++---
.../gravitino/hook/MetalakeHookDispatcher.java | 17 ++++++++++----
.../mysql/TestMySQLAuthorization.java | 3 ++-
.../ranger/TestRangerAuthorization.java | 3 ++-
10 files changed, 52 insertions(+), 27 deletions(-)
diff --git
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
index 459b6b047..ae656f981 100644
---
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
+++
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
@@ -30,12 +30,13 @@ public class RangerAuthorization extends
BaseAuthorization<RangerAuthorization>
}
@Override
- protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String,
String> config) {
+ protected AuthorizationPlugin newPlugin(
+ String metalake, String catalogProvider, Map<String, String> config) {
switch (catalogProvider) {
case "hive":
case "lakehouse-iceberg":
case "lakehouse-paimon":
- return RangerAuthorizationHadoopSQLPlugin.getInstance(config);
+ return RangerAuthorizationHadoopSQLPlugin.getInstance(metalake,
config);
default:
throw new IllegalArgumentException("Unknown catalog provider: " +
catalogProvider);
}
diff --git
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
index d403d4469..13b0400ec 100644
---
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
+++
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
@@ -49,16 +49,16 @@ public class RangerAuthorizationHadoopSQLPlugin extends
RangerAuthorizationPlugi
LoggerFactory.getLogger(RangerAuthorizationHadoopSQLPlugin.class);
private static volatile RangerAuthorizationHadoopSQLPlugin instance = null;
- private RangerAuthorizationHadoopSQLPlugin(Map<String, String> config) {
- super(config);
+ private RangerAuthorizationHadoopSQLPlugin(String metalake, Map<String,
String> config) {
+ super(metalake, config);
}
public static synchronized RangerAuthorizationHadoopSQLPlugin getInstance(
- Map<String, String> config) {
+ String metalake, Map<String, String> config) {
if (instance == null) {
synchronized (RangerAuthorizationHadoopSQLPlugin.class) {
if (instance == null) {
- instance = new RangerAuthorizationHadoopSQLPlugin(config);
+ instance = new RangerAuthorizationHadoopSQLPlugin(metalake, config);
}
}
}
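Review bot: `getInstance(metalake, config)` honours its new `metalake` argument only on the first call: once `instance` is non-null, a call with a different metalake (or config) silently receives the plugin bound to the first one. For an authorization plugin that mismatch should be logged or rejected after the null check, e.g. `if (!Objects.equals(instance.getMetalake(), metalake)) throw new IllegalStateException("plugin already bound to metalake " + instance.getMetalake());`, or instances should be keyed by metalake. Whether two metalakes can reach this class in one class loader is not visible here (the caller is `RangerAuthorization.newPlugin` in the first hunk), so this needs confirming. Separately, the method is already `synchronized`, which makes the inner `synchronized` block and second null check redundant. `getInstance` continues past the end of the hunk.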
diff --git
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
index b522691cb..d2b1b7570 100644
---
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
+++
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -80,12 +80,14 @@ public abstract class RangerAuthorizationPlugin
implements AuthorizationPlugin, AuthorizationPrivilegesMappingProvider {
private static final Logger LOG =
LoggerFactory.getLogger(RangerAuthorizationPlugin.class);
+ protected String metalake;
protected final String rangerServiceName;
protected final RangerClientExtension rangerClient;
private final RangerHelper rangerHelper;
@VisibleForTesting public final String rangerAdminName;
- protected RangerAuthorizationPlugin(Map<String, String> config) {
+ protected RangerAuthorizationPlugin(String metalake, Map<String, String>
config) {
+ this.metalake = metalake;
String rangerUrl =
config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL);
String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE);
rangerAdminName = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME);
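Review bot: The new `metalake` field is `protected`, non-final and non-volatile, yet it is reassigned later in the rename branch of this class and read through `getMetalake()`, on an object that the Hadoop SQL subclass shares as a singleton. I would declare it `private volatile String metalake;` so subclasses go through the accessor and a rename is visible to other threads. The constructor should also fail fast with `this.metalake = Objects.requireNonNull(metalake, "metalake");`. A short field comment saying it holds the current name of the owning metalake and changes on rename would help the next reader. The constructor body continues past the end of this hunk.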
@@ -108,6 +110,11 @@ public abstract class RangerAuthorizationPlugin
policyResourceDefinesRule());
}
+ @VisibleForTesting
+ public String getMetalake() {
+ return metalake;
+ }
+
/**
* Set the Ranger policy resource defines rule.
*
@@ -251,18 +258,22 @@ public abstract class RangerAuthorizationPlugin
((MetadataObjectChange.RenameMetadataObject)
change).metadataObject();
MetadataObject newMetadataObject =
((MetadataObjectChange.RenameMetadataObject)
change).newMetadataObject();
- AuthorizationMetadataObject AuthorizationMetadataObject =
- translateMetadataObject(metadataObject);
- AuthorizationMetadataObject newAuthorizationMetadataObject =
+ if (metadataObject.type() == MetadataObject.Type.METALAKE
+ && newMetadataObject.type() == MetadataObject.Type.METALAKE) {
+ // Modify the metalake name
+ this.metalake = newMetadataObject.name();
+ }
+ AuthorizationMetadataObject oldAuthMetadataObject =
translateMetadataObject(metadataObject);
+ AuthorizationMetadataObject newAuthMetadataObject =
translateMetadataObject(newMetadataObject);
- if
(AuthorizationMetadataObject.equals(newAuthorizationMetadataObject)) {
+ if (oldAuthMetadataObject.equals(newAuthMetadataObject)) {
LOG.info(
"The metadata object({}) and new metadata object({}) are equal,
so ignore rename!",
- AuthorizationMetadataObject.fullName(),
- newAuthorizationMetadataObject.fullName());
+ oldAuthMetadataObject.fullName(),
+ newAuthMetadataObject.fullName());
continue;
}
- doRenameMetadataObject(AuthorizationMetadataObject,
newAuthorizationMetadataObject);
+ doRenameMetadataObject(oldAuthMetadataObject, newAuthMetadataObject);
} else if (change instanceof MetadataObjectChange.RemoveMetadataObject) {
MetadataObject metadataObject =
((MetadataObjectChange.RemoveMetadataObject)
change).metadataObject();
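Review bot: The rename branch overwrites `this.metalake` for any METALAKE-to-METALAKE rename without checking that the renamed object is the metalake this plugin is bound to. A rename event for a different metalake would therefore rebind the plugin's name; I would add `&& metadataObject.name().equals(this.metalake)` to the condition. The assignment also happens before `doRenameMetadataObject(...)`, so if that call throws, the field already holds the new name. If that matters, assign only after the Ranger update succeeds, while still assigning on the `continue` path where the translated objects are equal. The enclosing method starts before and continues after this hunk, so how failures surface is not visible here.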
diff --git
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
index 243491867..dce93a614 100644
---
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
+++
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
@@ -697,9 +697,8 @@ public class RangerHiveIT {
Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
assertFindManagedPolicyItems(role, true);
- MetadataObject newMetadataObject =
- MetadataObjects.parse(
- String.format("metalake-new-%s", currentFunName),
oldMetadataObject.type());
+ String newMetalake = String.format("metalake-new-%s", currentFunName);
+ MetadataObject newMetadataObject = MetadataObjects.parse(newMetalake,
oldMetadataObject.type());
Assertions.assertTrue(
rangerAuthHivePlugin.onMetadataUpdated(
MetadataObjectChange.rename(oldMetadataObject,
newMetadataObject)));
@@ -716,6 +715,7 @@ public class RangerHiveIT {
.withSecurableObjects(Lists.newArrayList(newSecurableObject1))
.build();
assertFindManagedPolicyItems(newRole, true);
+ Assertions.assertEquals(newMetalake, rangerAuthHivePlugin.getMetalake());
}
@Test
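Review bot: The added `Assertions.assertEquals(newMetalake, rangerAuthHivePlugin.getMetalake())` shows that this test leaves the shared `rangerAuthHivePlugin` singleton bound to the `metalake-new-...` name, and nothing in the hunk restores the original. Any later test that depends on the plugin's metalake would become order-dependent, so consider renaming back at the end of the test. A negative case would also be useful: rename a metalake other than the one the plugin was created with and assert that `getMetalake()` is unchanged. The test method starts before this hunk.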
diff --git
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
index 4f4a5ff91..2758d307b 100644
---
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
+++
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
@@ -89,6 +89,7 @@ public class RangerITEnv {
rangerAuthHivePlugin =
RangerAuthorizationHadoopSQLPlugin.getInstance(
+ "metalake",
ImmutableMap.of(
AuthorizationPropertiesMeta.RANGER_ADMIN_URL,
String.format(
diff --git a/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java
b/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java
index 213afd4fa..07bc83b62 100644
--- a/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java
+++ b/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java
@@ -184,7 +184,7 @@ public abstract class BaseCatalog<T extends BaseCatalog>
if (authorization == null) {
return null;
}
- return authorization.plugin(provider(), this.conf);
+ return authorization.plugin(entity.namespace().level(0), provider(),
this.conf);
}
public void initAuthorizationPluginInstance(IsolatedClassLoader classLoader)
{
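Review bot: `entity.namespace().level(0)` is passed as the metalake name in the `authorization.plugin(...)` call with no guard and no comment. It relies on `entity` already being set and on the catalog's namespace having the metalake as its first level; if either does not hold, this line throws from an authorization code path with an unhelpful message. I would add a comment such as `// a catalog's namespace is [metalake], so level(0) is the owning metalake`. If `entity` can still be unset when this getter is reached (not visible in the hunk), add an explicit null check with a clear message before the call. The enclosing method starts before this hunk.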
diff --git
a/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java
b/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java
index 21a4ff85b..ce460e675 100644
---
a/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java
+++
b/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java
@@ -43,13 +43,14 @@ public abstract class BaseAuthorization<T extends
BaseAuthorization>
* @return A new instance of AuthorizationHook.
*/
protected abstract AuthorizationPlugin newPlugin(
- String catalogProvider, Map<String, String> config);
+ String metalake, String catalogProvider, Map<String, String> config);
- public AuthorizationPlugin plugin(String catalogProvider, Map<String,
String> config) {
+ public AuthorizationPlugin plugin(
+ String metalake, String catalogProvider, Map<String, String> config) {
if (plugin == null) {
synchronized (this) {
if (plugin == null) {
- plugin = newPlugin(catalogProvider, config);
+ plugin = newPlugin(metalake, catalogProvider, config);
}
}
}
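Review bot: `plugin(metalake, catalogProvider, config)` caches the first plugin it builds, so the new `metalake` argument, like the other two, is ignored on every later call, and this public method has no Javadoc in the hunk to say so. Something like `/** Returns the cached plugin, creating it on first use; arguments of later calls are ignored. */` would do. The Javadoc of `newPlugin` is only partly visible above the changed signature; if it lists `@param` tags it needs `@param metalake The name of the metalake the catalog belongs to.` as well. The double-checked locking is only safe if the `plugin` field is `volatile`, and that declaration is outside the hunk. `plugin()` continues past the end of the hunk.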
diff --git
a/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java
b/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java
index ba7dedfa5..26f31a883 100644
--- a/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java
+++ b/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java
@@ -25,6 +25,7 @@ import org.apache.gravitino.Metalake;
import org.apache.gravitino.MetalakeChange;
import org.apache.gravitino.NameIdentifier;
import org.apache.gravitino.authorization.AccessControlDispatcher;
+import org.apache.gravitino.authorization.AuthorizationUtils;
import org.apache.gravitino.authorization.Owner;
import org.apache.gravitino.authorization.OwnerManager;
import org.apache.gravitino.exceptions.MetalakeAlreadyExistsException;
@@ -85,10 +86,18 @@ public class MetalakeHookDispatcher implements
MetalakeDispatcher {
@Override
public Metalake alterMetalake(NameIdentifier ident, MetalakeChange...
changes)
throws NoSuchMetalakeException, IllegalArgumentException {
- // For underlying authorization plugins, the privilege information
shouldn't
- // contain metalake information, so metalake rename won't affect the
privileges
- // of the authorization plugin.
- return dispatcher.alterMetalake(ident, changes);
+ Metalake alterMetalake = dispatcher.alterMetalake(ident, changes);
+ MetalakeChange.RenameMetalake lastRenameChange = null;
+ for (MetalakeChange change : changes) {
+ if (change instanceof MetalakeChange.RenameMetalake) {
+ lastRenameChange = (MetalakeChange.RenameMetalake) change;
+ }
+ }
+ if (lastRenameChange != null) {
+ AuthorizationUtils.authorizationPluginRenamePrivileges(
+ ident, Entity.EntityType.METALAKE, lastRenameChange.getNewName());
+ }
+ return alterMetalake;
}
@Override
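Review bot: In `alterMetalake` the rename is committed by `dispatcher.alterMetalake(ident, changes)` before `AuthorizationUtils.authorizationPluginRenamePrivileges(...)` runs, and nothing handles a failure of that second step. If the plugin call throws, the caller sees an error although the metalake is already renamed, and the authorization plugins keep the old name. How `authorizationPluginRenamePrivileges` reports failures is not visible here. At minimum, document the ordering with a comment such as `// Rename in the store first; a plugin failure after this point leaves plugins on the old name`, then decide whether to catch and log or to surface the partial state. The local `alterMetalake` also shadows the method name; `alteredMetalake` reads better.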
diff --git
a/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java
b/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java
index 06d7a9275..db7c629bb 100644
---
a/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java
+++
b/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java
@@ -32,7 +32,8 @@ public class TestMySQLAuthorization extends
BaseAuthorization<TestMySQLAuthoriza
}
@Override
- protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String,
String> config) {
+ protected AuthorizationPlugin newPlugin(
+ String metalake, String catalogProvider, Map<String, String> config) {
return new TestMySQLAuthorizationPlugin();
}
}
diff --git
a/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java
b/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java
index c792c407b..383339d08 100644
---
a/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java
+++
b/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java
@@ -32,7 +32,8 @@ public class TestRangerAuthorization extends
BaseAuthorization<TestRangerAuthori
}
@Override
- protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String,
String> config) {
+ protected AuthorizationPlugin newPlugin(
+ String metalake, String catalogProvider, Map<String, String> config) {
return new TestRangerAuthorizationPlugin();
}
}