This is an automated email from the ASF dual-hosted git repository. jshao pushed a commit to branch branch-gvfs-fuse-dev in repository https://gitbox.apache.org/repos/asf/gravitino.git
commit ddc3c49e7dd00ddd1702b55cf141b679d9bbd531 Author: Xun <[email protected]> AuthorDate: Wed Dec 4 17:58:53 2024 +0800 [#5750] improvement(auth): Add metalake name in the authorization plugin (#5751) ### What changes were proposed in this pull request? Add metalake name variable in the `BaseAuthorization::newPlugin()` params. ### Why are the changes needed? Fix: #5750 ### Does this PR introduce _any_ user-facing change? N/A ### How was this patch tested? Add ITs. --- .../authorization/ranger/RangerAuthorization.java | 5 ++-- .../ranger/RangerAuthorizationHadoopSQLPlugin.java | 8 +++---- .../ranger/RangerAuthorizationPlugin.java | 27 +++++++++++++++------- .../ranger/integration/test/RangerHiveIT.java | 6 ++--- .../ranger/integration/test/RangerITEnv.java | 1 + .../apache/gravitino/connector/BaseCatalog.java | 2 +- .../connector/authorization/BaseAuthorization.java | 7 +++--- .../gravitino/hook/MetalakeHookDispatcher.java | 17 ++++++++++---- .../mysql/TestMySQLAuthorization.java | 3 ++- .../ranger/TestRangerAuthorization.java | 3 ++- 10 files changed, 52 insertions(+), 27 deletions(-) diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java index 459b6b047..ae656f981 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java 
@@ -30,12 +30,13 @@ public class RangerAuthorization extends BaseAuthorization<RangerAuthorization> } @Override - protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) { + protected AuthorizationPlugin newPlugin( + String metalake, String catalogProvider, Map<String, String> config) { switch (catalogProvider) { case "hive": case "lakehouse-iceberg": case "lakehouse-paimon": - return RangerAuthorizationHadoopSQLPlugin.getInstance(config); + return RangerAuthorizationHadoopSQLPlugin.getInstance(metalake, config); default: throw new IllegalArgumentException("Unknown catalog provider: " + catalogProvider); } diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java index d403d4469..13b0400ec 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java 
@@ -49,16 +49,16 @@ public class RangerAuthorizationHadoopSQLPlugin extends RangerAuthorizationPlugi LoggerFactory.getLogger(RangerAuthorizationHadoopSQLPlugin.class); private static volatile RangerAuthorizationHadoopSQLPlugin instance = null; - private RangerAuthorizationHadoopSQLPlugin(Map<String, String> config) { - super(config); + private RangerAuthorizationHadoopSQLPlugin(String metalake, Map<String, String> config) { + super(metalake, config); } public static synchronized RangerAuthorizationHadoopSQLPlugin getInstance( - Map<String, String> config) { + String metalake, Map<String, String> config) { if (instance == null) { synchronized (RangerAuthorizationHadoopSQLPlugin.class) { if (instance == null) { - instance = new RangerAuthorizationHadoopSQLPlugin(config); + instance = new RangerAuthorizationHadoopSQLPlugin(metalake, config); } } } diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java index b522691cb..d2b1b7570 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java 
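Review bot: `RangerAuthorizationHadoopSQLPlugin.getInstance(metalake, config)` still returns the single static `instance`, so only the first caller's `metalake` and `config` are ever used, and a later call made for a catalog in another metalake silently gets a plugin labelled with the first one. For an authorization plugin this becomes a tenant-isolation concern as soon as any policy handling depends on `metalake`. A cheap guard is to fail loudly on mismatch after the null check, e.g. `if (!metalake.equals(instance.metalake)) throw new IllegalStateException("Plugin already bound to metalake " + instance.metalake);`, or to key the cached instances by metalake instead. Separately, the method is already `synchronized`, so the inner `synchronized (RangerAuthorizationHadoopSQLPlugin.class)` double check is redundant. The method's `return` lies outside the hunk.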
@@ -80,12 +80,14 @@ public abstract class RangerAuthorizationPlugin implements AuthorizationPlugin, AuthorizationPrivilegesMappingProvider { private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationPlugin.class); + protected String metalake; protected final String rangerServiceName; protected final RangerClientExtension rangerClient; private final RangerHelper rangerHelper; @VisibleForTesting public final String rangerAdminName; - protected RangerAuthorizationPlugin(Map<String, String> config) { + protected RangerAuthorizationPlugin(String metalake, Map<String, String> config) { + this.metalake = metalake; String rangerUrl = config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL); String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE); rangerAdminName = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME); @@ -108,6 +110,11 @@ public abstract class RangerAuthorizationPlugin policyResourceDefinesRule()); } + @VisibleForTesting + public String getMetalake() { + return metalake; + } + /** * Set the Ranger policy resource defines rule. * 
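Review bot: The new field `protected String metalake;` in RangerAuthorizationPlugin is mutable, writable by subclasses and not `volatile`, yet the rename branch in the `@@ -251` hunk reassigns it on an instance that `getInstance` shares process-wide. If renames and reads can run on different threads, a reader may keep seeing the old name. Declaring it `private volatile String metalake;` with `getMetalake()` as the read path would avoid that, provided no subclass touches the field directly. The constructor also stores the argument unchecked, so a null metalake only surfaces at first use; `this.metalake = Objects.requireNonNull(metalake, "metalake");` fails at construction instead (it needs `java.util.Objects` if the file does not already import it). The constructor body continues outside the hunk.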
@@ -251,18 +258,22 @@ public abstract class RangerAuthorizationPlugin ((MetadataObjectChange.RenameMetadataObject) change).metadataObject(); MetadataObject newMetadataObject = ((MetadataObjectChange.RenameMetadataObject) change).newMetadataObject(); - AuthorizationMetadataObject AuthorizationMetadataObject = - translateMetadataObject(metadataObject); - AuthorizationMetadataObject newAuthorizationMetadataObject = + if (metadataObject.type() == MetadataObject.Type.METALAKE + && newMetadataObject.type() == MetadataObject.Type.METALAKE) { + // Modify the metalake name + this.metalake = newMetadataObject.name(); + } + AuthorizationMetadataObject oldAuthMetadataObject = translateMetadataObject(metadataObject); + AuthorizationMetadataObject newAuthMetadataObject = translateMetadataObject(newMetadataObject); - if (AuthorizationMetadataObject.equals(newAuthorizationMetadataObject)) { + if (oldAuthMetadataObject.equals(newAuthMetadataObject)) { LOG.info( "The metadata object({}) and new metadata object({}) are equal, so ignore rename!", - AuthorizationMetadataObject.fullName(), - newAuthorizationMetadataObject.fullName()); + oldAuthMetadataObject.fullName(), + newAuthMetadataObject.fullName()); continue; } - doRenameMetadataObject(AuthorizationMetadataObject, newAuthorizationMetadataObject); + doRenameMetadataObject(oldAuthMetadataObject, newAuthMetadataObject); } else if (change instanceof MetadataObjectChange.RemoveMetadataObject) { MetadataObject metadataObject = ((MetadataObjectChange.RemoveMetadataObject) change).metadataObject(); diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java index 243491867..dce93a614 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java 
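Review bot: The rename branch assigns `this.metalake = newMetadataObject.name();` for every METALAKE-to-METALAKE rename, without checking that the object being renamed is the metalake this plugin is bound to. On a plugin instance shared across catalogs, renaming some other metalake would relabel this one. Add the check to the condition, `&& metadataObject.name().equals(this.metalake)`, so that unrelated renames leave the field alone. The RangerHiveIT assertion on `getMetalake()` would then need the old object to carry the plugin's current metalake name, which the visible test lines do not establish. The enclosing loop and method start outside the hunk.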
+++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java @@ -697,9 +697,8 @@ public class RangerHiveIT { Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role)); assertFindManagedPolicyItems(role, true); - MetadataObject newMetadataObject = - MetadataObjects.parse( - String.format("metalake-new-%s", currentFunName), oldMetadataObject.type()); + String newMetalake = String.format("metalake-new-%s", currentFunName); + MetadataObject newMetadataObject = MetadataObjects.parse(newMetalake, oldMetadataObject.type()); Assertions.assertTrue( rangerAuthHivePlugin.onMetadataUpdated( MetadataObjectChange.rename(oldMetadataObject, newMetadataObject))); @@ -716,6 +715,7 @@ public class RangerHiveIT { .withSecurableObjects(Lists.newArrayList(newSecurableObject1)) .build(); assertFindManagedPolicyItems(newRole, true); + Assertions.assertEquals(newMetalake, rangerAuthHivePlugin.getMetalake()); } @Test diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java index 4f4a5ff91..2758d307b 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java +++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java @@ -89,6 +89,7 @@ public class RangerITEnv { rangerAuthHivePlugin = RangerAuthorizationHadoopSQLPlugin.getInstance( + "metalake", ImmutableMap.of( AuthorizationPropertiesMeta.RANGER_ADMIN_URL, String.format( diff --git a/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java b/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java index 213afd4fa..07bc83b62 100644 
--- a/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java +++ b/core/src/main/java/org/apache/gravitino/connector/BaseCatalog.java @@ -184,7 +184,7 @@ public abstract class BaseCatalog<T extends BaseCatalog> if (authorization == null) { return null; } - return authorization.plugin(provider(), this.conf); + return authorization.plugin(entity.namespace().level(0), provider(), this.conf); } public void initAuthorizationPluginInstance(IsolatedClassLoader classLoader) { diff --git a/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java b/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java index 21a4ff85b..ce460e675 100644 --- a/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java +++ b/core/src/main/java/org/apache/gravitino/connector/authorization/BaseAuthorization.java @@ -43,13 +43,14 @@ public abstract class BaseAuthorization<T extends BaseAuthorization> * @return A new instance of AuthorizationHook. */ protected abstract AuthorizationPlugin newPlugin( - String catalogProvider, Map<String, String> config); + String metalake, String catalogProvider, Map<String, String> config); - public AuthorizationPlugin plugin(String catalogProvider, Map<String, String> config) { + public AuthorizationPlugin plugin( + String metalake, String catalogProvider, Map<String, String> config) { if (plugin == null) { synchronized (this) { if (plugin == null) { - plugin = newPlugin(catalogProvider, config); + plugin = newPlugin(metalake, catalogProvider, config); } } } diff --git a/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java b/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java index ba7dedfa5..26f31a883 100644 --- a/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java +++ b/core/src/main/java/org/apache/gravitino/hook/MetalakeHookDispatcher.java 
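Review bot: In `BaseAuthorization.plugin()` the new `metalake` argument only matters on the first call, because once `plugin` is cached later calls return it without comparing the metalake they were given. That contract should be stated in the Javadoc, e.g. `@param metalake metalake the catalog belongs to; only used when the plugin is first created`. The `newPlugin` Javadoc, whose start is outside the hunk, needs a matching `@param metalake` line. The double-checked locking is only safe if the `plugin` field is declared `volatile`, which the hunk does not show and should be confirmed.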
@@ -25,6 +25,7 @@ import org.apache.gravitino.Metalake; import org.apache.gravitino.MetalakeChange; import org.apache.gravitino.NameIdentifier; import org.apache.gravitino.authorization.AccessControlDispatcher; +import org.apache.gravitino.authorization.AuthorizationUtils; import org.apache.gravitino.authorization.Owner; import org.apache.gravitino.authorization.OwnerManager; import org.apache.gravitino.exceptions.MetalakeAlreadyExistsException; @@ -85,10 +86,18 @@ public class MetalakeHookDispatcher implements MetalakeDispatcher { @Override public Metalake alterMetalake(NameIdentifier ident, MetalakeChange... changes) throws NoSuchMetalakeException, IllegalArgumentException { - // For underlying authorization plugins, the privilege information shouldn't - // contain metalake information, so metalake rename won't affect the privileges - // of the authorization plugin. - return dispatcher.alterMetalake(ident, changes); + Metalake alterMetalake = dispatcher.alterMetalake(ident, changes); + MetalakeChange.RenameMetalake lastRenameChange = null; + for (MetalakeChange change : changes) { + if (change instanceof MetalakeChange.RenameMetalake) { + lastRenameChange = (MetalakeChange.RenameMetalake) change; + } + } + if (lastRenameChange != null) { + AuthorizationUtils.authorizationPluginRenamePrivileges( + ident, Entity.EntityType.METALAKE, lastRenameChange.getNewName()); + } + return alterMetalake; } @Override diff --git a/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java b/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java index 06d7a9275..db7c629bb 100644 --- a/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java +++ b/core/src/test/java/org/apache/gravitino/connector/authorization/mysql/TestMySQLAuthorization.java 
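Review bot: In `MetalakeHookDispatcher.alterMetalake` the plugin call runs after `dispatcher.alterMetalake(ident, changes)` has already returned, so if `AuthorizationUtils.authorizationPluginRenamePrivileges` throws, the caller sees a failure for a rename that was in fact applied. The metadata store and the authorization backend are then left disagreeing, with nothing logged. Make the failure mode explicit: either catch, log both names and rethrow a specific exception, or document that the rename is not atomic. The call also passes `ident`, the old identifier, after the rename; whether the helper can still resolve the affected catalogs under that name is not visible here and should be confirmed. The removed comment said privileges carry no metalake information, so a replacement such as `// Authorization plugins keep the metalake name, so propagate a rename to them.` would record why the hook now exists.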
@@ -32,7 +32,8 @@ public class TestMySQLAuthorization extends BaseAuthorization<TestMySQLAuthoriza } @Override - protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) { + protected AuthorizationPlugin newPlugin( + String metalake, String catalogProvider, Map<String, String> config) { return new TestMySQLAuthorizationPlugin(); } } diff --git a/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java b/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java index c792c407b..383339d08 100644 --- a/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java +++ b/core/src/test/java/org/apache/gravitino/connector/authorization/ranger/TestRangerAuthorization.java @@ -32,7 +32,8 @@ public class TestRangerAuthorization extends BaseAuthorization<TestRangerAuthori } @Override - protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) { + protected AuthorizationPlugin newPlugin( + String metalake, String catalogProvider, Map<String, String> config) { return new TestRangerAuthorizationPlugin(); } }
