jerqi commented on code in PR #5786:
URL: https://github.com/apache/gravitino/pull/5786#discussion_r1896529555
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java:
##########
@@ -212,27 +287,77 @@ public AuthorizationMetadataObject
translateMetadataObject(MetadataObject metada
Preconditions.checkArgument(
nsMetadataObject.size() > 0, "The metadata object must have at least
one name.");
- if (metadataObject.type() == MetadataObject.Type.FILESET) {
- RangerPathBaseMetadataObject rangerHDFSMetadataObject =
- new RangerPathBaseMetadataObject(
- getFileSetPath(metadataObject),
RangerPathBaseMetadataObject.Type.PATH);
- rangerHDFSMetadataObject.validateAuthorizationMetadataObject();
- return rangerHDFSMetadataObject;
- } else {
- return new RangerPathBaseMetadataObject("",
RangerPathBaseMetadataObject.Type.PATH);
+ RangerHDFSMetadataObject rangerHDFSMetadataObject;
+ switch (metadataObject.type()) {
+ case METALAKE:
+ case CATALOG:
+ rangerHDFSMetadataObject =
+ new RangerHDFSMetadataObject("",
RangerHDFSMetadataObject.Type.PATH);
+ break;
+ case SCHEMA:
+ rangerHDFSMetadataObject =
+ new RangerHDFSMetadataObject(
+ metadataObject.fullName(), RangerHDFSMetadataObject.Type.PATH);
+ break;
+ case FILESET:
+ rangerHDFSMetadataObject =
+ new RangerHDFSMetadataObject(
+ getLocationPath(metadataObject),
RangerHDFSMetadataObject.Type.PATH);
+ break;
+ default:
+ throw new AuthorizationPluginException(
+ "The metadata object type %s is not supported in the
RangerAuthorizationHDFSPlugin",
+ metadataObject.type());
}
+ rangerHDFSMetadataObject.validateAuthorizationMetadataObject();
+ return rangerHDFSMetadataObject;
}
- public String getFileSetPath(MetadataObject metadataObject) {
- FilesetDispatcher filesetDispatcher =
GravitinoEnv.getInstance().filesetDispatcher();
- NameIdentifier identifier =
- NameIdentifier.parse(String.format("%s.%s", metalake,
metadataObject.fullName()));
- Fileset fileset = filesetDispatcher.loadFileset(identifier);
- Preconditions.checkArgument(
- fileset != null, String.format("Fileset %s is not found", identifier));
- String filesetLocation = fileset.storageLocation();
- Preconditions.checkArgument(
- filesetLocation != null, String.format("Fileset %s location is not
found", identifier));
- return pattern.matcher(filesetLocation).replaceAll("");
+ private NameIdentifier getObjectNameIdentifier(MetadataObject
metadataObject) {
+ return NameIdentifier.parse(String.format("%s.%s", metalake,
metadataObject.fullName()));
+ }
+
+ @VisibleForTesting
+ public String getLocationPath(MetadataObject metadataObject) throws
NoSuchEntityException {
+ String locationPath = null;
+ switch (metadataObject.type()) {
+ case METALAKE:
+ case SCHEMA:
+ case TABLE:
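Review bot: In the `SCHEMA` case of `translateMetadataObject`, `metadataObject.fullName()` is passed as a `RangerHDFSMetadataObject.Type.PATH` resource, whereas the `FILESET` case resolves a storage location through `getLocationPath(metadataObject)`. Judging from `getObjectNameIdentifier`, which joins `metalake` and `fullName()` with a dot before `NameIdentifier.parse`, `fullName()` looks like a dotted identifier rather than an HDFS path, so a Ranger policy built from it would probably not cover the schema's actual directory. If that is intended, a comment such as `// Schema location is not resolved here; the dotted name is a placeholder, not an HDFS path` would help; otherwise consider calling `getLocationPath(metadataObject)` in this case as well. `getLocationPath` continues outside the hunk, so its handling of `SCHEMA` could not be checked.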
Review Comment:
Maybe you could add a `TODO` comment at least.
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java:
##########
@@ -137,10 +171,52 @@ public List<AuthorizationSecurableObject>
translatePrivilege(SecurableObject sec
.forEach(
rangerPrivilege ->
rangerPrivileges.add(
- new RangerPrivileges.RangerHivePrivilegeImpl(
+ new RangerPrivileges.RangerHDFSPrivilegeImpl(
rangerPrivilege,
gravitinoPrivilege.condition())));
-
switch (gravitinoPrivilege.name()) {
+ case USE_CATALOG:
+ case CREATE_CATALOG:
+ // When HDFS is used as the Hive storage layer, Hive does
not support the
+ // `USE_CATALOG` and `CREATE_CATALOG` privileges. So, we
ignore these
+ // in the RangerAuthorizationHDFSPlugin.
+ break;
+ case USE_SCHEMA:
+ break;
+ case CREATE_SCHEMA:
+ switch (securableObject.type()) {
+ case METALAKE:
+ case CATALOG:
+ {
+ String locationPath = getLocationPath(securableObject);
+ if (locationPath != null && !locationPath.isEmpty()) {
+ RangerHDFSMetadataObject rangerHDFSMetadataObject =
+ new RangerHDFSMetadataObject(
+ locationPath,
RangerHDFSMetadataObject.Type.PATH);
+ rangerSecurableObjects.add(
+ generateAuthorizationSecurableObject(
+ rangerHDFSMetadataObject.names(),
+ RangerHDFSMetadataObject.Type.PATH,
+ rangerPrivileges));
+ }
+ }
+ break;
+ case FILESET:
+ rangerSecurableObjects.add(
+ generateAuthorizationSecurableObject(
+ translateMetadataObject(securableObject).names(),
+ RangerHDFSMetadataObject.Type.PATH,
+ rangerPrivileges));
+ break;
+ default:
+ throw new AuthorizationPluginException(
+ "The privilege %s is not supported for the securable
object: %s",
+ gravitinoPrivilege.name(), securableObject.type());
+ }
+ break;
+ case SELECT_TABLE:
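Review bot: In the `CREATE_SCHEMA` branch for `METALAKE` and `CATALOG`, a null or empty `locationPath` is skipped without a log entry or an exception, so the grant presumably appears to succeed while no Ranger securable object is produced for it. Skipping is the fail-closed choice, but the resulting mismatch between the privilege that was requested and what Ranger enforces is hard to diagnose afterwards. A comment on the `if`, for example `// No location resolved: nothing to authorize on HDFS, so the privilege is skipped on purpose`, together with a warning-level log entry naming the securable object, would make the skip visible. The outer `switch` continues outside the hunk.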
Review Comment:
Maybe you could add a `TODO` comment at least.