xunliu commented on code in PR #6100:
URL: https://github.com/apache/gravitino/pull/6100#discussion_r1904128751
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java:
##########
@@ -118,27 +128,319 @@ public List<String> policyResourceDefinesRule() {
return ImmutableList.of(RangerDefines.PolicyResource.PATH.getName());
}
+ String getAuthorizationPath(PathBasedMetadataObject pathBasedMetadataObject)
{
+ return HDFS_PATTERN.matcher(pathBasedMetadataObject.path()).replaceAll("");
+ }
+
+ /**
+ * Find the managed policy for the ranger securable object.
+ *
+ * @param authzMetadataObject The ranger securable object to find the
managed policy.
+ * @return The managed policy for the metadata object.
+ */
+ public RangerPolicy findManagedPolicy(AuthorizationMetadataObject
authzMetadataObject)
+ throws AuthorizationPluginException {
+ List<RangerPolicy> policies = wildcardSearchPolies(authzMetadataObject);
+ if (!policies.isEmpty()) {
+ /**
+ * Because Ranger doesn't support the precise search, Ranger will return
the policy meets the
+ * wildcard(*,?) conditions, If you use `/a/b` condition to search
policy, the Ranger will
+ * match `/a/b1`, `/a/b2`, `/a/b*`, So we need to manually precisely
filter this research
+ * results.
+ */
+ List<String> nsMetadataObj = authzMetadataObject.names();
+ PathBasedMetadataObject pathAuthzMetadataObject =
+ (PathBasedMetadataObject) authzMetadataObject;
+ Map<String, String> preciseFilters = new HashMap<>();
+ for (int i = 0; i < nsMetadataObj.size() && i <
policyResourceDefinesRule().size(); i++) {
+ preciseFilters.put(
+ policyResourceDefinesRule().get(i),
getAuthorizationPath(pathAuthzMetadataObject));
+ }
+ policies =
+ policies.stream()
+ .filter(
+ policy ->
+ policy.getResources().entrySet().stream()
+ .allMatch(
+ entry ->
+ preciseFilters.containsKey(entry.getKey())
+ && entry.getValue().getValues().size()
== 1
+ && entry
+ .getValue()
+ .getValues()
+
.contains(preciseFilters.get(entry.getKey()))))
+ .collect(Collectors.toList());
+ }
+ // Only return the policies that are managed by Gravitino.
+ if (policies.size() > 1) {
+ throw new AuthorizationPluginException("Each metadata object can have at
most one policy.");
+ }
+
+ if (policies.isEmpty()) {
+ return null;
+ }
+
+ RangerPolicy policy = policies.get(0);
+ // Delegating Gravitino management policies cannot contain duplicate
privilege
+ policy.getPolicyItems().forEach(RangerHelper::checkPolicyItemAccess);
+ policy.getDenyPolicyItems().forEach(RangerHelper::checkPolicyItemAccess);
+
policy.getRowFilterPolicyItems().forEach(RangerHelper::checkPolicyItemAccess);
+
policy.getDataMaskPolicyItems().forEach(RangerHelper::checkPolicyItemAccess);
+
+ return policy;
+ }
+
+ @Override
+ /** Wildcard search the Ranger policies in the different Ranger service. */
+ protected List<RangerPolicy> wildcardSearchPolies(
+ AuthorizationMetadataObject authzMetadataObject) {
+ Preconditions.checkArgument(authzMetadataObject instanceof
PathBasedMetadataObject);
+ PathBasedMetadataObject pathBasedMetadataObject =
(PathBasedMetadataObject) authzMetadataObject;
+ List<String> resourceDefines = policyResourceDefinesRule();
+ Map<String, String> searchFilters = new HashMap<>();
+ searchFilters.put(SearchFilter.SERVICE_NAME, rangerServiceName);
+ resourceDefines.stream()
+ .forEach(
+ resourceDefine -> {
+ searchFilters.put(
+ SearchFilter.RESOURCE_PREFIX + resourceDefine,
+ getAuthorizationPath(pathBasedMetadataObject));
+ });
+ try {
+ return rangerClient.findPolicies(searchFilters);
+ } catch (RangerServiceException e) {
+ throw new AuthorizationPluginException(e, "Failed to find the policies
in the Ranger");
+ }
+ }
+
+ /**
+ * IF rename the SCHEMA, Need to rename these the relevant policies,
`{schema}`, `{schema}.*`,
+ * `{schema}.*.*` <br>
+ * IF rename the TABLE, Need to rename these the relevant policies,
`{schema}.*`, `{schema}.*.*`
+ * <br>
+ */
+ @Override
+ protected void doRenameMetadataObject(
+ AuthorizationMetadataObject authzMetadataObject,
+ AuthorizationMetadataObject newAuthzMetadataObject) {
+ Preconditions.checkArgument(
+ authzMetadataObject instanceof PathBasedMetadataObject,
+ "The metadata object must be a PathBasedMetadataObject");
+ Preconditions.checkArgument(
+ newAuthzMetadataObject instanceof PathBasedMetadataObject,
+ "The metadata object must be a PathBasedMetadataObject");
+ updatePolicyByMetadataObject(
+ newAuthzMetadataObject.type().metadataObjectType(),
+ authzMetadataObject,
+ newAuthzMetadataObject);
+ }
+
+ @Override
+ protected void updatePolicyByMetadataObject(
+ MetadataObject.Type operationType,
+ AuthorizationMetadataObject oldAuthzMetaobject,
+ AuthorizationMetadataObject newAuthzMetaobject) {
+ PathBasedMetadataObject newPathBasedMetadataObject =
+ (PathBasedMetadataObject) newAuthzMetaobject;
+ List<RangerPolicy> oldPolicies = wildcardSearchPolies(oldAuthzMetaobject);
+ List<RangerPolicy> existNewPolicies =
wildcardSearchPolies(newAuthzMetaobject);
+ if (oldPolicies.isEmpty()) {
+ LOG.warn("Cannot find the Ranger policy for the metadata object({})!",
oldAuthzMetaobject);
+ return;
+ }
+ if (!existNewPolicies.isEmpty()) {
+ LOG.warn("The Ranger policy for the metadata object({}) already
exists!", newAuthzMetaobject);
+ }
+ oldPolicies.stream()
+ .forEach(
+ policy -> {
+ try {
+ // Update the policy name is following Gravitino's spec
+
policy.setName(getAuthorizationPath(newPathBasedMetadataObject));
+ // Update the policy resource name to new name
+ policy
+ .getResources()
+ .put(
+ rangerHelper.policyResourceDefines.get(0),
+ new RangerPolicy.RangerPolicyResource(
+ getAuthorizationPath(newPathBasedMetadataObject)));
+
+ boolean alreadyExist =
+ existNewPolicies.stream()
+ .anyMatch(
+ existNewPolicy ->
+
existNewPolicy.getName().equals(policy.getName())
+ ||
existNewPolicy.getResources().equals(policy.getResources()));
+ if (alreadyExist) {
+ LOG.warn(
+ "The Ranger policy for the metadata object({}) already
exists!",
+ newAuthzMetaobject);
+ return;
+ }
+
+ // Update the policy
+ rangerClient.updatePolicy(policy.getId(), policy);
+ } catch (RangerServiceException e) {
+ LOG.error("Failed to rename the policy {}!", policy);
+ throw new RuntimeException(e);
+ }
+ });
+ }
+
+ /**
+ * IF remove the SCHEMA, need to remove these the relevant policies,
`{schema}`, `{schema}.*`,
+ * `{schema}.*.*` <br>
+ * IF remove the TABLE, need to remove these the relevant policies,
`{schema}.*`, `{schema}.*.*`
+ * <br>
+ * IF remove the COLUMN, Only need to remove `{schema}.*.*` <br>
+ */
+ @Override
+ protected void doRemoveMetadataObject(AuthorizationMetadataObject
authzMetadataObject) {
+ if (authzMetadataObject.type().equals(SCHEMA)) {
+ doRemoveSchemaMetadataObject(authzMetadataObject);
+ } else if (authzMetadataObject.type().equals(TABLE)) {
+ doRemoveTableMetadataObject(authzMetadataObject);
+ } else if (authzMetadataObject.type().equals(COLUMN)
+ || authzMetadataObject.type().equals(PATH)) {
+ removePolicyByMetadataObject(authzMetadataObject);
+ } else {
+ throw new IllegalArgumentException(
+ "Unsupported authorization metadata object type: " +
authzMetadataObject.type());
+ }
+ }
+
+ /**
+ * Remove the SCHEMA, Need to remove these the relevant policies,
`{schema}`, `{schema}.*`,
+ * `{schema}.*.*` permissions.
+ */
+ private void doRemoveSchemaMetadataObject(AuthorizationMetadataObject
authzMetadataObject) {
+ Preconditions.checkArgument(
+ authzMetadataObject instanceof PathBasedMetadataObject,
+ "The metadata object must be a PathBasedMetadataObject");
+ Preconditions.checkArgument(
+ authzMetadataObject.type() == SCHEMA, "The metadata object type must
be SCHEMA");
+ Preconditions.checkArgument(
+ authzMetadataObject.names().size() == 1, "The metadata object names
must be 1");
+ if (RangerHelper.RESOURCE_ALL.equals(authzMetadataObject.name())) {
+ // Remove all schema in this catalog
+ String catalogName = authzMetadataObject.names().get(0);
+ NameIdentifier[] schemas =
+ GravitinoEnv.getInstance()
+ .schemaDispatcher()
+ .listSchemas(Namespace.of(metalake, catalogName));
+ Arrays.asList(schemas).stream()
+ .forEach(
+ schema -> {
+ List<String> schemaLocations =
+ AuthorizationUtils.getMetadataObjectLocation(
+ NameIdentifier.of(metalake, catalogName,
schema.name()),
+ Entity.EntityType.SCHEMA);
+ schemaLocations.stream()
+ .forEach(
+ locationPath -> {
+ List<String> names =
+ ImmutableList.of(metalake, catalogName,
schema.name());
+ AuthorizationMetadataObject schemaMetadataObject =
+ new PathBasedMetadataObject(
+
AuthorizationMetadataObject.getParentFullName(names),
+
AuthorizationMetadataObject.getLastName(names),
+ locationPath,
+ PATH);
+ doRemoveSchemaMetadataObject(schemaMetadataObject);
+ });
+ });
+ } else {
+ // Remove all table in this schema
+ NameIdentifier[] tables =
+ GravitinoEnv.getInstance()
+ .tableDispatcher()
+ .listTables(Namespace.of(authzMetadataObject.name()));
+ Arrays.asList(tables).stream()
+ .forEach(
+ table -> {
+ NameIdentifier identifier =
+ NameIdentifier.of(authzMetadataObject.name(),
table.name());
+ List<String> tabLocations =
+ AuthorizationUtils.getMetadataObjectLocation(
+ identifier, Entity.EntityType.TABLE);
+ tabLocations.stream()
+ .forEach(
+ locationPath -> {
+ AuthorizationMetadataObject tableMetadataObject =
+ new PathBasedMetadataObject(
+ authzMetadataObject.name(), table.name(),
locationPath, PATH);
+ doRemoveTableMetadataObject(tableMetadataObject);
+ });
+ // Remove schema
+ Schema schema =
+ GravitinoEnv.getInstance()
+ .schemaDispatcher()
+
.loadSchema(NameIdentifier.of(authzMetadataObject.name()));
+ List<String> schemaLocations =
+ AuthorizationUtils.getMetadataObjectLocation(
+ identifier, Entity.EntityType.SCHEMA);
+ schemaLocations.stream()
+ .forEach(
+ locationPath -> {
+ AuthorizationMetadataObject schemaMetadataObject =
+ new PathBasedMetadataObject(
+ authzMetadataObject.name(), schema.name(),
locationPath, PATH);
+ removePolicyByMetadataObject(schemaMetadataObject);
+ });
+ });
+ }
+ }
+
+ /**
+ * Remove the TABLE, Need to remove these the relevant policies,
`*.{table}`, `*.{table}.{column}`
+ * permissions.
+ */
+ private void doRemoveTableMetadataObject(AuthorizationMetadataObject
authzMetadataObject) {
+ Preconditions.checkArgument(
+ authzMetadataObject instanceof PathBasedMetadataObject,
+ "The metadata object must be a PathBasedMetadataObject");
+ Preconditions.checkArgument(
+ authzMetadataObject.names().size() == 3, "The metadata object names
must be 3");
+ Preconditions.checkArgument(
+ authzMetadataObject.type() == PATH, "The metadata object type must be
PATH");
+ removePolicyByMetadataObject(authzMetadataObject);
+ }
+
@Override
protected RangerPolicy createPolicyAddResources(AuthorizationMetadataObject
metadataObject) {
+ Preconditions.checkArgument(
+ metadataObject instanceof PathBasedMetadataObject,
+ "The metadata object must be a PathBasedMetadataObject");
+ PathBasedMetadataObject pathBasedMetadataObject =
(PathBasedMetadataObject) metadataObject;
RangerPolicy policy = new RangerPolicy();
policy.setService(rangerServiceName);
- policy.setName(metadataObject.fullName());
+ policy.setName(getAuthorizationPath(pathBasedMetadataObject));
Review Comment:
No, Gravitino maintained Ranger Policy only has one unique resource.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
