jerqi commented on code in PR #6100:
URL: https://github.com/apache/gravitino/pull/6100#discussion_r1904838550
##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java:
##########
@@ -76,6 +85,297 @@ public Map<Privilege.Name, Set<AuthorizationPrivilege>>
privilegesMappingRule()
ImmutableSet.of(RangerHadoopSQLPrivilege.READ,
RangerHadoopSQLPrivilege.SELECT));
}
+ /**
+ * Find the managed policy for the ranger securable object.
+ *
+ * @param authzMetadataObject The ranger securable object to find the
managed policy.
+ * @return The managed policy for the metadata object.
+ */
+ @Override
+ public RangerPolicy findManagedPolicy(AuthorizationMetadataObject
authzMetadataObject)
+ throws AuthorizationPluginException {
+ List<String> nsMetadataObj = authzMetadataObject.names();
+ Map<String, String> preciseFilters = new HashMap<>();
+ for (int i = 0; i < nsMetadataObj.size() && i <
policyResourceDefinesRule().size(); i++) {
+ preciseFilters.put(policyResourceDefinesRule().get(i),
nsMetadataObj.get(i));
+ }
+ return preciseFindPolicy(authzMetadataObject, preciseFilters);
+ }
+
+ /** Wildcard search the Ranger policies in the different Ranger service. */
+ @Override
+ protected List<RangerPolicy> wildcardSearchPolies(
+ AuthorizationMetadataObject authzMetadataObject) {
+ List<String> resourceDefines = policyResourceDefinesRule();
+ Map<String, String> searchFilters = new HashMap<>();
+ searchFilters.put(SearchFilter.SERVICE_NAME, rangerServiceName);
+ for (int i = 0; i < authzMetadataObject.names().size() && i <
resourceDefines.size(); i++) {
+ searchFilters.put(
+ SearchFilter.RESOURCE_PREFIX + resourceDefines.get(i),
+ authzMetadataObject.names().get(i));
+ }
+
+ try {
+ return rangerClient.findPolicies(searchFilters);
+ } catch (RangerServiceException e) {
+ throw new AuthorizationPluginException(e, "Failed to find the policies
in the Ranger");
+ }
+ }
+
+ /**
+ * If rename the SCHEMA, Need to rename these the relevant policies,
`{schema}`, `{schema}.*`,
+ * `{schema}.*.*` <br>
+ * If rename the TABLE, Need to rename these the relevant policies,
`{schema}.*`, `{schema}.*.*`
+ * <br>
+ * If rename the COLUMN, Only need to rename `{schema}.*.*` <br>
+ */
+ @Override
+ protected void doRenameMetadataObject(
+ AuthorizationMetadataObject authzMetadataObject,
+ AuthorizationMetadataObject newAuthzMetadataObject) {
+ List<Map<String, String>> mappingOldAndNewMetadata = new ArrayList<>();
+ if (newAuthzMetadataObject.type().equals(SCHEMA)) {
+ // Rename the SCHEMA, Need to rename these the relevant policies,
`{schema}`, `{schema}.*`,
+ // * `{schema}.*.*`
+ mappingOldAndNewMetadata =
+ ImmutableList.of(
+ ImmutableMap.of(
+ authzMetadataObject.names().get(0),
newAuthzMetadataObject.names().get(0)),
+ ImmutableMap.of(RangerHelper.RESOURCE_ALL,
RangerHelper.RESOURCE_ALL),
+ ImmutableMap.of(RangerHelper.RESOURCE_ALL,
RangerHelper.RESOURCE_ALL));
+ } else if (newAuthzMetadataObject.type().equals(TABLE)) {
+ // Rename the TABLE, Need to rename these the relevant policies,
`{schema}.*`, `{schema}.*.*`
+ mappingOldAndNewMetadata =
+ ImmutableList.of(
+ ImmutableMap.of(
+ authzMetadataObject.names().get(0),
newAuthzMetadataObject.names().get(0)),
+ ImmutableMap.of(
+ authzMetadataObject.names().get(1),
newAuthzMetadataObject.names().get(1)),
+ ImmutableMap.of(RangerHelper.RESOURCE_ALL,
RangerHelper.RESOURCE_ALL));
+ } else if (newAuthzMetadataObject.type().equals(COLUMN)) {
+ // Rename the COLUMN, Only need to rename `{schema}.*.*`
+ mappingOldAndNewMetadata =
+ ImmutableList.of(
+ ImmutableMap.of(
+ authzMetadataObject.names().get(0),
newAuthzMetadataObject.names().get(0)),
+ ImmutableMap.of(
+ authzMetadataObject.names().get(1),
newAuthzMetadataObject.names().get(1)),
+ ImmutableMap.of(
+ authzMetadataObject.names().get(2),
newAuthzMetadataObject.names().get(2)));
+ } else if (newAuthzMetadataObject.type().equals(PATH)) {
Review Comment:
Do we need `PATH` here?