Repository: incubator-hawq Updated Branches: refs/heads/master 7d02472b8 -> e4ac516b2
HAWQ-1292. Change GUC enable_ranger(bool) to a text GUC(hawq_acl_type), which can allow other kinds of ACL. Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/e4ac516b Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/e4ac516b Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/e4ac516b Branch: refs/heads/master Commit: e4ac516b24853a83f3c0c7c66d858e92437f8d46 Parents: 7d02472 Author: stanlyxiang <[email protected]> Authored: Sat Jan 14 15:31:28 2017 +0800 Committer: Wen Lin <[email protected]> Committed: Sat Feb 4 16:21:19 2017 +0800 ---------------------------------------------------------------------- src/backend/catalog/aclchk.c | 22 +++++++------- src/backend/catalog/namespace.c | 4 +-- src/backend/parser/parse_relation.c | 5 +-- src/backend/tcop/postgres.c | 17 +++++++++-- src/backend/utils/adt/acl.c | 3 +- src/backend/utils/misc/guc.c | 52 ++++++++++++++++---------------- src/include/utils/acl.h | 14 ++++++++- src/include/utils/guc.h | 4 ++- 8 files changed, 75 insertions(+), 46 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/catalog/aclchk.c ---------------------------------------------------------------------- diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c index 33fa9ab..667aa61 100644 --- a/src/backend/catalog/aclchk.c +++ b/src/backend/catalog/aclchk.c 
@@ -228,7 +228,7 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs, */ if (avail_goptions == ACL_NO_RIGHTS && Gp_role != GP_ROLE_EXECUTE) { - if (enable_ranger && !fallBackToNativeCheck(objkind, objectId, grantorId)) { + if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(objkind, objectId, grantorId)) { if (pg_rangercheck(objkind, objectId, grantorId, whole_mask | ACL_GRANT_OPTION_FOR(whole_mask), ACLMASK_ANY) != ACLCHECK_OK) @@ -3851,7 +3851,7 @@ pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid)) { return pg_rangercheck(ACL_KIND_CLASS, table_oid, roleid, mode, ACLMASK_ANY); } @@ -3871,7 +3871,7 @@ pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid)) { return pg_rangercheck(ACL_KIND_DATABASE, db_oid, roleid, mode, ACLMASK_ANY); } @@ -3891,7 +3891,7 @@ pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid)) { return pg_rangercheck(ACL_KIND_PROC, proc_oid, roleid, mode, ACLMASK_ANY); } 
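Review bot: Every converted guard tests `aclType == HAWQ_ACL_RANGER` and otherwise presumably continues into the native check, so an ACL type added later (the stated purpose of this commit) would be authorised by native ACLs at any site that is not updated by hand. This applies to the guard in restrict_and_check_grant here, to the identical guard in the ten pg_*_aclcheck hunks that follow in aclchk.c, and to ExecCheckRTPerms in parse_relation.c. Consider routing the decision through one helper built around `switch (aclType)` whose `default:` arm raises an error, so that an unhandled mode fails closed. The enclosing functions start and end outside these hunks, so the native branch itself is not visible here.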
@@ -3911,7 +3911,7 @@ pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid)) { return pg_rangercheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode, ACLMASK_ANY); } @@ -3931,7 +3931,7 @@ pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid)) { return pg_rangercheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode, ACLMASK_ANY); } @@ -3951,7 +3951,7 @@ pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid)) { return pg_rangercheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode, ACLMASK_ANY); } @@ -3972,7 +3972,7 @@ pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid)) { return pg_rangercheck(ACL_KIND_FDW, fdw_oid, roleid, mode, ACLMASK_ANY); } 
@@ -3993,7 +3993,7 @@ pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid)) { return pg_rangercheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode, ACLMASK_ANY); } @@ -4014,7 +4014,7 @@ pg_extprotocol_aclcheck(Oid ptcid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid)) { return pg_rangercheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode, ACLMASK_ANY); } @@ -4034,7 +4034,7 @@ pg_filesystem_aclcheck(Oid fsysid, Oid roleid, AclMode mode) if (Gp_role == GP_ROLE_EXECUTE) return ACLCHECK_OK; - if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid)) + if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid)) { return pg_rangercheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode, ACLMASK_ANY); } http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/catalog/namespace.c ---------------------------------------------------------------------- diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c index a780625..e67570e 100644 --- a/src/backend/catalog/namespace.c +++ b/src/backend/catalog/namespace.c @@ -1946,7 +1946,7 @@ recomputeNamespacePath(void) */ if (namespaceSearchPathValid && namespaceUser == roleid) { - if (!enable_ranger) + if (aclType != HAWQ_ACL_RANGER) { return; } 
@@ -1959,7 +1959,7 @@ recomputeNamespacePath(void) if (current_query_sign == last_query_sign) return; last_query_sign = current_query_sign; - elog(DEBUG3, "recompute search_path[%s] when enable_ranger", namespace_search_path); + elog(DEBUG3, "recompute search_path[%s] when acl_type is ranger", namespace_search_path); } } http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/parser/parse_relation.c ---------------------------------------------------------------------- diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c index 1dc6b86..676f8bf 100644 --- a/src/backend/parser/parse_relation.c +++ b/src/backend/parser/parse_relation.c @@ -2714,7 +2714,7 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location) void ExecCheckRTPerms(List *rangeTable) { - if (enable_ranger && !fallBackToNativeChecks(ACL_KIND_CLASS,rangeTable,GetUserId())) + if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeChecks(ACL_KIND_CLASS,rangeTable,GetUserId())) { if(rangeTable!=NULL) ExecCheckRTPermsWithRanger(rangeTable); @@ -2729,7 +2729,8 @@ ExecCheckRTPerms(List *rangeTable) /* * ExecCheckRTPerms - * Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true. + * Batch implementation: Check access permissions for all relations + * listed in a range table with acl_type is ranger. */ void ExecCheckRTPermsWithRanger(List *rangeTable) http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/tcop/postgres.c ---------------------------------------------------------------------- diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c index 74c5dd6..7cbe206 100644 --- a/src/backend/tcop/postgres.c +++ b/src/backend/tcop/postgres.c 
@@ -4395,8 +4395,21 @@ PostgresMain(int argc, char *argv[], const char *username) BuildFlatFiles(true); } - /* for enable ranger*/ - if (AmIMaster() && enable_ranger && !curl_context_ranger.hasInited) + if (strcasecmp(acl_type, HAWQ_ACL_TYPE_STANDALONE) == 0) + { + aclType = HAWQ_ACL_NATIVE; + } + else if (strcasecmp(acl_type, HAWQ_ACL_TYPE_RANGER) == 0) + { + aclType = HAWQ_ACL_RANGER; + } + else + { + elog(ERROR, "invalid acl check type : %s.", acl_type); + } + elog(LOG, "acl check type is %s, the acl type value is %d.", acl_type, aclType); + /* for acl_type is ranger*/ + if (AmIMaster() && aclType == HAWQ_ACL_RANGER && !curl_context_ranger.hasInited) { memset(&curl_context_ranger, 0, sizeof(curl_context_t)); curl_global_init(CURL_GLOBAL_ALL); http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/utils/adt/acl.c ---------------------------------------------------------------------- diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c index e9a4244..27e1bbb 100644 --- a/src/backend/utils/adt/acl.c +++ b/src/backend/utils/adt/acl.c @@ -32,6 +32,7 @@ #include "utils/lsyscache.h" #include "utils/memutils.h" #include "utils/syscache.h" +#include "utils/guc.h" typedef struct { @@ -108,7 +109,7 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode); static void RoleMembershipCacheCallback(Datum arg, Oid relid); - +AclType aclType; /* * getid * Consumes the first alphanumeric string (identifier) found in string http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/utils/misc/guc.c ---------------------------------------------------------------------- diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c index e87d514..bd03d5e 100644 --- a/src/backend/utils/misc/guc.c +++ b/src/backend/utils/misc/guc.c 
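Review bot: The value of hawq_acl_type is validated only here in PostgresMain, so the postmaster accepts a misspelled setting and each backend then rejects it at connection time. `aclType` is also assigned only on this path. Validating in an assign hook on the string GUC (the guc.c entry passes `NULL, NULL` for its hooks) would reject a bad value at server start and keep `aclType` in step with `acl_type` in one place. Whether `elog(ERROR, ...)` ends the session at this point depends on code outside the hunk; if termination is intended, `elog(FATAL, "invalid acl check type : %s.", acl_type);` says so explicitly and rules out continuing with `aclType` at its zero value. `strcasecmp` also accepts any letter case, which the GUC description does not mention.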
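Review bot: `AclType aclType;` in acl.c has no initialiser, so its startup value is whichever enumerator is zero, which is HAWQ_ACL_NATIVE as the enum is declared in acl.h. Any ACL check that runs before PostgresMain assigns it, or in a process that never reaches that code, would therefore use native checks even when hawq_acl_type is ranger. If that default is intended, make it explicit and documented: `AclType aclType = HAWQ_ACL_NATIVE; /* set once in PostgresMain from hawq_acl_type */`. The `#include "utils/guc.h"` added in the preceding acl.c hunk does not appear to be needed for this definition, since AclType comes from acl.h; what else in acl.c requires it is not visible here.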
@@ -732,7 +732,6 @@ int hawq_rm_nvseg_for_analyze_nopart_perquery_perseg_limit; int hawq_rm_nvseg_for_analyze_part_perquery_perseg_limit; int hawq_rm_nvseg_for_analyze_nopart_perquery_limit; int hawq_rm_nvseg_for_analyze_part_perquery_limit; -bool enable_ranger = false; double optimizer_cost_threshold; double optimizer_nestloop_factor; double locality_upper_bound; @@ -781,6 +780,8 @@ bool gp_plpgsql_clear_cache_always = false; /* indicate whether called by gpdump, if yes, processutility will open some limitations */ bool gp_called_by_pgdump = false; +char *acl_type; + char *rps_addr_host; char *rps_addr_suffix; int rps_addr_port; @@ -4332,16 +4333,6 @@ static struct config_bool ConfigureNamesBool[] = }, { - {"enable_ranger", PGC_POSTMASTER, CONN_AUTH_SETTINGS, - gettext_noop("Enable Apache Ranger for HAWQ privilege management."), - NULL, - GUC_SUPERUSER_ONLY - }, - &enable_ranger, - false, NULL, NULL - }, - - { {"filesystem_support_truncate", PGC_USERSET, APPENDONLY_TABLES, gettext_noop("the file system support truncate feature."), NULL, 
@@ -8188,22 +8179,31 @@ static struct config_string ConfigureNamesString[] = }, { - {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS, - gettext_noop("ranger plugin server address hostname"), - NULL - }, - &rps_addr_host, - "localhost", NULL, NULL - }, + {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS, + gettext_noop("ranger plugin server address hostname"), + NULL + }, + &rps_addr_host, + "localhost", NULL, NULL + }, - { - {"hawq_rps_address_suffix", PGC_POSTMASTER, PRESET_OPTIONS, - gettext_noop("ranger plugin server suffix of restful service address"), - NULL - }, - &rps_addr_suffix, - "rps", NULL, NULL - }, + { + {"hawq_rps_address_suffix", PGC_POSTMASTER, PRESET_OPTIONS, + gettext_noop("ranger plugin server suffix of restful service address"), + NULL + }, + &rps_addr_suffix, + "rps", NULL, NULL + }, + + { + {"hawq_acl_type", PGC_POSTMASTER, PRESET_OPTIONS, + gettext_noop("hawq acl mode, currently 'standalone' and 'ranger' is available"), + NULL + }, + &acl_type, + "standalone", NULL, NULL + }, { {"hawq_standby_address_host", PGC_POSTMASTER, PRESET_OPTIONS, http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/include/utils/acl.h ---------------------------------------------------------------------- diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h index da6f512..863f5ae 100644 --- a/src/include/utils/acl.h +++ b/src/include/utils/acl.h @@ -26,7 +26,6 @@ #include "nodes/parsenodes.h" #include "utils/array.h" -//#include "utils/rangerrest.h" /* 
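Review bot: The new `hawq_acl_type` entry drops the `GUC_SUPERUSER_ONLY` flag and the `CONN_AUTH_SETTINGS` group that the removed `enable_ranger` entry carried, so the server's authorisation mode is no longer hidden from non-superusers and is filed under PRESET_OPTIONS. If that is not deliberate, keep the old classification: `{"hawq_acl_type", PGC_POSTMASTER, CONN_AUTH_SETTINGS,` with `GUC_SUPERUSER_ONLY` following the long-description `NULL`. The description would read better as `"hawq acl mode, currently 'standalone' and 'ranger' are available"`. The re-indentation of the two hawq_rps_address_* entries in the same hunk is unrelated whitespace churn that makes the security-relevant addition harder to spot in review.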
@@ -156,6 +155,19 @@ typedef ArrayType Acl; #define ACL_ALL_RIGHTS_NAMESPACE (ACL_USAGE|ACL_CREATE) #define ACL_ALL_RIGHTS_TABLESPACE (ACL_CREATE) +/* how hawq do acl check */ +#define HAWQ_ACL_TYPE_STANDALONE "standalone" +#define HAWQ_ACL_TYPE_RANGER "ranger" + +/* acl type */ +typedef enum +{ + HAWQ_ACL_NATIVE, + HAWQ_ACL_RANGER +} AclType; + +extern AclType aclType; + /* operation codes for pg_*_aclmask */ typedef enum { http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/include/utils/guc.h ---------------------------------------------------------------------- diff --git a/src/include/utils/guc.h b/src/include/utils/guc.h index 2315778..77cee1e 100644 --- a/src/include/utils/guc.h +++ b/src/include/utils/guc.h @@ -275,7 +275,6 @@ extern bool gp_plpgsql_clear_cache_always; extern bool gp_disable_catalog_access_on_segment; extern bool gp_called_by_pgdump; -extern bool enable_ranger; /* Debug DTM Action */ typedef enum @@ -453,6 +452,9 @@ extern int information_schema_namespcace_oid; */ extern bool optimizer_partition_selection_log; +/* acl type for privileges check */ +extern char *acl_type; + /** * rps host and port */
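Review bot: The configuration value "standalone" maps to an enumerator named HAWQ_ACL_NATIVE, and the headers now expose three near-identical names (`AclType`, `aclType`, and the string GUC variable `acl_type` in guc.h) documented only by `/* acl type */`. Because this enum selects the authorisation backend, each enumerator deserves a comment tying it to its setting, e.g. `HAWQ_ACL_NATIVE, /* hawq_acl_type = "standalone" */` and `HAWQ_ACL_RANGER /* hawq_acl_type = "ranger" */`. `extern AclType aclType;` should also get a line saying where it is assigned and that it must not be read before then. Using one word for "standalone" and "native" across the macro and the enumerator would remove the remaining ambiguity.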
