[jira] [Created] (RANGER-4810) Move Trino authorizer implementation from Ranger git repo to Trino repo

Thu, 06 Jun 2024 14:05:04 -0700 

Madhan Neethiraj created RANGER-4810:
----------------------------------------

             Summary: Move Trino authorizer implementation from Ranger git repo 
to Trino repo
                 Key: RANGER-4810
                 URL: https://issues.apache.org/jira/browse/RANGER-4810
             Project: Ranger
          Issue Type: Improvement
          Components: plugins
            Reporter: Madhan Neethiraj
            Assignee: Madhan Neethiraj


Moving Trino authorizer implementation from Ranger git repo to Trino repo has 
several advantages, including:
 # Keeping the authorizer in sync with the updates in SystemAccessControl 
interface. For example, following changes in the latest Trino repo are not 
compatible with the Trino authorizer in Ranger repo:
 ## SystemAccessControl.checkCanAccessCatalog(): removed
 ## 
SystemAccessControl.getRowFilter(): replaced with getRowFilters()
 ## 
 SystemAccessControl.getColumnMasks(): replaced with getColumnMask()
 ## 
SystemAccessControl.checkCanSetSystemSessionProperty(): removed
 ## 
SystemAccessControl.checkCanImpersonateUser(): signature changed
 ## 
SystemAccessControl.checkCanAccessCatalog(): removed
 ## SystemAccessControl.checkCanCreateSchema(): signature changed
 ## 
SystemAccessControl.checkCanExecuteQuery(): removed
 ## 
SystemAccessControl.checkCanViewQueryOwnedBy(): removed
 ## 
SystemAccessControl.filterViewQueryOwnedBy(): signature changed
 ## 
SystemAccessControl.checkCanKillQueryOwnedBy(): removed
 ## 
SystemAccessControl.checkCanGrantExecuteFunctionPrivilege(): removed/replaced
 ## 
SystemAccessControl.checkCanExecuteFunction(): signature changed
 ## 
ViewExpression(): constructor changed
 ## 
AccessDeniedException.denyGrantExecuteFunctionPrivilege(): removed
 # Trino requires more recent JDK versions (currently JDK 22) than Ranger repo 
(which still supports JDK 8). Trino authorizer is built separately, as a second 
phase, in Ranger repo using higher JDK versions. Moving the authorizer to Trino 
repo will avoid this additional step.

 

Trino seems to have a class loader isolation in place for its plugins, which 
can eliminate the need for the shim layer used in Ranger plugin. This needs to 
be considered along with this move.

Though the authorizer implementation would move to Trino repp, Ranger repo will 
continue to have modules used in Ranger admin server for resource look up and 
default policy creation (class RangerServiceTrino).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to