[ https://issues.apache.org/jira/browse/RANGER-4810?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Madhan Neethiraj resolved RANGER-4810.
--------------------------------------
Fix Version/s: 3.0.0, 2.5.0
Resolution: Fixed
> Move Trino authorizer implementation from Ranger git repo to Trino repo
> -----------------------------------------------------------------------
>
> Key: RANGER-4810
> URL: https://issues.apache.org/jira/browse/RANGER-4810
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Priority: Major
> Fix For: 3.0.0, 2.5.0
>
>
> Moving Trino authorizer implementation from Ranger git repo to Trino repo has
> several advantages, including:
> # Keeping the authorizer in sync with the updates in SystemAccessControl
> interface. For example, following changes in the latest Trino repo are not
> compatible with the Trino authorizer in Ranger repo:
> ## SystemAccessControl.checkCanAccessCatalog(): removed
> ## SystemAccessControl.getRowFilter(): replaced with getRowFilters()
> ## SystemAccessControl.getColumnMasks(): replaced with getColumnMask()
> ## SystemAccessControl.checkCanSetSystemSessionProperty(): removed
> ## SystemAccessControl.checkCanImpersonateUser(): signature changed
> ## SystemAccessControl.checkCanAccessCatalog(): removed
> ## SystemAccessControl.checkCanCreateSchema(): signature changed
> ## SystemAccessControl.checkCanExecuteQuery(): removed
> ## SystemAccessControl.checkCanViewQueryOwnedBy(): removed
> ## SystemAccessControl.filterViewQueryOwnedBy(): signature changed
> ## SystemAccessControl.checkCanKillQueryOwnedBy(): removed
> ## SystemAccessControl.checkCanGrantExecuteFunctionPrivilege():
> removed/replaced
> ## SystemAccessControl.checkCanExecuteFunction(): signature changed
> ## ViewExpression(): constructor changed
> ## AccessDeniedException.denyGrantExecuteFunctionPrivilege(): removed
> # Trino requires more recent JDK versions (currently JDK 22) than Ranger
> repo (which still supports JDK 8). Trino authorizer is built separately, as a
> second phase, in Ranger repo using higher JDK versions. Moving the authorizer
> to Trino repo will avoid this additional step.
>
> Trino seems to have a class loader isolation in place for its plugins, which
> can eliminate the need for the shim layer used in Ranger plugin. This needs
> to be considered along with this move.
> Though the authorizer implementation would move to Trino repo, Ranger repo
> will continue to have modules used in Ranger admin server for resource look
> up and default policy creation (class RangerServiceTrino).