kumaab commented on code in PR #766:
URL: https://github.com/apache/ranger/pull/766#discussion_r2607795756
##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -77,6 +93,11 @@ public RangerOzoneAuthorizer() {
}
}
+ // for testing only
Review Comment:
@VisibleForTesting suggested here.
##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -221,4 +295,88 @@ private String mapToRangerAccessType(ACLType operation) {
return rangerAccessType;
}
+
+ private static RangerInlinePolicy.Grant
toRangerGrant(AssumeRoleRequest.OzoneGrant ozoneGrant, RangerBasePlugin plugin)
{
+ RangerInlinePolicy.Grant ret;
+
+ if (CollectionUtils.isEmpty(ozoneGrant.getObjects()) &&
CollectionUtils.isEmpty(ozoneGrant.getPermissions())) {
+ ret = null;
+ } else {
+ ret = new RangerInlinePolicy.Grant();
+
+ if (ozoneGrant.getObjects() != null) {
+ ret.setResources(ozoneGrant.getObjects().stream().map(o ->
toRrn(o, plugin)).filter(Objects::nonNull).collect(Collectors.toSet()));
+ }
+
+ if (ozoneGrant.getPermissions() != null) {
+
ret.setPermissions(ozoneGrant.getPermissions().stream().map(RangerOzoneAuthorizer::toRangerPermission).filter(Objects::nonNull).collect(Collectors.toSet()));
+ }
+ }
+
+ LOG.debug("toRangerGrant(ozoneGrant={}): ret={}", ozoneGrant, ret);
+
+ return ret;
+ }
+
+ private static String toRrn(IOzoneObj obj, RangerBasePlugin plugin) {
+ OzoneObj ozoneObj = (OzoneObj) obj;
+ Map<String, String> resource = new HashMap<>();
+ String resType = null;
+
+ switch (ozoneObj.getResourceType()) {
+ case VOLUME:
+ resType = KEY_RESOURCE_VOLUME;
+
+ resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getVolumeName());
+ break;
+
+ case BUCKET:
+ resType = KEY_RESOURCE_BUCKET;
+
+ resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() ==
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());
+ resource.put(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
+ break;
+
+ case KEY:
+ resType = KEY_RESOURCE_KEY;
+
+ resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() ==
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());
+ resource.put(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
+ resource.put(KEY_RESOURCE_KEY, ozoneObj.getKeyName());
+ break;
+ }
+
+ RangerResourceNameParser rrnParser = resType != null ?
plugin.getServiceDefHelper().getRrnParser(resType) : null;
+ String ret = rrnParser != null ? (resType +
RangerResourceNameParser.RRN_RESOURCE_TYPE_SEP +
rrnParser.toResourceName(resource)) : null;
+
+ LOG.debug("toRrn(ozoneObj={}): ret={}", ozoneObj, ret);
+
+ return ret;
+ }
+
+ private static String toRangerPermission(ACLType acl) {
Review Comment:
(Optional)
Map based approach maybe more maintainable:
private static final Map<ACLType, String> PERMISSIONS = Map.of(
ACLType.READ, "read",
ACLType.WRITE, "write",
ACLType.CREATE, "create",
ACLType.LIST, "list",
ACLType.DELETE, "delete",
ACLType.READ_ACL, "read_acl",
ACLType.WRITE_ACL, "write_acl",
ACLType.ALL, "all"
// NONE and ASSUME_ROLE intentionally excluded
);
private static String toRangerPermission(ACLType acl) {
return PERMISSIONS.get(acl);
}
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
