Re: [PR] RANGER-5393: updated RangerOzoneAuthorizer to support AssumeRole [ranger]

Wed, 10 Dec 2025 15:09:37 -0800 


mneethiraj commented on code in PR #766:
URL: https://github.com/apache/ranger/pull/766#discussion_r2608529130


##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -221,4 +295,88 @@ private String mapToRangerAccessType(ACLType operation) {
 
         return rangerAccessType;
     }
+
+    private static RangerInlinePolicy.Grant 
toRangerGrant(AssumeRoleRequest.OzoneGrant ozoneGrant, RangerBasePlugin plugin) 
{
+        RangerInlinePolicy.Grant ret;
+
+        if (CollectionUtils.isEmpty(ozoneGrant.getObjects()) && 
CollectionUtils.isEmpty(ozoneGrant.getPermissions())) {
+            ret = null;
+        } else {
+            ret = new RangerInlinePolicy.Grant();
+
+            if (ozoneGrant.getObjects() != null) {
+                ret.setResources(ozoneGrant.getObjects().stream().map(o -> 
toRrn(o, plugin)).filter(Objects::nonNull).collect(Collectors.toSet()));
+            }
+
+            if (ozoneGrant.getPermissions() != null) {
+                
ret.setPermissions(ozoneGrant.getPermissions().stream().map(RangerOzoneAuthorizer::toRangerPermission).filter(Objects::nonNull).collect(Collectors.toSet()));
+            }
+        }
+
+        LOG.debug("toRangerGrant(ozoneGrant={}): ret={}", ozoneGrant, ret);
+
+        return ret;
+    }
+
+    private static String toRrn(IOzoneObj obj, RangerBasePlugin plugin) {
+        OzoneObj            ozoneObj = (OzoneObj) obj;
+        Map<String, String> resource = new HashMap<>();
+        String              resType  = null;
+
+        switch (ozoneObj.getResourceType()) {
+            case VOLUME:
+                resType = KEY_RESOURCE_VOLUME;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getVolumeName());
+                break;
+
+            case BUCKET:
+                resType = KEY_RESOURCE_BUCKET;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() == 
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());
+                resource.put(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
+                break;
+
+            case KEY:
+                resType = KEY_RESOURCE_KEY;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() == 
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());
+                resource.put(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
+                resource.put(KEY_RESOURCE_KEY, ozoneObj.getKeyName());

Review Comment:
   @fateh288  - hirearchical permissions are *not* added in 
`RangerOzoneAuthorizer`. You seem to suggest that Ozone already adds necessary 
hieracrchical grants while translating `IAMPolicy` to `AssumeRoleRequest`. If 
yes, do you see need for any changes in `RangerOzoneAuthorizer`?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to