Re: [PR] RANGER-5393: updated RangerOzoneAuthorizer to support AssumeRole [ranger]

Fri, 12 Dec 2025 12:20:56 -0800 


Copilot commented on code in PR #766:
URL: https://github.com/apache/ranger/pull/766#discussion_r2615466125


##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -188,6 +215,60 @@ public boolean checkAccess(IOzoneObj ozoneObject, 
RequestContext context) {
         return returnValue;
     }
 
+    @Override
+    public String generateAssumeRoleSessionPolicy(AssumeRoleRequest 
assumeRoleRequest) throws OMException {
+        LOG.debug("==> 
RangerOzoneAuthorizer.generateAssumeRoleSessionPolicy(assumeRoleRequest={})", 
assumeRoleRequest);
+
+        if (assumeRoleRequest == null) {
+            throw new OMException("invalid request: null", 
OMException.ResultCodes.INVALID_REQUEST);
+        } else if (assumeRoleRequest.getClientUgi() == null) {
+            throw new OMException("invalid request: request.clientUgi null", 
OMException.ResultCodes.INVALID_REQUEST);
+        } else if (assumeRoleRequest.getTargetRoleName() == null) {
+            throw new OMException("invalid request: request.targetRoleName 
null", OMException.ResultCodes.INVALID_REQUEST);
+        }
+
+        RangerBasePlugin plugin = rangerPlugin;
+
+        if (plugin == null) {
+            throw new OMException("Ranger authorizer not initialized", 
OMException.ResultCodes.INTERNAL_ERROR);
+        }
+
+        UserGroupInformation     ugi      = assumeRoleRequest.getClientUgi();
+        RangerAccessResourceImpl resource = new 
RangerAccessResourceImpl(Collections.singletonMap(KEY_RESOURCE_ROLE, 
assumeRoleRequest.getTargetRoleName()));
+        RangerAccessRequestImpl  request  = new 
RangerAccessRequestImpl(resource, ACCESS_TYPE_ASSUME_ROLE, 
ugi.getShortUserName(), Sets.newHashSet(ugi.getGroupNames()), null);
+
+        try {
+            RangerAccessResult result = plugin.isAccessAllowed(request);
+
+            if (result != null && result.getIsAccessDetermined() && 
result.getIsAllowed()) {
+                final List<RangerInlinePolicy.Grant> inlineGrants;
+
+                if (assumeRoleRequest.getGrants() == null) { // inlinePolicy 
allows all permissions
+                    inlineGrants = null;
+                } else if (assumeRoleRequest.getGrants().isEmpty()) { // 
inlinePolicy doesn't allow any permission

Review Comment:
   An empty Grant object may not clearly convey intent. Consider adding a 
comment explaining that an empty grant is used to explicitly deny all 
permissions, distinguishing it from null (which allows all permissions).
   ```suggestion
                   } else if (assumeRoleRequest.getGrants().isEmpty()) { // 
inlinePolicy doesn't allow any permission
                       // An empty Grant object is used here to explicitly deny 
all permissions.
                       // This is distinct from 'null', which allows all 
permissions.
   ```



##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -221,4 +302,82 @@ private String mapToRangerAccessType(ACLType operation) {
 
         return rangerAccessType;
     }
+
+    private static RangerInlinePolicy.Grant toRangerGrant(OzoneGrant 
ozoneGrant, RangerBasePlugin plugin) {
+        RangerInlinePolicy.Grant ret = new RangerInlinePolicy.Grant();
+
+        if (ozoneGrant.getObjects() != null) {
+            ret.setResources(ozoneGrant.getObjects().stream().map(o -> 
toRrn(o, plugin)).filter(Objects::nonNull).collect(Collectors.toSet()));
+        }
+
+        if (ozoneGrant.getPermissions() != null) {
+            
ret.setPermissions(ozoneGrant.getPermissions().stream().map(RangerOzoneAuthorizer::toRangerPermission).filter(Objects::nonNull).collect(Collectors.toSet()));
+        }
+
+        LOG.debug("toRangerGrant(ozoneGrant={}): ret={}", ozoneGrant, ret);
+
+        return ret;
+    }
+
+    private static String toRrn(IOzoneObj obj, RangerBasePlugin plugin) {
+        OzoneObj            ozoneObj = (OzoneObj) obj;
+        Map<String, String> resource = new HashMap<>();
+        String              resType  = null;
+
+        switch (ozoneObj.getResourceType()) {
+            case VOLUME:
+                resType = KEY_RESOURCE_VOLUME;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getVolumeName());
+                break;
+
+            case BUCKET:
+                resType = KEY_RESOURCE_BUCKET;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() == 
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());

Review Comment:
   The hardcoded 's3Vol' string is duplicated. Consider extracting this as a 
constant (e.g., S3_VOLUME_NAME) to improve maintainability and ensure 
consistency.



##########
plugin-ozone/src/main/java/org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.java:
##########
@@ -221,4 +302,82 @@ private String mapToRangerAccessType(ACLType operation) {
 
         return rangerAccessType;
     }
+
+    private static RangerInlinePolicy.Grant toRangerGrant(OzoneGrant 
ozoneGrant, RangerBasePlugin plugin) {
+        RangerInlinePolicy.Grant ret = new RangerInlinePolicy.Grant();
+
+        if (ozoneGrant.getObjects() != null) {
+            ret.setResources(ozoneGrant.getObjects().stream().map(o -> 
toRrn(o, plugin)).filter(Objects::nonNull).collect(Collectors.toSet()));
+        }
+
+        if (ozoneGrant.getPermissions() != null) {
+            
ret.setPermissions(ozoneGrant.getPermissions().stream().map(RangerOzoneAuthorizer::toRangerPermission).filter(Objects::nonNull).collect(Collectors.toSet()));
+        }
+
+        LOG.debug("toRangerGrant(ozoneGrant={}): ret={}", ozoneGrant, ret);
+
+        return ret;
+    }
+
+    private static String toRrn(IOzoneObj obj, RangerBasePlugin plugin) {
+        OzoneObj            ozoneObj = (OzoneObj) obj;
+        Map<String, String> resource = new HashMap<>();
+        String              resType  = null;
+
+        switch (ozoneObj.getResourceType()) {
+            case VOLUME:
+                resType = KEY_RESOURCE_VOLUME;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getVolumeName());
+                break;
+
+            case BUCKET:
+                resType = KEY_RESOURCE_BUCKET;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() == 
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());
+                resource.put(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
+                break;
+
+            case KEY:
+                resType = KEY_RESOURCE_KEY;
+
+                resource.put(KEY_RESOURCE_VOLUME, ozoneObj.getStoreType() == 
OzoneObj.StoreType.S3 ? "s3Vol" : ozoneObj.getVolumeName());

Review Comment:
   The hardcoded 's3Vol' string is duplicated. Consider extracting this as a 
constant (e.g., S3_VOLUME_NAME) to improve maintainability and ensure 
consistency.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to