mneethiraj commented on code in PR #3928: URL: https://github.com/apache/polaris/pull/3928#discussion_r2892303893
########## extensions/auth/ranger/src/main/java/org/apache/polaris/extension/auth/ranger/RangerPolarisAuthorizer.java: ########## @@ -0,0 +1,449 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.extension.auth.ranger; + +import static org.apache.polaris.core.entity.PolarisEntityConstants.getRootPrincipalName; + +import com.google.common.base.Preconditions; +import jakarta.annotation.Nonnull; +import jakarta.annotation.Nullable; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Properties; +import java.util.Set; +import java.util.stream.Collectors; +import org.apache.iceberg.exceptions.ForbiddenException; +import org.apache.polaris.core.auth.AuthorizationDecision; +import org.apache.polaris.core.auth.AuthorizationRequest; +import org.apache.polaris.core.auth.AuthorizationState; +import org.apache.polaris.core.auth.PolarisAuthorizableOperation; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.auth.PolarisPrincipal; +import org.apache.polaris.core.config.FeatureConfiguration; +import org.apache.polaris.core.config.RealmConfig; +import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntityConstants; +import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; +import org.apache.polaris.extension.auth.ranger.utils.RangerUtils; +import org.apache.ranger.authz.api.RangerAuthorizer; +import org.apache.ranger.authz.api.RangerAuthzException; +import org.apache.ranger.authz.embedded.RangerEmbeddedAuthorizer; +import org.apache.ranger.authz.model.RangerAccessContext; +import org.apache.ranger.authz.model.RangerAccessInfo; +import org.apache.ranger.authz.model.RangerAuthzResult; +import org.apache.ranger.authz.model.RangerMultiAuthzRequest; +import org.apache.ranger.authz.model.RangerMultiAuthzResult; +import org.apache.ranger.authz.model.RangerUserInfo; +import org.jspecify.annotations.NonNull; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** Authorizes operations based on policies defined in Apache Ranger. */ +public class RangerPolarisAuthorizer implements PolarisAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(RangerPolarisAuthorizer.class); + + public static final String SERVICE_TYPE = "polaris"; + public static final String SERVICE_NAME_PROPERTY = "ranger.plugin.polaris.service.name"; + + private static final String OPERATION_NOT_ALLOWED_FOR_USER_ERROR = + "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE"; + private static final String ROOT_PRINCIPLE_NEEDED_ERROR = + "Principal '%s' is not authorized for op %s as only root principal can perform this operation"; + private static final String RANGER_AUTH_FAILED_ERROR = + "Principal '%s' is not authorized for op '%s'"; + private static final String RANGER_UNSUPPORTED_OPERATION = + "Operation %s is not supported by Ranger authorizer"; + + private static final Set<PolarisAuthorizableOperation> AUTHORIZED_OPERATIONS = + initAuthorizedOperations(); + + private final RealmConfig realmConfig; + private final RangerAuthorizer authorizer; + private final String serviceName; + + public RangerPolarisAuthorizer(RangerPolarisAuthorizerConfig config, RealmConfig realmConfig) { + LOG.info("Initializing RangerPolarisAuthorizer"); + + Properties rangerProp = RangerUtils.loadProperties(config.configFileName().get()); + + this.realmConfig = realmConfig; + this.authorizer = new RangerEmbeddedAuthorizer(rangerProp); + this.serviceName = rangerProp.getProperty(SERVICE_NAME_PROPERTY); + + try { + authorizer.init(); + } catch (RangerAuthzException t) { + LOG.error("Failed to initialize RangerPolarisAuthorizer", t); + throw new RuntimeException(t); + } + + LOG.info("RangerPolarisAuthorizer initialized successfully"); + } + + @Override + public void resolveAuthorizationInputs( + @NonNull AuthorizationState authzState, @NonNull AuthorizationRequest request) { + throw new UnsupportedOperationException( + "resolveAuthorizationInputs is not implemented yet for RangerPolarisAuthorizer"); + } + + @Override + public @NonNull AuthorizationDecision authorize( + @NonNull AuthorizationState authzState, @NonNull AuthorizationRequest request) { + throw new UnsupportedOperationException( + "authorize is not implemented yet for RangerPolarisAuthorizer"); + } + + @Override + public void authorizeOrThrow( + @Nonnull PolarisPrincipal polarisPrincipal, + @Nonnull Set<PolarisBaseEntity> activatedEntities, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable PolarisResolvedPathWrapper target, + @Nullable PolarisResolvedPathWrapper secondary) { + authorizeOrThrow( + polarisPrincipal, + activatedEntities, + authzOp, + target == null ? null : List.of(target), + secondary == null ? null : List.of(secondary)); + } + + @Override + public void authorizeOrThrow( + @Nonnull PolarisPrincipal polarisPrincipal, + @Nonnull Set<PolarisBaseEntity> activatedEntities, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable List<PolarisResolvedPathWrapper> targets, + @Nullable List<PolarisResolvedPathWrapper> secondaries) { + try { + if (authzOp == PolarisAuthorizableOperation.ROTATE_CREDENTIALS) { Review Comment: @flyingImer - yes, it makes sense to require the caller to have permission to rotate-credentials. Will update to address this. Should a principal be implicitly allowed to roate their own credentials? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
