diff --git a/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUserGroupMappingProvider.java b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/AuthorizationUserGroupMappingProvider.java similarity index 69% rename from core/src/main/java/org/apache/gravitino/authorization/AuthorizationUserGroupMappingProvider.java rename to authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/AuthorizationUserGroupMappingProvider.java index 3614386a3d7..08b48dc7850 100644 --- a/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUserGroupMappingProvider.java +++ b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/AuthorizationUserGroupMappingProvider.java @@ -18,13 +18,13 @@ * */ -package org.apache.gravitino.authorization; +package org.apache.gravitino.authorization.common; import java.util.Map; /** * The AuthorizationUserGroupMappingProvider interface defines the public API for mapping Gravitino - * users and groups to the underlying data source. + * users and groups to the that in underlying data source system. * *

Typically, the users and group names in Gravitino are the same as the underlying data source. * However, in some cases, the user and group names in Gravitino may be different from the @@ -42,14 +42,23 @@ public interface AuthorizationUserGroupMappingProvider { default void initialize(Map config) {} /** - * Get the username or group name from the underlying data source based on the Gravitino username - * or group name. For instance, in GCP IAM, the username is the email address or the service - * account. + * Get the username from the underlying data source based on the Gravitino username For instance, + * in GCP IAM, the username is the email address or the service account. * - * @param gravitinoUserGroup The Gravitino username. + * @param gravitinoUserName The Gravitino username. * @return The username from the underlying data source. */ - default String getUserGroupMapping(String gravitinoUserGroup) { - return gravitinoUserGroup; + default String getUserName(String gravitinoUserName) { + return gravitinoUserName; + } + + /** + * Get the group name from the underlying data source based on the Gravitino group name. + * + * @param gravitinoGroupName The Gravitino group name. + * @return The group name from the underlying data source. + */ + default String getGroupName(String gravitinoGroupName) { + return gravitinoGroupName; } } diff --git a/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java index ed67b1cc0fc..1c0ebdd0f9b 100644 --- a/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java +++ b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java 
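Review bot: The rewritten Javadoc summary on the added line, `users and groups to the that in underlying data source system.`, is ungrammatical and harder to read than the line it replaces. Something like `* users and groups to their counterparts in the underlying data source system.` keeps the intended meaning. The interface Javadoc continues outside this hunk.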
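Review bot: Neither `getUserName` nor `getGroupName` documents that its default implementation is the identity mapping, and `getUserGroupMapping` is removed without a deprecated bridge. An existing provider that overrode the old method without `@Override` would presumably still compile once its import is updated, then silently fall back to the identity mapping, so grants would be issued for unmapped principal names in the underlying system. I would add `* <p>The default implementation returns the Gravitino name unchanged.` to both Javadoc blocks and call out the removal in the upgrade notes. The first sentence of the `getUserName` Javadoc is also missing its full stop before `For instance`.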
@@ -32,7 +32,11 @@ public class PathBasedMetadataObject implements AuthorizationMetadataObject { */ public enum Type implements AuthorizationMetadataObject.Type { /** A path is mapped the path of storages like HDFS, S3 etc. */ - PATH(MetadataObject.Type.FILESET); + FILESET_PATH(MetadataObject.Type.FILESET), + TABLE_PATH(MetadataObject.Type.TABLE), + SCHEMA_PATH(MetadataObject.Type.SCHEMA), + CATALOG_PATH(MetadataObject.Type.CATALOG); + private final MetadataObject.Type metadataType; Type(MetadataObject.Type type) { @@ -87,7 +91,7 @@ public void validateAuthorizationMetadataObject() throws IllegalArgumentExceptio type != null, "Cannot create a path based metadata object with no type"); Preconditions.checkArgument( - type == PathBasedMetadataObject.Type.PATH, "it must be the PATH type"); + type == PathBasedMetadataObject.Type.FILESET_PATH, "it must be the PATH type"); for (String name : names) { Preconditions.checkArgument( diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java index bc3d309e1d1..38cc80b845d 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java 
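Review bot: The precondition in `validateAuthorizationMetadataObject` now accepts only `FILESET_PATH`, so an object built with the `TABLE_PATH`, `SCHEMA_PATH` or `CATALOG_PATH` constants added in the first hunk of this file can never pass validation, and the message still says `it must be the PATH type` although no `PATH` constant remains. The copy of this class deleted from `core` accepted `Type.FILESET || Type.TABLE`, so the narrower check looks unintended; if it is intended, it deserves a comment saying why the other constants exist. Otherwise widen it, for example `type instanceof PathBasedMetadataObject.Type, "it must be a path type"`, assuming the field is declared as `AuthorizationMetadataObject.Type` as in the deleted copy. The new constants also have no Javadoc of their own, since the existing `/** A path is mapped ... */` comment now attaches to `FILESET_PATH` only. Both the enum and the method continue outside the hunks.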
@@ -193,11 +193,11 @@ public List translatePrivilege(SecurableObject sec if (locationPath != null && !locationPath.isEmpty()) { PathBasedMetadataObject rangerPathBaseMetadataObject = new PathBasedMetadataObject( - locationPath, PathBasedMetadataObject.Type.PATH); + locationPath, PathBasedMetadataObject.Type.FILESET_PATH); rangerSecurableObjects.add( generateAuthorizationSecurableObject( rangerPathBaseMetadataObject.names(), - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, rangerPrivileges)); } } @@ -206,7 +206,7 @@ public List translatePrivilege(SecurableObject sec rangerSecurableObjects.add( generateAuthorizationSecurableObject( translateMetadataObject(securableObject).names(), - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, rangerPrivileges)); break; default: @@ -234,7 +234,7 @@ public List translatePrivilege(SecurableObject sec rangerSecurableObjects.add( generateAuthorizationSecurableObject( translateMetadataObject(securableObject).names(), - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, rangerPrivileges)); break; default: @@ -265,7 +265,7 @@ public List translateOwner(MetadataObject gravitin rangerSecurableObjects.add( generateAuthorizationSecurableObject( translateMetadataObject(gravitinoMetadataObject).names(), - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, ownerMappingRule())); break; default: 
@@ -294,17 +294,17 @@ public AuthorizationMetadataObject translateMetadataObject(MetadataObject metada case METALAKE: case CATALOG: rangerPathBaseMetadataObject = - new PathBasedMetadataObject("", PathBasedMetadataObject.Type.PATH); + new PathBasedMetadataObject("", PathBasedMetadataObject.Type.FILESET_PATH); break; case SCHEMA: rangerPathBaseMetadataObject = new PathBasedMetadataObject( - metadataObject.fullName(), PathBasedMetadataObject.Type.PATH); + metadataObject.fullName(), PathBasedMetadataObject.Type.FILESET_PATH); break; case FILESET: rangerPathBaseMetadataObject = new PathBasedMetadataObject( - getLocationPath(metadataObject), PathBasedMetadataObject.Type.PATH); + getLocationPath(metadataObject), PathBasedMetadataObject.Type.FILESET_PATH); break; default: throw new AuthorizationPluginException( diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerAuthorizationHDFSPluginIT.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerAuthorizationHDFSPluginIT.java index 4606fa68e70..bd5c1b9a484 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerAuthorizationHDFSPluginIT.java +++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerAuthorizationHDFSPluginIT.java 
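Review bot: `translateMetadataObject` still tags every result as `FILESET_PATH`, including the `SCHEMA` branch and the empty-path object returned for `METALAKE` and `CATALOG`, even though this commit introduces `SCHEMA_PATH` and `CATALOG_PATH`. If that is deliberate because validation only admits `FILESET_PATH`, a comment such as `// HDFS plugin: every securable object is expressed as a fileset path` above the switch would say so. The empty path is worth a second comment stating what callers do with it, since I cannot tell from this hunk whether it yields no policy resource or one that matches more than intended. The method starts and ends outside the hunk.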
@@ -56,19 +56,20 @@ public void testTranslateMetadataObject() { MetadataObject metalake = MetadataObjects.parse(String.format("metalake1"), MetadataObject.Type.METALAKE); Assertions.assertEquals( - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, rangerAuthPlugin.translateMetadataObject(metalake).type()); MetadataObject catalog = MetadataObjects.parse(String.format("catalog1"), MetadataObject.Type.CATALOG); Assertions.assertEquals( - PathBasedMetadataObject.Type.PATH, + PathBasedMetadataObject.Type.FILESET_PATH, rangerAuthPlugin.translateMetadataObject(catalog).type()); MetadataObject schema = MetadataObjects.parse(String.format("catalog1.schema1"), MetadataObject.Type.SCHEMA); Assertions.assertEquals( - PathBasedMetadataObject.Type.PATH, rangerAuthPlugin.translateMetadataObject(schema).type()); + PathBasedMetadataObject.Type.FILESET_PATH, + rangerAuthPlugin.translateMetadataObject(schema).type()); MetadataObject table = MetadataObjects.parse(String.format("catalog1.schema1.tab1"), MetadataObject.Type.TABLE); @@ -81,7 +82,7 @@ public void testTranslateMetadataObject() { AuthorizationMetadataObject rangerFileset = rangerAuthPlugin.translateMetadataObject(fileset); Assertions.assertEquals(1, rangerFileset.names().size()); Assertions.assertEquals("/test", rangerFileset.fullName()); - Assertions.assertEquals(PathBasedMetadataObject.Type.PATH, rangerFileset.type()); + Assertions.assertEquals(PathBasedMetadataObject.Type.FILESET_PATH, rangerFileset.type()); } @Test @@ -136,7 +137,8 @@ public void testTranslatePrivilege() { filesetInFileset1.forEach( securableObject -> { - Assertions.assertEquals(PathBasedMetadataObject.Type.PATH, securableObject.type()); + Assertions.assertEquals( + PathBasedMetadataObject.Type.FILESET_PATH, securableObject.type()); Assertions.assertEquals("/test", securableObject.fullName()); Assertions.assertEquals(2, securableObject.privileges().size()); }); 
@@ -165,7 +167,7 @@ public void testTranslateOwner() { List filesetOwner = rangerAuthPlugin.translateOwner(fileset); Assertions.assertEquals(1, filesetOwner.size()); Assertions.assertEquals("/test", filesetOwner.get(0).fullName()); - Assertions.assertEquals(PathBasedMetadataObject.Type.PATH, filesetOwner.get(0).type()); + Assertions.assertEquals(PathBasedMetadataObject.Type.FILESET_PATH, filesetOwner.get(0).type()); Assertions.assertEquals(3, filesetOwner.get(0).privileges().size()); } } diff --git a/core/src/main/java/org/apache/gravitino/authorization/PathBasedMetadataObject.java b/core/src/main/java/org/apache/gravitino/authorization/PathBasedMetadataObject.java deleted file mode 100644 index 0be88d2f1b0..00000000000 --- a/core/src/main/java/org/apache/gravitino/authorization/PathBasedMetadataObject.java +++ /dev/null 
@@ -1,116 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.gravitino.authorization; - -import com.google.common.base.Preconditions; -import com.google.common.collect.ImmutableList; -import java.util.List; -import javax.annotation.Nullable; -import org.apache.gravitino.MetadataObject; - -public class PathBasedMetadataObject implements AuthorizationMetadataObject { - /** - * The type of object in the Ranger system. Every type will map one kind of the entity of the - * Gravitino type system. - */ - public enum Type implements AuthorizationMetadataObject.Type { - /** A path is mapped the path of storages like HDFS, S3 etc. 
*/ - FILESET(MetadataObject.Type.FILESET), - TABLE(MetadataObject.Type.TABLE), - SCHEMA(MetadataObject.Type.SCHEMA), - CATALOG(MetadataObject.Type.CATALOG); - - private final MetadataObject.Type metadataType; - - Type(MetadataObject.Type type) { - this.metadataType = type; - } - - public MetadataObject.Type metadataObjectType() { - return metadataType; - } - - public static PathBasedMetadataObject.Type fromMetadataType(MetadataObject.Type metadataType) { - for (PathBasedMetadataObject.Type type : PathBasedMetadataObject.Type.values()) { - if (type.metadataObjectType() == metadataType) { - return type; - } - } - throw new IllegalArgumentException( - "No matching RangerMetadataObject.Type for " + metadataType); - } - } - - /** - * The path of the object. It can be a file path, table path, like 'hdfs://ip:/path', - * 's3://bucket/path', 'hive://database/table', 'gs://path...' etc. - */ - private final String path; - - private final AuthorizationMetadataObject.Type type; - - public PathBasedMetadataObject(String path, AuthorizationMetadataObject.Type type) { - this.path = path; - this.type = type; - } - - public String getPath() { - return path; - } - - @Nullable - @Override - public String parent() { - return null; - } - - @Override - public String name() { - return this.path; - } - - @Override - public List names() { - return ImmutableList.of(this.path); - } - - @Override - public AuthorizationMetadataObject.Type type() { - return this.type; - } - - @Override - public void validateAuthorizationMetadataObject() throws IllegalArgumentException { - List names = names(); - Preconditions.checkArgument( - names != null && !names.isEmpty(), "Cannot create a Ranger metadata object with no names"); - Preconditions.checkArgument( - names.size() == 1, - "Cannot create a Ranger metadata object with the name length which is 1"); - Preconditions.checkArgument( - type != null, "Cannot create a Ranger metadata object with no type"); - - Preconditions.checkArgument( - type == 
Type.FILESET || type == Type.TABLE, "it must be the PATH type"); - - for (String name : names) { - Preconditions.checkArgument(name != null, "Cannot create a metadata object with null name"); - } - } -} diff --git a/core/src/main/java/org/apache/gravitino/authorization/PathBasedSecurableObject.java b/core/src/main/java/org/apache/gravitino/authorization/PathBasedSecurableObject.java deleted file mode 100644 index 1b7676b6e4f..00000000000 --- a/core/src/main/java/org/apache/gravitino/authorization/PathBasedSecurableObject.java +++ /dev/null @@ -1,39 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - * - */ -package org.apache.gravitino.authorization; - -import java.util.List; - -public class PathBasedSecurableObject extends PathBasedMetadataObject - implements AuthorizationSecurableObject { - - private final List privileges; - - public PathBasedSecurableObject( - String path, AuthorizationMetadataObject.Type type, List privileges) { - super(path, type); - this.privileges = privileges; - } - - @Override - public List privileges() { - return privileges; - } -}