Merge branch 'main' of github.com:theoryxu/gravitino into feature_4370
theoryxu committed Sep 19, 2024
2 parents 7a79bf6 + 7c10cde commit 825fafa
Showing 247 changed files with 5,047 additions and 3,490 deletions.
1 change: 1 addition & 0 deletions LICENSE.bin
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,7 @@
Apache Hadoop Auth
Apache Hadoop Client Aggregator
Apache Hadoop Common
Apache Hadoop HDFS
Apache Hadoop HDFS Client
Apache Hadoop MapReduce Common
Apache Hadoop MapReduce Core
Expand Down
6 changes: 5 additions & 1 deletion authorizations/authorization-ranger/build.gradle.kts
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ tasks {
}

val copyAuthorizationLibs by registering(Copy::class) {
dependsOn("jar", "runtimeJars")
dependsOn("jar", runtimeJars)
from("build/libs") {
exclude("guava-*.jar")
exclude("log4j-*.jar")
Expand All @@ -108,6 +108,10 @@ tasks {
register("copyLibAndConfig", Copy::class) {
dependsOn(copyAuthorizationLibs)
}

jar {
dependsOn(runtimeJars)
}
}

tasks.test {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,11 @@ public String shortName() {

@Override
protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) {
return new RangerAuthorizationPlugin(catalogProvider, config);
switch (catalogProvider) {
case "hive":
return RangerAuthorizationHivePlugin.getInstance(config);
default:
throw new IllegalArgumentException("Unknown catalog provider: " + catalogProvider);
}
}
}
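Review bot: `switch (catalogProvider)` throws a NullPointerException when catalogProvider is null, so the IllegalArgumentException in the default branch never fires for the missing-provider case; a guard ahead of the switch, `if (catalogProvider == null) { throw new IllegalArgumentException("catalogProvider must not be null"); }`, keeps the failure mode uniform for callers. The match is also case-sensitive, so a provider written as `Hive` is rejected — if provider names are normalised before reaching newPlugin that is fine, otherwise `switch (catalogProvider.toLowerCase(Locale.ROOT))` is cheap. The enclosing class starts outside the hunk.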
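--- /dev/null
+++ b/[dir-not-shown]/RangerAuthorizationHivePlugin.java
@@ -0,0 +1,75 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.gravitino.authorization.ranger;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.apache.gravitino.authorization.Privilege;
+import org.apache.gravitino.authorization.ranger.RangerPrivilege.RangerHivePrivilege;
+import org.apache.gravitino.authorization.ranger.reference.RangerDefines.PolicyResource;
+
+public class RangerAuthorizationHivePlugin extends RangerAuthorizationPlugin {
+private static volatile RangerAuthorizationHivePlugin instance = null;
+
+private RangerAuthorizationHivePlugin(Map<String, String> config) {
+super(config);
+}
+
+public static synchronized RangerAuthorizationHivePlugin getInstance(Map<String, String> config) {
+if (instance == null) {
+synchronized (RangerAuthorizationHivePlugin.class) {
+if (instance == null) {
+instance = new RangerAuthorizationHivePlugin(config);
+}
+}
+}
+return instance;
+}
+
+/** Set the default mapping Gravitino privilege name to the Ranger rule */
+public Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule() {
+return ImmutableMap.of(
+Privilege.Name.CREATE_SCHEMA,
+ImmutableSet.of(RangerHivePrivilege.CREATE),
+Privilege.Name.CREATE_TABLE,
+ImmutableSet.of(RangerHivePrivilege.CREATE),
+Privilege.Name.MODIFY_TABLE,
+ImmutableSet.of(
+RangerHivePrivilege.UPDATE, RangerHivePrivilege.ALTER, RangerHivePrivilege.WRITE),
+Privilege.Name.SELECT_TABLE,
+ImmutableSet.of(RangerHivePrivilege.READ, RangerHivePrivilege.SELECT));
+}
+
+/** Set the default owner rule. */
+public Set<RangerPrivilege> ownerMappingRule() {
+return ImmutableSet.of(RangerHivePrivilege.ALL);
+}
+
+/** Set Ranger policy resource rule. */
+public List<String> policyResourceDefinesRule() {
+return ImmutableList.of(
+PolicyResource.DATABASE.getName(),
+PolicyResource.TABLE.getName(),
+PolicyResource.COLUMN.getName());
+}
+}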
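Review bot: getInstance() at the `if (instance == null)` block builds the plugin from the first config it receives and ignores every later one, so a second Hive catalog configured with a different Ranger admin URL, credentials or service name would silently share the first catalog's client and have its policies managed in the wrong Ranger service. Since newPlugin() in the provider appears to be invoked once per catalog with that catalog's config, the singleton should either be dropped or keyed by config, or at minimum keep the config it was built with and throw an IllegalStateException when a later call passes a different one. The inner `synchronized (RangerAuthorizationHivePlugin.class)` block is redundant inside a `static synchronized` method, which already holds the class monitor, so one of the two locks (and the `volatile`) can go. The three rule methods look like implementations of RangerPrivilegesMappingProvider and should carry `@Override`, and their Javadoc describes a return, not a set, e.g. `/** Returns the default mapping from Gravitino privilege names to Ranger privileges. */`.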
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.time.Instant;
import java.util.Collections;
Expand Down Expand Up @@ -63,18 +62,16 @@
* 4. The Ranger policy also supports multiple users and groups, But we only use a user or group to
* implement Gravitino Owner concept. <br>
*/
public class RangerAuthorizationPlugin implements AuthorizationPlugin {
public abstract class RangerAuthorizationPlugin
implements AuthorizationPlugin, RangerPrivilegesMappingProvider {
private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationPlugin.class);

protected String catalogProvider;
protected String rangerServiceName;
protected RangerClientExtend rangerClient;
private RangerHelper rangerHelper;
protected final String rangerServiceName;
protected final RangerClientExtension rangerClient;
private final RangerHelper rangerHelper;
@VisibleForTesting public final String rangerAdminName;

public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> config) {
super();
this.catalogProvider = catalogProvider;
protected RangerAuthorizationPlugin(Map<String, String> config) {
String rangerUrl = config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL);
String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE);
rangerAdminName = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME);
Expand All @@ -86,23 +83,26 @@ public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> con
RangerHelper.check(rangerAdminName != null, "Ranger username is required");
RangerHelper.check(password != null, "Ranger password is required");
RangerHelper.check(rangerServiceName != null, "Ranger service name is required");
rangerClient = new RangerClientExtend(rangerUrl, authType, rangerAdminName, password);
rangerHelper = new RangerHelper(this, catalogProvider);
rangerClient = new RangerClientExtension(rangerUrl, authType, rangerAdminName, password);

rangerHelper =
new RangerHelper(
rangerClient,
rangerAdminName,
rangerServiceName,
privilegesMappingRule(),
ownerMappingRule(),
policyResourceDefinesRule());
}

/**
* Translate the privilege name to the corresponding privilege name in the underlying permission
* Translate the privilege name to the corresponding privilege name in the Ranger
*
* @param name The privilege name to translate
* @return The corresponding privilege name in the underlying permission system
* @return The corresponding Ranger privilege name in the underlying permission system
*/
public Set<String> translatePrivilege(Privilege.Name name) {
return rangerHelper.privilegesMapping.get(name);
}

@VisibleForTesting
public List<String> getOwnerPrivileges() {
return Lists.newArrayList(rangerHelper.ownerPrivileges);
return rangerHelper.translatePrivilege(name);
}

/**
Expand Down Expand Up @@ -194,7 +194,8 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n
UserEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoles(Collections.emptyList())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onUserAdded(userEntity);
Expand All @@ -203,7 +204,8 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n
GroupEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoles(Collections.emptyList())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onGroupAdded(groupEntity);
Expand Down
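Review bot: The constructor at `rangerHelper = new RangerHelper(` calls the abstract methods privilegesMappingRule(), ownerMappingRule() and policyResourceDefinesRule() before any subclass constructor has run, so an implementation that derives its rules from fields initialised in its own constructor would hand nulls to RangerHelper. It works today only because RangerAuthorizationHivePlugin returns constant immutable collections; that contract belongs on the abstract class, e.g. `@implSpec The rule methods are invoked from this constructor and must not depend on subclass state.`, or RangerHelper should be built lazily on first use. The Javadoc at `@return The corresponding Ranger privilege name in the underlying permission system` is doubly qualified, and the method now returns the Set from rangerHelper.translatePrivilege, so `@return The corresponding Ranger privilege names` is more accurate. The constructor is split across the two hunks at the "Expand All" boundary, so the checks between them are not visible here.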
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,8 @@
* The class extends the RangerClient class and provides additional methods to create, search and
* delete users and groups
*/
public class RangerClientExtend extends RangerClient {
private static final Logger LOG = LoggerFactory.getLogger(RangerClientExtend.class);
public class RangerClientExtension extends RangerClient {
private static final Logger LOG = LoggerFactory.getLogger(RangerClientExtension.class);
private static final String URI_USER_BASE = "/service/xusers/users";
private static final String URI_USER_BY_ID = URI_USER_BASE + "/%d";
private static final String URI_GROUP_BASE = "/service/xusers/groups";
Expand Down Expand Up @@ -75,7 +75,7 @@ public class RangerClientExtend extends RangerClient {
// private void callAPI(API api, Map<String, String> params) throws RangerServiceException
private Method callAPIMethodNonResponse;

public RangerClientExtend(String hostName, String authType, String username, String password) {
public RangerClientExtension(String hostName, String authType, String username, String password) {
super(hostName, authType, username, password, null);

// initialize callAPI method
Expand Down
