abstract function
xunliu committed Aug 21, 2024
1 parent 8404594 commit 08d7045
Showing 3 changed files with 61 additions and 85 deletions.
Expand Up @@ -35,9 +35,7 @@
import org.apache.gravitino.authorization.Privilege;
import org.apache.gravitino.authorization.Role;
import org.apache.gravitino.authorization.RoleChange;
import org.apache.gravitino.authorization.SecurableObjects;
import org.apache.gravitino.authorization.User;
import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
import org.apache.gravitino.authorization.ranger.reference.VXGroup;
import org.apache.gravitino.authorization.ranger.reference.VXGroupList;
import org.apache.gravitino.authorization.ranger.reference.VXUser;
Expand Down Expand Up @@ -185,34 +183,32 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n
throws RuntimeException {
RangerHelper.check(newOwner != null, "The newOwner must be not null");

if (newOwner != null) {
// Add the user or group to the Ranger
AuditInfo auditInfo =
AuditInfo.builder()
.withCreator(PrincipalUtils.getCurrentPrincipal().getName())
.withCreateTime(Instant.now())
// Add the user or group to the Ranger
AuditInfo auditInfo =
AuditInfo.builder()
.withCreator(PrincipalUtils.getCurrentPrincipal().getName())
.withCreateTime(Instant.now())
.build();
if (newOwner.type() == Owner.Type.USER) {
UserEntity userEntity =
UserEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
if (newOwner.type() == Owner.Type.USER) {
UserEntity userEntity =
UserEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onUserAdded(userEntity);
} else {
GroupEntity groupEntity =
GroupEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onGroupAdded(groupEntity);
}
onUserAdded(userEntity);
} else {
GroupEntity groupEntity =
GroupEntity.builder()
.withId(1L)
.withName(newOwner.name())
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onGroupAdded(groupEntity);
}

RangerPolicy policy = rangerHelper.findManagedPolicy(metadataObject);
Expand Down Expand Up @@ -444,30 +440,7 @@ private boolean doAddSecurableObject(RoleChange.AddSecurableObject change) {
return true;
}
} else {
policy = new RangerPolicy();
policy.setService(rangerServiceName);
policy.setName(change.getSecurableObject().fullName());
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));

List<String> nsMetadataObject =
Lists.newArrayList(
SecurableObjects.DOT_SPLITTER.splitToList(change.getSecurableObject().fullName()));
if (nsMetadataObject.size() > 4) {
// The max level of the securable object is `catalog.db.table.column`
throw new RuntimeException("The securable object than 4");
}
nsMetadataObject.remove(0); // remove `catalog`

List<String> rangerDefinesList =
Lists.newArrayList(
RangerDefines.RESOURCE_DATABASE,
RangerDefines.RESOURCE_TABLE,
RangerDefines.RESOURCE_COLUMN);
for (int i = 0; i < nsMetadataObject.size(); i++) {
RangerPolicy.RangerPolicyResource policyResource =
new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
policy.getResources().put(rangerDefinesList.get(i), policyResource);
}
policy = rangerHelper.createPolicyAddResources(change.getSecurableObject());
}

rangerHelper.addPolicyItem(policy, change.getRoleName(), change.getSecurableObject());
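Review bot: In the rewritten onOwnerSet body the `else` branch registers every owner whose type is not `Owner.Type.USER` as a Ranger group, so any future third `Owner.Type` value would silently be mapped onto group ownership; an explicit `} else if (newOwner.type() == Owner.Type.GROUP) {` followed by a final `else` that throws `IllegalArgumentException` would fail closed instead. The UserEntity and GroupEntity built here also carry a fixed `.withId(1L)` and empty role lists, which looks like a placeholder because only the name appears to be consumed by onUserAdded/onGroupAdded; a comment such as `// Placeholder id/roles: only the name is used to register the principal in Ranger -- confirm` would keep a reader from taking 1L for a real entity id. The doAddSecurableObject hunk now delegates to `rangerHelper.createPolicyAddResources`, which is declared `protected` in RangerHelper, so the call presumably relies on both classes sharing a package. onOwnerSet and doAddSecurableObject both continue outside their hunks.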
Expand Up @@ -55,8 +55,8 @@
*/
public class RangerHelper {
private static final Logger LOG = LoggerFactory.getLogger(RangerHelper.class);
public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO";

public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO";
RangerAuthorizationPlugin rangerAuthorizationPlugin;

/** Mapping Gravitino privilege name to the underlying authorization system privileges. */
Expand Down Expand Up @@ -253,7 +253,7 @@ void removePolicyItem(RangerPolicy policy, String roleName, SecurableObject secu
if (matchPrivilege
&& !policyItem.getUsers().isEmpty()
&& !policyItem.getGroups().isEmpty()) {
// Not ownership policy item, then remove the role
// We can only remove this policy item if there are no users or groups
policyItem.getRoles().removeIf(roleName::equals);
}
});
Expand Down Expand Up @@ -301,19 +301,19 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject)
List<String> nsMetadataObj =
Lists.newArrayList(SecurableObjects.DOT_SPLITTER.splitToList(metadataObject.fullName()));
nsMetadataObj.remove(0); // skip `catalog`
Map<String, String> policyFilter = new HashMap<>();
Map<String, String> preciseFilterKeysFilter = new HashMap<>();
policyFilter.put(
Map<String, String> searchFilters = new HashMap<>();
Map<String, String> preciseFilters = new HashMap<>();
searchFilters.put(
RangerDefines.SEARCH_FILTER_SERVICE_NAME, rangerAuthorizationPlugin.rangerServiceName);
policyFilter.put(SearchFilter.POLICY_LABELS_PARTIAL, MANAGED_BY_GRAVITINO);
searchFilters.put(SearchFilter.POLICY_LABELS_PARTIAL, MANAGED_BY_GRAVITINO);
for (int i = 0; i < nsMetadataObj.size(); i++) {
policyFilter.put(policySearchKeys.get(i), nsMetadataObj.get(i));
preciseFilterKeysFilter.put(policyPreciseFilterKeys.get(i), nsMetadataObj.get(i));
searchFilters.put(policySearchKeys.get(i), nsMetadataObj.get(i));
preciseFilters.put(policyPreciseFilterKeys.get(i), nsMetadataObj.get(i));
}

try {
List<RangerPolicy> policies =
rangerAuthorizationPlugin.rangerClient.findPolicies(policyFilter);
rangerAuthorizationPlugin.rangerClient.findPolicies(searchFilters);

if (!policies.isEmpty()) {
/**
Expand All @@ -329,12 +329,12 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject)
policy.getResources().entrySet().stream()
.allMatch(
entry ->
preciseFilterKeysFilter.containsKey(entry.getKey())
preciseFilters.containsKey(entry.getKey())
&& entry.getValue().getValues().size() == 1
&& entry
.getValue()
.getValues()
.contains(preciseFilterKeysFilter.get(entry.getKey()))))
.contains(preciseFilters.get(entry.getKey()))))
.collect(Collectors.toList());
}

Expand All @@ -344,14 +344,15 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject)
"Each metadata object only have one Gravitino management enable policies.");
}

RangerPolicy policy = policies.size() == 1 ? policies.get(0) : null;
// Delegating Gravitino management policies cannot contain duplicate privilege
if (policy != null) {
policy.getPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getDenyPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getRowFilterPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getDataMaskPolicyItems().forEach(this::checkPolicyItemAccess);
if (policies.isEmpty()) {
return null;
}
RangerPolicy policy = policies.get(0);
// Delegating Gravitino management policies cannot contain duplicate privilege
policy.getPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getDenyPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getRowFilterPolicyItems().forEach(this::checkPolicyItemAccess);
policy.getDataMaskPolicyItems().forEach(this::checkPolicyItemAccess);

return policy;
} catch (RangerServiceException e) {
Expand All @@ -361,14 +362,10 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject)

protected boolean checkRangerRole(String roleName) throws AuthorizationPluginException {
try {
RangerRole role =
rangerAuthorizationPlugin.rangerClient.getRole(
roleName,
rangerAuthorizationPlugin.rangerAdminName,
rangerAuthorizationPlugin.rangerServiceName);
if (role == null) {
return false;
}
rangerAuthorizationPlugin.rangerClient.getRole(
roleName,
rangerAuthorizationPlugin.rangerAdminName,
rangerAuthorizationPlugin.rangerServiceName);
} catch (RangerServiceException e) {
throw new AuthorizationPluginException(e);
}
Expand Down Expand Up @@ -481,7 +478,7 @@ protected void updatePolicyOwner(RangerPolicy policy, Owner preOwner, Owner newO
});
}

protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner newOwner) {
protected RangerPolicy createPolicyAddResources(MetadataObject metadataObject) {
RangerPolicy policy = new RangerPolicy();
policy.setService(rangerAuthorizationPlugin.rangerServiceName);
policy.setName(metadataObject.fullName());
Expand All @@ -494,7 +491,7 @@ protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner
throw new RuntimeException("The securable object than 4");
}

List<String> rangerDefinesList =
List<String> rangerResourceDefs =
Lists.newArrayList(
RangerDefines.RESOURCE_DATABASE,
RangerDefines.RESOURCE_TABLE,
Expand All @@ -503,8 +500,13 @@ protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner
for (int i = 0; i < nsMetadataObject.size(); i++) {
RangerPolicy.RangerPolicyResource policyResource =
new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
policy.getResources().put(rangerDefinesList.get(i), policyResource);
policy.getResources().put(rangerResourceDefs.get(i), policyResource);
}
return policy;
}

protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner newOwner) {
RangerPolicy policy = createPolicyAddResources(metadataObject);

ownerPrivileges.stream()
.forEach(
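Review bot: In removePolicyItem the new comment `// We can only remove this policy item if there are no users or groups` contradicts the condition directly above it, which fires only when `!policyItem.getUsers().isEmpty() && !policyItem.getGroups().isEmpty()`, i.e. when both lists are non-empty; one of the two is wrong, and because this guard decides whether a revoked role is actually dropped from the Ranger policy item, an inverted condition would leave the privilege in place after revocation. If the comment states the intent, the condition should read `policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty()`; otherwise keep a comment that matches the code, such as the previous `// Not ownership policy item, then remove the role`. Separately, checkRangerRole now returns true whenever `getRole` returns without throwing; if the Ranger client can return null for a missing role instead of raising RangerServiceException, the removed `if (role == null) return false;` was what made this an existence check, so that assumption is worth confirming against the client. Both methods continue outside their hunks.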
Expand Up @@ -255,9 +255,10 @@ protected static void updateOrCreateRangerPolicy(
try {
List<RangerPolicy> policies = rangerClient.findPolicies(policyFilter);
if (!policies.isEmpty()) {
// Because Ranger user the wildcard filter, Ranger will return the policy meets
// the wildcard(*,?) conditions, just like `*.*.*` policy will match `db1.table1.column1`
// So we need to manually precise filter the policies.
// Because Ranger doesn't support the precise search, Ranger will return the policy meets
// the wildcard(*,?) conditions, If you use `db.table` condition to search policy, the
// Ranger will match `db1.table1`, `db1.table2`, `db*.table*`, So we need to manually
// precisely filter this research results.
policies =
policies.stream()
.filter(
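Review bot: The rewritten comment above the precise filter is hard to read: `this research results` should be `these search results`, and the four-line run-on sentence buries the one fact a reader needs, namely that Ranger search is wildcard-based so the returned list is a superset. A shorter form such as `// Ranger search is wildcard (*, ?) based, so a db.table filter also returns db1.table1 and db*.table*; filter the results precisely here.` says the same thing in one sentence. updateOrCreateRangerPolicy starts before and ends after this hunk.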
