From 08d70450e9e3cf720023dd9e110ba1b9869e6753 Mon Sep 17 00:00:00 2001 From: xunliu Date: Wed, 21 Aug 2024 20:18:41 +0800 Subject: [PATCH] abstract function --- .../ranger/RangerAuthorizationPlugin.java | 79 ++++++------------- .../authorization/ranger/RangerHelper.java | 60 +++++++------- .../ranger/integration/test/RangerITEnv.java | 7 +- 3 files changed, 61 insertions(+), 85 deletions(-) diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java index 0c3ed698b6b..86455366c24 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java @@ -35,9 +35,7 @@ import org.apache.gravitino.authorization.Privilege; import org.apache.gravitino.authorization.Role; import org.apache.gravitino.authorization.RoleChange; -import org.apache.gravitino.authorization.SecurableObjects; import org.apache.gravitino.authorization.User; -import org.apache.gravitino.authorization.ranger.reference.RangerDefines; import org.apache.gravitino.authorization.ranger.reference.VXGroup; import org.apache.gravitino.authorization.ranger.reference.VXGroupList; import org.apache.gravitino.authorization.ranger.reference.VXUser; 
@@ -185,34 +183,32 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n throws RuntimeException { RangerHelper.check(newOwner != null, "The newOwner must be not null"); - if (newOwner != null) { - // Add the user or group to the Ranger - AuditInfo auditInfo = - AuditInfo.builder() - .withCreator(PrincipalUtils.getCurrentPrincipal().getName()) - .withCreateTime(Instant.now()) + // Add the user or group to the Ranger + AuditInfo auditInfo = + AuditInfo.builder() + .withCreator(PrincipalUtils.getCurrentPrincipal().getName()) + .withCreateTime(Instant.now()) + .build(); + if (newOwner.type() == Owner.Type.USER) { + UserEntity userEntity = + UserEntity.builder() + .withId(1L) + .withName(newOwner.name()) + .withRoleNames(Collections.emptyList()) + .withRoleIds(Collections.emptyList()) + .withAuditInfo(auditInfo) .build(); - if (newOwner.type() == Owner.Type.USER) { - UserEntity userEntity = - UserEntity.builder() - .withId(1L) - .withName(newOwner.name()) - .withRoleNames(Collections.emptyList()) - .withRoleIds(Collections.emptyList()) - .withAuditInfo(auditInfo) - .build(); - onUserAdded(userEntity); - } else { - GroupEntity groupEntity = - GroupEntity.builder() - .withId(1L) - .withName(newOwner.name()) - .withRoleNames(Collections.emptyList()) - .withRoleIds(Collections.emptyList()) - .withAuditInfo(auditInfo) - .build(); - onGroupAdded(groupEntity); - } + onUserAdded(userEntity); + } else { + GroupEntity groupEntity = + GroupEntity.builder() + .withId(1L) + .withName(newOwner.name()) + .withRoleNames(Collections.emptyList()) + .withRoleIds(Collections.emptyList()) + .withAuditInfo(auditInfo) + .build(); + onGroupAdded(groupEntity); } RangerPolicy policy = rangerHelper.findManagedPolicy(metadataObject); 
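Review bot: The `else` branch of the re-indented owner handling treats every non-USER owner type as a group, so any new `Owner.Type` value would silently be registered in Ranger as a group; in an authorization plugin that should be an explicit failure rather than a fallback. If `Owner.Type` has a GROUP constant, make the second branch `} else if (newOwner.type() == Owner.Type.GROUP) {` and finish with `} else { throw new IllegalArgumentException("Unsupported owner type: " + newOwner.type()); }`. The dropped `if (newOwner != null)` is fine only if `RangerHelper.check` throws on a false condition, which the hunk does not show. `onOwnerSet` continues past the end of the hunk.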
@@ -444,30 +440,7 @@ private boolean doAddSecurableObject(RoleChange.AddSecurableObject change) {
 return true;
 }
 } else {
- policy = new RangerPolicy();
- policy.setService(rangerServiceName);
- policy.setName(change.getSecurableObject().fullName());
- policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
-
- List nsMetadataObject =
- Lists.newArrayList(
- SecurableObjects.DOT_SPLITTER.splitToList(change.getSecurableObject().fullName()));
- if (nsMetadataObject.size() > 4) {
- // The max level of the securable object is `catalog.db.table.column`
- throw new RuntimeException("The securable object than 4");
- }
- nsMetadataObject.remove(0); // remove `catalog`
-
- List rangerDefinesList =
- Lists.newArrayList(
- RangerDefines.RESOURCE_DATABASE,
- RangerDefines.RESOURCE_TABLE,
- RangerDefines.RESOURCE_COLUMN);
- for (int i = 0; i < nsMetadataObject.size(); i++) {
- RangerPolicy.RangerPolicyResource policyResource =
- new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
- policy.getResources().put(rangerDefinesList.get(i), policyResource);
- }
+ policy = rangerHelper.createPolicyAddResources(change.getSecurableObject());
 }
 
 rangerHelper.addPolicyItem(policy, change.getRoleName(), change.getSecurableObject());
diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
index 6df19eb642f..3082c567198 100644
--- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
+++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
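Review bot: The inline code this hunk removes tagged the new policy with `policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO))`, and that label is exactly what `findManagedPolicy` searches on (`SearchFilter.POLICY_LABELS_PARTIAL`), but the visible start of `createPolicyAddResources` in RangerHelper shows only `setService` and `setName`. If the helper does not apply the same label, the policy created here will never be found again and the next grant on the same object would create a duplicate policy, so please confirm the label is set in the helper and add an assertion for it in the Ranger IT. The rest of `doAddSecurableObject`, including where the policy is persisted, lies outside the hunk.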
@@ -55,8 +55,8 @@ */ public class RangerHelper { private static final Logger LOG = LoggerFactory.getLogger(RangerHelper.class); - public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO"; + public static final String MANAGED_BY_GRAVITINO = "MANAGED_BY_GRAVITINO"; RangerAuthorizationPlugin rangerAuthorizationPlugin; /** Mapping Gravitino privilege name to the underlying authorization system privileges. */ @@ -253,7 +253,7 @@ void removePolicyItem(RangerPolicy policy, String roleName, SecurableObject secu if (matchPrivilege && !policyItem.getUsers().isEmpty() && !policyItem.getGroups().isEmpty()) { - // Not ownership policy item, then remove the role + // We can only remove this policy item if there are no users or groups policyItem.getRoles().removeIf(roleName::equals); } }); 
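Review bot: In the `removePolicyItem` hunk the new comment says the role can only be removed when there are no users or groups, but the condition it annotates is `!policyItem.getUsers().isEmpty() && !policyItem.getGroups().isEmpty()`, which removes the role only when both lists are non-empty; one of the two is wrong. If the comment states the intent, the check should read `if (matchPrivilege && policyItem.getUsers().isEmpty() && policyItem.getGroups().isEmpty()) {`. This branch is what revokes a role's privilege from a Gravitino-managed policy item, so a wrong condition leaves revoked privileges in Ranger, and either way it deserves a test that revokes and then reads the policy back. The first hunk's removed and added `MANAGED_BY_GRAVITINO` lines are textually identical, so that change appears to be whitespace only. `removePolicyItem` begins before the hunk.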
@@ -301,19 +301,19 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject) List nsMetadataObj = Lists.newArrayList(SecurableObjects.DOT_SPLITTER.splitToList(metadataObject.fullName())); nsMetadataObj.remove(0); // skip `catalog` - Map policyFilter = new HashMap<>(); - Map preciseFilterKeysFilter = new HashMap<>(); - policyFilter.put( + Map searchFilters = new HashMap<>(); + Map preciseFilters = new HashMap<>(); + searchFilters.put( RangerDefines.SEARCH_FILTER_SERVICE_NAME, rangerAuthorizationPlugin.rangerServiceName); - policyFilter.put(SearchFilter.POLICY_LABELS_PARTIAL, MANAGED_BY_GRAVITINO); + searchFilters.put(SearchFilter.POLICY_LABELS_PARTIAL, MANAGED_BY_GRAVITINO); for (int i = 0; i < nsMetadataObj.size(); i++) { - policyFilter.put(policySearchKeys.get(i), nsMetadataObj.get(i)); - preciseFilterKeysFilter.put(policyPreciseFilterKeys.get(i), nsMetadataObj.get(i)); + searchFilters.put(policySearchKeys.get(i), nsMetadataObj.get(i)); + preciseFilters.put(policyPreciseFilterKeys.get(i), nsMetadataObj.get(i)); } try { List policies = - rangerAuthorizationPlugin.rangerClient.findPolicies(policyFilter); + rangerAuthorizationPlugin.rangerClient.findPolicies(searchFilters); if (!policies.isEmpty()) { /** @@ -329,12 +329,12 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject) policy.getResources().entrySet().stream() .allMatch( entry -> - preciseFilterKeysFilter.containsKey(entry.getKey()) + preciseFilters.containsKey(entry.getKey()) && entry.getValue().getValues().size() == 1 && entry .getValue() .getValues() - .contains(preciseFilterKeysFilter.get(entry.getKey())))) + .contains(preciseFilters.get(entry.getKey())))) .collect(Collectors.toList()); } 
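Review bot: The precise filter in the second hunk of `findManagedPolicy` checks that every resource on a returned policy is one of the searched values, but not that every searched value is present on the policy, so a policy whose only resource is `database=db` passes when looking up `db.table` if Ranger's wildcard search returns it. Prefixing the lambda with `policy.getResources().size() == preciseFilters.size() &&` before the `allMatch` makes the match exact. The rename does not introduce this, but since the policy returned here is the one later edited for grants and owner changes, a broader match would attach privileges at the wrong resource level, which is worth closing while the code is touched. `findManagedPolicy` starts before the first hunk and ends after the second.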
@@ -344,14 +344,15 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject) "Each metadata object only have one Gravitino management enable policies."); } - RangerPolicy policy = policies.size() == 1 ? policies.get(0) : null; - // Delegating Gravitino management policies cannot contain duplicate privilege - if (policy != null) { - policy.getPolicyItems().forEach(this::checkPolicyItemAccess); - policy.getDenyPolicyItems().forEach(this::checkPolicyItemAccess); - policy.getRowFilterPolicyItems().forEach(this::checkPolicyItemAccess); - policy.getDataMaskPolicyItems().forEach(this::checkPolicyItemAccess); + if (policies.isEmpty()) { + return null; } + RangerPolicy policy = policies.get(0); + // Delegating Gravitino management policies cannot contain duplicate privilege + policy.getPolicyItems().forEach(this::checkPolicyItemAccess); + policy.getDenyPolicyItems().forEach(this::checkPolicyItemAccess); + policy.getRowFilterPolicyItems().forEach(this::checkPolicyItemAccess); + policy.getDataMaskPolicyItems().forEach(this::checkPolicyItemAccess); return policy; } catch (RangerServiceException e) { @@ -361,14 +362,10 @@ public RangerPolicy findManagedPolicy(MetadataObject metadataObject) protected boolean checkRangerRole(String roleName) throws AuthorizationPluginException { try { - RangerRole role = - rangerAuthorizationPlugin.rangerClient.getRole( - roleName, - rangerAuthorizationPlugin.rangerAdminName, - rangerAuthorizationPlugin.rangerServiceName); - if (role == null) { - return false; - } + rangerAuthorizationPlugin.rangerClient.getRole( + roleName, + rangerAuthorizationPlugin.rangerAdminName, + rangerAuthorizationPlugin.rangerServiceName); } catch (RangerServiceException e) { throw new AuthorizationPluginException(e); } 
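Review bot: `checkRangerRole` now discards the result of `rangerClient.getRole(...)`; the removed code returned false when the client returned null, and the method's return path is outside the hunk, so if `getRole` can still return null for a missing role the method would report it as present. If the reason for dropping the guard is that the Ranger client throws `RangerServiceException` for a missing role, record that next to the call, for example `// RangerClient throws RangerServiceException when the role does not exist; a normal return means it exists`, and note that the catch then turns "not found" into an `AuthorizationPluginException` instead of false. Otherwise keep `if (role == null) { return false; }` on the assigned result. The early `return null` added to `findManagedPolicy` in the first hunk reads correctly given the size check above it.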
@@ -481,7 +478,7 @@ protected void updatePolicyOwner(RangerPolicy policy, Owner preOwner, Owner newO }); } - protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner newOwner) { + protected RangerPolicy createPolicyAddResources(MetadataObject metadataObject) { RangerPolicy policy = new RangerPolicy(); policy.setService(rangerAuthorizationPlugin.rangerServiceName); policy.setName(metadataObject.fullName()); @@ -494,7 +491,7 @@ protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner throw new RuntimeException("The securable object than 4"); } - List rangerDefinesList = + List rangerResourceDefs = Lists.newArrayList( RangerDefines.RESOURCE_DATABASE, RangerDefines.RESOURCE_TABLE, @@ -503,8 +500,13 @@ protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner for (int i = 0; i < nsMetadataObject.size(); i++) { RangerPolicy.RangerPolicyResource policyResource = new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i)); - policy.getResources().put(rangerDefinesList.get(i), policyResource); + policy.getResources().put(rangerResourceDefs.get(i), policyResource); } + return policy; + } + + protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner newOwner) { + RangerPolicy policy = createPolicyAddResources(metadataObject); ownerPrivileges.stream() .forEach( diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java index 9e87ce6a203..784f91b2bb4 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java +++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java 
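Review bot: The new protected helper `createPolicyAddResources` has no Javadoc, and since both `addOwnerToNewPolicy` and `doAddSecurableObject` now depend on it, its contract should be written down: it builds an unsaved `RangerPolicy` for `rangerServiceName` named after the object's full name, maps each remaining name part onto the database/table/column resource keys in order (the removed inline code dropped the leading catalog segment first; confirm the helper does the same), and throws for objects deeper than four levels. The error on the context line `throw new RuntimeException("The securable object than 4");` is missing a word; `throw new IllegalArgumentException("The securable object has more than 4 levels: " + metadataObject.fullName());` is clearer and still a RuntimeException for existing callers. The body of the helper between the second and third hunks is not visible here.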
@@ -255,9 +255,10 @@ protected static void updateOrCreateRangerPolicy(
 try {
 List policies = rangerClient.findPolicies(policyFilter);
 if (!policies.isEmpty()) {
- // Because Ranger user the wildcard filter, Ranger will return the policy meets
- // the wildcard(*,?) conditions, just like `*.*.*` policy will match `db1.table1.column1`
- // So we need to manually precise filter the policies.
+ // Because Ranger doesn't support the precise search, Ranger will return the policy meets
+ // the wildcard(*,?) conditions, If you use `db.table` condition to search policy, the
+ // Ranger will match `db1.table1`, `db1.table2`, `db*.table*`, So we need to manually
+ // precisely filter this research results.
 policies =
 policies.stream()
 .filter(