[#3963] feat(core): Apache Ranger Hive authorization pushdown #4515

xunliu · 2024-08-14T11:18:17Z

What changes were proposed in this pull request?

Use Gravitino authorization plugin to authorize Ranger Hive.

Added RangerHiveAuthorization modul
Added RangerAuthorizationPlugin abstract class.
Extend RangerHiveAuthorizationPlugin class process Hive authorization pushdown
Added Ranger client extension

Why are the changes needed?

Fix: #3963

Does this PR introduce any user-facing change?

Added RangerHiveAuthorizationPlugin interface

How was this patch tested?

RangerHiveIT passed.

...r/src/main/java/org/apache/gravitino/authorization/ranger/RangerHiveAuthorizationPlugin.java

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

...r/src/main/java/org/apache/gravitino/authorization/ranger/RangerHiveAuthorizationPlugin.java

lw-yang · 2024-08-14T13:44:02Z

I found that there are differences between the construction the ranger policy and our implementation.

If the policyName is roleName + securableObjectFullName, it's possible that there will be many policies for the same resource, which seems unnecessary.

In our system, each policy corresponds to a single resource, and the policy is named based on the resource name. Within Ranger, we create roles in ranger, instead of putting the role in the policyName, we will put the role and role privileges into policyItems.

api/src/main/java/org/apache/gravitino/authorization/RoleChange.java

authorizations/authorization-ranger/build.gradle.kts

...r/src/main/java/org/apache/gravitino/authorization/ranger/RangerHiveAuthorizationPlugin.java

xunliu · 2024-08-19T02:38:30Z

@lw-yang @yuqi1129 I refactor this PR, Please help me review it again, thanks!

xunliu · 2024-08-19T02:41:00Z

I found that there are differences between the construction the ranger policy and our implementation.

If the policyName is roleName + securableObjectFullName, it's possible that there will be many policies for the same resource, which seems unnecessary.

In our system, each policy corresponds to a single resource, and the policy is named based on the resource name. Within Ranger, we create roles in ranger, instead of putting the role in the policyName, we will put the role and role privileges into policyItems.

hi @lw-yang
So does Gravitino.

...st-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java

api/src/main/java/org/apache/gravitino/authorization/RoleChange.java

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

authorizations/authorization-ranger/build.gradle.kts

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

api/src/main/java/org/apache/gravitino/authorization/RoleChange.java

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

xunliu · 2024-08-19T10:26:57Z

@yuqi1129 I fixed all problems based on your comments, Please help me review again. Thanks.

...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java

jerqi · 2024-08-21T11:22:30Z

...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java

+                                      return access.getType().equals(privilege);
+                                    });
+                        if (matchPrivilege
+                            && !policyItem.getUsers().isEmpty()


Why do we need getUsers is empty and getGroups is empty?

We can only remove this policy item if there are no users or groups

We just remove roles here, not remove policyItem.

Yes, you are right.
I fix this problem and add a test case.

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

...er/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java

...anger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

xunliu · 2024-08-21T13:15:28Z

Only one point:

Some privileges like use schema, use catalog, create catalog could be pushed down underlying system, too. The check logic will throw exception for them.

I created EPIC #4615 to track these issue.

yuqi1129

LGTM

### What changes were proposed in this pull request? Use Gravitino authorization plugin to authorize Ranger Hive. 1. Added RangerHiveAuthorization modul 2. Added RangerAuthorizationPlugin abstract class. 3. Extend RangerHiveAuthorizationPlugin class process Hive authorization pushdown 4. Added Ranger client extension ### Why are the changes needed? Fix: #3963 ### Does this PR introduce _any_ user-facing change? 1. Added RangerHiveAuthorizationPlugin interface ### How was this patch tested? RangerHiveIT passed. --------- Co-authored-by: yuqi <[email protected]>

xunliu requested a review from yuqi1129 August 14, 2024 11:18

xunliu force-pushed the issue-3963 branch from 76577e8 to 212c7ec Compare August 14, 2024 13:30

lw-yang reviewed Aug 14, 2024

View reviewed changes

xunliu force-pushed the issue-3963 branch 5 times, most recently from f957505 to 0d7b9bc Compare August 15, 2024 02:59

yuqi1129 reviewed Aug 15, 2024

View reviewed changes

xunliu force-pushed the issue-3963 branch 9 times, most recently from 18e9038 to 4f37b45 Compare August 18, 2024 22:48

xunliu added the branch-0.6 Automatically cherry-pick commit to branch-0.6 label Aug 18, 2024

xunliu force-pushed the issue-3963 branch 2 times, most recently from 02a2531 to eddc014 Compare August 19, 2024 01:46

xunliu force-pushed the issue-3963 branch from eddc014 to 2c02969 Compare August 19, 2024 05:43

yuqi1129 reviewed Aug 19, 2024

View reviewed changes

xunliu mentioned this pull request Aug 19, 2024

[#4460] feat(core): Add the method call of the authorizationPlugin #4461

Merged

typo

8404594