[apache#5336] feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limite
xunliu committed Oct 29, 2024
1 parent 5c41758 commit bb3e0d9
Showing 4 changed files with 28 additions and 11 deletions.
Expand Up @@ -587,6 +587,9 @@ private boolean doAddSecurableObject(String roleName, RangerSecurableObject secu
if (policy.getId() == null) {
rangerClient.createPolicy(policy);
} else {
if (!policy.getPolicyLabels().contains(RangerHelper.MANAGED_BY_GRAVITINO)) {
policy.getPolicyLabels().add(RangerHelper.MANAGED_BY_GRAVITINO);
}
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
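Review bot: The `else` branch relabels a policy that already exists in Ranger without the `MANAGED_BY_GRAVITINO` label, so a policy an administrator created by hand becomes Gravitino-managed with no record of the takeover. A log line before the `add`, for example `LOG.info("Adopting existing Ranger policy {} (id={}) as Gravitino-managed", policy.getName(), policy.getId());` (assuming the class has a logger), would let an operator trace when an access policy changed ownership. The hunk does not show whether the policy items already on that policy are kept or replaced before `updatePolicy`; that is worth confirming and stating in a comment, since it decides whether existing grants survive. `doAddSecurableObject` starts and ends outside the hunk.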
Expand Up @@ -196,11 +196,9 @@ void removePolicyItem(
public RangerPolicy findManagedPolicy(RangerMetadataObject rangerMetadataObject)
throws AuthorizationPluginException {
List<String> nsMetadataObj = rangerMetadataObject.names();

Map<String, String> searchFilters = new HashMap<>();
Map<String, String> preciseFilters = new HashMap<>();
searchFilters.put(SearchFilter.SERVICE_NAME, rangerServiceName);
searchFilters.put(SearchFilter.POLICY_LABELS_PARTIAL, MANAGED_BY_GRAVITINO);
for (int i = 0; i < nsMetadataObj.size(); i++) {
searchFilters.put(
SearchFilter.RESOURCE_PREFIX + policyResourceDefines.get(i), nsMetadataObj.get(i));
Expand All @@ -209,7 +207,6 @@ public RangerPolicy findManagedPolicy(RangerMetadataObject rangerMetadataObject)

try {
List<RangerPolicy> policies = rangerClient.findPolicies(searchFilters);

if (!policies.isEmpty()) {
/**
* Because Ranger doesn't support the precise search, Ranger will return the policy meets
Expand Down Expand Up @@ -400,7 +397,6 @@ protected RangerPolicy createPolicyAddResources(RangerMetadataObject metadataObj
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));

List<String> nsMetadataObject = metadataObject.names();

for (int i = 0; i < nsMetadataObject.size(); i++) {
RangerPolicy.RangerPolicyResource policyResource =
new RangerPolicy.RangerPolicyResource(nsMetadataObject.get(i));
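Review bot: `findManagedPolicy` keeps its name although, judging by the hunk counts and the commit title, the `POLICY_LABELS_PARTIAL` filter is the line dropped from the search, so it would now return any policy in the service whose resources match, labelled or not. The Javadoc should say so, for example `Find the policy whose resources precisely match the metadata object, whether or not it carries the MANAGED_BY_GRAVITINO label.` With the label filter gone, the precise-match step after `findPolicies` is the only thing that keeps a wildcard policy from being picked up and modified. That step lies mostly outside the visible lines, so it deserves a careful look before merge.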
Expand Up @@ -21,6 +21,7 @@
import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.currentFunName;
import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger;

import com.google.common.base.Joiner;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
Expand Down Expand Up @@ -229,6 +230,25 @@ public RoleEntity mockCatalogRole(String roleName) {
return role;
}

@Test
public void testManagedByGravitino() {
RoleEntity role = mock3TableRole(currentFunName());
role.securableObjects().stream()
.forEach(
securableObject -> {
Joiner DOT_JOINER = Joiner.on('.');
List<String> names =
Lists.newArrayList(
SecurableObjects.DOT_SPLITTER.splitToList(securableObject.fullName()));
names.remove(0); // remove catalog node
// Manual create the Ranger Policy
createHivePolicy(Lists.newArrayList(names), DOT_JOINER.join(names));
});
// Use role to create Ranger Policy
Assertions.assertTrue(rangerAuthHivePlugin.onRoleCreated(role));
verifyRoleInRanger(rangerAuthHivePlugin, role);
}

@Test
public void testFindManagedPolicy() {
// Because Ranger support wildcard to match the policy, so we need to test the policy with
Expand Down Expand Up @@ -264,7 +284,7 @@ public void testFindManagedPolicy() {
Assertions.assertNotNull(rangerHelper.findManagedPolicy(rangerSecurableObject));
}

static void createHivePolicy(List<String> metaObjects, String roleName) {
static void createHivePolicy(List<String> metaObjects, String policyName) {
Assertions.assertTrue(metaObjects.size() < 4);
Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap = new HashMap<>();
for (int i = 0; i < metaObjects.size(); i++) {
Expand All @@ -286,7 +306,7 @@ static void createHivePolicy(List<String> metaObjects, String roleName) {
RangerITEnv.updateOrCreateRangerPolicy(
RangerDefines.SERVICE_TYPE_HIVE,
RangerITEnv.RANGER_HIVE_REPO_NAME,
roleName,
policyName,
policyResourceMap,
Collections.singletonList(policyItem));
}
Expand Down Expand Up @@ -1318,7 +1338,6 @@ private void verifyOwnerInRanger(
}

Assertions.assertEquals(policy.getName(), policyName);
Assertions.assertTrue(policy.getPolicyLabels().contains(RangerHelper.MANAGED_BY_GRAVITINO));

// verify namespace
List<String> metaObjNamespaces = metadataObject.names();
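Review bot: `testManagedByGravitino` ends with `verifyRoleInRanger`, but nothing visible asserts that the manually created policies were actually adopted, meaning that they carry the label afterwards and that the policy item put there by `createHivePolicy` is still present. The label assertion in `verifyOwnerInRanger` appears to be removed in this same section, so the new labelling branch in the plugin may be left without any check. An assertion such as `Assertions.assertTrue(policy.getPolicyLabels().contains(RangerHelper.MANAGED_BY_GRAVITINO));` on each looked-up policy would cover it. As a style point, `DOT_JOINER` is a local declared inside the lambda and would read better as `dotJoiner` or as a class constant, and `.stream().forEach(...)` can be `.forEach(...)`.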
Expand Up @@ -19,7 +19,6 @@
package org.apache.gravitino.authorization.ranger.integration.test;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
Expand Down Expand Up @@ -508,7 +507,6 @@ protected static void updateOrCreateRangerPolicy(
Map<String, String> resourceFilter = new HashMap<>(); // use to match the precise policy
Map<String, String> policyFilter = new HashMap<>();
policyFilter.put(SearchFilter.SERVICE_NAME, serviceName);
policyFilter.put(SearchFilter.POLICY_LABELS_PARTIAL, RangerHelper.MANAGED_BY_GRAVITINO);
final int[] index = {0};
policyResourceMap.forEach(
(k, v) -> {
Expand Down Expand Up @@ -562,7 +560,6 @@ protected static void updateOrCreateRangerPolicy(
policy.setServiceType(type);
policy.setService(serviceName);
policy.setName(policyName);
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
policy.setResources(policyResourceMap);
policy.setPolicyItems(policyItems);
rangerClient.createPolicy(policy);
Expand Down Expand Up @@ -594,6 +591,8 @@ protected static void cleanAllPolicy(String serviceName) {

/** Don't call this function in the Lambda function body, It will return a random function name */
public static String currentFunName() {
return Thread.currentThread().getStackTrace()[2].getMethodName();
String name = Thread.currentThread().getStackTrace()[2].getMethodName();
Assertions.assertFalse(name.startsWith("lambda$"), "Don't call this function in the Lambda");
return name;
}
}
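Review bot: The Javadoc on `currentFunName` still says a call from a lambda body returns a random function name, while the new assertion makes that call fail instead. The comment should match the behaviour, for example `/** Returns the name of the calling method; fails an assertion when called from a lambda body. */`. The lookup still relies on the fixed frame index `getStackTrace()[2]`, which deserves a short why-comment such as `// frame 0 is getStackTrace, 1 is this method, 2 is the caller`.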
