
Commit bea3934

authored
[#5196] improve(auth-ranger): Refactor RangerSecurableObject class (#5222)
### What changes were proposed in this pull request? 1. Add `RangerMetadataObject` class. ### Why are the changes needed? Currently, RangerSecurableObject extends MetadataObject, but Ranger manages metadata types that differ from Gravitino's; for example, Ranger doesn't have `METALAKE` or `ROLE`, so we need to refactor the RangerSecurableObject class. Fix: #5196 ### Does this PR introduce _any_ user-facing change? N/A ### How was this patch tested? CI Passed.
1 parent 44a47d0 commit bea3934


12 files changed

+431
-138
lines changed


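--- a/api/src/main/java/org/apache/gravitino/MetadataObjects.java
+++ b/api/src/main/java/org/apache/gravitino/MetadataObjects.java
@@ -49,7 +49,8 @@ public static MetadataObject of(String parent, String name, MetadataObject.Type
 Preconditions.checkArgument(name != null, "Cannot create a metadata object with null name");
 Preconditions.checkArgument(type != null, "Cannot create a metadata object with no type");
 
-return new MetadataObjectImpl(parent, name, type);
+String fullName = parent == null ? name : DOT_JOINER.join(parent, name);
+return parse(fullName, type);
 }
 
 /**
@@ -159,7 +160,7 @@ public static MetadataObject parse(String fullName, MetadataObject.Type type) {
 * @param names The names of the metadata object
 * @return The parent full name if it exists, otherwise null
 */
-public static String getParentFullName(List<String> names) {
+private static String getParentFullName(List<String> names) {
 if (names.size() <= 1) {
 return null;
 }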
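Review bot: `of()` now joins `parent` and `name` with `DOT_JOINER` and hands the result to `parse(fullName, type)`, so a `name` that itself contains a dot would presumably be re-split by `parse` into extra levels instead of being kept as a single segment, which the replaced direct `MetadataObjectImpl` construction never did; `parse` is outside the hunk, so this is inferred from its role, but if dotted names are legal a guard such as `Preconditions.checkArgument(!name.contains("."), "Cannot create a metadata object with a dotted name");` or a direct construction path is needed. In the second hunk `getParentFullName` drops from public to private; any caller in another package breaks at compile time, which the "N/A" answer to the user-facing-change question does not cover, so the description should name that removal. The enclosing `of()` and `getParentFullName` bodies both continue outside their hunks.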

authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java

Lines changed: 74 additions & 44 deletions
@@ -60,6 +60,35 @@ public static synchronized RangerAuthorizationHivePlugin getInstance(Map<String,
6060
return instance;
6161
}
6262

63+
/** Validate different Ranger metadata object */
64+
@Override
65+
public void validateRangerMetadataObject(List<String> names, RangerMetadataObject.Type type)
66+
throws IllegalArgumentException {
67+
Preconditions.checkArgument(
68+
names != null && !names.isEmpty(), "Cannot create a Ranger metadata object with no names");
69+
Preconditions.checkArgument(
70+
names.size() <= 3,
71+
"Cannot create a Ranger metadata object with the name length which is greater than 3");
72+
Preconditions.checkArgument(
73+
type != null, "Cannot create a Ranger metadata object with no type");
74+
75+
Preconditions.checkArgument(
76+
names.size() != 1 || type == RangerMetadataObject.Type.SCHEMA,
77+
"If the length of names is 1, it must be the SCHEMA type");
78+
79+
Preconditions.checkArgument(
80+
names.size() != 2 || type == RangerMetadataObject.Type.TABLE,
81+
"If the length of names is 2, it must be the TABLE type");
82+
83+
Preconditions.checkArgument(
84+
names.size() != 3 || type == RangerMetadataObject.Type.COLUMN,
85+
"If the length of names is 3, it must be COLUMN");
86+
87+
for (String name : names) {
88+
RangerMetadataObjects.checkName(name);
89+
}
90+
}
91+
6392
@Override
6493
/** Set the default mapping Gravitino privilege name to the Ranger rule */
6594
public Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule() {
@@ -110,78 +139,79 @@ public Set<Privilege.Name> allowPrivilegesRule() {
110139
}
111140

112141
/** Translate the Gravitino securable object to the Ranger owner securable object. */
113-
public List<RangerSecurableObject> translateOwner(MetadataObject metadataObject) {
142+
public List<RangerSecurableObject> translateOwner(MetadataObject gravitinoMetadataObject) {
114143
List<RangerSecurableObject> rangerSecurableObjects = new ArrayList<>();
115144

116-
switch (metadataObject.type()) {
145+
switch (gravitinoMetadataObject.type()) {
117146
case METALAKE:
118147
case CATALOG:
119148
// Add `*` for the SCHEMA permission
120149
rangerSecurableObjects.add(
121-
RangerSecurableObjects.of(
150+
generateRangerSecurableObject(
122151
ImmutableList.of(RangerHelper.RESOURCE_ALL),
123-
MetadataObject.Type.SCHEMA,
152+
RangerMetadataObject.Type.SCHEMA,
124153
ownerMappingRule()));
125154
// Add `*.*` for the TABLE permission
126155
rangerSecurableObjects.add(
127-
RangerSecurableObjects.of(
156+
generateRangerSecurableObject(
128157
ImmutableList.of(RangerHelper.RESOURCE_ALL, RangerHelper.RESOURCE_ALL),
129-
MetadataObject.Type.TABLE,
158+
RangerMetadataObject.Type.TABLE,
130159
ownerMappingRule()));
131160
// Add `*.*.*` for the COLUMN permission
132161
rangerSecurableObjects.add(
133-
RangerSecurableObjects.of(
162+
generateRangerSecurableObject(
134163
ImmutableList.of(
135164
RangerHelper.RESOURCE_ALL,
136165
RangerHelper.RESOURCE_ALL,
137166
RangerHelper.RESOURCE_ALL),
138-
MetadataObject.Type.COLUMN,
167+
RangerMetadataObject.Type.COLUMN,
139168
ownerMappingRule()));
140169
break;
141170
case SCHEMA:
142171
// Add `{schema}` for the SCHEMA permission
143172
rangerSecurableObjects.add(
144-
RangerSecurableObjects.of(
145-
ImmutableList.of(metadataObject.name() /*Schema name*/),
146-
MetadataObject.Type.SCHEMA,
173+
generateRangerSecurableObject(
174+
ImmutableList.of(gravitinoMetadataObject.name() /*Schema name*/),
175+
RangerMetadataObject.Type.SCHEMA,
147176
ownerMappingRule()));
148177
// Add `{schema}.*` for the TABLE permission
149178
rangerSecurableObjects.add(
150-
RangerSecurableObjects.of(
151-
ImmutableList.of(metadataObject.name() /*Schema name*/, RangerHelper.RESOURCE_ALL),
152-
MetadataObject.Type.TABLE,
179+
generateRangerSecurableObject(
180+
ImmutableList.of(
181+
gravitinoMetadataObject.name() /*Schema name*/, RangerHelper.RESOURCE_ALL),
182+
RangerMetadataObject.Type.TABLE,
153183
ownerMappingRule()));
154184
// Add `{schema}.*.*` for the COLUMN permission
155185
rangerSecurableObjects.add(
156-
RangerSecurableObjects.of(
186+
generateRangerSecurableObject(
157187
ImmutableList.of(
158-
metadataObject.name() /*Schema name*/,
188+
gravitinoMetadataObject.name() /*Schema name*/,
159189
RangerHelper.RESOURCE_ALL,
160190
RangerHelper.RESOURCE_ALL),
161-
MetadataObject.Type.COLUMN,
191+
RangerMetadataObject.Type.COLUMN,
162192
ownerMappingRule()));
163193
break;
164194
case TABLE:
165195
// Add `{schema}.{table}` for the TABLE permission
166196
rangerSecurableObjects.add(
167-
RangerSecurableObjects.of(
168-
convertToRangerMetadataObject(metadataObject),
169-
MetadataObject.Type.TABLE,
197+
generateRangerSecurableObject(
198+
convertToRangerMetadataObject(gravitinoMetadataObject),
199+
RangerMetadataObject.Type.TABLE,
170200
ownerMappingRule()));
171201
// Add `{schema}.{table}.*` for the COLUMN permission
172202
rangerSecurableObjects.add(
173-
RangerSecurableObjects.of(
203+
generateRangerSecurableObject(
174204
Stream.concat(
175-
convertToRangerMetadataObject(metadataObject).stream(),
205+
convertToRangerMetadataObject(gravitinoMetadataObject).stream(),
176206
Stream.of(RangerHelper.RESOURCE_ALL))
177207
.collect(Collectors.toList()),
178-
MetadataObject.Type.COLUMN,
208+
RangerMetadataObject.Type.COLUMN,
179209
ownerMappingRule()));
180210
break;
181211
default:
182212
throw new AuthorizationPluginException(
183213
"The owner privilege is not supported for the securable object: %s",
184-
metadataObject.type());
214+
gravitinoMetadataObject.type());
185215
}
186216

187217
return rangerSecurableObjects;
@@ -214,9 +244,9 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
214244
case CATALOG:
215245
// Add Ranger privilege(`SELECT`) to SCHEMA(`*`)
216246
rangerSecurableObjects.add(
217-
RangerSecurableObjects.of(
247+
generateRangerSecurableObject(
218248
ImmutableList.of(RangerHelper.RESOURCE_ALL),
219-
MetadataObject.Type.SCHEMA,
249+
RangerMetadataObject.Type.SCHEMA,
220250
rangerPrivileges));
221251
break;
222252
default:
@@ -231,9 +261,9 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
231261
case CATALOG:
232262
// Add Ranger privilege(`CREATE`) to SCHEMA(`*`)
233263
rangerSecurableObjects.add(
234-
RangerSecurableObjects.of(
264+
generateRangerSecurableObject(
235265
ImmutableList.of(RangerHelper.RESOURCE_ALL),
236-
MetadataObject.Type.SCHEMA,
266+
RangerMetadataObject.Type.SCHEMA,
237267
rangerPrivileges));
238268
break;
239269
default:
@@ -248,17 +278,17 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
248278
case CATALOG:
249279
// Add Ranger privilege(`SELECT`) to SCHEMA(`*`)
250280
rangerSecurableObjects.add(
251-
RangerSecurableObjects.of(
281+
generateRangerSecurableObject(
252282
ImmutableList.of(RangerHelper.RESOURCE_ALL),
253-
MetadataObject.Type.SCHEMA,
283+
RangerMetadataObject.Type.SCHEMA,
254284
rangerPrivileges));
255285
break;
256286
case SCHEMA:
257287
// Add Ranger privilege(`SELECT`) to SCHEMA(`{schema}`)
258288
rangerSecurableObjects.add(
259-
RangerSecurableObjects.of(
289+
generateRangerSecurableObject(
260290
ImmutableList.of(securableObject.name() /*Schema name*/),
261-
MetadataObject.Type.SCHEMA,
291+
RangerMetadataObject.Type.SCHEMA,
262292
rangerPrivileges));
263293
break;
264294
default:
@@ -275,38 +305,38 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
275305
case CATALOG:
276306
// Add `*.*` for the TABLE permission
277307
rangerSecurableObjects.add(
278-
RangerSecurableObjects.of(
308+
generateRangerSecurableObject(
279309
ImmutableList.of(
280310
RangerHelper.RESOURCE_ALL, RangerHelper.RESOURCE_ALL),
281-
MetadataObject.Type.TABLE,
311+
RangerMetadataObject.Type.TABLE,
282312
rangerPrivileges));
283313
// Add `*.*.*` for the COLUMN permission
284314
rangerSecurableObjects.add(
285-
RangerSecurableObjects.of(
315+
generateRangerSecurableObject(
286316
ImmutableList.of(
287317
RangerHelper.RESOURCE_ALL,
288318
RangerHelper.RESOURCE_ALL,
289319
RangerHelper.RESOURCE_ALL),
290-
MetadataObject.Type.COLUMN,
320+
RangerMetadataObject.Type.COLUMN,
291321
rangerPrivileges));
292322
break;
293323
case SCHEMA:
294324
// Add `{schema}.*` for the TABLE permission
295325
rangerSecurableObjects.add(
296-
RangerSecurableObjects.of(
326+
generateRangerSecurableObject(
297327
ImmutableList.of(
298328
securableObject.name() /*Schema name*/,
299329
RangerHelper.RESOURCE_ALL),
300-
MetadataObject.Type.TABLE,
330+
RangerMetadataObject.Type.TABLE,
301331
rangerPrivileges));
302332
// Add `{schema}.*.*` for the COLUMN permission
303333
rangerSecurableObjects.add(
304-
RangerSecurableObjects.of(
334+
generateRangerSecurableObject(
305335
ImmutableList.of(
306336
securableObject.name() /*Schema name*/,
307337
RangerHelper.RESOURCE_ALL,
308338
RangerHelper.RESOURCE_ALL),
309-
MetadataObject.Type.COLUMN,
339+
RangerMetadataObject.Type.COLUMN,
310340
rangerPrivileges));
311341
break;
312342
case TABLE:
@@ -317,18 +347,18 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
317347
} else {
318348
// Add `{schema}.{table}` for the TABLE permission
319349
rangerSecurableObjects.add(
320-
RangerSecurableObjects.of(
350+
generateRangerSecurableObject(
321351
convertToRangerMetadataObject(securableObject),
322-
MetadataObject.Type.TABLE,
352+
RangerMetadataObject.Type.TABLE,
323353
rangerPrivileges));
324354
// Add `{schema}.{table}.*` for the COLUMN permission
325355
rangerSecurableObjects.add(
326-
RangerSecurableObjects.of(
356+
generateRangerSecurableObject(
327357
Stream.concat(
328358
convertToRangerMetadataObject(securableObject).stream(),
329359
Stream.of(RangerHelper.RESOURCE_ALL))
330360
.collect(Collectors.toList()),
331-
MetadataObject.Type.COLUMN,
361+
RangerMetadataObject.Type.COLUMN,
332362
rangerPrivileges));
333363
}
334364
break;
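Review bot: `validateRangerMetadataObject` in the first hunk carries only `/** Validate different Ranger metadata object */`, which does not tell a caller that the list length fixes the expected type (1 name → SCHEMA, 2 → TABLE, 3 → COLUMN) or that every element is passed through `RangerMetadataObjects.checkName`; a Javadoc with `@param names`, `@param type` and `@throws IllegalArgumentException` stating the length-to-type rule would document the contract the `Preconditions` lines enforce. The third message, `"If the length of names is 3, it must be COLUMN"`, also differs in form from its two siblings; `"If the length of names is 3, it must be the COLUMN type"` keeps them uniform. The new method places its Javadoc before `@Override` while the neighbouring `privilegesMappingRule` (pre-existing) places it after; aligning the new code with one order would keep the file consistent.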

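--- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
+++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -67,7 +67,7 @@
 * implement Gravitino Owner concept. <br>
 */
 public abstract class RangerAuthorizationPlugin
-implements AuthorizationPlugin, RangerPrivilegesMappingProvider {
+implements AuthorizationPlugin, RangerPrivilegesMappingProvider, RangerMetadataObjectRule {
 private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationPlugin.class);
 
 protected final String rangerServiceName;
@@ -660,7 +660,20 @@ private boolean doRemoveSecurableObject(
 @Override
 public void close() throws IOException {}
 
-boolean validAuthorizationOperation(List<SecurableObject> securableObjects) {
+/** Generate different Ranger securable object */
+public RangerSecurableObject generateRangerSecurableObject(
+List<String> names, RangerMetadataObject.Type type, Set<RangerPrivilege> privileges) {
+validateRangerMetadataObject(names, type);
+RangerMetadataObject metadataObject =
+new RangerMetadataObjects.RangerMetadataObjectImpl(
+RangerMetadataObjects.getParentFullName(names),
+RangerMetadataObjects.getLastName(names),
+type);
+return new RangerSecurableObjects.RangerSecurableObjectImpl(
+metadataObject.parent(), metadataObject.name(), metadataObject.type(), privileges);
+}
+
+public boolean validAuthorizationOperation(List<SecurableObject> securableObjects) {
 return securableObjects.stream()
 .allMatch(
 securableObject -> {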
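Review bot: `generateRangerSecurableObject` validates `names` and `type` through `validateRangerMetadataObject` but never checks `privileges`, so a null set is stored into `RangerSecurableObjectImpl` and can only fail later when a policy is built from it; a `Preconditions.checkArgument(privileges != null, "Cannot create a Ranger securable object with null privileges");` next to the existing validation fails fast (whether `RangerSecurableObjectImpl` guards this itself is outside the hunk). The method is public on an abstract plugin class yet documented only by `/** Generate different Ranger securable object */`; `@param`/`@return`/`@throws IllegalArgumentException` lines saying the names length must match the type would make the contract visible to subclasses. `validAuthorizationOperation` is widened from package-private to public in the same hunk with no stated reason; if only tests or same-package callers need it, keeping it package-private (or marking it `@VisibleForTesting`) limits the API surface. Its body continues outside the hunk.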

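--- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
+++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
@@ -28,10 +28,8 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.commons.lang.StringUtils;
-import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.authorization.Owner;
 import org.apache.gravitino.authorization.Privilege;
-import org.apache.gravitino.authorization.SecurableObjects;
 import org.apache.gravitino.exceptions.AuthorizationPluginException;
 import org.apache.ranger.RangerClient;
 import org.apache.ranger.RangerServiceException;
@@ -192,12 +190,12 @@ void removePolicyItem(
 /**
 * Find the managed policy for the ranger securable object.
 *
-* @param rangerSecurableObject The ranger securable object to find the managed policy.
+* @param rangerMetadataObject The ranger securable object to find the managed policy.
 * @return The managed policy for the metadata object.
 */
-public RangerPolicy findManagedPolicy(RangerSecurableObject rangerSecurableObject)
+public RangerPolicy findManagedPolicy(RangerMetadataObject rangerMetadataObject)
 throws AuthorizationPluginException {
-List<String> nsMetadataObj = getMetadataObjectNames(rangerSecurableObject);
+List<String> nsMetadataObj = rangerMetadataObject.names();
 
 Map<String, String> searchFilters = new HashMap<>();
 Map<String, String> preciseFilters = new HashMap<>();
@@ -395,23 +393,13 @@ protected void updatePolicyOwner(RangerPolicy policy, Owner preOwner, Owner newO
 });
 }
 
-private static List<String> getMetadataObjectNames(MetadataObject metadataObject) {
-List<String> nsMetadataObject =
-Lists.newArrayList(SecurableObjects.DOT_SPLITTER.splitToList(metadataObject.fullName()));
-if (nsMetadataObject.size() > 4) {
-// The max level of the securable object is `catalog.db.table.column`
-throw new RuntimeException("The length of the securable object should not be greater than 4");
-}
-return nsMetadataObject;
-}
-
-protected RangerPolicy createPolicyAddResources(MetadataObject metadataObject) {
+protected RangerPolicy createPolicyAddResources(RangerMetadataObject metadataObject) {
 RangerPolicy policy = new RangerPolicy();
 policy.setService(rangerServiceName);
 policy.setName(metadataObject.fullName());
 policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
 
-List<String> nsMetadataObject = getMetadataObjectNames(metadataObject);
+List<String> nsMetadataObject = metadataObject.names();
 
 for (int i = 0; i < nsMetadataObject.size(); i++) {
 RangerPolicy.RangerPolicyResource policyResource =
@@ -421,7 +409,7 @@ protected RangerPolicy createPolicyAddResources(MetadataObject metadataObject) {
 return policy;
 }
 
-protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner newOwner) {
+protected RangerPolicy addOwnerToNewPolicy(RangerMetadataObject metadataObject, Owner newOwner) {
 RangerPolicy policy = createPolicyAddResources(metadataObject);
 
 ownerPrivileges.forEach(
@@ -444,7 +432,7 @@ protected RangerPolicy addOwnerToNewPolicy(MetadataObject metadataObject, Owner
 }
 
 protected RangerPolicy addOwnerRoleToNewPolicy(
-MetadataObject metadataObject, String ownerRoleName) {
+RangerMetadataObject metadataObject, String ownerRoleName) {
 RangerPolicy policy = createPolicyAddResources(metadataObject);
 
 ownerPrivileges.forEach(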
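Review bot: The Javadoc on `findManagedPolicy` in the second hunk still describes the renamed parameter as a securable object; `* @param rangerMetadataObject The ranger securable object to find the managed policy.` should read `* @param rangerMetadataObject The ranger metadata object to find the managed policy for.`, and the summary line `Find the managed policy for the ranger securable object.` has the same stale wording. In the third hunk the deleted `getMetadataObjectNames` took with it the depth guard (`nsMetadataObject.size() > 4`) that ran before names are turned into `RangerPolicyResource` entries in `createPolicyAddResources`; the replacement trusts `metadataObject.names()` as already validated, which holds for objects built through the Hive plugin's `validateRangerMetadataObject` (capped at 3) but not, as far as this hunk shows, for a `RangerMetadataObject` constructed elsewhere, so a comment naming that assumption or an explicit size check here would preserve the old fail-fast behaviour. `createPolicyAddResources`, `addOwnerToNewPolicy` and `addOwnerRoleToNewPolicy` all continue outside their hunks.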
