
Commit 4cdee1d

jerqiAbyss-lord
authored and committed
[apache#6695] fix(authz): Fix the error privileges (apache#6821)
### What changes were proposed in this pull request? Fix the incorrect privileges. ### Why are the changes needed? Fix: apache#6695 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Added unit tests.
1 parent 8c7f3ad commit 4cdee1d

8 files changed

+296
-131
lines changed


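--- a/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java
+++ b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedMetadataObject.java
@@ -92,15 +92,26 @@ public String toString() {
 private final String name;
 private final String parent;
 private final String path;
+private final boolean recursive;
 
 private final AuthorizationMetadataObject.Type type;
 
 public PathBasedMetadataObject(
 String parent, String name, String path, AuthorizationMetadataObject.Type type) {
+this(parent, name, path, type, true);
+}
+
+public PathBasedMetadataObject(
+String parent,
+String name,
+String path,
+AuthorizationMetadataObject.Type type,
+boolean recursive) {
 this.parent = parent;
 this.name = name;
 this.path = path;
 this.type = type;
+this.recursive = recursive;
 }
 
 @Override
@@ -122,6 +133,10 @@ public String path() {
 return path;
 }
 
+public boolean recursive() {
+return recursive;
+}
+
 @Override
 public AuthorizationMetadataObject.Type type() {
 return this.type;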
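--- a/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedSecurableObject.java
+++ b/authorizations/authorization-common/src/main/java/org/apache/gravitino/authorization/common/PathBasedSecurableObject.java
@@ -35,8 +35,9 @@ public PathBasedSecurableObject(
 String name,
 String path,
 AuthorizationMetadataObject.Type type,
+boolean recursive,
 Set<AuthorizationPrivilege> privileges) {
-super(parent, name, path, type);
+super(parent, name, path, type, recursive);
 this.privileges = ImmutableList.copyOf(privileges);
 }
 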
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java

Lines changed: 163 additions & 75 deletions
Large diffs are not rendered by default.

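--- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
+++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java
@@ -396,23 +396,24 @@ protected RangerPolicy createPolicyAddResources(AuthorizationMetadataObject meta
 return policy;
 }
 
-@Override
 public AuthorizationSecurableObject generateAuthorizationSecurableObject(
 List<String> names,
-String path,
 AuthorizationMetadataObject.Type type,
 Set<AuthorizationPrivilege> privileges) {
-AuthorizationMetadataObject authMetadataObject =
+RangerHadoopSQLMetadataObject object =
 new RangerHadoopSQLMetadataObject(
 AuthorizationMetadataObject.getParentFullName(names),
 AuthorizationMetadataObject.getLastName(names),
 type);
-authMetadataObject.validateAuthorizationMetadataObject();
+return generateAuthorizationSecurableObject(object, privileges);
+}
+
+@Override
+public AuthorizationSecurableObject generateAuthorizationSecurableObject(
+AuthorizationMetadataObject object, Set<AuthorizationPrivilege> privileges) {
+object.validateAuthorizationMetadataObject();
 return new RangerHadoopSQLSecurableObject(
-authMetadataObject.parent(),
-authMetadataObject.name(),
-authMetadataObject.type(),
-privileges);
+object.parent(), object.name(), object.type(), privileges);
 }
 
 @Override
@@ -455,14 +456,12 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 ownerMappingRule()));
 // Add `*.*` for the TABLE permission
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(RangerHelper.RESOURCE_ALL, RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 ownerMappingRule()));
 // Add `*.*.*` for the COLUMN permission
@@ -472,7 +471,6 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 ownerMappingRule()));
 break;
@@ -481,15 +479,13 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(gravitinoMetadataObject.name() /*Schema name*/),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 ownerMappingRule()));
 // Add `{schema}.*` for the TABLE permission
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(
 gravitinoMetadataObject.name() /*Schema name*/, RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 ownerMappingRule()));
 // Add `{schema}.*.*` for the COLUMN permission
@@ -499,7 +495,6 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 gravitinoMetadataObject.name() /*Schema name*/,
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 ownerMappingRule()));
 break;
@@ -511,7 +506,6 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 rangerMetadataObject.names(),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 ownerMappingRule()));
 // Add `{schema}.{table}.*` for the COLUMN permission
@@ -521,7 +515,6 @@ public List<AuthorizationSecurableObject> translateOwner(MetadataObject gravitin
 rangerMetadataObject.names().stream(),
 Stream.of(RangerHelper.RESOURCE_ALL))
 .collect(Collectors.toList()),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 ownerMappingRule()));
 });
@@ -568,7 +561,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 rangerPrivileges));
 break;
@@ -587,7 +579,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 rangerPrivileges));
 break;
@@ -606,7 +597,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 rangerPrivileges));
 break;
@@ -615,7 +605,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 ImmutableList.of(securableObject.name() /*Schema name*/),
-null,
 RangerHadoopSQLMetadataObject.Type.SCHEMA,
 rangerPrivileges));
 break;
@@ -637,7 +626,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 generateAuthorizationSecurableObject(
 ImmutableList.of(
 RangerHelper.RESOURCE_ALL, RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 rangerPrivileges));
 // Add `*.*.*` for the COLUMN permission
@@ -647,7 +635,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 rangerPrivileges));
 break;
@@ -658,7 +645,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 ImmutableList.of(
 securableObject.name() /*Schema name*/,
 RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 rangerPrivileges));
 // Add `{schema}.*.*` for the COLUMN permission
@@ -668,7 +654,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 securableObject.name() /*Schema name*/,
 RangerHelper.RESOURCE_ALL,
 RangerHelper.RESOURCE_ALL),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 rangerPrivileges));
 break;
@@ -686,7 +671,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerSecurableObjects.add(
 generateAuthorizationSecurableObject(
 rangerMetadataObject.names(),
-null,
 RangerHadoopSQLMetadataObject.Type.TABLE,
 rangerPrivileges));
 // Add `{schema}.{table}.*` for the COLUMN permission
@@ -696,7 +680,6 @@ public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject sec
 rangerMetadataObject.names().stream(),
 Stream.of(RangerHelper.RESOURCE_ALL))
 .collect(Collectors.toList()),
-null,
 RangerHadoopSQLMetadataObject.Type.COLUMN,
 rangerPrivileges));
 });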
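Review bot: The new `@Override generateAuthorizationSecurableObject(AuthorizationMetadataObject, Set)` in the first hunk accepts any `AuthorizationMetadataObject` yet forwards only `parent()`, `name()` and `type()` into the `RangerHadoopSQLSecurableObject`, so a path-based object (the kind the HDFS plugin now builds with a `recursive` flag) handed to this plugin would have its path and scope silently discarded instead of being rejected. `object.validateAuthorizationMetadataObject()` cannot catch that, since it is dispatched on the object's own class; a fail-closed guard before it, `Preconditions.checkArgument(object instanceof RangerHadoopSQLMetadataObject, "Unsupported metadata object for the Hadoop SQL plugin: %s", object);`, would, assuming Guava's `Preconditions` is importable here as `ImmutableList` already is. The list-based overload above it no longer overrides anything after this commit and should carry a one-line Javadoc stating that it is a convenience wrapper that builds a `RangerHadoopSQLMetadataObject` from `names` and delegates to the object-based overload. The remaining hunks sit inside `translateOwner` and `translatePrivilege`, whose bodies start and end outside this section.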

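--- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
+++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -1028,10 +1028,7 @@ public void close() throws IOException {}
 
 /** Generate authorization securable object */
 public abstract AuthorizationSecurableObject generateAuthorizationSecurableObject(
-List<String> names,
-String path,
-AuthorizationMetadataObject.Type type,
-Set<AuthorizationPrivilege> privileges);
+AuthorizationMetadataObject object, Set<AuthorizationPrivilege> privileges);
 
 public boolean validAuthorizationOperation(List<SecurableObject> securableObjects) {
 return securableObjects.stream()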
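Review bot: The abstract method's contract changed shape in this hunk but its Javadoc still reads `/** Generate authorization securable object */`, which says nothing about what an implementation must do with the new `object` parameter. Since the base class now hands implementations an arbitrary `AuthorizationMetadataObject` rather than names and a path, the Javadoc should state that each plugin must call `validateAuthorizationMetadataObject()` on it, must reject an object that is not the plugin's own metadata type rather than mapping it partially, and must document which exception that rejection raises so callers can handle it. I would replace the one-liner with a Javadoc carrying `@param object`, `@param privileges`, `@return` and `@throws` entries along those lines. The enclosing class continues outside this section.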
