in authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java [695:798]
public Boolean onMetadataUpdated(MetadataObjectChange... changes) throws RuntimeException {
for (MetadataObjectChange change : changes) {
if (change instanceof MetadataObjectChange.RenameMetadataObject) {
MetadataObjectChange.RenameMetadataObject renameChange =
(MetadataObjectChange.RenameMetadataObject) change;
MetadataObject metadataObject = renameChange.metadataObject();
MetadataObject newMetadataObject = renameChange.newMetadataObject();
Preconditions.checkArgument(
metadataObject.type() == newMetadataObject.type(),
"The old and new metadata object types must be equal!");
if (metadataObject.type() == MetadataObject.Type.METALAKE) {
// Rename the metalake name
this.metalake = newMetadataObject.name();
// Did not need to update the Ranger policy
continue;
} else if (metadataObject.type() == MetadataObject.Type.CATALOG) {
// Did not need to update the Ranger policy
continue;
}
// Like topics and filesets, their locations don't change, we don't need to modify the
// policies
if (renameChange.locations() == null || renameChange.locations().isEmpty()) {
continue;
}
// Only Hive managed tables will change the location
if (metadataObject.type() == MetadataObject.Type.TABLE) {
NameIdentifier ident = MetadataObjectUtil.toEntityIdent(metalake, newMetadataObject);
NameIdentifier catalogIdent = NameIdentifierUtil.getCatalogIdentifier(ident);
if (GravitinoEnv.getInstance()
.catalogDispatcher()
.loadCatalog(catalogIdent)
.provider()
.equals("hive")) {
Table table = GravitinoEnv.getInstance().tableDispatcher().loadTable(ident);
if (table.properties().get("table-type").equals("EXTERNAL_TABLE")) {
continue;
}
} else {
// Iceberg and other lake houses don't need to change the privileges of locations
continue;
}
}
List<AuthorizationMetadataObject> oldAuthzMetadataObjects = Lists.newArrayList();
renameChange
.locations()
.forEach(
locationPath -> {
PathBasedMetadataObject pathBaseMetadataObject =
new PathBasedMetadataObject(
metadataObject.parent(),
metadataObject.name(),
locationPath,
PathBasedMetadataObject.PathType.get(metadataObject.type()));
pathBaseMetadataObject.validateAuthorizationMetadataObject();
oldAuthzMetadataObjects.add(pathBaseMetadataObject);
});
List<AuthorizationMetadataObject> newAuthzMetadataObjects =
translateMetadataObject(newMetadataObject);
Preconditions.checkArgument(
oldAuthzMetadataObjects.size() == newAuthzMetadataObjects.size(),
"The old and new metadata objects sizes must be equal!");
for (int i = 0; i < oldAuthzMetadataObjects.size(); i++) {
AuthorizationMetadataObject oldAuthMetadataObject = oldAuthzMetadataObjects.get(i);
AuthorizationMetadataObject newAuthzMetadataObject = newAuthzMetadataObjects.get(i);
if (oldAuthMetadataObject.equals(newAuthzMetadataObject)) {
LOG.info(
"The metadata object({}) and new metadata object({}) are equal, so ignoring rename!",
oldAuthMetadataObject.fullName(),
newAuthzMetadataObject.fullName());
continue;
}
renameMetadataObject(oldAuthMetadataObject, newAuthzMetadataObject);
}
} else if (change instanceof MetadataObjectChange.RemoveMetadataObject) {
MetadataObjectChange.RemoveMetadataObject changeMetadataObject =
((MetadataObjectChange.RemoveMetadataObject) change);
List<AuthorizationMetadataObject> authzMetadataObjects = new ArrayList<>();
changeMetadataObject
.getLocations()
.forEach(
locationPath -> {
PathBasedMetadataObject pathBaseMetadataObject =
new PathBasedMetadataObject(
changeMetadataObject.metadataObject().parent(),
changeMetadataObject.metadataObject().name(),
locationPath,
PathBasedMetadataObject.PathType.get(
changeMetadataObject.metadataObject().type()));
pathBaseMetadataObject.validateAuthorizationMetadataObject();
authzMetadataObjects.add(pathBaseMetadataObject);
});
authzMetadataObjects.forEach(this::removeMetadataObject);
} else {
throw new IllegalArgumentException(
"Unsupported metadata object change type: "
+ (change == null ? "null" : change.getClass().getSimpleName()));
}
}
return Boolean.TRUE;
}