in authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java [401:539]
/**
 * Translates the Gravitino privileges granted on {@code securableObject} into Ranger HDFS
 * path-based securable objects.
 *
 * <p>Every non-null privilege is first looked up in {@link #privilegesMappingRule()}. A privilege
 * without a mapping entry is skipped: nothing is emitted for it, so the grant becomes a no-op on
 * HDFS rather than an over-grant. A mapped privilege is expanded into the corresponding Ranger
 * HDFS privileges (carrying the Gravitino condition through) and then attached to the storage
 * locations that belong to the securable object's metadata type.
 *
 * @param securableObject the Gravitino object the privileges are granted on
 * @return the Ranger securable objects for every HDFS location the privileges apply to; empty when
 *     no privilege translates to a path
 * @throws AuthorizationPluginException when a mapped privilege is granted on a metadata object type
 *     this plugin cannot bind it to
 */
public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject securableObject) {
  List<AuthorizationSecurableObject> translated = new ArrayList<>();
  MetadataObject.Type objectType = securableObject.type();

  // A metalake is addressed by its own name; anything below it is qualified with this plugin's
  // metalake so the identifier resolves to exactly one entity.
  NameIdentifier identifier;
  if (objectType.equals(MetadataObject.Type.METALAKE)) {
    identifier = NameIdentifier.of(securableObject.fullName());
  } else {
    identifier = NameIdentifier.parse(String.join(".", metalake, securableObject.fullName()));
  }

  securableObject.privileges().stream()
      .filter(Objects::nonNull)
      // Privileges with no HDFS mapping are dropped here; they never reach the switch below.
      .filter(privilege -> privilegesMappingRule().containsKey(privilege.name()))
      .forEach(
          privilege -> {
            Set<AuthorizationPrivilege> hdfsPrivileges = new HashSet<>();
            privilegesMappingRule()
                .get(privilege.name())
                .forEach(
                    mapped ->
                        hdfsPrivileges.add(
                            new RangerPrivileges.RangerHDFSPrivilegeImpl(
                                mapped, privilege.condition())));

            switch (privilege.name()) {
              case USE_CATALOG:
              case CREATE_CATALOG:
                // When HDFS backs the Hive storage layer, Hive has no `USE_CATALOG` /
                // `CREATE_CATALOG` privilege, so this plugin deliberately emits nothing for them.
                break;

              case USE_SCHEMA:
                if (objectType == MetadataObject.Type.METALAKE) {
                  extractMetalakeLocations(
                      securableObject, identifier, translated, hdfsPrivileges, true);
                } else if (objectType == MetadataObject.Type.CATALOG
                    || objectType == MetadataObject.Type.SCHEMA) {
                  AuthorizationUtils.getMetadataObjectLocation(
                          identifier, MetadataObjectUtil.toEntityType(securableObject))
                      .forEach(
                          location ->
                              createPathBasedMetadataObject(
                                  securableObject, location, translated, hdfsPrivileges, true));
                } else {
                  throw new AuthorizationPluginException(
                      ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilege.name(), objectType);
                }
                break;

              case CREATE_SCHEMA:
                // Unlike USE_SCHEMA, a schema object itself cannot receive CREATE_SCHEMA.
                if (objectType == MetadataObject.Type.METALAKE) {
                  extractMetalakeLocations(
                      securableObject, identifier, translated, hdfsPrivileges, false);
                } else if (objectType == MetadataObject.Type.CATALOG) {
                  AuthorizationUtils.getMetadataObjectLocation(
                          identifier, MetadataObjectUtil.toEntityType(securableObject))
                      .forEach(
                          location -> {
                            createPathBasedMetadataObject(
                                securableObject, location, translated, hdfsPrivileges, false);
                          });
                } else {
                  throw new AuthorizationPluginException(
                      ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilege.name(), objectType);
                }
                break;

              case SELECT_TABLE:
              case MODIFY_TABLE:
              case READ_FILESET:
              case WRITE_FILESET:
                // Table/fileset privileges rely on the privilege's own binding rules rather than
                // an explicit type list.
                if (!privilege.canBindTo(objectType)) {
                  throw new AuthorizationPluginException(
                      ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilege.name(), objectType);
                }
                createSecurableObjects(
                    securableObject,
                    translated,
                    identifier,
                    hdfsPrivileges,
                    true,
                    new TableOrFilesetPathExtractor());
                break;

              case CREATE_TABLE:
              case CREATE_FILESET:
                if (objectType != MetadataObject.Type.METALAKE
                    && objectType != MetadataObject.Type.CATALOG
                    && objectType != MetadataObject.Type.SCHEMA) {
                  throw new AuthorizationPluginException(
                      ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilege.name(), objectType);
                }
                createSecurableObjects(
                    securableObject,
                    translated,
                    identifier,
                    hdfsPrivileges,
                    false,
                    new SchemaPathExtractor());
                break;

              default:
                // Mapped by privilegesMappingRule() but not handled above: fail loudly rather
                // than silently granting nothing.
                throw new AuthorizationPluginException(
                    ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilege.name(), objectType);
            }
          });

  return translated;
}