in authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHadoopSQLPlugin.java [532:704]
public List<AuthorizationSecurableObject> translatePrivilege(SecurableObject securableObject) {
  // Translates every Gravitino privilege carried by `securableObject` into the Ranger
  // Hadoop-SQL securable objects (SCHEMA / TABLE / COLUMN resource paths plus the mapped
  // Ranger privileges) that realize it. Objects are returned in emission order; the list
  // may be empty.
  //
  // Per privilege: (1) null entries and privileges with no entry in privilegesMappingRule()
  // are skipped; (2) the mapped Ranger privileges are wrapped into ONE set, which is shared
  // by every securable object emitted for that privilege; (3) the resource path is chosen
  // from the privilege name and the securable object's type.
  //
  // Unsupported (privilege, object-type) pairs are NOT handled uniformly: USE_CATALOG,
  // CREATE_SCHEMA and USE_SCHEMA on an out-of-scope type, and CREATE_TABLE on a TABLE, throw
  // AuthorizationPluginException; the table privileges on any other type and the outer
  // `default` only log a warning and emit nothing for that privilege.
  // NOTE(review): a warned-about privilege silently disappears from the returned list; if a
  // caller uses this translation for revokes as well as grants, confirm such a privilege
  // cannot be left behind in the Ranger policy.
  List<AuthorizationSecurableObject> translated = new ArrayList<>();
  for (Privilege gravitinoPrivilege : securableObject.privileges()) {
    if (gravitinoPrivilege == null) {
      continue;
    }
    Privilege.Name privilegeName = gravitinoPrivilege.name();
    // No mapping rule means the privilege has no Ranger counterpart here; skip it.
    if (!privilegesMappingRule().containsKey(privilegeName)) {
      continue;
    }
    Set<AuthorizationPrivilege> rangerPrivileges = buildRangerPrivileges(gravitinoPrivilege);
    switch (privilegeName) {
      case CREATE_CATALOG:
        // Nothing to emit: the catalog level has no Ranger resource in this plugin.
        break;
      case USE_CATALOG:
      case CREATE_SCHEMA:
        // Both resolve to the wildcard SCHEMA resource (`*`); the Ranger privilege itself
        // (SELECT vs CREATE) comes from the mapping rule, not from this switch.
        switch (securableObject.type()) {
          case METALAKE:
          case CATALOG:
            addSchemaResource(translated, RangerHelper.RESOURCE_ALL, rangerPrivileges);
            break;
          default:
            throw unsupportedPrivilege(gravitinoPrivilege, securableObject);
        }
        break;
      case USE_SCHEMA:
        switch (securableObject.type()) {
          case METALAKE:
          case CATALOG:
            // SCHEMA(`*`)
            addSchemaResource(translated, RangerHelper.RESOURCE_ALL, rangerPrivileges);
            break;
          case SCHEMA:
            // SCHEMA(`{schema}`): the securable object's name is the schema name.
            addSchemaResource(translated, securableObject.name(), rangerPrivileges);
            break;
          default:
            throw unsupportedPrivilege(gravitinoPrivilege, securableObject);
        }
        break;
      case CREATE_TABLE:
      case MODIFY_TABLE:
      case SELECT_TABLE:
        // Table privileges always produce a TABLE resource and its matching COLUMN resource.
        switch (securableObject.type()) {
          case METALAKE:
          case CATALOG:
            // `*.*` for TABLE, `*.*.*` for COLUMN
            addTableAndColumnResources(
                translated,
                ImmutableList.of(RangerHelper.RESOURCE_ALL, RangerHelper.RESOURCE_ALL),
                ImmutableList.of(
                    RangerHelper.RESOURCE_ALL,
                    RangerHelper.RESOURCE_ALL,
                    RangerHelper.RESOURCE_ALL),
                rangerPrivileges);
            break;
          case SCHEMA:
            // `{schema}.*` for TABLE, `{schema}.*.*` for COLUMN
            addTableAndColumnResources(
                translated,
                ImmutableList.of(securableObject.name(), RangerHelper.RESOURCE_ALL),
                ImmutableList.of(
                    securableObject.name(),
                    RangerHelper.RESOURCE_ALL,
                    RangerHelper.RESOURCE_ALL),
                rangerPrivileges);
            break;
          case TABLE:
            // Creating a table is a schema-level right; on an existing table it is rejected.
            if (privilegeName == Privilege.Name.CREATE_TABLE) {
              throw unsupportedPrivilege(gravitinoPrivilege, securableObject);
            }
            // `{schema}.{table}` for TABLE, `{schema}.{table}.*` for COLUMN, one pair per
            // Ranger metadata object the securable object translates to.
            translateMetadataObject(securableObject)
                .forEach(
                    rangerMetadataObject ->
                        addTableAndColumnResources(
                            translated,
                            rangerMetadataObject.names(),
                            Stream.concat(
                                    rangerMetadataObject.names().stream(),
                                    Stream.of(RangerHelper.RESOURCE_ALL))
                                .collect(Collectors.toList()),
                            rangerPrivileges));
            break;
          default:
            // Warn-only path: the privilege is dropped rather than rejected.
            LOG.warn(
                ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilegeName, securableObject.type());
        }
        break;
      default:
        // Reached only for a privilege that has a mapping rule but no case above.
        LOG.warn(ErrorMessages.PRIVILEGE_NOT_SUPPORTED, privilegeName, securableObject.type());
    }
  }
  return translated;
}

/**
 * Wraps every Ranger privilege mapped from {@code gravitinoPrivilege} into a Hive privilege
 * carrying the Gravitino privilege's condition.
 *
 * <p>Precondition: {@code privilegesMappingRule()} contains the privilege's name (the caller
 * checks this first).
 */
private Set<AuthorizationPrivilege> buildRangerPrivileges(Privilege gravitinoPrivilege) {
  Set<AuthorizationPrivilege> rangerPrivileges = new HashSet<>();
  privilegesMappingRule()
      .get(gravitinoPrivilege.name())
      .forEach(
          rangerPrivilege ->
              rangerPrivileges.add(
                  new RangerPrivileges.RangerHivePrivilegeImpl(
                      rangerPrivilege, gravitinoPrivilege.condition())));
  return rangerPrivileges;
}

/** Builds the exception raised for a (privilege, object-type) pair this plugin rejects. */
private AuthorizationPluginException unsupportedPrivilege(
    Privilege gravitinoPrivilege, SecurableObject securableObject) {
  return new AuthorizationPluginException(
      ErrorMessages.PRIVILEGE_NOT_SUPPORTED, gravitinoPrivilege.name(), securableObject.type());
}

/** Appends one SCHEMA resource named {@code schemaName} (may be the `*` wildcard). */
private void addSchemaResource(
    List<AuthorizationSecurableObject> out,
    String schemaName,
    Set<AuthorizationPrivilege> rangerPrivileges) {
  out.add(
      generateAuthorizationSecurableObject(
          ImmutableList.of(schemaName),
          RangerHadoopSQLMetadataObject.Type.SCHEMA,
          rangerPrivileges));
}

/**
 * Appends a TABLE resource followed by its COLUMN resource, both granted the same
 * (shared) privilege set.
 */
private void addTableAndColumnResources(
    List<AuthorizationSecurableObject> out,
    List<String> tableNames,
    List<String> columnNames,
    Set<AuthorizationPrivilege> rangerPrivileges) {
  out.add(
      generateAuthorizationSecurableObject(
          tableNames, RangerHadoopSQLMetadataObject.Type.TABLE, rangerPrivileges));
  out.add(
      generateAuthorizationSecurableObject(
          columnNames, RangerHadoopSQLMetadataObject.Type.COLUMN, rangerPrivileges));
}