in authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java [461:581]
public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner newOwner)
throws AuthorizationPluginException {
Preconditions.checkArgument(newOwner != null, "The newOwner must be not null");
// Add the user or group to the Ranger
String preOwnerUserName = null,
preOwnerGroupName = null,
newOwnerUserName = null,
newOwnerGroupName = null;
AuditInfo auditInfo =
AuditInfo.builder()
.withCreator(PrincipalUtils.getCurrentPrincipal().getName())
.withCreateTime(Instant.now())
.build();
if (preOwner != null) {
if (preOwner.type() == Owner.Type.USER) {
preOwnerUserName = preOwner.name();
} else {
preOwnerGroupName = preOwner.name();
}
}
if (newOwner.type() == Owner.Type.USER) {
newOwnerUserName = newOwner.name();
UserEntity userEntity =
UserEntity.builder()
.withId(1L)
.withName(newOwnerUserName)
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onUserAdded(userEntity);
} else {
newOwnerGroupName = newOwner.name();
GroupEntity groupEntity =
GroupEntity.builder()
.withId(1L)
.withName(newOwnerGroupName)
.withRoleNames(Collections.emptyList())
.withRoleIds(Collections.emptyList())
.withAuditInfo(auditInfo)
.build();
onGroupAdded(groupEntity);
}
List<AuthorizationSecurableObject> rangerSecurableObjects = translateOwner(metadataObject);
String ownerRoleName;
switch (metadataObject.type()) {
case METALAKE:
case CATALOG:
// The metalake and catalog use role to manage the owner
if (metadataObject.type() == MetadataObject.Type.METALAKE) {
ownerRoleName = RangerHelper.GRAVITINO_METALAKE_OWNER_ROLE;
} else {
ownerRoleName = RangerHelper.GRAVITINO_CATALOG_OWNER_ROLE;
}
rangerHelper.createRangerRoleIfNotExists(ownerRoleName, true);
rangerHelper.createRangerRoleIfNotExists(RangerHelper.GRAVITINO_OWNER_ROLE, true);
try {
if (preOwnerUserName != null || preOwnerGroupName != null) {
GrantRevokeRoleRequest revokeRoleRequest =
rangerHelper.createGrantRevokeRoleRequest(
ownerRoleName, preOwnerUserName, preOwnerGroupName);
rangerClient.revokeRole(rangerServiceName, revokeRoleRequest);
}
if (newOwnerUserName != null || newOwnerGroupName != null) {
GrantRevokeRoleRequest grantRoleRequest =
rangerHelper.createGrantRevokeRoleRequest(
ownerRoleName, newOwnerUserName, newOwnerGroupName);
rangerClient.grantRole(rangerServiceName, grantRoleRequest);
}
} catch (RangerServiceException e) {
// Ignore exception, support idempotent operation
LOG.warn("Grant owner role: {} failed!", ownerRoleName, e);
}
rangerSecurableObjects.forEach(
rangerSecurableObject -> {
RangerPolicy policy = findManagedPolicy(rangerSecurableObject);
try {
if (policy == null) {
policy = addOwnerRoleToNewPolicy(rangerSecurableObject, ownerRoleName);
rangerClient.createPolicy(policy);
} else {
rangerHelper.updatePolicyOwnerRole(policy, ownerRoleName);
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
throw new AuthorizationPluginException(e, "Failed to add the owner to the Ranger!");
}
});
break;
case SCHEMA:
case TABLE:
case FILESET:
// The schema and table use user/group to manage the owner
rangerSecurableObjects.stream()
.forEach(
AuthorizationSecurableObject -> {
RangerPolicy policy = findManagedPolicy(AuthorizationSecurableObject);
try {
if (policy == null) {
policy = addOwnerToNewPolicy(AuthorizationSecurableObject, newOwner);
rangerClient.createPolicy(policy);
} else {
rangerHelper.updatePolicyOwner(policy, preOwner, newOwner);
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
throw new AuthorizationPluginException(
e, "Failed to add the owner to the Ranger!");
}
});
break;
default:
throw new AuthorizationPluginException(
ErrorMessages.OWNER_PRIVILEGE_NOT_SUPPORTED, metadataObject.type());
}
return Boolean.TRUE;
}