[GitHub] [doris] morningman opened a new pull request, #16802: [Refactor](auth)(step-2) Add AccessController to support customized authorization

[via GitHub]

morningman opened a new pull request, #16802:
URL: https://github.com/apache/doris/pull/16802

   # Proposed changes
   
   Issue Number: close #xxx
   
   ## Problem summary
   
   1. Support sepcifying AccessControllerFactory when creating catalog
   
       ```
       create catalog hive properties(
       ...
       "access_controller.name" = "my_access",
       "access_controller.my_access.class" = 
"org.apache.doris.mysql.privilege.RangerAccessControllerFactory",
       "access_controller.my_access.properties.prop1" = "xxx",
       "access_controller.my_access.properties.prop2" = "yyy",
       ...
       )
       ```
   
       So that user can specified their own access controller, such as 
RangerAccessController
   
   2. Add interface to check column level privilege
   
       A new method of CatalogAccessController: `checkColsPriv()`,
       for checking column level privileges.
   
       TODO:
       Support grant column level privileges statements in Doris
   
   3. Add TestExternalCatalog/Database/Table/ScanNode
   
       These classes is used for FE unit test. In unit test you can
       
       ```
       create catalog test1 properties(
           "type" = "test"
           "catalog_provider.class" = 
"org.apache.doris.datasource.ColumnPrivTest$MockedCatalogProvider"
           "access_controller.name" = "my_access",
           "access_controller.my_access.class" = 
"org.apache.doris.mysql.privilege.TestAccessControllerFactory",
           "access_controller.my_access.properties.key1" = "val1",
           "access_controller.my_access.properties.key2" = "val2"
       );
       ```
   
       To create a test catalog, and specify `catalog_provider` to mock 
database/table/schema metadata
   
   4. Set roles in `current user indentity` in connection context
   
       The roles can be used for authorization in access controller.
   
   ## Checklist(Required)
   
   * [ ] Does it affect the original behavior
   * [ ] Has unit tests been added
   * [ ] Has document been added or modified
   * [ ] Does it need to update dependencies
   * [ ] Is this PR support rollback (If NO, please explain WHY)
   
   ## Further comments
   
   If this is a relatively large or complex change, kick off the discussion at 
[d...@doris.apache.org](mailto:d...@doris.apache.org) by explaining why you 
chose the solution you did and what alternatives you considered, etc...
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@doris.apache.org
For additional commands, e-mail: commits-h...@doris.apache.org