This is an automated email from the ASF dual-hosted git repository. pradeep pushed a commit to branch ranger-4859_master in repository https://gitbox.apache.org/repos/asf/ranger.git
commit fe234b0d3f41b5160d2f9069929a0f5a9f25814c
Author: Pradeep AgrawaL <prad...@apache.org>
AuthorDate: Tue Jul 16 11:52:32 2024 +0530
RANGER-4859: Update Trino service-def in Ranger for authorization changes
---
.../service-defs/ranger-servicedef-trino.json | 122 ++-
distro/pom.xml | 36 +-
.../trino/authorizer/RangerConfig.java | 81 --
.../authorizer/RangerSystemAccessControl.java | 1030 --------------------
.../RangerSystemAccessControlFactory.java | 63 --
.../trino/authorizer/TrinoRangerPlugin.java | 34 -
.../authorizer/RangerSystemAccessControlTest.java | 204 ----
pom.xml | 38 +-
.../optimized/current/ranger_core_db_mysql.sql | 2 +
.../optimized/current/ranger_core_db_oracle.sql | 2 +
.../optimized/current/ranger_core_db_postgres.sql | 2 +
.../current/ranger_core_db_sqlanywhere.sql | 4 +
.../optimized/current/ranger_core_db_sqlserver.sql | 2 +
.../patch/PatchForTrinoSvcDefUpdate_J10062.java | 315 ++++++
14 files changed, 451 insertions(+), 1484 deletions(-)
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
index 802c72c7a..76e1b1384 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
@@ -203,6 +203,70 @@
 "label": "Schema Procedure",
 "description": "Schema Procedure",
 "accessTypeRestrictions": ["execute", "grant"]
+ },
+ {
+ "itemId": 10,
+ "name": "schemafunction",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard": true, "ignoreCase": true },
+ "label": "Schema Function",
+ "description": "Schema Function",
+ "accessTypeRestrictions": [ "create", "drop", "show" ]
+ },
+ {
+ "itemId": 11,
+ "name": "queryid",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard": true, "ignoreCase": true },
+ "label": "Query ID",
+ "description": "Query ID",
+ "accessTypeRestrictions": [ "execute" ]
+ },
+ {
+ "itemId": 12,
+ "name": "sysinfo",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard": true, "ignoreCase": true },
+ "label": "System Information",
+ "description": "Trino System Information",
+ "accessTypeRestrictions": [ "read_sysinfo", "write_sysinfo" ]
+ },
+ {
+ "itemId": 13,
+ "name": "role",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": { "wildCard": true, "ignoreCase": true },
+ "label": "Role",
+ "description": "Trino Role",
+ "accessTypeRestrictions": [ "create", "drop", "show", "grant", "revoke" ]
 }
 ],
 "accessTypes": [
@@ -288,14 +352,28 @@
 "revoke",
 "show",
 "impersonate",
- "execute"
+ "execute",
+ "read_sysinfo",
+ "write_sysinfo"
 ]
 },
 {
 "itemId": 13,
 "name": "execute",
- "label": "execute",
+ "label": "Execute",
 "category": "READ"
+ },
+ {
+ "itemId": 14,
+ "name": "read_sysinfo",
+ "label": "Read System Information",
+ "category": "MANAGE"
+ },
+ {
+ "itemId": 15,
+ "name": "write_sysinfo",
+ "label": "Write System Information",
+ "category": "MANAGE"
 }
 ],
 "configs": [
@@ -338,6 +416,44 @@
 "validationRegEx": "",
 "validationMessage": "",
 "uiHint": ""
+ },
+ {
+ "itemId": 5,
+ "name": "ranger.plugin.audit.filters",
+ "type": "string",
+ "defaultValue": "[{'accessResult':'DENIED','isAudited':true},{'isAudited':false,'resources':{'queryid':{'values':['*']}},'accessTypes':['execute']},{'isAudited':false,'resources':{'trinouser':{'values':['{USER}']}},'accessTypes':['impersonate']}]"
+ },
+ {
+ "itemId": 6,
+ "name": "ranger.plugin.super.users",
+ "label": "Superusers",
+ "description": "Superusers will have all access on resources in this Trino instance",
+ "type": "string",
+ "defaultValue": "trino"
+ },
+ {
+ "itemId": 7,
+ "name": "ranger.plugin.super.groups",
+ "label": "Superuser groups",
+ "description": "Users in superuser groups will have all access on resources in this Trino instance",
+ "type": "string",
+ "defaultValue": "trino"
+ },
+ {
+ "itemId": 8,
+ "name": "service.admin.users",
+ "label": "Service admin users",
+ "description": "Service admin users can create authorization policies for any resource in this Trino instance",
+ "type": "string",
+ "defaultValue": "trino"
+ },
+ {
+ "itemId": 9,
+ "name": "service.admin.groups",
+ "label": "Service admin usergroups",
+ "description": "Users in service admin usergroups can create authorization policies for any resource in this Trino instance",
+ "type": "string",
+ "defaultValue": "trino"
 }
 ],
 "enums": [
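Review bot: The added `"read_sysinfo"` and `"write_sysinfo"` entries at the top of the `@@ -288,14 +352,28 @@` hunk extend a list that already holds `"revoke"`, `"show"`, `"impersonate"` and `"execute"` inside an existing access-type object whose `name` is outside the hunk; if that list is the `impliedGrants` of an aggregate access type such as `all`, every policy that already grants that aggregate acquires read and write of Trino system information as soon as the service-def is updated, with no policy edit by an administrator. That may well be the intended semantics of an all-access grant, but it deserves a sentence in the commit message or a `"description"` on the two new access-type entries, which currently carry only `label` and `category`, e.g. `"description": "Read Trino system information; implied by the aggregate access type"`. The `MANAGE` category on both and the `execute` label fix to `Execute` look fine.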
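Review bot: Config item 5 (`ranger.plugin.audit.filters`) in the `@@ -338,6 +416,44 @@` hunk is the only new entry without `label` and `description`, while items 6–9 have both, so administrators see a bare property name next to a dense default; add `"label": "Audit filters"` and a description stating what the default does. What it does matters for operators: every DENIED result is audited, but `execute` on any `queryid` and `impersonate` of `{USER}` on `trinouser` are excluded, so allowed query execution and self-impersonation leave no audit record unless the filter is overridden per service. Items 6–9 default super users, super groups, service-admin users and service-admin groups all to `trino`; by the hunk's own descriptions that is full access on every resource and policy-creation rights for any resource, so each description should say that the value is the Trino service identity and is expected to be reviewed per deployment, and the group defaults assume the plugin resolves a group literally named `trino` for that identity.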
@@ -482,4 +598,4 @@
 ]
 }
-}
\ No newline at end of file
+}
diff --git a/distro/pom.xml b/distro/pom.xml
index c228c22ea..239d395f1 100644
--- a/distro/pom.xml
+++ b/distro/pom.xml
@@ -75,42 +75,8 @@
 <descriptor>src/main/assembly/plugin-elasticsearch.xml</descriptor>
 <descriptor>src/main/assembly/plugin-schema-registry.xml</descriptor>
 <descriptor>src/main/assembly/plugin-presto.xml</descriptor>
- <descriptor>src/main/assembly/sample-client.xml</descriptor>
- </descriptors>
- </configuration>
- </execution>
- </executions>
- </plugin>
- </plugins>
- </build>
- </profile>
-
- <profile>
- <id>ranger-jdk11</id>
- <activation>
- <jdk>11</jdk>
- </activation>
- <build>
- <plugins>
- <plugin>
- <artifactId>maven-assembly-plugin</artifactId>
- <version>${assembly.plugin.version}</version>
- <configuration>
- <finalName>ranger-${project.version}</finalName>
- <outputDirectory>../target</outputDirectory>
- </configuration>
- <executions>
- <execution>
- <goals>
- <goal>single</goal>
- </goals>
- <phase>package</phase>
- <configuration>
- <skipAssembly>false</skipAssembly>
- <descriptors>
- <descriptor>src/main/assembly/admin-web.xml</descriptor>
- <descriptor>src/main/assembly/solr_audit_conf.xml</descriptor>
 <descriptor>src/main/assembly/plugin-trino.xml</descriptor>
+ <descriptor>src/main/assembly/sample-client.xml</descriptor>
 </descriptors>
 </configuration>
 </execution>
diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
deleted file mode 100644
index 53e1eac9a..000000000
--- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
+++ /dev/null
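Review bot: `plugin-trino.xml` stays in the descriptor list of the surviving profile (its `<profile>` and `<id>` open above the `@@ -75,42 +75,8 @@` hunk) while the same commit deletes the plugin's sources under `plugin-trino/src/main/java/.../authorizer`, so the Trino assembly now runs on every JDK and packages whatever the `plugin-trino` module still produces; confirm that `src/main/assembly/plugin-trino.xml` and that module are still consistent (the root `pom.xml` change in the diffstat is not in this excerpt). Dropping the `ranger-jdk11` profile also drops its explicit `<skipAssembly>false</skipAssembly>`; if the surviving profile's configuration differs, the Trino tarball could silently stop being produced rather than failing the build, which is worth one build-log check. A short comment above the descriptor, `<!-- plugin-trino is packaged by the default assembly since RANGER-4859 -->`, would save the next reader from hunting for the removed profile.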
@@ -1,81 +0,0 @@
-/*
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.ranger.authorization.trino.authorizer;
-
-import io.airlift.configuration.Config;
-import io.airlift.configuration.ConfigDescription;
-
-public class RangerConfig
-{
- private String keytab;
- private String principal;
- private boolean useUgi;
- private String hadoopConfigPath;
-
- public String getKeytab()
- {
- return keytab;
- }
-
- @Config("ranger.keytab")
- @ConfigDescription("Keytab for authentication against Ranger")
- @SuppressWarnings("unused")
- public RangerConfig setKeytab(String keytab)
- {
- this.keytab = keytab;
- return this;
- }
-
- public String getPrincipal()
- {
- return principal;
- }
-
- @Config("ranger.principal")
- @ConfigDescription("Principal for authentication against Ranger with keytab")
- @SuppressWarnings("unused")
- public RangerConfig setPrincipal(String principal)
- {
- this.principal = principal;
- return this;
- }
-
- public boolean isUseUgi()
- {
- return useUgi;
- }
-
- @Config("ranger.use_ugi")
- @ConfigDescription("Use Hadoop User Group Information instead of Trino groups")
- @SuppressWarnings("unused")
- public RangerConfig setUseUgi(boolean useUgi)
- {
- this.useUgi = useUgi;
- return this;
- }
-
- @Config("ranger.hadoop_config")
- @ConfigDescription("Path to hadoop configuration. Defaults to trino-ranger-site.xml in classpath")
- @SuppressWarnings("unused")
- public RangerConfig setHadoopConfigPath(String hadoopConfigPath)
- {
- this.hadoopConfigPath = hadoopConfigPath;
- return this;
- }
-
- public String getHadoopConfigPath()
- {
- return hadoopConfigPath;
- }
-}
diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
deleted file mode 100644
index 4fb5dfa9a..000000000
--- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
+++ /dev/null
@@ -1,1030 +0,0 @@ -/* - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.ranger.authorization.trino.authorizer; - -import com.google.common.collect.ImmutableList; -import com.google.inject.Inject; -import io.trino.spi.connector.CatalogSchemaName; -import io.trino.spi.connector.CatalogSchemaRoutineName; -import io.trino.spi.connector.CatalogSchemaTableName; -import io.trino.spi.connector.SchemaTableName; -import io.trino.spi.security.AccessDeniedException; -import io.trino.spi.security.Privilege; -import io.trino.spi.security.SystemAccessControl; -import io.trino.spi.security.SystemSecurityContext; -import io.trino.spi.security.TrinoPrincipal; -import io.trino.spi.security.ViewExpression; -import io.trino.spi.type.Type; -import org.apache.commons.lang.StringUtils; -import org.apache.hadoop.conf.Configuration; -import org.apache.hadoop.security.UserGroupInformation; -import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler; -import org.apache.ranger.plugin.model.RangerPolicy; -import org.apache.ranger.plugin.model.RangerServiceDef; -import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; -import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; -import org.apache.ranger.plugin.policyengine.RangerAccessResult; -import org.apache.ranger.plugin.service.RangerBasePlugin; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.IOException; -import java.net.URL; -import 
java.security.Principal; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Date; -import java.util.HashSet; -import java.util.List; -import java.util.Map; -import java.util.Optional; -import java.util.Set; - -import static java.util.Locale.ENGLISH; - -public class RangerSystemAccessControl - implements SystemAccessControl -{ - private static final Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class); - - public static final String RANGER_TRINO_DEFAULT_HADOOP_CONF = "trino-ranger-site.xml"; - public static final String RANGER_TRINO_SERVICETYPE = "trino"; - public static final String RANGER_TRINO_APPID = "trino"; - - private final RangerBasePlugin rangerPlugin; - private final boolean useUgi; - - @Inject - public RangerSystemAccessControl(RangerConfig config) - { - super(); - - Configuration hadoopConf = new Configuration(); - - if (config.getHadoopConfigPath() != null) { - URL url = hadoopConf.getResource(config.getHadoopConfigPath()); - - if (url == null) { - LOG.warn("Hadoop config " + config.getHadoopConfigPath() + " not found"); - } - else { - hadoopConf.addResource(url); - } - } - else { - URL url = hadoopConf.getResource(RANGER_TRINO_DEFAULT_HADOOP_CONF); - - if (LOG.isDebugEnabled()) { - LOG.debug("Trying to load Hadoop config from " + url + " (can be null)"); - } - - if (url != null) { - hadoopConf.addResource(url); - } - } - - UserGroupInformation.setConfiguration(hadoopConf); - - if (config.getKeytab() != null && config.getPrincipal() != null) { - String keytab = config.getKeytab(); - String principal = config.getPrincipal(); - - LOG.info("Performing kerberos login with principal " + principal + " and keytab " + keytab); - - try { - UserGroupInformation.loginUserFromKeytab(principal, keytab); - } - catch (IOException ioe) { - LOG.error("Kerberos login failed", ioe); - - throw new RuntimeException(ioe); - } - } - - useUgi = config.isUseUgi(); - rangerPlugin = new RangerBasePlugin(RANGER_TRINO_SERVICETYPE, 
RANGER_TRINO_APPID); - - rangerPlugin.init(); - rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler()); - } - - /** FILTERING AND DATA MASKING **/ - - private RangerAccessResult getDataMaskResult(RangerTrinoAccessRequest request) - { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getDataMaskResult(request=" + request + ")"); - } - - RangerAccessResult ret = rangerPlugin.evalDataMaskPolicies(request, null); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret); - } - - return ret; - } - - private RangerAccessResult getRowFilterResult(RangerTrinoAccessRequest request) - { - if (LOG.isDebugEnabled()) { - LOG.debug("==> getRowFilterResult(request=" + request + ")"); - } - - RangerAccessResult ret = rangerPlugin.evalRowFilterPolicies(request, null); - - if (LOG.isDebugEnabled()) { - LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret); - } - - return ret; - } - - private boolean isDataMaskEnabled(RangerAccessResult result) - { - return result != null && result.isMaskEnabled(); - } - - private boolean isRowFilterEnabled(RangerAccessResult result) - { - return result != null && result.isRowFilterEnabled(); - } - - @Override - public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) - { - RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT); - RangerAccessResult result = getRowFilterResult(request); - ViewExpression viewExpression = null; - - if (isRowFilterEnabled(result)) { - String filter = result.getFilterExpr(); - - viewExpression = new ViewExpression(context.getIdentity().getUser(), Optional.of(tableName.getCatalogName()), Optional.of(tableName.getSchemaTableName().getSchemaName()), filter); - } - - return Optional.ofNullable(viewExpression); - } - - @Override - public List<ViewExpression> getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) - { - 
return getRowFilter(context, tableName).map(ImmutableList::of).orElseGet(ImmutableList::of); - } - - @Override - public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) - { - RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(), tableName.getSchemaTableName().getTableName(), Optional.of(columnName)), context, TrinoAccessType.SELECT); - RangerAccessResult result = getDataMaskResult(request); - ViewExpression viewExpression = null; - - if (isDataMaskEnabled(result)) { - String maskType = result.getMaskType(); - RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef(); - String transformer = null; - - if (maskTypeDef != null) { - transformer = maskTypeDef.getTransformer(); - } - - if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) { - transformer = "NULL"; - } - else if (StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) { - String maskedValue = result.getMaskedValue(); - - if (maskedValue == null) { - transformer = "NULL"; - } - else { - transformer = maskedValue; - } - } - - if (StringUtils.isNotEmpty(transformer)) { - transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName()); - } - - viewExpression = new ViewExpression(context.getIdentity().getUser(), Optional.of(tableName.getCatalogName()), Optional.of(tableName.getSchemaTableName().getSchemaName()), transformer); - - if (LOG.isDebugEnabled()) { - LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s"); - } - } - - return Optional.ofNullable(viewExpression); - } - - @Override - public List<ViewExpression> getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) - { - return getColumnMask(context, tableName, columnName, 
type).map(ImmutableList::of).orElseGet(ImmutableList::of); - } - - @Override - public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) - { - LOG.debug("==> RangerSystemAccessControl.filterCatalogs(" + catalogs + ")"); - - Set<String> filteredCatalogs = new HashSet<>(catalogs.size()); - - for (String catalog : catalogs) { - if (hasPermission(createResource(catalog), context, TrinoAccessType.SELECT)) { - filteredCatalogs.add(catalog); - } - } - - return filteredCatalogs; - } - - @Override - public Set<String> filterSchemas(SystemSecurityContext context, String catalogName, Set<String> schemaNames) - { - LOG.debug("==> RangerSystemAccessControl.filterSchemas(" + catalogName + ")"); - - Set<String> filteredSchemaNames = new HashSet<>(schemaNames.size()); - - for (String schemaName : schemaNames) { - if (hasPermission(createResource(catalogName, schemaName), context, TrinoAccessType.SELECT)) { - filteredSchemaNames.add(schemaName); - } - } - - return filteredSchemaNames; - } - - @Override - public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames) - { - LOG.debug("==> RangerSystemAccessControl.filterTables(" + catalogName + ")"); - - Set<SchemaTableName> filteredTableNames = new HashSet<>(tableNames.size()); - - for (SchemaTableName tableName : tableNames) { - RangerTrinoResource res = createResource(catalogName, tableName.getSchemaName(), tableName.getTableName()); - if (hasPermission(res, context, TrinoAccessType.SELECT)) { - filteredTableNames.add(tableName); - } - } - - return filteredTableNames; - } - - /** PERMISSION CHECKS ORDERED BY SYSTEM, CATALOG, SCHEMA, TABLE, VIEW, COLUMN, QUERY, FUNCTIONS, PROCEDURES **/ - - /** SYSTEM **/ - - @Override - public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) - { - if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) { - 
LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied"); - - AccessDeniedException.denySetSystemSessionProperty(propertyName); - } - } - - @Override - public void checkCanImpersonateUser(SystemSecurityContext context, String userName) - { - if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) { - LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied"); - - AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName); - } - } - - @Override - public void checkCanSetUser(Optional<Principal> principal, String userName) - { - // pass as it is deprecated - } - - /** CATALOG **/ - @Override - public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) - { - if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied"); - - AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName); - } - } - - @Override - public void checkCanShowRoles(SystemSecurityContext context) - { - //allow - } - - @Override - public void checkCanShowCurrentRoles(SystemSecurityContext context) - { - //allow - } - - @Override - public void checkCanShowRoleGrants(SystemSecurityContext context) - { - //allow - } - - @Override - public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) - { - if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) { - LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied"); - - AccessDeniedException.denyCatalogAccess(catalogName); - } - } - - @Override - public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) - { - if (!hasPermission(createResource(catalogName), context, TrinoAccessType.SHOW)) { - 
LOG.debug("RangerSystemAccessControl.checkCanShowSchemas(" + catalogName + ") denied"); - - AccessDeniedException.denyShowSchemas(catalogName); - } - } - - /** SCHEMA **/ - - @Override - public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) - { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.GRANT)) { - LOG.debug("RangerSystemAccessControl.checkCanSetSchemaAuthorization(" + schema.getSchemaName() + ") denied"); - - AccessDeniedException.denySetSchemaAuthorization(schema.getSchemaName(), principal); - } - } - - @Override - public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) - { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.SHOW)) { - LOG.debug("RangerSystemAccessControl.checkCanShowCreateSchema(" + schema.getSchemaName() + ") denied"); - - AccessDeniedException.denyShowCreateSchema(schema.getSchemaName()); - } - } - - /** - * Create schema is evaluated on the level of the Catalog. 
This means that it is assumed you have permission - * to create a schema when you have create rights on the catalog level - */ - @Override - public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) - { - if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) { - LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied"); - - AccessDeniedException.denyCreateSchema(schema.getSchemaName()); - } - } - - /** - * This is evaluated against the schema name as ownership information is not available - */ - @Override - public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) - { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.DROP)) { - LOG.debug("RangerSystemAccessControl.checkCanDropSchema(" + schema.getSchemaName() + ") denied"); - - AccessDeniedException.denyDropSchema(schema.getSchemaName()); - } - } - - /** - * This is evaluated against the schema name as ownership information is not available - */ - @Override - public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) - { - RangerTrinoResource res = createResource(schema.getCatalogName(), schema.getSchemaName()); - if (!hasPermission(res, context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanRenameSchema(" + schema.getSchemaName() + ") denied"); - - AccessDeniedException.denyRenameSchema(schema.getSchemaName(), newSchemaName); - } - } - - /** TABLE **/ - - @Override - public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) - { - if (!hasPermission(createResource(schema), context, TrinoAccessType.SHOW)) { - LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + schema.toString() + ") denied"); - - AccessDeniedException.denyShowTables(schema.toString()); - } - } - - @Override - public void 
checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) { - LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied"); - - AccessDeniedException.denyShowCreateTable(table.toString()); - } - } - - /** - * Create table is verified on schema level - */ - @Override - public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map<String, Object> properties) - { - if (!hasPermission(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) { - LOG.debug("RangerSystemAccessControl.checkCanCreateTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyCreateTable(table.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated against the table name as ownership information is not available - */ - @Override - public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.DROP)) { - LOG.debug("RangerSystemAccessControl.checkCanDropTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyDropTable(table.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated against the table name as ownership information is not available - */ - @Override - public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) - { - RangerTrinoResource res = createResource(table); - - if (!hasPermission(res, context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanRenameTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyRenameTable(table.getSchemaTableName().getTableName(), newTable.getSchemaTableName().getTableName()); - 
} - } - - @Override - public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) - { - RangerTrinoResource res = createResource(table); - - if (!hasPermission(res, context, TrinoAccessType.INSERT)) { - LOG.debug("RangerSystemAccessControl.checkCanInsertIntoTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyInsertTable(table.getSchemaTableName().getTableName()); - } - } - - @Override - public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) { - LOG.debug("RangerSystemAccessControl.checkCanDeleteFromTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyDeleteTable(table.getSchemaTableName().getTableName()); - } - } - - @Override - public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) { - LOG.debug("RangerSystemAccessControl.checkCanTruncateTable(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyTruncateTable(table.getSchemaTableName().getTableName()); - } - } - - @Override - public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean withGrantOption) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.GRANT)) { - LOG.debug("RangerSystemAccessControl.checkCanGrantTablePrivilege(" + table + ") denied"); - - AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString()); - } - } - - @Override - public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOptionFor) - { - if (!hasPermission(createResource(table), context, 
TrinoAccessType.REVOKE)) { - LOG.debug("RangerSystemAccessControl.checkCanRevokeTablePrivilege(" + table + ") denied"); - - AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString()); - } - } - - @Override - public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanSetTableComment(" + table.toString() + ") denied"); - - AccessDeniedException.denyCommentTable(table.toString()); - } - } - - @Override - public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanSetColumnComment(" + table.toString() + ") denied"); - - AccessDeniedException.denyCommentColumn(table.toString()); - } - } - - /** - * Create view is verified on schema level - */ - @Override - public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) - { - if (!hasPermission(createResource(view.getCatalogName(), view.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) { - LOG.debug("RangerSystemAccessControl.checkCanCreateView(" + view.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated against the table name as ownership information is not available - */ - @Override - public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) - { - if (!hasPermission(createResource(view), context, TrinoAccessType.DROP)) { - LOG.debug("RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName()); - } - } - - @Override - public void 
checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal) - { - if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanSetViewAuthorization(" + view.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denySetViewAuthorization(view.toString(), principal); - } - } - - /** - * This check equals the check for checkCanCreateView - */ - @Override - public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) - { - try { - checkCanCreateView(context, table); - } - catch (AccessDeniedException ade) { - LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity()); - } - } - - /** - * - * check if materialized view can be created - */ - @Override - public void checkCanCreateMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView, Map<String, Object> properties) - { - if (!hasPermission(createResource(materializedView), context, TrinoAccessType.CREATE)) { - LOG.debug("RangerSystemAccessControl.checkCanCreateMaterializedView( " + materializedView.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyCreateMaterializedView(materializedView.getSchemaTableName().getTableName()); - } - } - - @Override - public void checkCanDropMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView) - { - if (!hasPermission(createResource(materializedView), context, TrinoAccessType.DROP)) { - LOG.debug("RangerSystemAccessControl.checkCanDropMaterializedView(" + materializedView.getSchemaTableName().getTableName() + ") denied"); - - 
AccessDeniedException.denyCreateView(materializedView.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated against the table name as ownership information is not available - */ - @Override - public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) - { - if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanRenameView(" + view.toString() + ") denied"); - - AccessDeniedException.denyRenameView(view.toString(), newView.toString()); - } - } - - /** COLUMN **/ - - /** - * This is evaluated on table level - */ - @Override - public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) - { - RangerTrinoResource res = createResource(table); - - if (!hasPermission(res, context, TrinoAccessType.ALTER)) { - AccessDeniedException.denyAddColumn(table.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated on table level - */ - @Override - public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) - { - RangerTrinoResource res = createResource(table); - - if (!hasPermission(res, context, TrinoAccessType.DROP)) { - LOG.debug("RangerSystemAccessControl.checkCanDropColumn(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyDropColumn(table.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated on table level - */ - @Override - public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) - { - RangerTrinoResource res = createResource(table); - - if (!hasPermission(res, context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanRenameColumn(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denyRenameColumn(table.getSchemaTableName().getTableName()); - } - } - - /** - * This is evaluated on table 
level - */ - @Override - public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) - { - if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) { - LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied"); - AccessDeniedException.denyShowColumns(table.toString()); - } - } - - @Override - public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) - { - for (RangerTrinoResource res : createResource(table, columns)) { - if (!hasPermission(res, context, TrinoAccessType.SELECT)) { - LOG.debug("RangerSystemAccessControl.checkCanSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied"); - - AccessDeniedException.denySelectColumns(table.getSchemaTableName().getTableName(), columns); - } - } - } - - /** - * This is a NOOP, no filtering is applied - */ - @Override - public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) - { - return columns; - } - - /** QUERY **/ - - /** - * This is a NOOP. 
Everyone can execute a query - */ - @Override - public void checkCanExecuteQuery(SystemSecurityContext context) - { - } - - @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) { - LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied"); - - AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner); - } - } - - /** - * This is a NOOP, no filtering is applied - */ - @Override - public Set<String> filterViewQueryOwnedBy(SystemSecurityContext context, Set<String> queryOwners) - { - return queryOwners; - } - - @Override - public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) - { - if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) { - LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied"); - - AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner); - } - } - - /** FUNCTIONS **/ - @Override - public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, TrinoPrincipal grantee, boolean grantOption) - { - if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.GRANT)) { - LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied"); - - AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName()); - } - } - - @Override - public void checkCanExecuteFunction(SystemSecurityContext context, String function) - { - if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.EXECUTE)) { - LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied"); - - AccessDeniedException.denyExecuteFunction(function); - } - } - - /** PROCEDURES **/ - @Override - 
public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) - { - if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) { - LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied"); - - AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName()); - } - } - - @Override - public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName catalogSchemaTableName, String procedure) - { - if (!hasPermission(createResource(catalogSchemaTableName), context, TrinoAccessType.ALTER)) { - LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure + ") denied"); - - AccessDeniedException.denyExecuteTableProcedure(catalogSchemaTableName.toString(), procedure); - } - } - - /** HELPER FUNCTIONS **/ - - private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) - { - Set<String> userGroups = null; - - if (useUgi) { - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser()); - String[] groups = ugi != null ? 
ugi.getGroupNames() : null; - - if (groups != null && groups.length > 0) { - userGroups = new HashSet<>(Arrays.asList(groups)); - } - } - else { - userGroups = context.getIdentity().getGroups(); - } - - RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(resource, context.getIdentity().getUser(), userGroups, accessType); - - return request; - } - - private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) - { - RangerTrinoAccessRequest request = createAccessRequest(resource, context, accessType); - RangerAccessResult result = rangerPlugin.isAccessAllowed(request); - - return result != null && result.getIsAllowed(); - } - - private static RangerTrinoResource createUserResource(String userName) - { - RangerTrinoResource res = new RangerTrinoResource(); - - res.setValue(RangerTrinoResource.KEY_USER, userName); - - return res; - } - - private static RangerTrinoResource createFunctionResource(String function) - { - RangerTrinoResource res = new RangerTrinoResource(); - - res.setValue(RangerTrinoResource.KEY_FUNCTION, function); - - return res; - } - - private static RangerTrinoResource createProcedureResource(CatalogSchemaRoutineName procedure) - { - RangerTrinoResource res = new RangerTrinoResource(); - - res.setValue(RangerTrinoResource.KEY_CATALOG, procedure.getCatalogName()); - res.setValue(RangerTrinoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName()); - res.setValue(RangerTrinoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName()); - - return res; - } - - private static RangerTrinoResource createCatalogSessionResource(String catalogName, String propertyName) - { - RangerTrinoResource res = new RangerTrinoResource(); - - res.setValue(RangerTrinoResource.KEY_CATALOG, catalogName); - res.setValue(RangerTrinoResource.KEY_SESSION_PROPERTY, propertyName); - - return res; - } - - private static RangerTrinoResource createSystemPropertyResource(String property) - 
{ - RangerTrinoResource res = new RangerTrinoResource(); - - res.setValue(RangerTrinoResource.KEY_SYSTEM_PROPERTY, property); - - return res; - } - - private static RangerTrinoResource createResource(CatalogSchemaName catalogSchemaName) - { - return createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()); - } - - private static RangerTrinoResource createResource(CatalogSchemaTableName catalogSchemaTableName) - { - return createResource(catalogSchemaTableName.getCatalogName(), catalogSchemaTableName.getSchemaTableName().getSchemaName(), catalogSchemaTableName.getSchemaTableName().getTableName()); - } - - private static RangerTrinoResource createResource(String catalogName) - { - return new RangerTrinoResource(catalogName, Optional.empty(), Optional.empty()); - } - - private static RangerTrinoResource createResource(String catalogName, String schemaName) - { - return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.empty()); - } - - private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName) - { - return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName)); - } - - private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName, final Optional<String> column) - { - return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column); - } - - private static List<RangerTrinoResource> createResource(CatalogSchemaTableName table, Set<String> columns) - { - List<RangerTrinoResource> colRequests = new ArrayList<>(); - - if (columns.size() > 0) { - for (String column : columns) { - RangerTrinoResource rangerTrinoResource = createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName(), table.getSchemaTableName().getTableName(), Optional.of(column)); - - colRequests.add(rangerTrinoResource); - } - } - else { - 
colRequests.add(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName(), table.getSchemaTableName().getTableName(), Optional.empty())); - } - - return colRequests; - } - - private static class RangerTrinoResource - extends RangerAccessResourceImpl - { - public static final String KEY_CATALOG = "catalog"; - public static final String KEY_SCHEMA = "schema"; - public static final String KEY_TABLE = "table"; - public static final String KEY_COLUMN = "column"; - public static final String KEY_USER = "trinouser"; - public static final String KEY_FUNCTION = "function"; - public static final String KEY_PROCEDURE = "procedure"; - public static final String KEY_SYSTEM_PROPERTY = "systemproperty"; - public static final String KEY_SESSION_PROPERTY = "sessionproperty"; - - public RangerTrinoResource() - { - } - - public RangerTrinoResource(String catalogName, Optional<String> schema, Optional<String> table) - { - setValue(KEY_CATALOG, catalogName); - - if (schema.isPresent()) { - setValue(KEY_SCHEMA, schema.get()); - } - - if (table.isPresent()) { - setValue(KEY_TABLE, table.get()); - } - } - - public RangerTrinoResource(String catalogName, Optional<String> schema, Optional<String> table, Optional<String> column) - { - setValue(KEY_CATALOG, catalogName); - - if (schema.isPresent()) { - setValue(KEY_SCHEMA, schema.get()); - } - - if (table.isPresent()) { - setValue(KEY_TABLE, table.get()); - } - - if (column.isPresent()) { - setValue(KEY_COLUMN, column.get()); - } - } - - public String getCatalogName() - { - return (String) getValue(KEY_CATALOG); - } - - public String getTable() - { - return (String) getValue(KEY_TABLE); - } - - public String getCatalog() - { - return (String) getValue(KEY_CATALOG); - } - - public String getSchema() - { - return (String) getValue(KEY_SCHEMA); - } - - public Optional<SchemaTableName> getSchemaTable() - { - final String schema = getSchema(); - - if (StringUtils.isNotEmpty(schema)) { - return Optional.of(new 
SchemaTableName(schema, Optional.ofNullable(getTable()).orElse("*"))); - } - - return Optional.empty(); - } - } - - private static class RangerTrinoAccessRequest - extends RangerAccessRequestImpl - { - public RangerTrinoAccessRequest(RangerTrinoResource resource, String user, Set<String> userGroups, TrinoAccessType trinoAccessType) - { - super(resource, trinoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null); - - setAccessTime(new Date()); - } - } - - private static enum TrinoAccessType { - CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE, EXECUTE; - } -} diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java deleted file mode 100644 index 919646fbf..000000000 --- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java +++ /dev/null 
@@ -1,63 +0,0 @@ -/* - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.ranger.authorization.trino.authorizer; - -import com.google.inject.Injector; -import com.google.inject.Scopes; -import io.airlift.bootstrap.Bootstrap; -import io.trino.spi.security.SystemAccessControl; -import io.trino.spi.security.SystemAccessControlFactory; - -import java.util.Map; - -import static com.google.common.base.Throwables.throwIfUnchecked; -import static io.airlift.configuration.ConfigBinder.configBinder; -import static java.util.Objects.requireNonNull; - -public class RangerSystemAccessControlFactory - implements SystemAccessControlFactory -{ - private static final String NAME = "ranger"; - - @Override - public String getName() - { - return NAME; - } - - @Override - public SystemAccessControl create(Map<String, String> config) - { - requireNonNull(config, "config is null"); - - try { - Bootstrap app = new Bootstrap(binder -> - { - configBinder(binder).bindConfig(RangerConfig.class); - binder.bind(RangerSystemAccessControl.class).in(Scopes.SINGLETON); - }); - - Injector injector = app - .doNotInitializeLogging() - .setRequiredConfigurationProperties(config) - .initialize(); - - return injector.getInstance(RangerSystemAccessControl.class); - } - catch (Exception e) { - throwIfUnchecked(e); - throw new RuntimeException(e); - } - } -} 
diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java deleted file mode 100644 index 5a83b12d7..000000000 --- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.ranger.authorization.trino.authorizer; - -import io.trino.spi.Plugin; -import io.trino.spi.security.SystemAccessControlFactory; - -import java.util.ArrayList; - -public class TrinoRangerPlugin - implements Plugin -{ - @Override - public Iterable<SystemAccessControlFactory> getSystemAccessControlFactories() - { - ArrayList<SystemAccessControlFactory> list = new ArrayList<>(); - SystemAccessControlFactory factory = new RangerSystemAccessControlFactory(); - - list.add(factory); - - return list; - } -} diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java deleted file mode 100644 index 220c8c252..000000000 --- a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java +++ /dev/null 
@@ -1,204 +0,0 @@ -/* - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.ranger.authorization.trino.authorizer; - -import com.google.common.collect.ImmutableSet; -import io.trino.spi.connector.CatalogSchemaName; -import io.trino.spi.connector.CatalogSchemaRoutineName; -import io.trino.spi.connector.CatalogSchemaTableName; -import io.trino.spi.connector.SchemaTableName; -import io.trino.spi.security.AccessDeniedException; -import io.trino.spi.security.Identity; -import io.trino.spi.security.SystemSecurityContext; -import io.trino.spi.security.TrinoPrincipal; -import io.trino.spi.security.ViewExpression; -import io.trino.spi.type.VarcharType; -import org.junit.BeforeClass; -import org.junit.Test; - -import javax.security.auth.kerberos.KerberosPrincipal; - -import java.util.List; -import java.util.Map; -import java.util.Optional; -import java.util.Set; - -import static io.trino.spi.security.PrincipalType.USER; -import static io.trino.spi.security.Privilege.SELECT; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertTrue; - -public class RangerSystemAccessControlTest -{ - static RangerSystemAccessControl accessControlManager; - - private static final Identity alice = Identity.ofUser("alice"); - private static final Identity admin = Identity.ofUser("admin"); - //private static final Identity aliceWithGroups = 
Identity.from(alice).withGroups(new HashSet(Arrays.asList("users", "friends"))).build(); - //private static final Identity kerberosValidAlice = Identity.from(alice).withPrincipal(new KerberosPrincipal("alice/example....@example.com")).build(); - //private static final Identity kerberosValidNonAsciiUser = Identity.forUser("\u0194\u0194\u0194").withPrincipal(new KerberosPrincipal("\u0194\u0194\u0194/example....@example.com")).build(); - private static final Identity kerberosInvalidAlice = Identity.from(alice).withPrincipal(new KerberosPrincipal("mallory/example....@example.com")).build(); - private static final Identity bob = Identity.ofUser("bob"); - //private static final Identity nonAsciiUser = Identity.ofUser("\u0194\u0194\u0194"); - - private static final Set<String> allCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "alice-catalog"); - private static final Set<String> queryOwners = ImmutableSet.of("bob", "alice", "frank"); - private static final String aliceCatalog = "alice-catalog"; - private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "schema"); - private static final CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("alice-catalog", "schema", "table"); - private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema", "view"); - private static final CatalogSchemaRoutineName aliceProcedure = new CatalogSchemaRoutineName("alice-catalog", "schema", "procedure"); - private static final String functionName = new String("function"); - - @BeforeClass - public static void setUpBeforeClass() - throws Exception - { - accessControlManager = new RangerSystemAccessControl(new RangerConfig()); - } - - @Test - @SuppressWarnings("PMD") - public void testCanSetUserOperations() - { - try { - accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser()); - throw new AssertionError("expected AccessDeniedExeption"); - } - catch (AccessDeniedException expected) 
{ - } - - accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser()); - - try { - accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser()); - throw new AssertionError("expected AccessDeniedExeption"); - } - catch (AccessDeniedException expected) { - } - } - - @Test - public void testCatalogOperations() - { - assertEquals(accessControlManager.filterCatalogs(context(alice), allCatalogs), allCatalogs); - Set<String> bobCatalogs = ImmutableSet.of("open-to-all", "all-allowed"); - assertEquals(accessControlManager.filterCatalogs(context(bob), allCatalogs), bobCatalogs); - //Set<String> nonAsciiUserCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "\u0200\u0200\u0200"); - //assertEquals(accessControlManager.filterCatalogs(context(nonAsciiUser), allCatalogs), nonAsciiUserCatalogs); - } - - @Test - @SuppressWarnings("PMD") - public void testSchemaOperations() - { - Set<String> aliceSchemas = ImmutableSet.of("schema"); - assertEquals(accessControlManager.filterSchemas(context(alice), aliceCatalog, aliceSchemas), aliceSchemas); - assertEquals(accessControlManager.filterSchemas(context(bob), "alice-catalog", aliceSchemas), ImmutableSet.of()); - - accessControlManager.checkCanCreateSchema(context(alice), aliceSchema); - accessControlManager.checkCanDropSchema(context(alice), aliceSchema); - accessControlManager.checkCanRenameSchema(context(alice), aliceSchema, "new-schema"); - accessControlManager.checkCanShowSchemas(context(alice), aliceCatalog); - - try { - accessControlManager.checkCanCreateSchema(context(bob), aliceSchema); - } - catch (AccessDeniedException expected) { - } - - accessControlManager.checkCanSetSchemaAuthorization(context(alice), aliceSchema, new TrinoPrincipal(USER, "principal")); - accessControlManager.checkCanShowCreateSchema(context(alice), aliceSchema); - } - - @Test - @SuppressWarnings("PMD") - public void testTableOperations() - { - Set<SchemaTableName> aliceTables = ImmutableSet.of(new 
SchemaTableName("schema", "table")); - assertEquals(accessControlManager.filterTables(context(alice), aliceCatalog, aliceTables), aliceTables); - assertEquals(accessControlManager.filterTables(context(bob), "alice-catalog", aliceTables), ImmutableSet.of()); - - accessControlManager.checkCanCreateTable(context(alice), aliceTable, Map.of()); - accessControlManager.checkCanDropTable(context(alice), aliceTable); - accessControlManager.checkCanSelectFromColumns(context(alice), aliceTable, ImmutableSet.of()); - accessControlManager.checkCanInsertIntoTable(context(alice), aliceTable); - accessControlManager.checkCanDeleteFromTable(context(alice), aliceTable); - accessControlManager.checkCanRenameColumn(context(alice), aliceTable); - - try { - accessControlManager.checkCanCreateTable(context(bob), aliceTable, Map.of()); - } - catch (AccessDeniedException expected) { - } - } - - @Test - @SuppressWarnings("PMD") - public void testViewOperations() - { - accessControlManager.checkCanCreateView(context(alice), aliceView); - accessControlManager.checkCanDropView(context(alice), aliceView); - accessControlManager.checkCanSelectFromColumns(context(alice), aliceView, ImmutableSet.of()); - accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceTable, ImmutableSet.of()); - accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceView, ImmutableSet.of()); - accessControlManager.checkCanSetCatalogSessionProperty(context(alice), aliceCatalog, "property"); - accessControlManager.checkCanGrantTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true); - accessControlManager.checkCanRevokeTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true); - - try { - accessControlManager.checkCanCreateView(context(bob), aliceView); - } - catch (AccessDeniedException expected) { - } - } - - @Test - @SuppressWarnings("PMD") - public void testMisc() - { - 
assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice), queryOwners), queryOwners); - - // check {type} / {col} replacement - final VarcharType varcharType = VarcharType.createVarcharType(20); - - Optional<ViewExpression> ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType); - List<ViewExpression> retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType); - assertNotNull(ret.get()); - assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)"); - assertEquals(1, retArray.size()); - assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression()); - - ret = accessControlManager.getColumnMask(context(alice), aliceTable, "do-not-cast-me", varcharType); - retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "do-not-cast-me", varcharType); - assertFalse(ret.isPresent()); - assertTrue(retArray.isEmpty()); - - ret = accessControlManager.getRowFilter(context(alice), aliceTable); - retArray = accessControlManager.getRowFilters(context(alice), aliceTable); - assertFalse(ret.isPresent()); - assertTrue(retArray.isEmpty()); - - accessControlManager.checkCanExecuteFunction(context(alice), functionName); - accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true); - accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure); - } - - private SystemSecurityContext context(Identity id) - { - return new SystemSecurityContext(id, Optional.empty()); - } -} diff --git a/pom.xml b/pom.xml index fee54735f..bd8008b8d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -184,7 +184,7 @@
 <owasp-java-html-sanitizer.version>20211018.2</owasp-java-html-sanitizer.version>
 <paranamer.version>2.3</paranamer.version>
 <presto.version>333</presto.version>
- <trino.version>377</trino.version>
+ <trino.version>451</trino.version>
 <poi.version>5.2.2</poi.version>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <protobuf-java.version>3.19.3</protobuf-java.version>
@@ -323,45 +323,14 @@
 <module>ranger-kylin-plugin-shim</module>
 <module>plugin-elasticsearch</module>
 <module>ranger-elasticsearch-plugin-shim</module>
- <!--
- 'distro' should be the last module. If a module gets inserted after
- ranger-elasticsearch-plugin-shim, make sure to update dependency in distro/pom.xml
- -->
- <module>distro</module>
- </modules>
- </profile>
-
- <profile>
- <id>ranger-jdk11</id>
- <activation>
- <jdk>11</jdk>
- </activation>
- <modules>
- <!-- ranger-admin requirements -->
- <module>security-admin</module>
- <module>agents-audit</module>
- <module>agents-common</module>
- <module>agents-cred</module>
- <module>jisql</module>
- <module>embeddedwebserver</module>
- <module>credentialbuilder</module>
- <module>ranger-util</module>
- <module>ugsync-util</module>
- <module>unixauthclient</module>
- <module>ranger-plugin-classloader</module>
- <module>ranger-authn</module>
- <module>ranger-metrics</module>
- <!-- trino-plugin requirements -->
- <module>agents-installer</module>
 <module>plugin-trino</module>
 <!--
 'distro' should be the last module. If a module gets inserted after
- plugin-nestedstructure, make sure to update dependency in distro/pom.xml
+ ranger-elasticsearch-plugin-shim, make sure to update dependency in distro/pom.xml
 -->
 <module>distro</module>
 </modules>
 </profile>
-
 <profile>
 <id>ranger-examples</id>
 <modules>
@@ -600,7 +569,6 @@
 <module>ranger-plugin-classloader</module>
 <module>ranger-util</module>
 <module>plugin-trino</module>
- <module>ranger-trino-plugin-shim</module>
 </modules>
 </profile>
 <profile>
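Review bot: The comment kept on the new side of the `@@ -323,45 +323,14 @@` hunk still names `ranger-elasticsearch-plugin-shim` as the module that precedes `distro`, but after this change `<module>plugin-trino</module>` sits between the two, so the note telling a maintainer when to update distro/pom.xml now points at the wrong module. The same stale wording is the context that follows the added `<module>plugin-trino</module>` in the `@@ -681,6 +649,7 @@` hunk. Both comment lines should read `plugin-trino, make sure to update dependency in distro/pom.xml`. The diffstat shows distro/pom.xml was touched in this commit, which is consistent with plugin-trino now being the last module distro depends on, so only the comment appears to be behind.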
@@ -681,6 +649,7 @@
 <module>ranger-elasticsearch-plugin-shim</module>
 <module>ranger-authn</module>
 <module>ranger-metrics</module>
+ <module>plugin-trino</module>
 <!--
 'distro' should be the last module. If a module gets inserted after
 ranger-elasticsearch-plugin-shim, make sure to update dependency in distro/pom.xml
@@ -765,6 +734,7 @@
 <module>ranger-kylin-plugin-shim</module>
 <module>plugin-elasticsearch</module>
 <module>ranger-elasticsearch-plugin-shim</module>
+ <module>plugin-trino</module>
 </modules>
 <build>
 <plugins>
diff --git a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
index e1e2274b6..81494bdea 100644
--- a/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
+++ b/security-admin/db/mysql/optimized/current/ranger_core_db_mysql.sql
@@ -2088,4 +2088,6 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10055',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10056',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',UTC_TIMESTAMP(),'Ranger 3.0.0',UTC_TIMESTAMP(),'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',UTC_TIMESTAMP(),'Ranger 1.0.0',UTC_TIMESTAMP(),'localhost','Y');
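Review bot: This mysql hunk, and the oracle, postgres, sqlanywhere and sqlserver hunks that follow it, each register both `J10061` and `J10062` as applied in x_db_version_h, while the commit adds a patch class only for J10062 (PatchForTrinoSvcDefUpdate_J10062.java in the diffstat). As far as I can tell these optimized scripts seed fresh installs, so an active J10061 row created here will cause a J10061 patch to be skipped on such installs if that patch does not already exist on this branch, leaving the service-def it would have updated out of date. If J10061 is an existing patch whose row was simply missing from these scripts, a one-line mention in the commit description would make that clear; otherwise the J10061 rows should be dropped from all five scripts until the patch lands.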
diff --git a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
index ec0a5ba3a..3f01a42d1 100644
--- a/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
+++ b/security-admin/db/oracle/optimized/current/ranger_core_db_oracle.sql
@@ -2061,5 +2061,7 @@ INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,act
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10055',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10056',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10060',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10061',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
+INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'J10062',sys_extract_utc(systimestamp),'Ranger 3.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 INSERT INTO x_db_version_h (id,version,inst_at,inst_by,updated_at,updated_by,active) VALUES (X_DB_VERSION_H_SEQ.nextval,'JAVA_PATCHES',sys_extract_utc(systimestamp),'Ranger 1.0.0',sys_extract_utc(systimestamp),'localhost','Y');
 commit;
diff --git a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
index bbe5975e8..27ef48c3c 100644
--- a/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
+++ b/security-admin/db/postgres/optimized/current/ranger_core_db_postgres.sql
@@ -2244,6 +2244,8 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10055',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10056',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',current_timestamp,'Ranger 3.0.0',current_timestamp,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',current_timestamp,'Ranger 1.0.0',current_timestamp,'localhost','Y');
 
 DROP VIEW IF EXISTS vx_principal;
diff --git a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
index 2e0a000a3..660cc52be 100644
--- a/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
+++ b/security-admin/db/sqlanywhere/optimized/current/ranger_core_db_sqlanywhere.sql
@@ -2430,6 +2430,10 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+GO
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
 exit
diff --git a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
index 7a7b3a5c8..6e445d5ab 100644
--- a/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
+++ b/security-admin/db/sqlserver/optimized/current/ranger_core_db_sqlserver.sql
@@ -4218,5 +4218,7 @@ INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10055',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10056',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10060',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10061',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
+INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('J10062',CURRENT_TIMESTAMP,'Ranger 3.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 INSERT INTO x_db_version_h (version,inst_at,inst_by,updated_at,updated_by,active) VALUES ('JAVA_PATCHES',CURRENT_TIMESTAMP,'Ranger 1.0.0',CURRENT_TIMESTAMP,'localhost','Y');
 GO
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoSvcDefUpdate_J10062.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoSvcDefUpdate_J10062.java
new file mode 100644
index 000000000..57d55f50c
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoSvcDefUpdate_J10062.java
@@ -0,0 +1,315 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ranger.patch; + +import org.apache.commons.collections.CollectionUtils; +import org.apache.log4j.Logger; +import org.apache.ranger.biz.ServiceDBStore; +import org.apache.ranger.common.GUIDUtil; +import org.apache.ranger.common.RangerValidatorFactory; +import org.apache.ranger.db.RangerDaoManager; +import org.apache.ranger.entity.XXService; +import org.apache.ranger.plugin.model.RangerPolicy; +import org.apache.ranger.plugin.model.RangerPolicyResourceSignature; +import org.apache.ranger.plugin.model.RangerServiceDef; +import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator; +import org.apache.ranger.plugin.model.validation.RangerValidator.Action; +import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil; +import org.apache.ranger.util.CLIUtil; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.stereotype.Component; +import org.springframework.transaction.PlatformTransactionManager; +import org.springframework.transaction.TransactionDefinition; +import 
org.springframework.transaction.TransactionStatus; +import org.springframework.transaction.support.TransactionCallback; +import org.springframework.transaction.support.TransactionTemplate; + +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +@Component +public class PatchForTrinoSvcDefUpdate_J10062 extends BaseLoader { + public static final String LOGIN_ID_ADMIN = "admin"; + public static final String WILDCARD_ASTERISK = "*"; + public static final String POlICY_NAME_FOR_ALL_SYSINFO = "all - sysinfo"; + public static final String POlICY_NAME_FOR_ALL_CATALOG_SCHEMA_FUNCTION = "all - catalog, schema, schemafunction"; + public static final String POlICY_NAME_FOR_ALL_QUERY = "all - queryid"; + public static final String POlICY_NAME_FOR_ALL_ROLE = "all - role"; + public static final String RESOURCE_SYSINFO = "sysinfo"; + public static final String RESOURCE_CATALOG = "catalog"; + public static final String RESOURCE_SCHEMA = "schema"; + public static final String RESOURCE_QUERYID = "queryid"; + public static final String RESOURCE_ROLE = "role"; + public static final String RESOURCE_SCHEMAFUNCTION = "schemafunction"; + public static final String ACCESS_TYPE_READ_SYSINFO = "read_sysinfo"; + public static final String ACCESS_TYPE_WRITE_SYSINFO = "write_sysinfo"; + public static final String ACCESS_TYPE_CREATE = "create"; + public static final String ACCESS_TYPE_DROP = "drop"; + public static final String ACCESS_TYPE_SHOW = "show"; + public static final String ACCESS_TYPE_GRANT = "grant"; + public static final String ACCESS_TYPE_REVOKE = "revoke"; + public static final String ACCESS_TYPE_EXECUTE = "execute"; + public static final String ACCESS_TYPE_SELECT = "select"; + private static final Logger logger = Logger.getLogger(PatchForTrinoSvcDefUpdate_J10062.class); + private static final String TRINO_SVC_DEF_NAME = EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TRINO_NAME; + @Autowired + GUIDUtil guidUtil; + @Autowired + 
ServiceDBStore svcDBStore; + @Autowired + @Qualifier(value = "transactionManager") + PlatformTransactionManager txManager; + @Autowired + private RangerDaoManager daoMgr; + @Autowired + private RangerValidatorFactory validatorFactory; + + public static void main(String[] args) { + logger.info("main()"); + try { + PatchForTrinoSvcDefUpdate_J10062 loader = (PatchForTrinoSvcDefUpdate_J10062) CLIUtil.getBean(PatchForTrinoSvcDefUpdate_J10062.class); + loader.init(); + while (loader.isMoreToProcess()) { + loader.load(); + } + logger.info("Load complete. Exiting!!!"); + System.exit(0); + } catch (Exception e) { + logger.error("Error loading", e); + System.exit(1); + } + } + + @Override + public void init() throws Exception { + // DO NOTHING + } + + @Override + public void printStats() { + logger.info("PatchForTrinoSvcDefUpdate_J10062 logs "); + } + + @Override + public void execLoad() { + logger.info("==> PatchForTrinoSvcDefUpdate_J10062.execLoad()"); + try { + TransactionTemplate txTemplate = new TransactionTemplate(txManager); + txTemplate.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRES_NEW); + try { + txTemplate.execute(new TransactionCallback<Object>() { + @Override + public Object doInTransaction(TransactionStatus status) { + RangerServiceDef dbRangerServiceDef = null; + RangerServiceDef embeddedTrinoServiceDef = null; + try { + embeddedTrinoServiceDef = EmbeddedServiceDefsUtil.instance().getEmbeddedServiceDef(TRINO_SVC_DEF_NAME); + } catch (Exception ex) { + logger.error("Error while loading service-def: " + TRINO_SVC_DEF_NAME, ex); + } + if (embeddedTrinoServiceDef == null) { + logger.error("The embedded Trino service-definition does not exist."); + throw new RuntimeException("Error while updating " + TRINO_SVC_DEF_NAME + " service-def"); + } + if (embeddedTrinoServiceDef != null) { + try { + dbRangerServiceDef = svcDBStore.getServiceDefByName(TRINO_SVC_DEF_NAME); + } catch (Exception e) { + logger.error("The Trino service-definition does not 
exist in ranger db."); + } finally { + if (dbRangerServiceDef == null) { + logger.error("The Trino service-definition does not exist."); + throw new RuntimeException("Error while updating " + TRINO_SVC_DEF_NAME + " service-def"); + } + } + } + dbRangerServiceDef = updateTrinoSvcDef(embeddedTrinoServiceDef, dbRangerServiceDef); + if (dbRangerServiceDef != null) { + try { + createDefaultPolicies(dbRangerServiceDef); + } catch (Exception e) { + logger.error("Error while creating default ranger policies for " + TRINO_SVC_DEF_NAME + " service-def"); + throw new RuntimeException("Error while creating default ranger policies for " + TRINO_SVC_DEF_NAME + " service-def"); + } + } else { + logger.error("Error while updating " + TRINO_SVC_DEF_NAME + " service-def"); + throw new RuntimeException("Error while updating " + TRINO_SVC_DEF_NAME + " service-def"); + } + return null; + } + }); + } catch (Throwable ex) { + logger.error("Error while updating " + TRINO_SVC_DEF_NAME + " service-def"); + throw new RuntimeException(ex.getMessage()); + } + } catch (Exception e) { + logger.error("Error while executing PatchForTrinoSvcDefUpdate_J10062, Error - ", e); + throw new RuntimeException(e.getMessage()); + } + logger.info("<== PatchForTrinoSvcDefUpdate_J10062.execLoad()"); + } + + private RangerServiceDef updateTrinoSvcDef(RangerServiceDef embeddedTrinoServiceDef, RangerServiceDef dbRangerServiceDef) { + logger.info("==> PatchForTrinoSvcDefUpdate_J10062.updateTrinoSvcDef()"); + RangerServiceDef ret = null; + try { + dbRangerServiceDef.setResources(embeddedTrinoServiceDef.getResources()); + dbRangerServiceDef.setAccessTypes(embeddedTrinoServiceDef.getAccessTypes()); + dbRangerServiceDef.setConfigs(embeddedTrinoServiceDef.getConfigs()); + RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(this.svcDBStore); + validator.validate(dbRangerServiceDef, Action.UPDATE); + ret = this.svcDBStore.updateServiceDef(dbRangerServiceDef); + logger.info(TRINO_SVC_DEF_NAME + " 
service-def has been updated"); + } catch (Exception e) { + logger.error("Error while updating" + TRINO_SVC_DEF_NAME + " service-def", e); + throw new RuntimeException(e); + } + logger.info("<== PatchForTrinoSvcDefUpdate_J10062.updateTrinoSvcDef()"); + return ret; + } + + private void createDefaultPolicies(RangerServiceDef dbRangerServiceDef) throws Exception { + List<XXService> dbServices = daoMgr.getXXService().findByServiceDefId(dbRangerServiceDef.getId()); + if (CollectionUtils.isNotEmpty(dbServices)) { + for (XXService dbService : dbServices) { + addDefaultPolicies(dbService.getName(), null); + } + } + } + + private void addDefaultPolicies(String serviceName, String zoneName) throws Exception { + logger.info("===> addDefaultPolicies ServiceName : " + serviceName + " ZoneName : " + zoneName); + List<String> resources = new ArrayList<>(); + resources.add(RESOURCE_SYSINFO); + RangerPolicy allSysInfoPolicy = getPolicy(serviceName, zoneName, POlICY_NAME_FOR_ALL_SYSINFO, resources); + List<RangerPolicy> policies = svcDBStore.getPoliciesByResourceSignature(serviceName, allSysInfoPolicy.getResourceSignature(), true); + if (CollectionUtils.isEmpty(policies)) { + logger.info("No policy found with resource sysinfo = * creating new policy"); + svcDBStore.createPolicy(allSysInfoPolicy); + } + + resources.clear(); + policies.clear(); + resources.add(RESOURCE_CATALOG); + resources.add(RESOURCE_SCHEMA); + resources.add(RESOURCE_SCHEMAFUNCTION); + RangerPolicy allCatalogSchemaFunctionPolicy = getPolicy(serviceName, zoneName, POlICY_NAME_FOR_ALL_CATALOG_SCHEMA_FUNCTION, resources); + policies = svcDBStore.getPoliciesByResourceSignature(serviceName, allCatalogSchemaFunctionPolicy.getResourceSignature(), true); + if (CollectionUtils.isEmpty(policies)) { + logger.info("No policy found with resource catalog, schema, schemafunction = *; creating new policy"); + svcDBStore.createPolicy(allCatalogSchemaFunctionPolicy); + } + + resources.clear(); + policies.clear(); + 
resources.add(RESOURCE_QUERYID); + RangerPolicy allQueryIdPolicy = getPolicy(serviceName, zoneName, POlICY_NAME_FOR_ALL_QUERY, resources); + policies = svcDBStore.getPoliciesByResourceSignature(serviceName, allQueryIdPolicy.getResourceSignature(), true); + if (CollectionUtils.isEmpty(policies)) { + logger.info("No policy found with resource queryId = *; creating new policy"); + svcDBStore.createPolicy(allQueryIdPolicy); + } + + resources.clear(); + policies.clear(); + resources.add(RESOURCE_ROLE); + RangerPolicy allRolePolicy = getPolicy(serviceName, zoneName, POlICY_NAME_FOR_ALL_ROLE, resources); + policies = svcDBStore.getPoliciesByResourceSignature(serviceName, allRolePolicy.getResourceSignature(), true); + if (CollectionUtils.isEmpty(policies)) { + logger.info("No policy found with resource role = *; creating new policy"); + svcDBStore.createPolicy(allRolePolicy); + } + logger.info("<=== addDefaultPolicies"); + } + + private RangerPolicy getPolicy(String serviceName, String zoneName, String policyName, List<String> resources) { + logger.info("===> getPolicy "); + RangerPolicy policy; + Map<String, RangerPolicy.RangerPolicyResource> policyResources = new HashMap<>(); + for (String resource : resources) { + policyResources.put(resource, new RangerPolicy.RangerPolicyResource(WILDCARD_ASTERISK)); + } + policy = new RangerPolicy(); + policy.setService(serviceName); + policy.setName(policyName); + policy.setDescription("Policy for " + policyName); + policy.setIsAuditEnabled(true); + policy.setCreatedBy(LOGIN_ID_ADMIN); + policy.setResources(policyResources); + policy.setPolicyType(RangerPolicy.POLICY_TYPE_ACCESS); + policy.setGuid(guidUtil.genGUID()); + policy.setZoneName(zoneName); + List<RangerPolicy.RangerPolicyItem> policyItems = new ArrayList<>(); + policyItems.add(getPolicyItem(policyName, "trino", true)); + policyItems.add(getPolicyItem("select", "rangerlookup", false)); + policy.setPolicyItems(policyItems); + policy.setResourceSignature(new 
RangerPolicyResourceSignature(policy).getSignature()); + if (logger.isDebugEnabled()) { + logger.debug("===> getPolicy policy ResourceSignature " + policy.getResourceSignature()); + logger.debug("===> getPolicy policy : " + policy); + } + logger.info("<=== getPolicy "); + return policy; + } + + private RangerPolicy.RangerPolicyItem getPolicyItem(String policyName, String user, boolean delegateAdmin) { + RangerPolicy.RangerPolicyItem policyItem = new RangerPolicy.RangerPolicyItem(); + policyItem.setUsers(new ArrayList<String>() {{ + add(user); + }}); + policyItem.setAccesses(getAccessList(policyName)); + policyItem.setDelegateAdmin(delegateAdmin); + return policyItem; + } + + private List<RangerPolicy.RangerPolicyItemAccess> getAccessList(String policyName) { + List<RangerPolicy.RangerPolicyItemAccess> accessList = new ArrayList<RangerPolicy.RangerPolicyItemAccess>(); + switch (policyName) { + case POlICY_NAME_FOR_ALL_SYSINFO: + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_READ_SYSINFO)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_WRITE_SYSINFO)); + break; + case POlICY_NAME_FOR_ALL_CATALOG_SCHEMA_FUNCTION: + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_CREATE)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_DROP)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_SHOW)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_GRANT)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_EXECUTE)); + break; + case POlICY_NAME_FOR_ALL_ROLE: + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_CREATE)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_DROP)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_SHOW)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_GRANT)); + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_REVOKE)); + 
break; + case POlICY_NAME_FOR_ALL_QUERY: + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_EXECUTE)); + break; + default: + accessList.add(new RangerPolicy.RangerPolicyItemAccess(ACCESS_TYPE_SELECT)); + break; + } + return accessList; + } + +} \ No newline at end of file
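Review bot: Every default policy built by `getPolicy` carries a second item `getPolicyItem("select", "rangerlookup", false)`, which resolves through the `default` branch of `getAccessList` to `ACCESS_TYPE_SELECT` — so `rangerlookup` is granted `select` on `sysinfo=*`, `queryid=*`, `role=*` and `schemafunction=*`, even though `select` is not among the access types this same patch grants `trino` for those resources and presumably is not a valid access type for them under the updated service-def (to be confirmed against `accessTypeRestrictions`); either drop that item for these four policies or pass the intended lookup access type explicitly instead of routing it through the policy-name switch. The four policies also give the hard-coded user `"trino"` `delegateAdmin=true` plus `write_sysinfo`, and `grant`/`revoke` on `role=*`, for every Trino service found by `findByServiceDefId` regardless of which service user the administrator configured; a comment such as `// Grants the Trino system user full admin rights on the new resource types; review before enabling in shared deployments` above `addDefaultPolicies` would at least make that blast radius visible. Minor: the `catch (Throwable ex)` in `execLoad` rethrows `new RuntimeException(ex.getMessage())` and loses the cause (prefer `new RuntimeException(ex)`), and `policies.clear()` mutates the list returned by `getPoliciesByResourceSignature` rather than just reassigning the variable.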