Commit
[#5661] feat(auth): Add JDBC authorization plugin interface
Showing
11 changed files
with
1,521 additions
and
1 deletion.
@@ -0,0 +1,97 @@ | ||
/* | ||
* Licensed to the Apache Software Foundation (ASF) under one | ||
* or more contributor license agreements. See the NOTICE file | ||
* distributed with this work for additional information | ||
* regarding copyright ownership. The ASF licenses this file | ||
* to you under the Apache License, Version 2.0 (the | ||
* "License"); you may not use this file except in compliance | ||
* with the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
description = "authorization-jdbc" | ||
|
||
plugins { | ||
`maven-publish` | ||
id("java") | ||
id("idea") | ||
} | ||
|
||
dependencies { | ||
implementation(project(":api")) { | ||
exclude(group = "*") | ||
} | ||
implementation(project(":core")) { | ||
exclude(group = "*") | ||
} | ||
|
||
implementation(libs.bundles.log4j) | ||
implementation(libs.commons.lang3) | ||
implementation(libs.guava) | ||
implementation(libs.javax.jaxb.api) { | ||
exclude("*") | ||
} | ||
implementation(libs.javax.ws.rs.api) | ||
implementation(libs.jettison) | ||
compileOnly(libs.lombok) | ||
implementation(libs.mail) | ||
implementation(libs.rome) | ||
implementation(libs.commons.dbcp2) | ||
|
||
testImplementation(project(":common")) | ||
testImplementation(project(":clients:client-java")) | ||
testImplementation(project(":server")) | ||
testImplementation(project(":catalogs:catalog-common")) | ||
testImplementation(project(":integration-test-common", "testArtifacts")) | ||
testImplementation(libs.junit.jupiter.api) | ||
testImplementation(libs.mockito.core) | ||
testImplementation(libs.testcontainers) | ||
testRuntimeOnly(libs.junit.jupiter.engine) | ||
} | ||
|
||
tasks { | ||
val runtimeJars by registering(Copy::class) { | ||
from(configurations.runtimeClasspath) | ||
into("build/libs") | ||
} | ||
|
||
val copyAuthorizationLibs by registering(Copy::class) { | ||
dependsOn("jar", runtimeJars) | ||
from("build/libs") { | ||
exclude("guava-*.jar") | ||
exclude("log4j-*.jar") | ||
exclude("slf4j-*.jar") | ||
} | ||
into("$rootDir/distribution/package/authorizations/ranger/libs") | ||
} | ||
|
||
register("copyLibAndConfig", Copy::class) { | ||
dependsOn(copyAuthorizationLibs) | ||
} | ||
|
||
jar { | ||
dependsOn(runtimeJars) | ||
} | ||
} | ||
|
||
tasks.test { | ||
doFirst { | ||
environment("HADOOP_USER_NAME", "gravitino") | ||
} | ||
dependsOn(":catalogs:catalog-hive:jar", ":catalogs:catalog-hive:runtimeJars") | ||
|
||
val skipITs = project.hasProperty("skipITs") | ||
if (skipITs) { | ||
// Exclude integration tests | ||
exclude("**/integration/test/**") | ||
} else { | ||
dependsOn(tasks.jar) | ||
} | ||
} |
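--- a/...n-jdbc/src/main/java/org/apache/gravitino/authorization/jdbc/JdbcAuthorizationObject.java
+++ b/...n-jdbc/src/main/java/org/apache/gravitino/authorization/jdbc/JdbcAuthorizationObject.java
@@ -0,0 +1,93 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.gravitino.authorization.jdbc;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+import java.util.List;
+import javax.annotation.Nullable;
+import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.authorization.AuthorizationPrivilege;
+import org.apache.gravitino.authorization.AuthorizationSecurableObject;
+
+/**
+* JdbcAuthorizationObject is used for translating securable object to authorization securable
+* object. JdbcAuthorizationObject has the database and table name. When table name is null, the
+* object represents a database. The database can't be null.
+*/
+public class JdbcAuthorizationObject implements AuthorizationSecurableObject {
+
+public static final String ALL = "*";
+private String database;
+private String table;
+
+List<AuthorizationPrivilege> privileges;
+
+JdbcAuthorizationObject(String database, String table, List<AuthorizationPrivilege> privileges) {
+Preconditions.checkNotNull(database, "Jdbc authorization object database can't null");
+this.database = database;
+this.table = table;
+this.privileges = privileges;
+}
+
+@Nullable
+@Override
+public String parent() {
+if (table != null) {
+return database;
+}
+
+return null;
+}
+
+@Override
+public String name() {
+if (table != null) {
+return table;
+}
+
+return database;
+}
+
+@Override
+public List<String> names() {
+List<String> names = Lists.newArrayList();
+names.add(database);
+if (table != null) {
+names.add(table);
+}
+return names;
+}
+
+@Override
+public Type type() {
+if (table != null) {
+return () -> MetadataObject.Type.TABLE;
+}
+return () -> MetadataObject.Type.SCHEMA;
+}
+
+@Override
+public void validateAuthorizationMetadataObject() throws IllegalArgumentException {}
+
+@Override
+public List<AuthorizationPrivilege> privileges() {
+return privileges;
+}
+}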
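Review bot: `validateAuthorizationMetadataObject()` has an empty body, so beyond the constructor's null check nothing ever validates `database` or `table`, even though these are presumably the `objectName` values that the `JdbcAuthorizationSQL` builders in this same commit embed into SQL text; at minimum reject empty names there, e.g. `Preconditions.checkArgument(!database.isEmpty(), "Jdbc authorization object database can't be empty");` with the same check for a non-null `table`, and state in the class Javadoc that identifier quoting is the SQL backend's responsibility. `privileges()` also returns the caller-supplied list as-is and the constructor accepts `null` for it, so the getter can return `null` and any caller can mutate the object's internal state through it; `this.privileges = privileges == null ? Lists.newArrayList() : Lists.newArrayList(privileges);` isolates the copy while keeping the current contract, and an unmodifiable copy would be the stricter choice. The message on the `database` precondition reads "can't null" and should read "can't be null".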
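--- a/...tion-jdbc/src/main/java/org/apache/gravitino/authorization/jdbc/JdbcAuthorizationSQL.java
+++ b/...tion-jdbc/src/main/java/org/apache/gravitino/authorization/jdbc/JdbcAuthorizationSQL.java
@@ -0,0 +1,117 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+package org.apache.gravitino.authorization.jdbc;
+
+import java.util.List;
+import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.annotation.Unstable;
+import org.apache.gravitino.authorization.Owner;
+
+/** Interface for SQL operations of the underlying access control system. */
+@Unstable
+interface JdbcAuthorizationSQL {
+
+/**
+* Get SQL statements for creating a user.
+*
+* @param username the username to create
+* @return a SQL statement to create a user
+*/
+String getCreateUserSQL(String username);
+
+/**
+* Get SQL statements for creating a group.
+*
+* @param username the username to drop
+* @return a SQL statement to drop a user
+*/
+String getDropUserSQL(String username);
+
+/**
+* Get SQL statements for creating a role.
+*
+* @param roleName the role name to create
+* @return a SQL statement to create a role
+*/
+String getCreateRoleSQL(String roleName);
+
+/**
+* Get SQL statements for dropping a role.
+*
+* @param roleName the role name to drop
+* @return a SQL statement to drop a role
+*/
+String getDropRoleSQL(String roleName);
+
+/**
+* Get SQL statements for granting privileges.
+*
+* @param privilege the privilege to grant
+* @param objectType the object type in the database system
+* @param objectName the object name in the database system
+* @param roleName the role name to grant
+* @return a sql statement to grant privilege
+*/
+String getGrantPrivilegeSQL(
+String privilege, String objectType, String objectName, String roleName);
+
+/**
+* Get SQL statements for revoking privileges.
+*
+* @param privilege the privilege to revoke
+* @param objectType the object type in the database system
+* @param objectName the object name in the database system
+* @param roleName the role name to revoke
+* @return a sql statement to revoke privilege
+*/
+String getRevokePrivilegeSQL(
+String privilege, String objectType, String objectName, String roleName);
+
+/**
+* Get SQL statements for granting role.
+*
+* @param roleName the role name to grant
+* @param grantorType the grantor type, usually USER or ROLE
+* @param grantorName the grantor name
+* @return a sql statement to grant role
+*/
+String getGrantRoleSQL(String roleName, String grantorType, String grantorName);
+
+/**
+* Get SQL statements for revoking roles.
+*
+* @param roleName the role name to revoke
+* @param revokerType the revoker type, usually USER or ROLE
+* @param revokerName the revoker name
+* @return a sql statement to revoke role
+*/
+String getRevokeRoleSQL(String roleName, String revokerType, String revokerName);
+
+/**
+* Get SQL statements for setting owner.
+*
+* @param type The metadata object type
+* @param objectName the object name in the database system
+* @param preOwner the previous owner of the object
+* @param newOwner the new owner of the object
+* @return the sql statement list to set owner
+*/
+List<String> getSetOwnerSQL(
+MetadataObject.Type type, String objectName, Owner preOwner, Owner newOwner);
+}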
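Review bot: The Javadoc on `getDropUserSQL` is copied from the wrong method — it says "Get SQL statements for creating a group" while the method drops a user; it should read `* Get SQL statements for dropping a user.`. The parameter names `grantorType`/`grantorName` on `getGrantRoleSQL` (and `revokerType`/`revokerName` on `getRevokeRoleSQL`) describe the principal that receives or loses the role, i.e. the grantee rather than the grantor, so the names and their `@param` text mislead implementers. More importantly, every method takes `username`, `roleName`, `objectName` and `privilege` as raw strings and returns SQL text, yet nothing in the interface says whether implementations must quote or validate identifiers before embedding them; the interface Javadoc should state this contract explicitly, e.g. `Callers pass raw names; implementations must quote or validate every identifier before embedding it in the returned SQL.`, so that no backend builds statements by plain concatenation.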