[#5661] feat(auth): Add JDBC authorization plugin interface
jerqi committed Dec 19, 2024
1 parent b953226 commit c178a6d
Showing 11 changed files with 1,521 additions and 1 deletion.
3 changes: 3 additions & 0 deletions .github/workflows/access-control-integration-test.yml
Expand Up @@ -90,6 +90,9 @@ jobs:
./gradlew -PtestMode=embedded -PjdbcBackend=h2 -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-ranger:test
./gradlew -PtestMode=deploy -PjdbcBackend=mysql -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-ranger:test
./gradlew -PtestMode=deploy -PjdbcBackend=postgresql -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-ranger:test
./gradlew -PtestMode=embedded -PjdbcBackend=h2 -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-jdbc:test
./gradlew -PtestMode=deploy -PjdbcBackend=mysql -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-jdbc:test
./gradlew -PtestMode=deploy -PjdbcBackend=postgresql -PjdkVersion=${{ matrix.java-version }} -PskipDockerTests=false :authorizations:authorization-jdbc:test
- name: Upload integrate tests reports
uses: actions/upload-artifact@v3
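--- /dev/null
+++ b/authorizations/authorization-jdbc/build.gradle.kts
@@ -0,0 +1,97 @@
+/*
+* Licensed to the Apache Software Foundation (ASF) under one
+* or more contributor license agreements. See the NOTICE file
+* distributed with this work for additional information
+* regarding copyright ownership. The ASF licenses this file
+* to you under the Apache License, Version 2.0 (the
+* "License"); you may not use this file except in compliance
+* with the License. You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing,
+* software distributed under the License is distributed on an
+* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+* KIND, either express or implied. See the License for the
+* specific language governing permissions and limitations
+* under the License.
+*/
+description = "authorization-jdbc"
+
+plugins {
+`maven-publish`
+id("java")
+id("idea")
+}
+
+dependencies {
+implementation(project(":api")) {
+exclude(group = "*")
+}
+implementation(project(":core")) {
+exclude(group = "*")
+}
+
+implementation(libs.bundles.log4j)
+implementation(libs.commons.lang3)
+implementation(libs.guava)
+implementation(libs.javax.jaxb.api) {
+exclude("*")
+}
+implementation(libs.javax.ws.rs.api)
+implementation(libs.jettison)
+compileOnly(libs.lombok)
+implementation(libs.mail)
+implementation(libs.rome)
+implementation(libs.commons.dbcp2)
+
+testImplementation(project(":common"))
+testImplementation(project(":clients:client-java"))
+testImplementation(project(":server"))
+testImplementation(project(":catalogs:catalog-common"))
+testImplementation(project(":integration-test-common", "testArtifacts"))
+testImplementation(libs.junit.jupiter.api)
+testImplementation(libs.mockito.core)
+testImplementation(libs.testcontainers)
+testRuntimeOnly(libs.junit.jupiter.engine)
+}
+
+tasks {
+val runtimeJars by registering(Copy::class) {
+from(configurations.runtimeClasspath)
+into("build/libs")
+}
+
+val copyAuthorizationLibs by registering(Copy::class) {
+dependsOn("jar", runtimeJars)
+from("build/libs") {
+exclude("guava-*.jar")
+exclude("log4j-*.jar")
+exclude("slf4j-*.jar")
+}
+into("$rootDir/distribution/package/authorizations/ranger/libs")
+}
+
+register("copyLibAndConfig", Copy::class) {
+dependsOn(copyAuthorizationLibs)
+}
+
+jar {
+dependsOn(runtimeJars)
+}
+}
+
+tasks.test {
+doFirst {
+environment("HADOOP_USER_NAME", "gravitino")
+}
+dependsOn(":catalogs:catalog-hive:jar", ":catalogs:catalog-hive:runtimeJars")
+
+val skipITs = project.hasProperty("skipITs")
+if (skipITs) {
+// Exclude integration tests
+exclude("**/integration/test/**")
+} else {
+dependsOn(tasks.jar)
+}
+}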
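Review bot: `copyAuthorizationLibs` writes this module's jars into `$rootDir/distribution/package/authorizations/ranger/libs` (the `into(...)` at the end of that task), so the JDBC plugin's whole runtime classpath is merged into the Ranger plugin's directory — where it can shadow or overwrite that plugin's jars — instead of landing in a directory of its own; this looks copied from the Ranger module and should read `into("$rootDir/distribution/package/authorizations/jdbc/libs")`. The dependency list also carries `libs.jettison`, `libs.mail`, `libs.rome` and `libs.javax.ws.rs.api`, which neither Java file in this commit references; if they are only needed by the Ranger client they widen the supply-chain surface shipped in the distribution for no benefit and should be dropped here (the commit's remaining files are not visible, so this is worth confirming). A one-line comment on `libs.commons.dbcp2`, e.g. `// connection pooling for the JDBC authorization backend`, would also help, since nothing in the visible sources uses it yet.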
@@ -0,0 +1,93 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.gravitino.authorization.jdbc;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.List;
import javax.annotation.Nullable;
import org.apache.gravitino.MetadataObject;
import org.apache.gravitino.authorization.AuthorizationPrivilege;
import org.apache.gravitino.authorization.AuthorizationSecurableObject;

/**
* JdbcAuthorizationObject is used for translating securable object to authorization securable
* object. JdbcAuthorizationObject has the database and table name. When table name is null, the
* object represents a database. The database can't be null.
*/
public class JdbcAuthorizationObject implements AuthorizationSecurableObject {

public static final String ALL = "*";
private String database;
private String table;

List<AuthorizationPrivilege> privileges;

JdbcAuthorizationObject(String database, String table, List<AuthorizationPrivilege> privileges) {
Preconditions.checkNotNull(database, "Jdbc authorization object database can't null");
this.database = database;
this.table = table;
this.privileges = privileges;
}

@Nullable
@Override
public String parent() {
if (table != null) {
return database;
}

return null;
}

@Override
public String name() {
if (table != null) {
return table;
}

return database;
}

@Override
public List<String> names() {
List<String> names = Lists.newArrayList();
names.add(database);
if (table != null) {
names.add(table);
}
return names;
}

@Override
public Type type() {
if (table != null) {
return () -> MetadataObject.Type.TABLE;
}
return () -> MetadataObject.Type.SCHEMA;
}

@Override
public void validateAuthorizationMetadataObject() throws IllegalArgumentException {}

@Override
public List<AuthorizationPrivilege> privileges() {
return privileges;
}
}
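Review bot: `validateAuthorizationMetadataObject()` has an empty body, so an object whose `database` or `table` is the empty string — or contains quotes, dots or the `*` wildcard this class exposes as `ALL` — is accepted and handed on unchanged; the constructor only guards against a null database. Because the sibling `JdbcAuthorizationSQL` interface in this commit receives these names as plain strings and returns finished statements, this method is the natural place to reject malformed names before they are spliced into DDL, so it should at least reject empty names and ideally enforce the backend's identifier grammar (which grammar applies is not visible here). The constructor's precondition message reads `can't null`; `can't be null` is intended. Separately, `privileges()` returns the very list the object was constructed with, so a caller can mutate the privilege set; wrapping it with `Collections.unmodifiableList` in the constructor would make it read-only.

```java
@Override
public void validateAuthorizationMetadataObject() throws IllegalArgumentException {
  Preconditions.checkArgument(
      !database.isEmpty(), "Jdbc authorization object database can't be empty");
  Preconditions.checkArgument(
      table == null || !table.isEmpty(), "Jdbc authorization object table can't be empty");
}
```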
@@ -0,0 +1,117 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.gravitino.authorization.jdbc;

import java.util.List;
import org.apache.gravitino.MetadataObject;
import org.apache.gravitino.annotation.Unstable;
import org.apache.gravitino.authorization.Owner;

/** Interface for SQL operations of the underlying access control system. */
@Unstable
interface JdbcAuthorizationSQL {

/**
* Get SQL statements for creating a user.
*
* @param username the username to create
* @return a SQL statement to create a user
*/
String getCreateUserSQL(String username);

/**
* Get SQL statements for creating a group.
*
* @param username the username to drop
* @return a SQL statement to drop a user
*/
String getDropUserSQL(String username);

/**
* Get SQL statements for creating a role.
*
* @param roleName the role name to create
* @return a SQL statement to create a role
*/
String getCreateRoleSQL(String roleName);

/**
* Get SQL statements for dropping a role.
*
* @param roleName the role name to drop
* @return a SQL statement to drop a role
*/
String getDropRoleSQL(String roleName);

/**
* Get SQL statements for granting privileges.
*
* @param privilege the privilege to grant
* @param objectType the object type in the database system
* @param objectName the object name in the database system
* @param roleName the role name to grant
* @return a sql statement to grant privilege
*/
String getGrantPrivilegeSQL(
String privilege, String objectType, String objectName, String roleName);

/**
* Get SQL statements for revoking privileges.
*
* @param privilege the privilege to revoke
* @param objectType the object type in the database system
* @param objectName the object name in the database system
* @param roleName the role name to revoke
* @return a sql statement to revoke privilege
*/
String getRevokePrivilegeSQL(
String privilege, String objectType, String objectName, String roleName);

/**
* Get SQL statements for granting role.
*
* @param roleName the role name to grant
* @param grantorType the grantor type, usually USER or ROLE
* @param grantorName the grantor name
* @return a sql statement to grant role
*/
String getGrantRoleSQL(String roleName, String grantorType, String grantorName);

/**
* Get SQL statements for revoking roles.
*
* @param roleName the role name to revoke
* @param revokerType the revoker type, usually USER or ROLE
* @param revokerName the revoker name
* @return a sql statement to revoke role
*/
String getRevokeRoleSQL(String roleName, String revokerType, String revokerName);

/**
* Get SQL statements for setting owner.
*
* @param type The metadata object type
* @param objectName the object name in the database system
* @param preOwner the previous owner of the object
* @param newOwner the new owner of the object
* @return the sql statement list to set owner
*/
List<String> getSetOwnerSQL(
MetadataObject.Type type, String objectName, Owner preOwner, Owner newOwner);
}
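Review bot: Every method here returns a finished SQL string built from caller-supplied names (`username`, `roleName`, `objectName`, `privilege`, `objectType`), and DDL/DCL of this kind cannot be bound through `PreparedStatement` parameters, so the interface should state the contract implementers must meet: quote every identifier with the dialect's quoting rules, and accept `privilege` and `objectType` only from a fixed set rather than interpolating them verbatim (whether these values ultimately derive from user-controlled metadata is not visible in this hunk). I would add to the interface Javadoc: `Implementations must quote or validate every name they interpolate; the returned statements are meant to be executed as-is and cannot be parameterized.` The Javadoc on `getDropUserSQL` is copied from the create-group case — its summary should be `Get SQL statements for dropping a user.` And `getGrantRoleSQL`/`getRevokeRoleSQL` call the recipient `grantorType`/`grantorName` and `revokerType`/`revokerName` although the role is granted *to* that principal; `granteeType`/`granteeName` would match the documented meaning ("usually USER or ROLE").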
