Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#5790] auth(chain): Chain authorization properties #5791

Merged
merged 10 commits into from
Dec 17, 2024
Merged

[#5790] auth(chain): Chain authorization properties #5791

merged 10 commits into from
Dec 17, 2024

Conversation

xunliu
Copy link
Member

@xunliu xunliu commented Dec 7, 2024
edited
Loading

What changes were proposed in this pull request?

  1. Add AuthorizationProperties interface
  2. Add ChainAuthorizationProperties class

Why are the changes needed?

Fix: #5790

Does this PR introduce any user-facing change?

N/A

How was this patch tested?

Add test

@xunliu xunliu requested a review from mchades December 7, 2024 05:59
@xunliu xunliu self-assigned this Dec 7, 2024
@orenccl
Copy link
Collaborator

orenccl commented Dec 7, 2024

Kindly note that this PR should reference fix:5790, not fix:5779.

@xunliu xunliu changed the title [#5779] feat(core): Wildcard properties meta [#5790] feat(core): Wildcard properties meta Dec 9, 2024
@xunliu
Copy link
Member Author

xunliu commented Dec 9, 2024

@orenccl Thank you for your help check it. Thanks.

@xunliu
Copy link
Member Author

xunliu commented Dec 9, 2024

@mchades I fixed all problems, Please help me review again, thanks!

mchades
mchades reviewed Dec 10, 2024
View reviewed changes
@xunliu
Copy link
Member Author

xunliu commented Dec 10, 2024

@mchades I fixed all the problems, please help me review it again. Thanks.

@xunliu
Copy link
Member Author

xunliu commented Dec 11, 2024

@mchades I fixed all the problems, please help me review it again. Thanks.

@xunliu xunliu changed the title [#5790] feat(core): Wildcard properties meta [#5790] auth(chain): Chain authorization properties Dec 13, 2024
@xunliu xunliu requested a review from diqiu50 December 13, 2024 07:42
@xunliu
Copy link
Member Author

xunliu commented Dec 13, 2024

@tengqm @mchades @yuqi1129 I am refactoring this PR, Please help me review it, Thanks.

@xunliu xunliu requested review from yuqi1129 and removed request for diqiu50 December 13, 2024 07:49
mchades
mchades reviewed Dec 16, 2024
View reviewed changes
mchades
mchades reviewed Dec 16, 2024
View reviewed changes
...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java Outdated
}
}

resultProperties.forEach((key, value) -> System.out.println(key + " = " + value));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

plz remove the println

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

jerqi
jerqi reviewed Dec 16, 2024
View reviewed changes
...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java Outdated
* "authorization.chain.hive1.ranger.password" = "admin"; <br>
* "authorization.chain.hive1.ranger.service.name" = "hiveDev"; <br>
* "authorization.chain.hdfs1.provider" = "ranger"; <br>
* "authorization.chain.hdfs1.catalog-provider" = "hadoop"; <br>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't reasonable. The plugins of the chain should have the same catalog provider.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

jerqi
jerqi reviewed Dec 16, 2024
View reviewed changes
...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java Outdated
@@ -34,28 +34,25 @@
* Configuration Example: <br>
* "authorization.chain.plugins" = "hive1,hdfs1" <br>
* "authorization.chain.hive1.provider" = "ranger"; <br>
* "authorization.chain.hive1.catalog-provider" = "hive"; <br>
* "authorization.chain.hive1.ranger.service.type" = "hive"; <br>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hadoop SQL is more suitable?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

mchades
mchades reviewed Dec 16, 2024
View reviewed changes
...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java
properties.containsKey(CHAIN_PLUGINS_PROPERTIES_KEY),
String.format("%s is required", CHAIN_PLUGINS_PROPERTIES_KEY));

String[] pluginNames = properties.get(CHAIN_PLUGINS_PROPERTIES_KEY).split(PLUGINS_SPLITTER);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential NPE when properties.get(CHAIN_PLUGINS_PROPERTIES_KEY) return null

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java Outdated

String[] pluginNames = properties.get(CHAIN_PLUGINS_PROPERTIES_KEY).split(PLUGINS_SPLITTER);
Preconditions.checkArgument(
pluginNames.length > 0,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

redundant check since the below check Arrays.asList(pluginNames).contains(pluginName) already includes this

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

jerqi
jerqi reviewed Dec 17, 2024
View reviewed changes
docs/security/authorization-pushdown.md Outdated
@@ -24,7 +24,8 @@ In order to use the Ranger Hadoop SQL Plugin, you need to configure the followin
| `authorization.ranger.auth.type` | The Apache Ranger authentication type `simple` or `kerberos`. | `simple` | No | 0.6.0-incubating |
| `authorization.ranger.username` | The Apache Ranger admin web login username (auth type=simple), or kerberos principal(auth type=kerberos), Need have Ranger administrator permission. | (none) | No | 0.6.0-incubating |
| `authorization.ranger.password` | The Apache Ranger admin web login user password (auth type=simple), or path of the keytab file(auth type=kerberos) | (none) | No | 0.6.0-incubating |
| `authorization.ranger.service.name` | The Apache Ranger service name. | (none) | No | 0.6.0-incubating |
| `authorization.ranger.service.type` | The Apache Ranger service type. | (none) | No | 0.6.0-incubating |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0.8.0-incubating?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DONE

jerqi
jerqi reviewed Dec 17, 2024
View reviewed changes
...er/src/main/java/org/apache/gravitino/authorization/ranger/ChainAuthorizationProperties.java
Arrays.asList(pluginNames).contains(pluginName),
String.format("pluginName %s must be one of %s", pluginName, Arrays.toString(pluginNames)));

String regex = "^authorization\\.chain\\.(" + pluginName + ")\\..*";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hesitate about regex expression. Usually regex expression will make code hard to understand. Is it neccessary although the regex epression seems simple.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I need to use regular expressions:

  1. Check whether the plugin name meets requirements. For example, the plugin name cannot be included . symbol.
  2. Check that the plugin name must be one of several values specified
  3. Delete plugin name from the chain attribute to generate plugin attribute configuration.
    Only the simplest regular expressions are used here, which I don't think is a problem.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can get the configuration by configuration prefix like authorization.pluginName.xxxx.

Copy link
Member Author

@xunliu xunliu Dec 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ChainAuthorizationProperties is just a regular expression.

"authorization.chain.plugins" = "hive1,hdfs1" <br>
"authorization.chain.*.provider" = "ranger"; <br>
"authorization.chain.*.ranger.service.type" = "HadoopSQL"; <br>
"authorization.chain.*.ranger.service.name" = "hiveDev"; <br>
"authorization.chain.*.ranger.auth.type" = "simple"; <br>
"authorization.chain.*.ranger.admin.url" = "http://localhost:6080"; <br>
"authorization.chain.*.ranger.username" = "admin"; <br>
"authorization.chain.*.ranger.password" = "admin"; <br>

We can use ChainAuthorizationProperties to configuration multiple plugin properties.:

Configuration Example: <br>
"authorization.chain.plugins" = "hive1,hdfs1" <br>
"authorization.chain.hive1.provider" = "ranger"; <br>
"authorization.chain.hive1.ranger.service.type" = "HadoopSQL"; <br>
"authorization.chain.hive1.ranger.service.name" = "hiveDev"; <br>
"authorization.chain.hive1.ranger.auth.type" = "simple"; <br>
"authorization.chain.hive1.ranger.admin.url" = "http://localhost:6080"; <br>
"authorization.chain.hive1.ranger.username" = "admin"; <br>
"authorization.chain.hive1.ranger.password" = "admin"; <br>
"authorization.chain.hdfs1.provider" = "ranger"; <br>
"authorization.chain.hdfs1.ranger.service.type" = "HDFS"; <br>
"authorization.chain.hdfs1.ranger.service.name" = "hdfsDev"; <br>
"authorization.chain.hdfs1.ranger.auth.type" = "simple"; <br>
"authorization.chain.hdfs1.ranger.admin.url" = "http://localhost:6080"; <br>
"authorization.chain.hdfs1.ranger.username" = "admin"; <br>
"authorization.chain.hdfs1.ranger.password" = "admin"; <br>

jerqi
jerqi approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@jerqi jerqi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion, I still think prefix match is better than regex expression. But I think we don't need to block the pull request because of this point.

@xunliu
Copy link
Member Author

xunliu commented Dec 17, 2024

We can strictly check user properties configurations in the chain by using regular.
Checking with strings is less elegant.
Can I reference in TestChainAuthorizationProperties.java Some test cases in Java.

@xunliu xunliu merged commit 983ce4b into apache:main Dec 17, 2024
26 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tengqm tengqm tengqm left review comments

@mchades mchades mchades left review comments

@jerqi jerqi jerqi approved these changes

@yuqi1129 yuqi1129 Awaiting requested review from yuqi1129

Assignees

@xunliu xunliu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Subtask] Wildcard properties meta
5 participants
@xunliu @orenccl @tengqm @jerqi @mchades