[#5118] feat(auth): Lakehouse Iceberg catalog supports Ranger authori…

…zation plugin (#5467) ### What changes were proposed in this pull request? Lakehouse Iceberg catalog supports Ranger authorization plugin ### Why are the changes needed? Fix: #5118 ### Does this PR introduce _any_ user-facing change? Add the document. ### How was this patch tested? Add E2E tests.
apache · Nov 6, 2024 · 6776402 · 6776402
1 parent facfe83
commit 6776402
Show file tree

Hide file tree

Showing 11 changed files with 1,305 additions and 931 deletions.
diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -61,7 +61,7 @@ enum Name {
     USE_SCHEMA(0L, 1L << 4),
     /** The privilege to create a table. */
     CREATE_TABLE(0L, 1L << 5),
-    /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE` for a table. */
+    /** The privilege to write data to a table or modify the table schema. */
     MODIFY_TABLE(0L, 1L << 6),
     /** The privilege to select data from a table. */
     SELECT_TABLE(0L, 1L << 7),

diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -407,7 +407,7 @@ public boolean canBindTo(MetadataObject.Type type) {
     }
   }
 
-  /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE` for a table. */
+  /** The privilege to write data to a table or modify the table schema. */
   public static class ModifyTable extends GenericPrivilege<ModifyTable> {
     private static final ModifyTable ALLOW_INSTANCE =
         new ModifyTable(Condition.ALLOW, Name.MODIFY_TABLE);

diff --git a/authorizations/authorization-ranger/build.gradle.kts b/authorizations/authorization-ranger/build.gradle.kts
@@ -27,6 +27,8 @@ plugins {
 val scalaVersion: String = project.properties["scalaVersion"] as? String ?: extra["defaultScalaVersion"].toString()
 val sparkVersion: String = libs.versions.spark35.get()
 val kyuubiVersion: String = libs.versions.kyuubi4spark35.get()
+val sparkMajorVersion: String = sparkVersion.substringBeforeLast(".")
+val icebergVersion: String = libs.versions.iceberg4spark.get()
 
 dependencies {
   implementation(project(":api")) {
@@ -97,6 +99,7 @@ dependencies {
     exclude("javax.servlet", "servlet-api")
     exclude("io.netty")
   }
+  testImplementation("org.apache.iceberg:iceberg-spark-runtime-${sparkMajorVersion}_$scalaVersion:$icebergVersion")
 }
 
 tasks {
@@ -126,7 +129,7 @@ tasks {
 
 tasks.test {
   doFirst {
-    environment("HADOOP_USER_NAME", "test")
+    environment("HADOOP_USER_NAME", "gravitino")
   }
   dependsOn(":catalogs:catalog-hive:jar", ":catalogs:catalog-hive:runtimeJars")
 

diff --git a/...n-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java b/...n-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
@@ -33,7 +33,8 @@ public String shortName() {
   protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) {
     switch (catalogProvider) {
       case "hive":
-        return RangerAuthorizationHivePlugin.getInstance(config);
+      case "lakehouse-iceberg":
+        return RangerAuthorizationHadoopSQLPlugin.getInstance(config);
       default:
         throw new IllegalArgumentException("Unknown catalog provider: " + catalogProvider);
     }

diff --git a/...ranger/RangerAuthorizationHivePlugin.java → ...r/RangerAuthorizationHadoopSQLPlugin.java b/...ranger/RangerAuthorizationHivePlugin.java → ...r/RangerAuthorizationHadoopSQLPlugin.java
@@ -41,19 +41,21 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class RangerAuthorizationHivePlugin extends RangerAuthorizationPlugin {
-  private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationHivePlugin.class);
-  private static volatile RangerAuthorizationHivePlugin instance = null;
+public class RangerAuthorizationHadoopSQLPlugin extends RangerAuthorizationPlugin {
+  private static final Logger LOG =
+      LoggerFactory.getLogger(RangerAuthorizationHadoopSQLPlugin.class);
+  private static volatile RangerAuthorizationHadoopSQLPlugin instance = null;
 
-  private RangerAuthorizationHivePlugin(Map<String, String> config) {
+  private RangerAuthorizationHadoopSQLPlugin(Map<String, String> config) {
     super(config);
   }
 
-  public static synchronized RangerAuthorizationHivePlugin getInstance(Map<String, String> config) {
+  public static synchronized RangerAuthorizationHadoopSQLPlugin getInstance(
+      Map<String, String> config) {
     if (instance == null) {
-      synchronized (RangerAuthorizationHivePlugin.class) {
+      synchronized (RangerAuthorizationHadoopSQLPlugin.class) {
         if (instance == null) {
-          instance = new RangerAuthorizationHivePlugin(config);
+          instance = new RangerAuthorizationHadoopSQLPlugin(config);
         }
       }
     }