From f38a67bf0aacdeb62903487b1b38ce6f5a2c5302 Mon Sep 17 00:00:00 2001 From: zhangdong <493738387@qq.com> Date: Tue, 30 Jul 2024 17:26:57 +0800 Subject: [PATCH] [enhance](auth)support cache ranger datamask and row filter (#37723) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Ranger plugin is relatively slow in obtaining datamask and row filter policies, and the time consumed will become slower as the number of policies configured on the Ranger increases optimized logic: cache result in memory of doris, cache will invalidate when ranger plugin discover policy updates before: mysql> select * from zd.user; Empty set (0.19 sec) after: mysql> select * from zd.user; Empty set (0.06 sec) --- .../java/org/apache/doris/common/Config.java | 6 + .../cache/CatalogCacheAccessController.java | 91 +++++++++++++++ .../ranger/cache/DatamaskCacheKey.java | 89 +++++++++++++++ .../authorizer/ranger/cache/RangerCache.java | 107 ++++++++++++++++++ .../cache/RangerCacheInvalidateListener.java | 41 +++++++ .../ranger/cache/RowFilterCacheKey.java | 82 ++++++++++++++ .../RangerCacheDorisAccessController.java | 44 +++++++ .../doris/RangerDorisAccessController.java | 7 +- .../ranger/doris/RangerDorisPlugin.java | 6 + .../hive/RangerCacheHiveAccessController.java | 47 ++++++++ .../hive/RangerHiveAccessController.java | 8 +- .../RangerHiveAccessControllerFactory.java | 2 +- .../ranger/hive/RangerHivePlugin.java | 6 + .../privilege/AccessControllerManager.java | 4 +- 14 files changed, 535 insertions(+), 5 deletions(-) create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java create mode 100644 fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index 938b41915ae1a8..7495b0db9ecb2f 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java @@ -2267,6 +2267,12 @@ public class Config extends ConfigBase { @ConfField public static long stats_cache_size = 50_0000; + /** + * This config used for ranger cache data mask/row policy + */ + @ConfField + public static long ranger_cache_size = 10000; + /** * This configuration is used to enable the statistics of query information, which will record * the access status of databases, tables, and columns, and can be used to guide the diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java new file mode 100644 index 00000000000000..4b2aca0628a59a --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java @@ -0,0 +1,91 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.ResourceTypeEnum; +import org.apache.doris.analysis.UserIdentity; +import org.apache.doris.common.AuthorizationException; +import org.apache.doris.mysql.privilege.CatalogAccessController; +import org.apache.doris.mysql.privilege.DataMaskPolicy; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.mysql.privilege.RowFilterPolicy; + +import java.util.List; +import java.util.Optional; +import java.util.Set; + +public abstract class CatalogCacheAccessController implements CatalogAccessController { + public abstract CatalogAccessController getProxyController(); + + public abstract RangerCache getCache(); + + + @Override + public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { + return getProxyController().checkGlobalPriv(currentUser, wanted); + } + + @Override + public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { + return getProxyController().checkCtlPriv(currentUser, ctl, wanted); + } + + @Override + public boolean checkDbPriv(UserIdentity currentUser, String ctl, String db, PrivPredicate wanted) { + return getProxyController().checkDbPriv(currentUser, ctl, db, wanted); + } + + @Override + public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { + return getProxyController().checkTblPriv(currentUser, ctl, db, tbl, wanted); + } + + @Override + public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { + return getProxyController().checkResourcePriv(currentUser, resourceName, wanted); + } + + @Override + public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted) { + return getProxyController().checkWorkloadGroupPriv(currentUser, workloadGroupName, wanted); + } + + @Override + public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, + PrivPredicate wanted) throws AuthorizationException { + getProxyController().checkColsPriv(currentUser, ctl, db, tbl, cols, wanted); + } + + @Override + public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted, + ResourceTypeEnum type) { + return getProxyController().checkCloudPriv(currentUser, resourceName, wanted, type); + } + + @Override + public Optional evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl, + String col) { + return getCache().getDataMask(new DatamaskCacheKey(currentUser, ctl, db, tbl, col)); + } + + @Override + public List evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, + String tbl) { + return getCache().getRowFilters(new RowFilterCacheKey(currentUser, ctl, db, tbl)); + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java new file mode 100644 index 00000000000000..d2262d094f9cef --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java @@ -0,0 +1,89 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.UserIdentity; + +import com.google.common.base.Objects; + +public class DatamaskCacheKey { + private UserIdentity userIdentity; + private String ctl; + private String db; + private String tbl; + private String col; + + public DatamaskCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl, String col) { + this.userIdentity = userIdentity; + this.ctl = ctl; + this.db = db; + this.tbl = tbl; + this.col = col; + } + + public UserIdentity getUserIdentity() { + return userIdentity; + } + + public String getCtl() { + return ctl; + } + + public String getDb() { + return db; + } + + public String getTbl() { + return tbl; + } + + public String getCol() { + return col; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + DatamaskCacheKey that = (DatamaskCacheKey) o; + return Objects.equal(userIdentity, that.userIdentity) + && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) + && Objects.equal(tbl, that.tbl) && Objects.equal(col, + that.col); + } + + @Override + public int hashCode() { + return Objects.hashCode(userIdentity, ctl, db, tbl, col); + } + + @Override + public String toString() { + return "DatamaskCacheKey{" + + "userIdentity=" + userIdentity + + ", ctl='" + ctl + '\'' + + ", db='" + db + '\'' + + ", tbl='" + tbl + '\'' + + ", col='" + col + '\'' + + '}'; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java new file mode 100644 index 00000000000000..29c068b1aff991 --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java @@ -0,0 +1,107 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.common.Config; +import org.apache.doris.datasource.CacheException; +import org.apache.doris.mysql.privilege.CatalogAccessController; +import org.apache.doris.mysql.privilege.DataMaskPolicy; +import org.apache.doris.mysql.privilege.RowFilterPolicy; + +import com.google.common.cache.CacheBuilder; +import com.google.common.cache.CacheLoader; +import com.google.common.cache.LoadingCache; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import java.util.concurrent.ExecutionException; + +public class RangerCache { + private static final Logger LOG = LoggerFactory.getLogger(RangerCache.class); + + private CatalogAccessController controller; + private LoadingCache> datamaskCache = CacheBuilder.newBuilder() + .maximumSize(Config.ranger_cache_size) + .build(new CacheLoader>() { + @Override + public Optional load(DatamaskCacheKey key) { + return loadDataMask(key); + } + }); + + private LoadingCache> rowFilterCache = CacheBuilder.newBuilder() + .maximumSize(Config.ranger_cache_size) + .build(new CacheLoader>() { + @Override + public List load(RowFilterCacheKey key) { + return loadRowFilter(key); + } + }); + + public RangerCache() { + } + + public void init(CatalogAccessController controller) { + this.controller = controller; + } + + private Optional loadDataMask(DatamaskCacheKey key) { + Objects.requireNonNull(controller, "controller can not be null"); + if (LOG.isDebugEnabled()) { + LOG.debug("load datamask: {}", key); + } + return controller.evalDataMaskPolicy(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl(), + key.getCol()); + } + + private List loadRowFilter(RowFilterCacheKey key) { + Objects.requireNonNull(controller, "controller can not be null"); + if (LOG.isDebugEnabled()) { + LOG.debug("load row filter: {}", key); + } + return controller.evalRowFilterPolicies(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl()); + } + + public void invalidateDataMaskCache() { + datamaskCache.invalidateAll(); + } + + public void invalidateRowFilterCache() { + rowFilterCache.invalidateAll(); + } + + public Optional getDataMask(DatamaskCacheKey key) { + try { + return datamaskCache.get(key); + } catch (ExecutionException e) { + throw new CacheException("failed to get datamask for:" + key, e); + } + } + + public List getRowFilters(RowFilterCacheKey key) { + try { + return rowFilterCache.get(key); + } catch (ExecutionException e) { + throw new CacheException("failed to get row filter for:" + key, e); + } + } + +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java new file mode 100644 index 00000000000000..4af56a8ff1bacf --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java @@ -0,0 +1,41 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; + +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.apache.ranger.plugin.service.RangerAuthContextListener; + +public class RangerCacheInvalidateListener implements RangerAuthContextListener { + private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class); + + private RangerCache cache; + + public RangerCacheInvalidateListener(RangerCache cache) { + this.cache = cache; + } + + @Override + public void contextChanged() { + LOG.info("ranger context changed"); + cache.invalidateDataMaskCache(); + cache.invalidateRowFilterCache(); + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java new file mode 100644 index 00000000000000..08afcb40fcb59b --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java @@ -0,0 +1,82 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.UserIdentity; + +import com.google.common.base.Objects; + +public class RowFilterCacheKey { + private UserIdentity userIdentity; + private String ctl; + private String db; + private String tbl; + + public RowFilterCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl) { + this.userIdentity = userIdentity; + this.ctl = ctl; + this.db = db; + this.tbl = tbl; + } + + public UserIdentity getUserIdentity() { + return userIdentity; + } + + public String getCtl() { + return ctl; + } + + public String getDb() { + return db; + } + + public String getTbl() { + return tbl; + } + + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + RowFilterCacheKey that = (RowFilterCacheKey) o; + return Objects.equal(userIdentity, that.userIdentity) + && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) + && Objects.equal(tbl, that.tbl); + } + + @Override + public int hashCode() { + return Objects.hashCode(userIdentity, ctl, db, tbl); + } + + @Override + public String toString() { + return "DatamaskCacheKey{" + + "userIdentity=" + userIdentity + + ", ctl='" + ctl + '\'' + + ", db='" + db + '\'' + + ", tbl='" + tbl + '\'' + + '}'; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java new file mode 100644 index 00000000000000..2cbc8111d52c9c --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java @@ -0,0 +1,44 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.doris; + +import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; +import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; +import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; +import org.apache.doris.mysql.privilege.CatalogAccessController; + +public class RangerCacheDorisAccessController extends CatalogCacheAccessController { + private CatalogAccessController proxyController; + private RangerCache cache; + + public RangerCacheDorisAccessController(String serviceName) { + this.cache = new RangerCache(); + this.proxyController = new RangerDorisAccessController(serviceName, new RangerCacheInvalidateListener(cache)); + this.cache.init(proxyController); + } + + @Override + public CatalogAccessController getProxyController() { + return proxyController; + } + + @Override + public RangerCache getCache() { + return cache; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 2060242b024df6..b0deea1887b370 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -33,6 +33,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.ArrayList; @@ -50,7 +51,11 @@ public class RangerDorisAccessController extends RangerAccessController { // private RangerHiveAuditHandler auditHandler; public RangerDorisAccessController(String serviceName) { - dorisPlugin = new RangerDorisPlugin(serviceName); + this(serviceName, null); + } + + public RangerDorisAccessController(String serviceName, RangerAuthContextListener rangerAuthContextListener) { + dorisPlugin = new RangerDorisPlugin(serviceName, rangerAuthContextListener); // auditHandler = new RangerHiveAuditHandler(dorisPlugin.getConfig()); // start a timed log flusher // logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS); diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java index 34f098c8df8cf5..0da65aaeb7f097 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java @@ -17,11 +17,17 @@ package org.apache.doris.catalog.authorizer.ranger.doris; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; public class RangerDorisPlugin extends RangerBasePlugin { public RangerDorisPlugin(String serviceName) { + this(serviceName, null); + } + + public RangerDorisPlugin(String serviceName, RangerAuthContextListener rangerAuthContextListener) { super(serviceName, null, null); super.init(); + super.registerAuthContextEventListener(rangerAuthContextListener); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java new file mode 100644 index 00000000000000..f4f510a12e641c --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java @@ -0,0 +1,47 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.hive; + +import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; +import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; +import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; +import org.apache.doris.mysql.privilege.CatalogAccessController; + +import java.util.Map; + +public class RangerCacheHiveAccessController extends CatalogCacheAccessController { + + private CatalogAccessController proxyController; + private RangerCache cache; + + public RangerCacheHiveAccessController(Map properties) { + this.cache = new RangerCache(); + this.proxyController = new RangerHiveAccessController(properties, new RangerCacheInvalidateListener(cache)); + this.cache.init(proxyController); + } + + @Override + public CatalogAccessController getProxyController() { + return proxyController; + } + + @Override + public RangerCache getCache() { + return cache; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java index c2298345a5ddd0..5ca0589aefb73b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java @@ -35,6 +35,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.ArrayList; @@ -55,8 +56,13 @@ public class RangerHiveAccessController extends RangerAccessController { private RangerHiveAuditHandler auditHandler; public RangerHiveAccessController(Map properties) { + this(properties, null); + } + + public RangerHiveAccessController(Map properties, + RangerAuthContextListener rangerAuthContextListener) { String serviceName = properties.get("ranger.service.name"); - hivePlugin = new RangerHivePlugin(serviceName); + hivePlugin = new RangerHivePlugin(serviceName, rangerAuthContextListener); auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig()); // start a timed log flusher logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS); diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java index 3e9f11d9f8ec56..545e7a26836761 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java @@ -25,6 +25,6 @@ public class RangerHiveAccessControllerFactory implements AccessControllerFactory { @Override public CatalogAccessController createAccessController(Map prop) { - return new RangerHiveAccessController(prop); + return new RangerCacheHiveAccessController(prop); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java index cf675b9a1025e4..7ee393bae454e0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java @@ -17,11 +17,17 @@ package org.apache.doris.catalog.authorizer.ranger.hive; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; public class RangerHivePlugin extends RangerBasePlugin { public RangerHivePlugin(String serviceName) { + super(serviceName, null); + } + + public RangerHivePlugin(String serviceName, RangerAuthContextListener rangerAuthContextListener) { super(serviceName, null, null); super.init(); + super.registerAuthContextEventListener(rangerAuthContextListener); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index e12b0a737dc6f8..ba23c91e27df78 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java @@ -22,7 +22,7 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; +import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; @@ -58,7 +58,7 @@ public class AccessControllerManager { public AccessControllerManager(Auth auth) { this.auth = auth; if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { - defaultAccessController = new RangerDorisAccessController("doris"); + defaultAccessController = new RangerCacheDorisAccessController("doris"); } else { defaultAccessController = new InternalAccessController(auth); }