[Refactor](auth)(step-2) Add AccessController to support customized authorization #16802
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
area/planner
7 tasks
morningman
added
the
api-review
|
clang-tidy review says "All clean, LGTM! 👍" |
morningman
force-pushed
the
column_priv_interface
branch
from
1aba215 to
b0be82f
Compare
|
clang-tidy review says "All clean, LGTM! 👍" |
2 similar comments
|
clang-tidy review says "All clean, LGTM! 👍" |
|
clang-tidy review says "All clean, LGTM! 👍" |
morningman
force-pushed
the
column_priv_interface
branch
from
39d744a to
e7d51f5
Compare
github-actions
bot
added
area/load
|
clang-tidy review says "All clean, LGTM! 👍" |
Yulei-Yang
reviewed
Feb 16, 2023
| import java.util.List; | ||
|
|
||
| /** | ||
| * Elasticsearch external table. |
| throw new RuntimeException(e); | ||
| } catch (IllegalAccessException e) { | ||
| throw new RuntimeException(e); | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
need a deleteAccessController method
There was a problem hiding this comment.
fixed. the access controller will be removed when catalog is dropped
morningman
force-pushed
the
column_priv_interface
branch
from
e7d51f5 to
6fd56d3
Compare
|
clang-tidy review says "All clean, LGTM! 👍" |
morningman
force-pushed
the
column_priv_interface
branch
from
6fd56d3 to
73d0419
Compare
|
clang-tidy review says "All clean, LGTM! 👍" |
github-actions
bot
added
the
approved
|
PR approved by at least one committer and no changes requested. |
|
PR approved by anyone and no changes requested. |
yagagagaga
pushed a commit
to yagagagaga/doris
that referenced
this pull request
Mar 9, 2023
…uthorization (apache#16802) Support specifying AccessControllerFactory when creating catalog create catalog hive properties( ... "access_controller.class" = "org.apache.doris.mysql.privilege.RangerAccessControllerFactory", "access_controller.properties.prop1" = "xxx", "access_controller.properties.prop2" = "yyy", ... ) So that user can specified their own access controller, such as RangerAccessController Add interface to check column level privilege A new method of CatalogAccessController: checkColsPriv(), for checking column level privileges. TODO: Support grant column level privileges statements in Doris Add TestExternalCatalog/Database/Table/ScanNode These classes are used for FE unit test. In unit test you can create catalog test1 properties( "type" = "test" "catalog_provider.class" = "org.apache.doris.datasource.ColumnPrivTest$MockedCatalogProvider" "access_controller.class" = "org.apache.doris.mysql.privilege.TestAccessControllerFactory", "access_controller.properties.key1" = "val1", "access_controller.properties.key2" = "val2" ); To create a test catalog, and specify catalog_provider to mock database/table/schema metadata Set roles in current user identity in connection context The roles can be used for authorization in access controller.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
Issue Number: #16762
Problem summary
Support specifying AccessControllerFactory when creating catalog
So that user can specified their own access controller, such as RangerAccessController
Add interface to check column level privilege
A new method of CatalogAccessController:
checkColsPriv(),for checking column level privileges.
TODO:
Support grant column level privileges statements in Doris
Add TestExternalCatalog/Database/Table/ScanNode
These classes are used for FE unit test. In unit test you can
To create a test catalog, and specify
catalog_providerto mock database/table/schema metadataSet roles in
current user identityin connection contextThe roles can be used for authorization in access controller.
Checklist(Required)
Further comments
If this is a relatively large or complex change, kick off the discussion at dev@doris.apache.org by explaining why you chose the solution you did and what alternatives you considered, etc...