

[apache#5180][part-1] improvement(test): Add more integration tests a…
…bout access control (apache#5190)

### What changes were proposed in this pull request?

1) Add more integration tests about access control.

2) Fix the inability to create a role in the authorization plugin with
`CREATE_ROLE`, `MANAGE_USERS`.

3) Fix creating a role that contains a metalake, which previously did not take effect.

### Why are the changes needed?

Fix: apache#5180 

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

Just tests.
jerqi committed Oct 28, 2024
1 parent fd8ede1 commit 8b7709b
Showing 7 changed files with 419 additions and 102 deletions.
3 changes: 3 additions & 0 deletions authorizations/authorization-ranger/build.gradle.kts
Expand Up @@ -125,6 +125,9 @@ tasks {
}

tasks.test {
doFirst {
environment("HADOOP_USER_NAME", "test")
}
dependsOn(":catalogs:catalog-hive:jar", ":catalogs:catalog-hive:runtimeJars")

val skipITs = project.hasProperty("skipITs")
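Review bot: The new `environment("HADOOP_USER_NAME", "test")` in `doFirst` has no comment saying why the test JVM needs it, and it is applied to every test run, not only the integration tests. Hadoop's simple authentication resolves the client identity from that variable, and the access-control tests added in this commit presumably rely on being seen as `test`; a one-line comment such as `// Hadoop simple auth takes the client user from HADOOP_USER_NAME; the access-control ITs expect "test"` would spare the next reader a search. If only the ITs need it, moving the call next to the `skipITs` handling below would keep unit tests free of the implicit identity.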
Expand Up @@ -243,6 +243,10 @@ public List<RangerSecurableObject> translatePrivilege(SecurableObject securableO
.forEach(
gravitinoPrivilege -> {
Set<RangerPrivilege> rangerPrivileges = new HashSet<>();
// Ignore unsupported privileges
if (!privilegesMappingRule().containsKey(gravitinoPrivilege.name())) {
return;
}
privilegesMappingRule().get(gravitinoPrivilege.name()).stream()
.forEach(
rangerPrivilege ->
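Review bot: The added `containsKey` guard drops a privilege that has no Ranger mapping without leaving any trace, so a role that Gravitino reports as holding that privilege ends up with no corresponding Ranger policy and nothing in the logs to show the gap between the two systems. A warning inside the guard, `LOG.warn("Privilege {} has no Ranger mapping in this plugin; skipping", gravitinoPrivilege.name());`, would let operators detect the drift, assuming this class has a `LOG` field like the sibling plugin class. The mapping is also looked up twice (`containsKey` then `get`); a single `get` into a local with a null check would do both jobs. translatePrivilege starts and ends outside this hunk.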
Expand Up @@ -1088,15 +1088,6 @@ public boolean validAuthorizationOperation(List<SecurableObject> securableObject
securableObject.privileges().stream()
.forEach(
privilege -> {
if (!allowPrivilegesRule().contains(privilege.name())) {
LOG.error(
"Authorization to ignore privilege({}) on metadata object({})!",
privilege.name(),
securableObject.fullName());
match.set(false);
return;
}

if (!privilege.canBindTo(securableObject.type())) {
LOG.error(
"The privilege({}) is not supported for the metadata object({})!",
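Review bot: Removing the `allowPrivilegesRule()` check changes the contract of validAuthorizationOperation: a securable object carrying a privilege this plugin cannot translate is now accepted instead of being logged and refused, and callers that used the false return to surface unsupported privileges no longer get that signal. The method's Javadoc, which sits outside the hunk, should state the new behaviour, for example `Privileges with no mapping in this plugin are accepted here; the translation step skips them when building Ranger policies` (hedged on this being the same plugin whose translatePrivilege gained the skip in this commit). The method starts and ends outside this hunk.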
Expand Up @@ -332,11 +332,11 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema"),
MetadataObject.Type.SCHEMA,
Lists.newArrayList(Privileges.ReadFileset.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createFilesetInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createFilesetInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createFilesetInSchema)));

// Ignore the Topic operation
Expand All @@ -360,13 +360,13 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema.fileset"),
MetadataObject.Type.FILESET,
Lists.newArrayList(Privileges.WriteFileset.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(writeFilesetInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(writeFilesetInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(writeFilesetInScheam)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(writeFileset)));

// Ignore the Fileset operation
Expand All @@ -390,14 +390,13 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema.table"),
MetadataObject.Type.FILESET,
Lists.newArrayList(Privileges.ReadFileset.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(readFilesetInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(readFilesetInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(readFilesetInSchema)));
Assertions.assertFalse(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(readFileset)));
Assertions.assertTrue(rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(readFileset)));

// Ignore the Topic operation
SecurableObject createTopicInMetalake =
Expand All @@ -415,11 +414,11 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema"),
MetadataObject.Type.SCHEMA,
Lists.newArrayList(Privileges.CreateTopic.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createTopicInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createTopicInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(createTopicInSchema)));

SecurableObject produceTopicInMetalake =
Expand All @@ -442,13 +441,13 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema.fileset"),
MetadataObject.Type.TOPIC,
Lists.newArrayList(Privileges.ProduceTopic.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(produceTopicInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(produceTopicInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(produceTopicInSchema)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(produceTopic)));

SecurableObject consumeTopicInMetalake =
Expand All @@ -471,13 +470,13 @@ public void testValidAuthorizationOperation() {
String.format("catalog.schema.topic"),
MetadataObject.Type.TOPIC,
Lists.newArrayList(Privileges.ConsumeTopic.allow()));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(consumeTopicInMetalake)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(consumeTopicInCatalog)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(consumeTopicInSchema)));
Assertions.assertFalse(
Assertions.assertTrue(
rangerAuthPlugin.validAuthorizationOperation(Arrays.asList(consumeTopic)));
}

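Review bot: Every assertion changed in these hunks flips to `assertTrue`, so within the shown range the test no longer exercises a rejecting path, and a regression that made validAuthorizationOperation accept everything would still pass. One negative case would restore that coverage, for example a securable object whose privilege cannot bind to its type, such as `Privileges.CreateTopic.allow()` on `MetadataObject.Type.TABLE`, with `assertFalse` on it, if `canBindTo` rejects that pairing. Since the line using `writeFilesetInScheam` is touched anyway, renaming the local to `writeFilesetInSchema` to match its siblings would be cheap. The `// Ignore the Topic operation` and `// Ignore the Fileset operation` comments now head assertions that accept those operations; rewording them to say the privileges are accepted but have no mapping in this plugin would avoid a misreading. testValidAuthorizationOperation starts outside the hunks shown.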
