This is an automated email from the ASF dual-hosted git repository.

liuxun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new 46a6a20cf [#4759] feat(auth-ranger): Use Spark verify Ranger 
authorization Hive (#4948)
46a6a20cf is described below

commit 46a6a20cf56ac7a1eb60849dac1b928ce6d06f86
Author: Xun <x...@datastrato.com>
AuthorDate: Fri Sep 27 08:58:50 2024 +0800

    [#4759] feat(auth-ranger): Use Spark verify Ranger authorization Hive 
(#4948)
    
    ### What changes were proposed in this pull request?
    
    1. Shadow integration-test-common module.
    2. Add Ranger authorization Hive IT, use Spark to verify Ranger
    authorization Hive.
    
    ### Why are the changes needed?
    
    Fix: #4759
    
    ### Does this PR introduce _any_ user-facing change?
    
    N/A
    
    ### How was this patch tested?
    
    CI Passed.
---
 .../authorization-ranger/build.gradle.kts          |  42 +--
 .../authorization/ranger/RangerHelper.java         |   5 +-
 .../ranger/integration/test/RangerHiveE2EIT.java   | 294 ++++++++++++++-------
 .../ranger/integration/test/RangerHiveIT.java      | 103 +-------
 .../ranger/integration/test/RangerITEnv.java       |  33 ++-
 .../src/test/resources/log4j2.properties           |  73 +++++
 .../resources/ranger-spark-security.xml.template   |  45 ++++
 integration-test-common/build.gradle.kts           |   1 -
 .../test/container/RangerContainer.java            |   6 +-
 .../integration/test/util/AbstractIT.java          |   7 +-
 10 files changed, 388 insertions(+), 221 deletions(-)

diff --git a/authorizations/authorization-ranger/build.gradle.kts 
b/authorizations/authorization-ranger/build.gradle.kts
index 47ec7eba5..13f4cc753 100644
--- a/authorizations/authorization-ranger/build.gradle.kts
+++ b/authorizations/authorization-ranger/build.gradle.kts
@@ -24,6 +24,10 @@ plugins {
   id("idea")
 }
 
+val scalaVersion: String = project.properties["scalaVersion"] as? String ?: 
extra["defaultScalaVersion"].toString()
+val sparkVersion: String = libs.versions.spark35.get()
+val kyuubiVersion: String = libs.versions.kyuubi4spark35.get()
+
 dependencies {
   implementation(project(":api")) {
     exclude(group = "*")
@@ -69,24 +73,30 @@ dependencies {
   testImplementation(libs.mockito.core)
   testImplementation(libs.testcontainers)
   testRuntimeOnly(libs.junit.jupiter.engine)
-  testImplementation(libs.ranger.intg) {
-    exclude("org.apache.hive", "hive-storage-api")
-    exclude("org.apache.lucene")
-    exclude("org.apache.solr")
-    exclude("org.apache.kafka")
-    exclude("org.eclipse.jetty")
-    exclude("org.elasticsearch")
-    exclude("org.elasticsearch.client")
-    exclude("org.elasticsearch.plugin")
-    exclude("javax.ws.rs")
-    exclude("org.apache.ranger", "ranger-plugin-classloader")
-  }
-  testImplementation(libs.hive2.jdbc) {
-    exclude("org.slf4j")
-    exclude("org.eclipse.jetty.aggregate")
-  }
   testImplementation(libs.mysql.driver)
   testImplementation(libs.postgresql.driver)
+  testImplementation(libs.postgresql.driver)
+  testImplementation("org.apache.spark:spark-hive_$scalaVersion:$sparkVersion")
+  testImplementation("org.apache.spark:spark-sql_$scalaVersion:$sparkVersion") 
{
+    exclude("org.apache.avro")
+    exclude("org.apache.hadoop")
+    exclude("org.apache.zookeeper")
+    exclude("io.dropwizard.metrics")
+    exclude("org.rocksdb")
+  }
+  
testImplementation("org.apache.kyuubi:kyuubi-spark-authz_$scalaVersion:$kyuubiVersion")
 {
+    exclude("com.sun.jersey")
+  }
+  testImplementation(libs.hadoop3.client)
+  testImplementation(libs.hadoop3.common) {
+    exclude("com.sun.jersey")
+    exclude("javax.servlet", "servlet-api")
+  }
+  testImplementation(libs.hadoop3.hdfs) {
+    exclude("com.sun.jersey")
+    exclude("javax.servlet", "servlet-api")
+    exclude("io.netty")
+  }
 }
 
 tasks {
diff --git 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
index e34fe5685..13f5a5cba 100644
--- 
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
+++ 
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
@@ -36,6 +36,7 @@ import org.apache.gravitino.authorization.Privilege;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
 import org.apache.gravitino.exceptions.AuthorizationPluginException;
+import org.apache.ranger.RangerClient;
 import org.apache.ranger.RangerServiceException;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerRole;
@@ -60,12 +61,12 @@ public class RangerHelper {
   /** The policy search keys */
   private final List<String> policyResourceDefines;
 
-  private final RangerClientExtension rangerClient;
+  private final RangerClient rangerClient;
   private final String rangerAdminName;
   private final String rangerServiceName;
 
   public RangerHelper(
-      RangerClientExtension rangerClient,
+      RangerClient rangerClient,
       String rangerAdminName,
       String rangerServiceName,
       Map<Privilege.Name, Set<RangerPrivilege>> privilegesMapping,
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
index 1c57a0001..2769d2fbc 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
@@ -19,7 +19,8 @@
 package org.apache.gravitino.authorization.ranger.integration.test;
 
 import static org.apache.gravitino.Catalog.AUTHORIZATION_PROVIDER;
-import static 
org.apache.gravitino.connector.AuthorizationPropertiesMeta.RANGER_ADMIN_URL;
+import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.currentFunName;
+import static 
org.apache.gravitino.catalog.hive.HiveConstants.IMPERSONATION_ENABLE;
 import static 
org.apache.gravitino.connector.AuthorizationPropertiesMeta.RANGER_AUTH_TYPE;
 import static 
org.apache.gravitino.connector.AuthorizationPropertiesMeta.RANGER_PASSWORD;
 import static 
org.apache.gravitino.connector.AuthorizationPropertiesMeta.RANGER_SERVICE_NAME;
@@ -29,17 +30,21 @@ import static 
org.apache.gravitino.integration.test.container.RangerContainer.RA
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
+import java.io.File;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.time.Instant;
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.List;
 import java.util.Map;
+import org.apache.commons.io.FileUtils;
 import org.apache.gravitino.Catalog;
 import org.apache.gravitino.Configs;
 import org.apache.gravitino.MetadataObject;
-import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.Schema;
-import org.apache.gravitino.auth.AuthConstants;
+import org.apache.gravitino.auth.AuthenticatorType;
 import org.apache.gravitino.authorization.Privileges;
-import org.apache.gravitino.authorization.Role;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationHivePlugin;
@@ -51,18 +56,12 @@ import 
org.apache.gravitino.integration.test.container.HiveContainer;
 import org.apache.gravitino.integration.test.container.RangerContainer;
 import org.apache.gravitino.integration.test.util.AbstractIT;
 import org.apache.gravitino.integration.test.util.GravitinoITUtils;
-import org.apache.gravitino.rel.Column;
-import org.apache.gravitino.rel.Table;
-import org.apache.gravitino.rel.expressions.NamedReference;
-import org.apache.gravitino.rel.expressions.distributions.Distribution;
-import org.apache.gravitino.rel.expressions.distributions.Distributions;
-import org.apache.gravitino.rel.expressions.distributions.Strategy;
-import org.apache.gravitino.rel.expressions.sorts.NullOrdering;
-import org.apache.gravitino.rel.expressions.sorts.SortDirection;
-import org.apache.gravitino.rel.expressions.sorts.SortOrder;
-import org.apache.gravitino.rel.expressions.sorts.SortOrders;
-import org.apache.gravitino.rel.expressions.transforms.Transforms;
-import org.apache.gravitino.rel.types.Types;
+import org.apache.gravitino.meta.AuditInfo;
+import org.apache.gravitino.meta.RoleEntity;
+import org.apache.gravitino.meta.UserEntity;
+import org.apache.spark.sql.Dataset;
+import org.apache.spark.sql.Row;
+import org.apache.spark.sql.SparkSession;
 import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
@@ -77,63 +76,195 @@ public class RangerHiveE2EIT extends AbstractIT {
 
   private static RangerAuthorizationPlugin rangerAuthPlugin;
   public static final String metalakeName =
-      
GravitinoITUtils.genRandomName("RangerHiveAuthIT_metalake").toLowerCase();
+      GravitinoITUtils.genRandomName("RangerHiveE2EIT_metalake").toLowerCase();
   public static final String catalogName =
-      GravitinoITUtils.genRandomName("RangerHiveAuthIT_catalog").toLowerCase();
+      GravitinoITUtils.genRandomName("RangerHiveE2EIT_catalog").toLowerCase();
   public static final String schemaName =
-      GravitinoITUtils.genRandomName("RangerHiveAuthIT_schema").toLowerCase();
-  public static final String tableName =
-      GravitinoITUtils.genRandomName("RangerHiveAuthIT_table").toLowerCase();
-
-  public static final String HIVE_COL_NAME1 = "hive_col_name1";
-  public static final String HIVE_COL_NAME2 = "hive_col_name2";
-  public static final String HIVE_COL_NAME3 = "hive_col_name3";
+      GravitinoITUtils.genRandomName("RangerHiveE2EIT_schema").toLowerCase();
 
   private static GravitinoMetalake metalake;
   private static Catalog catalog;
   private static final String provider = "hive";
   private static String HIVE_METASTORE_URIS;
 
+  private static SparkSession sparkSession = null;
+  private final AuditInfo auditInfo =
+      
AuditInfo.builder().withCreator("test").withCreateTime(Instant.now()).build();
+  private static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
+  private static final String TEST_USER_NAME = "e2e_it_user";
+
+  private static final String SQL_SHOW_DATABASES =
+      String.format("SHOW DATABASES like '%s'", schemaName);
+
+  private static String RANGER_ADMIN_URL = null;
+
   @BeforeAll
   public static void startIntegrationTest() throws Exception {
+    // Enable Gravitino Authorization mode
     Map<String, String> configs = Maps.newHashMap();
     configs.put(Configs.ENABLE_AUTHORIZATION.getKey(), String.valueOf(true));
-    configs.put(Configs.SERVICE_ADMINS.getKey(), AuthConstants.ANONYMOUS_USER);
+    configs.put(Configs.SERVICE_ADMINS.getKey(), RangerITEnv.HADOOP_USER_NAME);
+    configs.put(Configs.AUTHENTICATORS.getKey(), 
AuthenticatorType.SIMPLE.name().toLowerCase());
+    configs.put("SimpleAuthUserName", TEST_USER_NAME);
     registerCustomConfigs(configs);
     AbstractIT.startIntegrationTest();
 
     RangerITEnv.setup();
-    containerSuite.startHiveContainer();
+    RangerITEnv.startHiveRangerContainer();
+
+    RANGER_ADMIN_URL =
+        String.format(
+            "http://%s:%d";,
+            containerSuite.getRangerContainer().getContainerIpAddress(), 
RANGER_SERVER_PORT);
+
     HIVE_METASTORE_URIS =
         String.format(
             "thrift://%s:%d",
-            containerSuite.getHiveContainer().getContainerIpAddress(),
+            containerSuite.getHiveRangerContainer().getContainerIpAddress(),
             HiveContainer.HIVE_METASTORE_PORT);
 
+    generateRangerSparkSecurityXML();
+
+    sparkSession =
+        SparkSession.builder()
+            .master("local[1]")
+            .appName("Ranger Hive E2E integration test")
+            .config("hive.metastore.uris", HIVE_METASTORE_URIS)
+            .config(
+                "spark.sql.warehouse.dir",
+                String.format(
+                    "hdfs://%s:%d/user/hive/warehouse",
+                    
containerSuite.getHiveRangerContainer().getContainerIpAddress(),
+                    HiveContainer.HDFS_DEFAULTFS_PORT))
+            .config("spark.sql.storeAssignmentPolicy", "LEGACY")
+            .config("mapreduce.input.fileinputformat.input.dir.recursive", 
"true")
+            .config(
+                "spark.sql.extensions",
+                
"org.apache.kyuubi.plugin.spark.authz.ranger.RangerSparkExtension")
+            .enableHiveSupport()
+            .getOrCreate();
+
     createMetalake();
     createCatalogAndRangerAuthPlugin();
-    createSchema();
-    createHiveTable();
+  }
+
+  private static void generateRangerSparkSecurityXML() throws IOException {
+    String templatePath =
+        String.join(
+            File.separator,
+            System.getenv("GRAVITINO_ROOT_DIR"),
+            "authorizations",
+            "authorization-ranger",
+            "src",
+            "test",
+            "resources",
+            "ranger-spark-security.xml.template");
+    String xmlPath =
+        String.join(
+            File.separator,
+            System.getenv("GRAVITINO_ROOT_DIR"),
+            "authorizations",
+            "authorization-ranger",
+            "build",
+            "resources",
+            "test",
+            "ranger-spark-security.xml");
+
+    String templateContext =
+        FileUtils.readFileToString(new File(templatePath), 
StandardCharsets.UTF_8);
+    templateContext =
+        templateContext
+            .replace("__REPLACE__RANGER_ADMIN_URL", RANGER_ADMIN_URL)
+            .replace("__REPLACE__RANGER_HIVE_REPO_NAME", 
RangerITEnv.RANGER_HIVE_REPO_NAME);
+    FileUtils.writeStringToFile(new File(xmlPath), templateContext, 
StandardCharsets.UTF_8);
   }
 
   @AfterAll
   public static void stop() throws IOException {
+    if (client != null) {
+      Arrays.stream(catalog.asSchemas().listSchemas())
+          .filter(schema -> !schema.equals("default"))
+          .forEach(
+              (schema -> {
+                catalog.asSchemas().dropSchema(schema, true);
+              }));
+      Arrays.stream(metalake.listCatalogs())
+          .forEach(
+              (catalogName -> {
+                metalake.dropCatalog(catalogName);
+              }));
+      client.dropMetalake(metalakeName);
+    }
+    if (sparkSession != null) {
+      sparkSession.close();
+    }
+    try {
+      closer.close();
+    } catch (Exception e) {
+      LOG.error("Failed to close CloseableGroup", e);
+    }
+
     AbstractIT.client = null;
   }
 
   @Test
-  void testCreateRole() {
-    String roleName = RangerITEnv.currentFunName();
-    Map<String, String> properties = Maps.newHashMap();
-    properties.put("k1", "v1");
+  void testAllowUseSchemaPrivilege() throws InterruptedException {
+    // First, create a schema use Gravitino client
+    createSchema();
 
-    SecurableObject table1 =
+    // Use Spark to show this databases(schema)
+    Dataset dataset1 = sparkSession.sql(SQL_SHOW_DATABASES);
+    dataset1.show();
+    List<Row> rows1 = dataset1.collectAsList();
+    // The schema should not be shown, because the user does not have the 
permission
+    Assertions.assertEquals(
+        0, rows1.stream().filter(row -> 
row.getString(0).equals(schemaName)).count());
+
+    // Create a role with CREATE_SCHEMA privilege
+    SecurableObject securableObject1 =
         SecurableObjects.parse(
-            String.format("%s.%s.%s", catalogName, schemaName, tableName),
-            MetadataObject.Type.TABLE,
-            Lists.newArrayList(Privileges.SelectTable.allow()));
-    Role role = metalake.createRole(roleName, properties, 
Lists.newArrayList(table1));
-    RangerITEnv.verifyRoleInRanger(rangerAuthPlugin, role);
+            String.format("%s.%s", catalogName, schemaName),
+            MetadataObject.Type.SCHEMA,
+            Lists.newArrayList(Privileges.CreateSchema.allow()));
+    RoleEntity role =
+        RoleEntity.builder()
+            .withId(1L)
+            .withName(currentFunName())
+            .withAuditInfo(auditInfo)
+            .withSecurableObjects(Lists.newArrayList(securableObject1))
+            .build();
+    rangerAuthPlugin.onRoleCreated(role);
+
+    // Granted this role to the spark execution user `HADOOP_USER_NAME`
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    UserEntity userEntity1 =
+        UserEntity.builder()
+            .withId(1L)
+            .withName(userName1)
+            .withRoleNames(Collections.emptyList())
+            .withRoleIds(Collections.emptyList())
+            .withAuditInfo(auditInfo)
+            .build();
+    Assertions.assertTrue(
+        rangerAuthPlugin.onGrantedRolesToUser(Lists.newArrayList(role), 
userEntity1));
+
+    // After Ranger Authorization, Must wait a period of time for the Ranger 
Spark plugin to update
+    // the policy Sleep time must be greater than the policy update interval
+    // (ranger.plugin.spark.policy.pollIntervalMs) in the
+    // `resources/ranger-spark-security.xml.template`
+    Thread.sleep(1000L);
+
+    // Use Spark to show this databases(schema) again
+    Dataset dataset2 = sparkSession.sql(SQL_SHOW_DATABASES);
+    dataset2.show(100, 100);
+    List<Row> rows2 = dataset2.collectAsList();
+    rows2.stream()
+        .filter(row -> row.getString(0).equals(schemaName))
+        .findFirst()
+        .orElseThrow(() -> new IllegalStateException("Database not found: " + 
schemaName));
+    // The schema should be shown, because the user has the permission
+    Assertions.assertEquals(
+        1, rows2.stream().filter(row -> 
row.getString(0).equals(schemaName)).count());
   }
 
   private static void createMetalake() {
@@ -153,31 +284,34 @@ public class RangerHiveE2EIT extends AbstractIT {
         RangerAuthorizationHivePlugin.getInstance(
             ImmutableMap.of(
                 AuthorizationPropertiesMeta.RANGER_ADMIN_URL,
-                String.format(
-                    "http://%s:%d";,
-                    
containerSuite.getRangerContainer().getContainerIpAddress(),
-                    RangerContainer.RANGER_SERVER_PORT),
-                AuthorizationPropertiesMeta.RANGER_AUTH_TYPE,
+                RANGER_ADMIN_URL,
+                RANGER_AUTH_TYPE,
                 RangerContainer.authType,
-                AuthorizationPropertiesMeta.RANGER_USERNAME,
+                RANGER_USERNAME,
                 RangerContainer.rangerUserName,
-                AuthorizationPropertiesMeta.RANGER_PASSWORD,
+                RANGER_PASSWORD,
                 RangerContainer.rangerPassword,
-                AuthorizationPropertiesMeta.RANGER_SERVICE_NAME,
+                RANGER_SERVICE_NAME,
                 RangerITEnv.RANGER_HIVE_REPO_NAME));
 
-    Map<String, String> properties = Maps.newHashMap();
-    properties.put(HiveConstants.METASTORE_URIS, HIVE_METASTORE_URIS);
-    properties.put(AUTHORIZATION_PROVIDER, "ranger");
-    properties.put(RANGER_SERVICE_NAME, RangerITEnv.RANGER_HIVE_REPO_NAME);
-    properties.put(
-        RANGER_ADMIN_URL,
-        String.format(
-            "http://localhost:%s";,
-            
containerSuite.getRangerContainer().getMappedPort(RANGER_SERVER_PORT)));
-    properties.put(RANGER_AUTH_TYPE, RangerContainer.authType);
-    properties.put(RANGER_USERNAME, RangerContainer.rangerUserName);
-    properties.put(RANGER_PASSWORD, RangerContainer.rangerPassword);
+    Map<String, String> properties =
+        ImmutableMap.of(
+            HiveConstants.METASTORE_URIS,
+            HIVE_METASTORE_URIS,
+            IMPERSONATION_ENABLE,
+            "true",
+            AUTHORIZATION_PROVIDER,
+            "ranger",
+            RANGER_SERVICE_NAME,
+            RangerITEnv.RANGER_HIVE_REPO_NAME,
+            AuthorizationPropertiesMeta.RANGER_ADMIN_URL,
+            RANGER_ADMIN_URL,
+            RANGER_AUTH_TYPE,
+            RangerContainer.authType,
+            RANGER_USERNAME,
+            RangerContainer.rangerUserName,
+            RANGER_PASSWORD,
+            RangerContainer.rangerPassword);
 
     metalake.createCatalog(catalogName, Catalog.Type.RELATIONAL, provider, 
"comment", properties);
     catalog = metalake.loadCatalog(catalogName);
@@ -192,7 +326,7 @@ public class RangerHiveE2EIT extends AbstractIT {
         "location",
         String.format(
             "hdfs://%s:%d/user/hive/warehouse/%s.db",
-            containerSuite.getHiveContainer().getContainerIpAddress(),
+            containerSuite.getHiveRangerContainer().getContainerIpAddress(),
             HiveContainer.HDFS_DEFAULTFS_PORT,
             schemaName.toLowerCase()));
     String comment = "comment";
@@ -201,42 +335,4 @@ public class RangerHiveE2EIT extends AbstractIT {
     Schema loadSchema = catalog.asSchemas().loadSchema(schemaName);
     Assertions.assertEquals(schemaName.toLowerCase(), loadSchema.name());
   }
-
-  public static void createHiveTable() {
-    // Create table from Gravitino API
-    Column[] columns = createColumns();
-    NameIdentifier nameIdentifier = NameIdentifier.of(schemaName, tableName);
-
-    Distribution distribution =
-        Distributions.of(Strategy.EVEN, 10, 
NamedReference.field(HIVE_COL_NAME1));
-
-    final SortOrder[] sortOrders =
-        new SortOrder[] {
-          SortOrders.of(
-              NamedReference.field(HIVE_COL_NAME2),
-              SortDirection.DESCENDING,
-              NullOrdering.NULLS_FIRST)
-        };
-
-    Map<String, String> properties = ImmutableMap.of("key1", "val1", "key2", 
"val2");
-    Table createdTable =
-        catalog
-            .asTableCatalog()
-            .createTable(
-                nameIdentifier,
-                columns,
-                "table_comment",
-                properties,
-                Transforms.EMPTY_TRANSFORM,
-                distribution,
-                sortOrders);
-    LOG.info("Table created: {}", createdTable);
-  }
-
-  private static Column[] createColumns() {
-    Column col1 = Column.of(HIVE_COL_NAME1, Types.ByteType.get(), 
"col_1_comment");
-    Column col2 = Column.of(HIVE_COL_NAME2, Types.DateType.get(), 
"col_2_comment");
-    Column col3 = Column.of(HIVE_COL_NAME3, Types.StringType.get(), 
"col_3_comment");
-    return new Column[] {col1, col2, col3};
-  }
 }
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
index 7f5579c47..97005e58c 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
@@ -19,18 +19,12 @@
 package org.apache.gravitino.authorization.ranger.integration.test;
 
 import static org.apache.gravitino.authorization.SecurableObjects.DOT_SPLITTER;
-import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.RESOURCE_DATABASE;
 import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.currentFunName;
 import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.rangerClient;
 import static 
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Lists;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
 import java.time.Instant;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -75,12 +69,9 @@ public class RangerHiveIT {
   private static final Logger LOG = 
LoggerFactory.getLogger(RangerHiveIT.class);
 
   private static final ContainerSuite containerSuite = 
ContainerSuite.getInstance();
-  private static Connection adminConnection;
-  private static Connection anonymousConnection;
   private static final String adminUser = "gravitino";
-  private static final String anonymousUser = "anonymous";
   private static RangerAuthorizationPlugin rangerAuthPlugin;
-  private static RangerHelper rangerPolicyHelper;
+  private static RangerHelper rangerHelper;
   private final AuditInfo auditInfo =
       
AuditInfo.builder().withCreator("test").withCreateTime(Instant.now()).build();
 
@@ -121,7 +112,7 @@ public class RangerHiveIT {
                 RangerContainer.rangerPassword,
                 AuthorizationPropertiesMeta.RANGER_SERVICE_NAME,
                 RangerITEnv.RANGER_HIVE_REPO_NAME));
-    rangerPolicyHelper =
+    rangerHelper =
         new RangerHelper(
             rangerClient,
             RangerContainer.rangerUserName,
@@ -129,20 +120,6 @@ public class RangerHiveIT {
             rangerAuthPlugin.privilegesMappingRule(),
             rangerAuthPlugin.ownerMappingRule(),
             rangerAuthPlugin.policyResourceDefinesRule());
-
-    // Create hive connection
-    String url =
-        String.format(
-            "jdbc:hive2://%s:%d/default",
-            containerSuite.getHiveRangerContainer().getContainerIpAddress(),
-            HiveContainer.HIVE_SERVICE_PORT);
-    try {
-      Class.forName("org.apache.hive.jdbc.HiveDriver");
-      adminConnection = DriverManager.getConnection(url, adminUser, "");
-      anonymousConnection = DriverManager.getConnection(url, anonymousUser, 
"");
-    } catch (ClassNotFoundException | SQLException e) {
-      throw new RuntimeException(e);
-    }
   }
 
   /**
@@ -201,7 +178,7 @@ public class RangerHiveIT {
     role.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNull(rangerHelper.findManagedPolicy(securableObject)));
   }
 
   @Test
@@ -223,7 +200,7 @@ public class RangerHiveIT {
     role.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject)));
   }
 
   @Test
@@ -273,14 +250,14 @@ public class RangerHiveIT {
             String.format("catalog.%s3.tab1", dbName),
             MetadataObject.Type.TABLE,
             Lists.newArrayList(Privileges.CreateTable.allow()));
-    
Assertions.assertNull(rangerPolicyHelper.findManagedPolicy(securableObject1));
+    Assertions.assertNull(rangerHelper.findManagedPolicy(securableObject1));
 
     // Add a policy for `db3.tab1`
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", dbName), "tab1"),
         GravitinoITUtils.genRandomName(currentFunName()));
     // findManagedPolicy function use precise search, so return not null
-    
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject1));
+    Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject1));
   }
 
   static void createHivePolicy(List<String> metaObjects, String roleName) {
@@ -479,7 +456,7 @@ public class RangerHiveIT {
     role.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject)));
     verifyOwnerInRanger(oldMetadataObject, Lists.newArrayList(userName));
   }
 
@@ -1101,15 +1078,15 @@ public class RangerHiveIT {
     role1.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject)));
     role2.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject)));
     role3.securableObjects().stream()
         .forEach(
             securableObject ->
-                
Assertions.assertNotNull(rangerPolicyHelper.findManagedPolicy(securableObject)));
+                
Assertions.assertNotNull(rangerHelper.findManagedPolicy(securableObject)));
   }
 
   /** Verify the Gravitino role in Ranger service */
@@ -1208,64 +1185,4 @@ public class RangerHiveIT {
   private void verifyOwnerInRanger(MetadataObject metadataObject, List<String> 
includeUsers) {
     verifyOwnerInRanger(metadataObject, includeUsers, null, null, null);
   }
-
-  @Test
-  public void testCreateDatabase() throws Exception {
-    String dbName = currentFunName().toLowerCase(); // Hive database name is 
case-insensitive
-
-    // Only allow admin user to operation database `db1`
-    // Other users can't see the database `db1`
-    Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap =
-        ImmutableMap.of(RESOURCE_DATABASE, new 
RangerPolicy.RangerPolicyResource(dbName));
-    RangerPolicy.RangerPolicyItem policyItem = new 
RangerPolicy.RangerPolicyItem();
-    policyItem.setUsers(Arrays.asList(adminUser));
-    policyItem.setAccesses(
-        Arrays.asList(
-            new RangerPolicy.RangerPolicyItemAccess(
-                RangerPrivilege.RangerHivePrivilege.ALL.toString())));
-    RangerITEnv.updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HIVE,
-        RangerITEnv.RANGER_HIVE_REPO_NAME,
-        "testAllowShowDatabase",
-        policyResourceMap,
-        Collections.singletonList(policyItem));
-
-    Statement adminStmt = adminConnection.createStatement();
-    adminStmt.execute(String.format("CREATE DATABASE %s", dbName));
-    String sql = "show databases";
-    ResultSet adminRS = adminStmt.executeQuery(sql);
-    List<String> adminDbs = new ArrayList<>();
-    while (adminRS.next()) {
-      adminDbs.add(adminRS.getString(1));
-    }
-    Assertions.assertTrue(adminDbs.contains(dbName), "adminDbs : " + adminDbs);
-
-    // Anonymous user can't see the database `db1`
-    Statement anonymousStmt = anonymousConnection.createStatement();
-    ResultSet anonymousRS = anonymousStmt.executeQuery(sql);
-    List<String> anonymousDbs = new ArrayList<>();
-    while (anonymousRS.next()) {
-      anonymousDbs.add(anonymousRS.getString(1));
-    }
-    Assertions.assertFalse(anonymousDbs.contains(dbName), "anonymous : " + 
anonymousDbs);
-
-    // Allow anonymous user to see the database `db1`
-    policyItem.setUsers(Arrays.asList(adminUser, anonymousUser));
-    policyItem.setAccesses(
-        Arrays.asList(
-            new RangerPolicy.RangerPolicyItemAccess(
-                RangerPrivilege.RangerHivePrivilege.ALL.toString())));
-    RangerITEnv.updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HIVE,
-        RangerITEnv.RANGER_HIVE_REPO_NAME,
-        "testAllowShowDatabase",
-        policyResourceMap,
-        Collections.singletonList(policyItem));
-    anonymousRS = anonymousStmt.executeQuery(sql);
-    anonymousDbs.clear();
-    while (anonymousRS.next()) {
-      anonymousDbs.add(anonymousRS.getString(1));
-    }
-    Assertions.assertTrue(anonymousDbs.contains(dbName));
-  }
 }
diff --git 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
index 9a9d713f7..563ec7fd1 100644
--- 
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
+++ 
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
@@ -29,13 +29,14 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.gravitino.authorization.Role;
 import org.apache.gravitino.authorization.ranger.RangerAuthorizationPlugin;
-import org.apache.gravitino.authorization.ranger.RangerClientExtension;
 import org.apache.gravitino.authorization.ranger.RangerHelper;
 import org.apache.gravitino.authorization.ranger.RangerPrivilege;
 import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
 import org.apache.gravitino.integration.test.container.ContainerSuite;
 import org.apache.gravitino.integration.test.container.HiveContainer;
+import org.apache.gravitino.integration.test.container.RangerContainer;
 import org.apache.gravitino.integration.test.container.TrinoContainer;
+import org.apache.ranger.RangerClient;
 import org.apache.ranger.RangerServiceException;
 import org.apache.ranger.plugin.model.RangerPolicy;
 import org.apache.ranger.plugin.model.RangerRole;
@@ -54,7 +55,8 @@ public class RangerITEnv {
   private static final String RANGER_HIVE_TYPE = "hive";
   protected static final String RANGER_HDFS_REPO_NAME = "hdfsDev";
   private static final String RANGER_HDFS_TYPE = "hdfs";
-  protected static RangerClientExtension rangerClient;
+  protected static RangerClient rangerClient;
+  protected static final String HADOOP_USER_NAME = "gravitino";
   private static volatile boolean initRangerService = false;
   private static final ContainerSuite containerSuite = 
ContainerSuite.getInstance();
 
@@ -106,11 +108,30 @@ public class RangerITEnv {
     }
   }
 
+  static void startHiveRangerContainer() {
+    containerSuite.startHiveRangerContainer(
+        new HashMap<>(
+            ImmutableMap.of(
+                HiveContainer.HIVE_RUNTIME_VERSION,
+                HiveContainer.HIVE3,
+                RangerContainer.DOCKER_ENV_RANGER_SERVER_URL,
+                String.format(
+                    "http://%s:%d";,
+                    
containerSuite.getRangerContainer().getContainerIpAddress(),
+                    RangerContainer.RANGER_SERVER_PORT),
+                RangerContainer.DOCKER_ENV_RANGER_HIVE_REPOSITORY_NAME,
+                RangerITEnv.RANGER_HIVE_REPO_NAME,
+                RangerContainer.DOCKER_ENV_RANGER_HDFS_REPOSITORY_NAME,
+                RangerITEnv.RANGER_HDFS_REPO_NAME,
+                HiveContainer.HADOOP_USER_NAME,
+                HADOOP_USER_NAME)));
+  }
+
   /** Currently we only test Ranger Hive, So wo Allow anyone to visit HDFS */
   static void allowAnyoneAccessHDFS() {
     String policyName = currentFunName();
     try {
-      if (null != rangerClient.getPolicy(RangerDefines.SERVICE_TYPE_HDFS, 
policyName)) {
+      if (null != rangerClient.getPolicy(RANGER_HDFS_REPO_NAME, policyName)) {
         return;
       }
     } catch (RangerServiceException e) {
@@ -131,7 +152,7 @@ public class RangerITEnv {
             new RangerPolicy.RangerPolicyItemAccess(
                 RangerPrivilege.RangerHdfsPrivilege.EXECUTE.toString())));
     updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HDFS,
+        RANGER_HDFS_TYPE,
         RANGER_HDFS_REPO_NAME,
         policyName,
         policyResourceMap,
@@ -145,7 +166,7 @@ public class RangerITEnv {
   static void allowAnyoneAccessInformationSchema() {
     String policyName = currentFunName();
     try {
-      if (null != rangerClient.getPolicy(RangerDefines.SERVICE_TYPE_HIVE, 
policyName)) {
+      if (null != rangerClient.getPolicy(RANGER_HIVE_REPO_NAME, policyName)) {
         return;
       }
     } catch (RangerServiceException e) {
@@ -168,7 +189,7 @@ public class RangerITEnv {
             new RangerPolicy.RangerPolicyItemAccess(
                 RangerPrivilege.RangerHivePrivilege.SELECT.toString())));
     updateOrCreateRangerPolicy(
-        RangerDefines.SERVICE_TYPE_HIVE,
+        RANGER_HIVE_TYPE,
         RANGER_HIVE_REPO_NAME,
         policyName,
         policyResourceMap,
diff --git 
a/authorizations/authorization-ranger/src/test/resources/log4j2.properties 
b/authorizations/authorization-ranger/src/test/resources/log4j2.properties
new file mode 100644
index 000000000..8bda5f6e8
--- /dev/null
+++ b/authorizations/authorization-ranger/src/test/resources/log4j2.properties
@@ -0,0 +1,73 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Set to debug or trace if log4j initialization is failing
+status = info
+
+# Name of the configuration
+name = ConsoleLogConfig
+
+# Console appender configuration
+appender.console.type = Console
+appender.console.name = consoleLogger
+appender.console.layout.type = PatternLayout
+appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p [%t] %c{1}:%L - 
%m%n
+
+# Log files location
+property.logPath = 
${sys:gravitino.log.path:-build/authorization-ranger-integration-test.log}
+
+# File appender configuration
+appender.file.type = File
+appender.file.name = fileLogger
+appender.file.fileName = ${logPath}
+appender.file.layout.type = PatternLayout
+appender.file.layout.pattern = %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %-5p %c - %m%n
+
+# Root logger level
+rootLogger.level = info
+
+# Root logger referring to console and file appenders
+rootLogger.appenderRef.stdout.ref = consoleLogger
+rootLogger.appenderRef.file.ref = fileLogger
+
+# File appender configuration for testcontainers
+appender.testcontainersFile.type = File
+appender.testcontainersFile.name = testcontainersLogger
+appender.testcontainersFile.fileName = build/testcontainers.log
+appender.testcontainersFile.layout.type = PatternLayout
+appender.testcontainersFile.layout.pattern = %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] 
%-5p %c - %m%n
+
+# Logger for testcontainers
+logger.testcontainers.name = org.testcontainers
+logger.testcontainers.level = debug
+logger.testcontainers.additivity = false
+logger.testcontainers.appenderRef.file.ref = testcontainersLogger
+
+logger.tc.name = tc
+logger.tc.level = debug
+logger.tc.additivity = false
+logger.tc.appenderRef.file.ref = testcontainersLogger
+
+logger.docker.name = com.github.dockerjava
+logger.docker.level = warn
+logger.docker.additivity = false
+logger.docker.appenderRef.file.ref = testcontainersLogger
+
+logger.http.name = 
com.github.dockerjava.zerodep.shaded.org.apache.hc.client5.http.wire
+logger.http.level = off
diff --git 
a/authorizations/authorization-ranger/src/test/resources/ranger-spark-security.xml.template
 
b/authorizations/authorization-ranger/src/test/resources/ranger-spark-security.xml.template
new file mode 100644
index 000000000..eb7f2b5e8
--- /dev/null
+++ 
b/authorizations/authorization-ranger/src/test/resources/ranger-spark-security.xml.template
@@ -0,0 +1,45 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+  -->
+<configuration>
+    <property>
+        <name>ranger.plugin.spark.policy.rest.url</name>
+        <value>__REPLACE__RANGER_ADMIN_URL</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.service.name</name>
+        <value>__REPLACE__RANGER_HIVE_REPO_NAME</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.cache.dir</name>
+        <value>/tmp/policycache</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.pollIntervalMs</name>
+        <value>500</value>
+    </property>
+
+    <property>
+        <name>ranger.plugin.spark.policy.source.impl</name>
+        <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+    </property>
+
+</configuration>
\ No newline at end of file
diff --git a/integration-test-common/build.gradle.kts 
b/integration-test-common/build.gradle.kts
index 449c38efc..a25ad4cff 100644
--- a/integration-test-common/build.gradle.kts
+++ b/integration-test-common/build.gradle.kts
@@ -32,7 +32,6 @@ dependencies {
   testImplementation(project(":core"))
   testImplementation(project(":server"))
   testImplementation(project(":server-common"))
-  testImplementation(project(":authorizations:authorization-ranger"))
   testImplementation(libs.bundles.jetty)
   testImplementation(libs.bundles.jersey)
   testImplementation(libs.bundles.jwt)
diff --git 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
index 1aa91e086..54b2afc0c 100644
--- 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
+++ 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/RangerContainer.java
@@ -25,7 +25,7 @@ import com.google.common.collect.ImmutableSet;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
-import org.apache.gravitino.authorization.ranger.RangerClientExtension;
+import org.apache.ranger.RangerClient;
 import org.apache.ranger.RangerServiceException;
 import org.rnorth.ducttape.Preconditions;
 import org.slf4j.Logger;
@@ -38,7 +38,7 @@ public class RangerContainer extends BaseContainer {
   public static final String DEFAULT_IMAGE = 
System.getenv("GRAVITINO_CI_RANGER_DOCKER_IMAGE");
   public static final String HOST_NAME = "gravitino-ci-ranger";
   public static final int RANGER_SERVER_PORT = 6080;
-  public RangerClientExtension rangerClient;
+  public RangerClient rangerClient;
   private String rangerUrl;
 
   /**
@@ -83,7 +83,7 @@ public class RangerContainer extends BaseContainer {
     super.start();
 
     rangerUrl = String.format("http://localhost:%s";, 
this.getMappedPort(RANGER_SERVER_PORT));
-    rangerClient = new RangerClientExtension(rangerUrl, authType, 
rangerUserName, rangerPassword);
+    rangerClient = new RangerClient(rangerUrl, authType, rangerUserName, 
rangerPassword, null);
 
     Preconditions.check("Ranger container startup failed!", 
checkContainerStatus(10));
   }
diff --git 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/util/AbstractIT.java
 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/util/AbstractIT.java
index 6644e1f64..71d92d6c9 100644
--- 
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/util/AbstractIT.java
+++ 
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/util/AbstractIT.java
@@ -340,7 +340,12 @@ public class AbstractIT {
     if (authenticators.contains(AuthenticatorType.OAUTH.name().toLowerCase())) 
{
       client = 
GravitinoAdminClient.builder(serverUri).withOAuth(mockDataProvider).build();
     } else if 
(authenticators.contains(AuthenticatorType.SIMPLE.name().toLowerCase())) {
-      client = 
GravitinoAdminClient.builder(serverUri).withSimpleAuth().build();
+      String userName = customConfigs.get("SimpleAuthUserName");
+      if (userName != null) {
+        client = 
GravitinoAdminClient.builder(serverUri).withSimpleAuth(userName).build();
+      } else {
+        client = 
GravitinoAdminClient.builder(serverUri).withSimpleAuth().build();
+      }
     } else if 
(authenticators.contains(AuthenticatorType.KERBEROS.name().toLowerCase())) {
       serverUri = "http://localhost:"; + jettyServerConfig.getHttpPort();
       client = null;


Reply via email to