jerqi commented on code in PR #5786:
URL: https://github.com/apache/gravitino/pull/5786#discussion_r1896445948


##########
authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHDFSPlugin.java:
##########
@@ -137,10 +171,52 @@ public List<AuthorizationSecurableObject> 
translatePrivilege(SecurableObject sec
                   .forEach(
                       rangerPrivilege ->
                           rangerPrivileges.add(
-                              new RangerPrivileges.RangerHivePrivilegeImpl(
+                              new RangerPrivileges.RangerHDFSPrivilegeImpl(
                                   rangerPrivilege, 
gravitinoPrivilege.condition())));
-
               switch (gravitinoPrivilege.name()) {
+                case USE_CATALOG:
+                case CREATE_CATALOG:
+                  // When HDFS is used as the Hive storage layer, Hive does 
not support the
+                  // `USE_CATALOG` and `CREATE_CATALOG` privileges. So, we 
ignore these
+                  // in the RangerAuthorizationHDFSPlugin.
+                  break;
+                case USE_SCHEMA:
+                  break;
+                case CREATE_SCHEMA:
+                  switch (securableObject.type()) {
+                    case METALAKE:
+                    case CATALOG:
+                      {
+                        String locationPath = getLocationPath(securableObject);
+                        if (locationPath != null && !locationPath.isEmpty()) {
+                          RangerHDFSMetadataObject rangerHDFSMetadataObject =
+                              new RangerHDFSMetadataObject(
+                                  locationPath, 
RangerHDFSMetadataObject.Type.PATH);
+                          rangerSecurableObjects.add(
+                              generateAuthorizationSecurableObject(
+                                  rangerHDFSMetadataObject.names(),
+                                  RangerHDFSMetadataObject.Type.PATH,
+                                  rangerPrivileges));
+                        }
+                      }
+                      break;
+                    case FILESET:
+                      rangerSecurableObjects.add(
+                          generateAuthorizationSecurableObject(
+                              translateMetadataObject(securableObject).names(),
+                              RangerHDFSMetadataObject.Type.PATH,
+                              rangerPrivileges));
+                      break;
+                    default:
+                      throw new AuthorizationPluginException(
+                          "The privilege %s is not supported for the securable 
object: %s",
+                          gravitinoPrivilege.name(), securableObject.type());
+                  }
+                  break;
+                case SELECT_TABLE:
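Review bot: In the `CREATE_SCHEMA` branch for `METALAKE` and `CATALOG`, a null or empty `locationPath` is skipped silently: nothing is added to `rangerSecurableObjects`, and there is no log line or exception to show that the privilege produced no HDFS path object. Consider logging at that point, or documenting in a comment why a missing location is acceptable, so an operator can tell an intentionally skipped grant from a misconfigured catalog location. Separately, `case USE_SCHEMA:` breaks with no explanation, while the `USE_CATALOG` and `CREATE_CATALOG` cases directly above carry a comment; either fold it into that group or add a comment stating why it is ignored here.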

Review Comment:
   If the HDFS Ranger plugin is used for Hive, we should have the SELECT_TABLE privilege.


