dimas-b commented on code in PR #3928: URL: https://github.com/apache/polaris/pull/3928#discussion_r2915108508
########## extensions/auth/ranger/build.gradle.kts: ########## @@ -0,0 +1,50 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +plugins { + id("polaris-server") + id("org.kordamp.gradle.jandex") +} + +dependencies { + implementation(project(":polaris-core")) + + implementation(libs.ranger.authz.embedded) + implementation(libs.commons.lang3) + implementation(libs.guava) + + // Iceberg dependency for ForbiddenException + implementation(platform(libs.iceberg.bom)) + implementation("org.apache.iceberg:iceberg-api") + + compileOnly(libs.jakarta.annotation.api) + compileOnly(libs.jakarta.enterprise.cdi.api) + compileOnly(libs.jakarta.inject.api) + compileOnly(libs.smallrye.config.core) + compileOnly(project(":polaris-immutables")) + + runtimeOnly(libs.graalvm.graal.sdk) + runtimeOnly(libs.graalvm.inspect.community) + runtimeOnly(libs.graalvm.js.community) + runtimeOnly(libs.graalvm.js.scriptengine) + runtimeOnly(libs.graalvm.nativeimage) Review Comment: How is `nativeimage` used? ########## extensions/auth/ranger/sample-conf/ranger-plugin.properties: ########## Review Comment: (repeating from `dev` email / doc): Why not leverage the usual SmallRye config (backed by Quarkus) for this? ########## extensions/auth/ranger/src/main/java/org/apache/polaris/extension/auth/ranger/RangerPolarisAuthorizer.java: ########## @@ -0,0 +1,432 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.extension.auth.ranger; + +import static org.apache.polaris.core.entity.PolarisEntityConstants.getRootPrincipalName; + +import com.google.common.base.Preconditions; +import jakarta.annotation.Nonnull; +import jakarta.annotation.Nullable; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; +import java.util.Set; +import java.util.stream.Collectors; +import org.apache.iceberg.exceptions.ForbiddenException; +import org.apache.polaris.core.auth.AuthorizationDecision; +import org.apache.polaris.core.auth.AuthorizationRequest; +import org.apache.polaris.core.auth.AuthorizationState; +import org.apache.polaris.core.auth.PolarisAuthorizableOperation; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.auth.PolarisPrincipal; +import org.apache.polaris.core.config.FeatureConfiguration; +import org.apache.polaris.core.config.RealmConfig; +import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntityConstants; +import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; +import org.apache.polaris.extension.auth.ranger.utils.RangerUtils; +import org.apache.ranger.authz.api.RangerAuthzException; +import org.apache.ranger.authz.embedded.RangerEmbeddedAuthorizer; +import org.apache.ranger.authz.model.RangerAccessContext; +import org.apache.ranger.authz.model.RangerAccessInfo; +import org.apache.ranger.authz.model.RangerAuthzResult; +import org.apache.ranger.authz.model.RangerMultiAuthzRequest; +import org.apache.ranger.authz.model.RangerMultiAuthzResult; +import org.apache.ranger.authz.model.RangerUserInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** Authorizes operations based on policies defined in Apache Ranger. */ +public class RangerPolarisAuthorizer implements PolarisAuthorizer { + private static final Logger LOG = LoggerFactory.getLogger(RangerPolarisAuthorizer.class); + + public static final String SERVICE_TYPE = "polaris"; + + private static final String OPERATION_NOT_ALLOWED_FOR_USER_ERROR = + "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE"; + private static final String ROOT_PRINCIPAL_NEEDED_ERROR = + "Principal '%s' is not authorized for op %s as only root principal can perform this operation"; + private static final String RANGER_AUTH_FAILED_ERROR = + "Principal '%s' is not authorized for op '%s'"; + private static final String RANGER_UNSUPPORTED_OPERATION = + "Operation %s is not supported by Ranger authorizer"; + + private static final Set<PolarisAuthorizableOperation> AUTHORIZED_OPERATIONS = + initAuthorizedOperations(); + + private final RangerEmbeddedAuthorizer authorizer; + private final String serviceName; + private final boolean enforceCredentialRotationRequiredState; + + public RangerPolarisAuthorizer( + RangerEmbeddedAuthorizer authorizer, String serviceName, RealmConfig realmConfig) { + this.authorizer = authorizer; + this.serviceName = serviceName; + this.enforceCredentialRotationRequiredState = + realmConfig.getConfig( + FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING); + } + + @Override + public void resolveAuthorizationInputs( + @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest request) { + throw new UnsupportedOperationException( + "resolveAuthorizationInputs is not implemented yet for RangerPolarisAuthorizer"); + } + + @Override + public @Nonnull AuthorizationDecision authorize( + @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest request) { + throw new UnsupportedOperationException( + "authorize is not implemented yet for RangerPolarisAuthorizer"); + } + + @Override + public void authorizeOrThrow( + @Nonnull PolarisPrincipal polarisPrincipal, + @Nonnull Set<PolarisBaseEntity> activatedEntities, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable PolarisResolvedPathWrapper target, + @Nullable PolarisResolvedPathWrapper secondary) { + authorizeOrThrow( + polarisPrincipal, + activatedEntities, + authzOp, + target == null ? null : List.of(target), + secondary == null ? null : List.of(secondary)); + } + + @Override + public void authorizeOrThrow( + @Nonnull PolarisPrincipal polarisPrincipal, + @Nonnull Set<PolarisBaseEntity> activatedEntities, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable List<PolarisResolvedPathWrapper> targets, + @Nullable List<PolarisResolvedPathWrapper> secondaries) { + try { + if (enforceCredentialRotationRequiredState + && authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS + && polarisPrincipal + .getProperties() + .containsKey(PolarisEntityConstants.PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE)) { + throw new ForbiddenException( + OPERATION_NOT_ALLOWED_FOR_USER_ERROR, polarisPrincipal.getName(), authzOp.name()); + } + + if (authzOp == PolarisAuthorizableOperation.RESET_CREDENTIALS) { + boolean isRootPrincipal = getRootPrincipalName().equals(polarisPrincipal.getName()); + + if (!isRootPrincipal) { + // TODO: enable ranger audit from here to ensure that the request denied captured. + throw new ForbiddenException( + ROOT_PRINCIPAL_NEEDED_ERROR, polarisPrincipal.getName(), authzOp.name()); + } + } else if (!AUTHORIZED_OPERATIONS.contains(authzOp)) { + throw new ForbiddenException(RANGER_UNSUPPORTED_OPERATION, authzOp.name()); + } else if (!isAccessAuthorized( + polarisPrincipal, activatedEntities, authzOp, targets, secondaries)) { + throw new ForbiddenException( + RANGER_AUTH_FAILED_ERROR, polarisPrincipal.getName(), authzOp.name()); + } + } catch (RangerAuthzException excp) { + LOG.error("Failed to authorize principal {} for op {}", polarisPrincipal, authzOp, excp); + throw new IllegalStateException(excp); + } catch (IllegalStateException ise) { + LOG.error("Failed to authorize principal {} for op {}", polarisPrincipal, authzOp, ise); + throw ise; + } + } + + private boolean isAccessAuthorized( + @Nonnull PolarisPrincipal polarisPrincipal, + @Nonnull Set<PolarisBaseEntity> activatedEntities, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable List<PolarisResolvedPathWrapper> targets, + @Nullable List<PolarisResolvedPathWrapper> secondaries) + throws RangerAuthzException { + if (LOG.isDebugEnabled()) { + LOG.debug( + "isAuthorized: user={}, properties={}, groups={}", + polarisPrincipal.getName(), + polarisPrincipal.getProperties(), + String.join(",", polarisPrincipal.getRoles())); + + LOG.debug( + "isAuthorized: activatedEntities={}", + activatedEntities.stream() + .map(e -> RangerUtils.toResourceType(e.getType()) + ":" + e.getName()) + .collect(Collectors.joining(","))); + + LOG.debug("isAuthorized: authzOp={}", authzOp.name()); + + LOG.debug( + "isAuthorized: permissions={}", + authzOp.getPrivilegesOnTarget().stream() + .map(RangerUtils::toAccessType) + .collect(Collectors.joining(","))); + + if (targets != null) { + LOG.debug( + "isAuthorized: targets={}", + targets.stream().map(RangerUtils::toResourcePath).collect(Collectors.joining(","))); + } + + if (secondaries != null) { + LOG.debug( + "isAuthorized: secondaries={}", + secondaries.stream().map(RangerUtils::toResourcePath).collect(Collectors.joining(","))); + } + } + + return isAccessAuthorized(polarisPrincipal, authzOp, targets, secondaries); + } + + private boolean isAccessAuthorized( + @Nonnull PolarisPrincipal principal, + @Nonnull PolarisAuthorizableOperation authzOp, + @Nullable List<PolarisResolvedPathWrapper> targets, + @Nullable List<PolarisResolvedPathWrapper> secondaries) + throws RangerAuthzException { + boolean isTargetSpecified = targets != null && !targets.isEmpty(); + boolean isSecondarySpecified = secondaries != null && !secondaries.isEmpty(); + List<RangerAccessInfo> accessInfos = new ArrayList<>(); + + if (!authzOp.getPrivilegesOnTarget().isEmpty()) { + Preconditions.checkState( + isTargetSpecified, + "No target provided to authorize %s for privileges %s", + authzOp, + authzOp.getPrivilegesOnTarget()); + + for (PolarisResolvedPathWrapper target : targets) { + accessInfos.add(RangerUtils.toAccessInfo(target, authzOp, authzOp.getPrivilegesOnTarget())); + } + } else if (isTargetSpecified) { + LOG.warn( + "No privileges specified for target authorization. Ignoring target {}, op: {}, user: {}", + RangerUtils.toResourcePath(targets), + authzOp.name(), + principal.getName()); + } + + if (!authzOp.getPrivilegesOnSecondary().isEmpty()) { + Preconditions.checkState( + isSecondarySpecified, + "No secondaries provided to authorize %s for privileges %s", + authzOp, + authzOp.getPrivilegesOnSecondary()); + + for (PolarisResolvedPathWrapper secondary : secondaries) { + accessInfos.add( + RangerUtils.toAccessInfo(secondary, authzOp, authzOp.getPrivilegesOnSecondary())); + } + } else if (isSecondarySpecified) { + LOG.warn( + "No privileges specified for secondary authorization. Ignoring secondaries {}, op: {}, user: {}", + RangerUtils.toResourcePath(secondaries), + authzOp.name(), + principal.getName()); + } + + RangerUserInfo userInfo = RangerUtils.toUserInfo(principal); + RangerAccessContext context = new RangerAccessContext(SERVICE_TYPE, serviceName); + RangerMultiAuthzRequest authzRequest = + new RangerMultiAuthzRequest(userInfo, accessInfos, context); + RangerMultiAuthzResult authzResult = authorizer.authorize(authzRequest); Review Comment: What kind of I/O is expected at this point? ########## extensions/auth/ranger/README.txt: ########## @@ -0,0 +1,49 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +Prerequisites +================= + +1. Ranger authorizer for Polaris requires Apache Ranger version 2.8.0 or later. + +Setup instructions +================= + +1. Enable Ranger authorizer by setting the following property in + application.properties: +#--------------------------------------------- +polaris.authorization.type=ranger +#--------------------------------------------- + +2. Specify the location of Ranger authorizer configuration file by setting the + following property in application.properties: +#--------------------------------------------- +polaris.authorization.ranger.config-file-name=ranger-plugin.properties +#--------------------------------------------- + + Ranger authorizer searches for the specified configuration file in classpath. + It is recommended to place the configuration file in the same location as + application.properties file. + + Consider copying sample file from sample-conf/ranger-plugin.properties to the + folder where application.properties file is located and update the config + file according your Ranger installation. + +3. Restart Polaris to see that all accesses are authorized by Ranger policies, Review Comment: Restart or just "run" (including for the first time)? ########## build.gradle.kts: ########## @@ -106,6 +106,9 @@ tasks.named<RatTask>("rat").configure { // Polaris service startup banner excludes.add("runtime/service/src/**/banner.txt") + // Polaris service log files - generated by polaris-server + excludes.add("runtime/server/logs/**") Review Comment: Is this something specific to this PR or were those logs present before? In the latter case, it might be best to fix that in a separate PR for the sake of clarity 🤔 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
