[#4698] feat(auth-ranger): Extended Ranger authorization by rules

[xunliu]

What changes were proposed in this pull request?

1. Added interface RangerPrivilegesMappingProvider, we can use it to map Gravitino privileges to the Ranger privileges.
2. Added abstract class RangerAuthorizationPlugin, we can use it to extend another Ranger authorization plugin.

Why are the changes needed?

Fix: #4698

Does this PR introduce any user-facing change?

NA

How was this patch tested?

CI Passed.

[xunliu]

@lw-yang Please help me review this PR, thanks.

[lw-yang]

LGTM.

[xunliu]

@yuqi1129 I fixed all comments. Please help me review again, Thanks!

[yuqi1129]

Should we provide default values as before, it's too complicated to set the mapping for most users and only those users that have special requirement will configure this value.

[xunliu]

Good idea, I improved it, Please help me review this PR, again.

[yuqi1129]

LGTM, @jerqi @jerryshao Would you like to take a look?

[jerryshao]

Sorry for late response, I will take a look at this today.

[jerryshao]

I'm a little confused about the changes here made, can you describe more clearly about the scenarios and how users will use this feature? It's really not easy to understand.

[xunliu]

I'm a little confused about the changes here made, can you describe more clearly about the scenarios and how users will use this feature? It's really not easy to understand.

In Gravitino, we specify that each Gravitino Privilege maps multiple Privileges on the underlying system(Ranger), but there are some users whose environments have different privilege mappings than ours, so we allow users to configure their own to meet their own personalized needs, in addition to using our default Privilege mappings.

[lw-yang]

@jerryshao This feature allows for custom configuration of the mapping relationship between Gravitino Privileges and Ranger Privileges. If the default mapping relationship in Gravitino does not meet our scenario, we can customize it.

For example, by default, Gravitino's MODIFY_TABLE maps to Ranger's RangerHivePrivilege.UPDATE, RangerHivePrivilege.ALTER, RangerHivePrivilege.WRITE. In our scenario, we need to add RangerHivePrivilege.DROP, so we can customize this mapping relationship.

[jerryshao]

Are these generic authorization configs or ranger authorization only configs?

[xunliu]

These are generic authorization configs.

[jerryshao]

If these are generic configs, they should be put into the code module, not Ranger module. Also I'm curious how other plugins like JDBC, IAM can leverage these configurations later on. From my understanding, they're quite Ranger specific.

[jerryshao]

Maybe we can directly put this file into the conf, not so necessary to add another "authorization-defs" folder, WDYT?

[xunliu]

OK, I moved it to distribution/package/authorizations/ranger/conf/authorization-hive.properties.

[jerryshao]

Do we handle the scenarios like having prefix and trailing whitespace in between policies for the conf value? like:

gravitino.authorization.privilege.mapping.CREATE_TABLE = create, aaa, xxx,   aaa

[xunliu]

Yes, I have test case to cover these scenarios.
authorizations/authorization-ranger/src/test/resources/authorization-defs/authorization-hive-nonstandard.properties

[jerryshao]

I think the document here is not enough. You should clearly describe how to configure, what is the meaning, and give an example here.

Also, do we only support 4 privileges for mapping, how do we support more privileges to map easily?

[xunliu]

I think the document here is not enough. You should clearly describe how to configure, what is the meaning, and give an example here.

OK, I added example in the docs.

Also, do we only support 4 privileges for mapping, how do we support more privileges to map easily?

No, We can support all Gravitino privileges to configurations.
Because I use

Privilege.Name gravitinoPrivilege =
                    Privilege.Name.valueOf(key.trim().toUpperCase());

These codes can convert any String to a Gravitino Privilege enum value.

[xunliu]

These are generic authorization configs.

[xunliu]

Yes, I have test case to cover these scenarios.
authorizations/authorization-ranger/src/test/resources/authorization-defs/authorization-hive-nonstandard.properties

[xunliu]

OK, I moved it to distribution/package/authorizations/ranger/conf/authorization-hive.properties.

[xunliu]

hi @jerryshao
These codes can convert any String to a Gravitino Privilege enum value.

[xunliu]

I think the document here is not enough. You should clearly describe how to configure, what is the meaning, and give an example here.

OK, I added example in the docs.

Also, do we only support 4 privileges for mapping, how do we support more privileges to map easily?

No, We can support all Gravitino privileges to configurations.
Because I use

Privilege.Name gravitinoPrivilege =
                    Privilege.Name.valueOf(key.trim().toUpperCase());

These codes can convert any String to a Gravitino Privilege enum value.

[xunliu]

@jerryshao I updated this PR, Please help me review it again, thanks.

[jerqi]

This is just a discussion instead of review suggestion.
In my opinion,

What's the difference between users and developers.
Users can only change the configurations. Developers can use the interface to custom their need.

This feature should be used by developers instead of users. So I prefer extracting an interface PrivilegeMappingProviderPlugin to let other developer extend other mapping relation.

Configuration has less restriction than the interface. The interface can help us define better behaviour.

This is just my cent, not a strong suggestion.

[xunliu]

@jerryshao I removed the use properties file to overwrite the default authorization configuration.
Please help me review it again, thanks!

[jerryshao]

I need to think a bit on this, my initial feeling is that This RangerAuthorizationConfig may not be easy for people to use.

Most of the interfaces like initializePrivilegesMappingConfig() is hard to people to understand from the definition. People doesn't know what should be implemented, what is the input, output and side-effect of this interface. Without knowing this, it is hard for the developers to extend or implement this interface.

[jerryshao]

It's OK for internal use. But if we want to expose to the developers to extend, seems the definition is not self-explanatory. The concept of xxxConfig makes people hard to understand without context.

[xunliu]

Maybe we can change class name fromRangerAuthorizationConfig to PrivilegeMappingRules?
and change the function name from

1. initializePrivilegesMappingConfig() -> setPrivilegesMappingRule()
2. initializeOwnerPrivilegesConfig() -> setOwnerPrivilegesRule()
3. initializePolicyResourceDefinesConfig() -> setPolicyResourceDefinesRule()

What do you think?

[jerryshao]

Typically, it is hard to design an interface for like "initializeXXX" or "setXXX", because it is hard for developers to know how to correctly implement a code about "initializeXXX" or "setXXX". Instead, I would suggest like:

interface RangerPrivilegesMappingProvider {

Map<GravitinoPrivilege, Set<RangerPrivileges>> privilegesMappingRule()
Map<GravitinoPrivilege, Set<RangerPrivileges>> ownerMappingRule()
...
}

Just for your reference, please take a look, thanks.

[xunliu]

OK, I accept your suggestion.

[jerryshao]

the interface name equals is conflicted with Java's built-in equals method name, also for toString, it is better to have another name.

[xunliu]

OK, change equals() to isEquals().

[jerryshao]

It is better to have a different name for this class variable, not similar to the reserved word.

[xunliu]

DONE.

[xunliu]

@jerryshao I accept your suggestion and modify the code, please help me review again, thanks.

[jerryshao]

I still think that you should have the return value for the method you defined here. Otherwise, it is hard for others to implement a such interface.

[xunliu]

Good idea.

[jerryshao]

Seems like all these methods return immutable map or list, if so, I would suggest make them singletons, so that we don't have to create maps or lists for each call.

[xunliu]

Changed to singleton.

[jerryshao]

Can you please make these variables final?

[jerryshao]

Also for other class variables.

[xunliu]

DONE.

[jerryshao]

Also please change the style to this.xxx = xxx for class variable assignment.

[xunliu]

DONE.

[jerryshao]

Also do you still need these methods? I think you can directly call privilegesMappingRule, ownerMappingRule, etc.

[xunliu]

DONE

[jerryshao]

"isEquals" is not correct for grammar, can you please change to equalsTo(xxxx)?

[xunliu]

DONE

[jerryshao]

Can you please change this class name "RangerClientExtend" to "RangerExtendedClient" or "RangerClientExtension", the name "xxxExtend" is a verb not a noun.

[xunliu]

Changed to RangerClientExtension.

[jerryshao]

@xunliu , can you please also update the PR title and description to reflect what you did currently.

[xunliu]

@jerryshao I refactoring the code, Please help me review again.

[xunliu]

DONE.

[xunliu]

DONE.

[xunliu]

DONE

[xunliu]

DONE

[xunliu]

Changed to RangerClientExtension.

[xunliu]

Changed to singleton.