apache · jerryshao · Sep 19, 2024 · Aug 28, 2024 · Aug 29, 2024 · Aug 30, 2024
diff --git a/authorizations/authorization-ranger/build.gradle.kts b/authorizations/authorization-ranger/build.gradle.kts
@@ -96,7 +96,7 @@ tasks {
   }
 
   val copyAuthorizationLibs by registering(Copy::class) {
-    dependsOn("jar", "runtimeJars")
+    dependsOn("jar", runtimeJars)
     from("build/libs") {
       exclude("guava-*.jar")
       exclude("log4j-*.jar")
@@ -108,6 +108,10 @@ tasks {
   register("copyLibAndConfig", Copy::class) {
     dependsOn(copyAuthorizationLibs)
   }
+
+  jar {
+    dependsOn(runtimeJars)
+  }
 }
 
 tasks.test {

diff --git a/...n-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java b/...n-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorization.java
@@ -31,6 +31,11 @@ public String shortName() {
 
   @Override
   protected AuthorizationPlugin newPlugin(String catalogProvider, Map<String, String> config) {
-    return new RangerAuthorizationPlugin(catalogProvider, config);
+    switch (catalogProvider) {
+      case "hive":
+        return RangerAuthorizationHivePlugin.getInstance(config);
+      default:
+        throw new IllegalArgumentException("Unknown catalog provider: " + catalogProvider);
+    }
   }
 }
diff --git a/...rc/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java b/...rc/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationHivePlugin.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization.ranger;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import org.apache.gravitino.authorization.Privilege;
+import org.apache.gravitino.authorization.ranger.RangerPrivilege.RangerHivePrivilege;
+import org.apache.gravitino.authorization.ranger.reference.RangerDefines.PolicyResource;
+
+public class RangerAuthorizationHivePlugin extends RangerAuthorizationPlugin {
+  private static volatile RangerAuthorizationHivePlugin instance = null;
+
+  private RangerAuthorizationHivePlugin(Map<String, String> config) {
+    super(config);
+  }
+
+  public static synchronized RangerAuthorizationHivePlugin getInstance(Map<String, String> config) {
+    if (instance == null) {
+      synchronized (RangerAuthorizationHivePlugin.class) {
+        if (instance == null) {
+          instance = new RangerAuthorizationHivePlugin(config);
+        }
+      }
+    }
+    return instance;
+  }
+
+  /** Set the default mapping Gravitino privilege name to the Ranger rule */
+  public Map<Privilege.Name, Set<RangerPrivilege>> privilegesMappingRule() {
+    return ImmutableMap.of(
+        Privilege.Name.CREATE_SCHEMA,
+        ImmutableSet.of(RangerHivePrivilege.CREATE),
+        Privilege.Name.CREATE_TABLE,
+        ImmutableSet.of(RangerHivePrivilege.CREATE),
+        Privilege.Name.MODIFY_TABLE,
+        ImmutableSet.of(
+            RangerHivePrivilege.UPDATE, RangerHivePrivilege.ALTER, RangerHivePrivilege.WRITE),
+        Privilege.Name.SELECT_TABLE,
+        ImmutableSet.of(RangerHivePrivilege.READ, RangerHivePrivilege.SELECT));
+  }
+
+  /** Set the default owner rule. */
+  public Set<RangerPrivilege> ownerMappingRule() {
+    return ImmutableSet.of(RangerHivePrivilege.ALL);
+  }
+
+  /** Set Ranger policy resource rule. */
+  public List<String> policyResourceDefinesRule() {
+    return ImmutableList.of(
+        PolicyResource.DATABASE.getName(),
+        PolicyResource.TABLE.getName(),
+        PolicyResource.COLUMN.getName());
+  }
+}
diff --git a/...er/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/...er/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -20,7 +20,6 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Lists;
 import java.io.IOException;
 import java.time.Instant;
 import java.util.Collections;
@@ -63,18 +62,16 @@
  * 4. The Ranger policy also supports multiple users and groups, But we only use a user or group to
  * implement Gravitino Owner concept. <br>
  */
-public class RangerAuthorizationPlugin implements AuthorizationPlugin {
+public abstract class RangerAuthorizationPlugin
+    implements AuthorizationPlugin, RangerPrivilegesMappingProvider {
   private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationPlugin.class);
 
-  protected String catalogProvider;
-  protected String rangerServiceName;
-  protected RangerClientExtend rangerClient;
-  private RangerHelper rangerHelper;
+  protected final String rangerServiceName;
+  protected final RangerClientExtension rangerClient;
+  private final RangerHelper rangerHelper;
   @VisibleForTesting public final String rangerAdminName;
 
-  public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> config) {
-    super();
-    this.catalogProvider = catalogProvider;
+  protected RangerAuthorizationPlugin(Map<String, String> config) {
     String rangerUrl = config.get(AuthorizationPropertiesMeta.RANGER_ADMIN_URL);
     String authType = config.get(AuthorizationPropertiesMeta.RANGER_AUTH_TYPE);
     rangerAdminName = config.get(AuthorizationPropertiesMeta.RANGER_USERNAME);
@@ -86,23 +83,26 @@ public RangerAuthorizationPlugin(String catalogProvider, Map<String, String> con
     RangerHelper.check(rangerAdminName != null, "Ranger username is required");
     RangerHelper.check(password != null, "Ranger password is required");
     RangerHelper.check(rangerServiceName != null, "Ranger service name is required");
-    rangerClient = new RangerClientExtend(rangerUrl, authType, rangerAdminName, password);
-    rangerHelper = new RangerHelper(this, catalogProvider);
+    rangerClient = new RangerClientExtension(rangerUrl, authType, rangerAdminName, password);
+
+    rangerHelper =
+        new RangerHelper(
+            rangerClient,
+            rangerAdminName,
+            rangerServiceName,
+            privilegesMappingRule(),
+            ownerMappingRule(),
+            policyResourceDefinesRule());
   }
 
   /**
-   * Translate the privilege name to the corresponding privilege name in the underlying permission
+   * Translate the privilege name to the corresponding privilege name in the Ranger
    *
    * @param name The privilege name to translate
-   * @return The corresponding privilege name in the underlying permission system
+   * @return The corresponding Ranger privilege name in the underlying permission system
    */
   public Set<String> translatePrivilege(Privilege.Name name) {
-    return rangerHelper.privilegesMapping.get(name);
-  }
-
-  @VisibleForTesting
-  public List<String> getOwnerPrivileges() {
-    return Lists.newArrayList(rangerHelper.ownerPrivileges);
+    return rangerHelper.translatePrivilege(name);
   }
 
   /**

diff --git a/...horization/ranger/RangerClientExtend.java → ...ization/ranger/RangerClientExtension.java b/...horization/ranger/RangerClientExtend.java → ...ization/ranger/RangerClientExtension.java
@@ -40,8 +40,8 @@
  * The class extends the RangerClient class and provides additional methods to create, search and
  * delete users and groups
  */
-public class RangerClientExtend extends RangerClient {
-  private static final Logger LOG = LoggerFactory.getLogger(RangerClientExtend.class);
+public class RangerClientExtension extends RangerClient {
+  private static final Logger LOG = LoggerFactory.getLogger(RangerClientExtension.class);
   private static final String URI_USER_BASE = "/service/xusers/users";
   private static final String URI_USER_BY_ID = URI_USER_BASE + "/%d";
   private static final String URI_GROUP_BASE = "/service/xusers/groups";
@@ -75,7 +75,7 @@ public class RangerClientExtend extends RangerClient {
   // private void callAPI(API api, Map<String, String> params) throws RangerServiceException
   private Method callAPIMethodNonResponse;
 
-  public RangerClientExtend(String hostName, String authType, String username, String password) {
+  public RangerClientExtension(String hostName, String authType, String username, String password) {
     super(hostName, authType, username, password, null);
 
     // initialize callAPI method