forked from apache/doris
[feat](Authorization-plugin)Authorization framework modularization (apache#40750)

# AccessControllerFactory Interface

## Overview

The `AccessControllerFactory` interface is responsible for creating and managing `CatalogAccessController` instances. The interface includes the following methods:

- **`default String factoryIdentifier()`**: Returns the identifier for the factory, defaulting to the simple name of the implementing class. To maintain compatibility with user-defined plugins from older versions, the `factoryIdentifier` method provides a default implementation that returns the simple name of the current implementation class, ensuring that each factory has a unique identifier.
- **`CatalogAccessController createAccessController(Map<String, String> prop)`**: Creates a new instance of `CatalogAccessController` and initializes it with the provided properties.

## Factory Identifier

Each class implementing `AccessControllerFactory` will automatically use its class name as the factory identifier. This helps in identifying different factory instances during plugin loading and selection.

## Instance Creation

The `createAccessController` method allows you to create and initialize `CatalogAccessController` instances. The `prop` parameter provides the configuration properties needed for initialization.

## Compatibility

- If you are using the previously built-in `ranger-doris` authentication plugin, no configuration changes are required; it will continue to function as before.
- For custom plugins, configuration information should be defined in `conf/access.conf`. Then, in `fe.conf`, specify the `access_controller_type` as the identifier for the custom plugin.

## How to Extend

- Add the `fe-core` dependency to your Maven `pom.xml` file.

```xml
<dependency>
    <groupId>org.apache.doris</groupId>
    <artifactId>fe-core</artifactId>
    <version>1.2-SNAPSHOT</version>
    <scope>provided</scope>
</dependency>
```

Then, implement the AccessControllerFactory interface to create your own plugin factory class as follows:

```java
package org.example.access;

import org.apache.doris.mysql.privilege.AccessControllerFactory;
import org.apache.doris.mysql.privilege.CatalogAccessController;

import java.util.Map;

public class SimpleAccessControllerFactory implements AccessControllerFactory {
    @Override
    public String factoryIdentifier() {
        return "local-simple";
    }

    @Override
    public CatalogAccessController createAccessController(Map<String, String> map) {
        return new SimpleAccessController(map);
    }
}
```

```java
package org.example.access;

import org.apache.doris.analysis.ResourceTypeEnum;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.common.AuthorizationException;
import org.apache.doris.mysql.privilege.CatalogAccessController;
import org.apache.doris.mysql.privilege.DataMaskPolicy;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.mysql.privilege.RowFilterPolicy;

import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class SimpleAccessController implements CatalogAccessController {
    private HashMap<String, Boolean> databasePrivs = new HashMap<>();

    // just for test
    public SimpleAccessController(Map<String, String> prop) {
        prop.forEach((k, v) -> {
            databasePrivs.put(k, Boolean.parseBoolean(v));
        });
    }

    @Override
    public boolean checkGlobalPriv(UserIdentity userIdentity, PrivPredicate privPredicate) {
        return false;
    }

    @Override
    public boolean checkCtlPriv(UserIdentity userIdentity, String s, PrivPredicate privPredicate) {
        return true;
    }

    // ... (the remaining CatalogAccessController methods are elided in the commit message)
}
```

Add a new folder named **META-INF/services** under the resources directory, and create a new file named **org.apache.doris.mysql.privilege.AccessControllerFactory.** with a file containing **org.apache.doris.mysql.privilege.AccessControllerFactory.**

## How to Use

- In `fe.conf`, specify the **access_controller_type=local-simple**
- Put the jar file containing the custom plugin in the **fe/custom_lib** directory.
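An added illustration, not part of the commit or of Doris: one way a loader could index discovered factories by `factoryIdentifier()` and fail closed on a duplicate identifier or an unknown `access_controller_type`. The two interfaces are minimal stand-ins for the ones described above, and `FactoryRegistryExample`, `index`, `select`, `NamedFactory` and `LegacyFactory` are hypothetical names.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Stand-ins for the Doris types named above (assumption: only the two methods the message lists).
interface CatalogAccessController {}
interface AccessControllerFactory {
    default String factoryIdentifier() { return getClass().getSimpleName(); }
    CatalogAccessController createAccessController(Map<String, String> prop);
}

public class FactoryRegistryExample {
    static final CatalogAccessController STUB = new CatalogAccessController() {};
    // Hypothetical plugin that overrides the identifier.
    static class NamedFactory implements AccessControllerFactory {
        @Override public String factoryIdentifier() { return "local-simple"; }
        @Override public CatalogAccessController createAccessController(Map<String, String> prop) { return STUB; }
    }
    // Hypothetical older plugin that relies on the default (simple class name).
    static class LegacyFactory implements AccessControllerFactory {
        @Override public CatalogAccessController createAccessController(Map<String, String> prop) { return STUB; }
    }

    // Index factories by identifier; two factories claiming the same identifier is an error.
    static Map<String, AccessControllerFactory> index(Iterable<AccessControllerFactory> found) {
        Map<String, AccessControllerFactory> byId = new HashMap<>();
        for (AccessControllerFactory f : found) {
            AccessControllerFactory prev = byId.putIfAbsent(f.factoryIdentifier(), f);
            if (prev != null) {
                throw new IllegalStateException("duplicate identifier '" + f.factoryIdentifier() + "'");
            }
        }
        return byId;
    }

    // Resolve the configured type; an unknown value fails instead of falling back to a default.
    static CatalogAccessController select(Map<String, AccessControllerFactory> byId, String type, Map<String, String> prop) {
        AccessControllerFactory f = byId.get(type);
        if (f == null) { throw new IllegalArgumentException("unknown access_controller_type '" + type + "'"); }
        return f.createAccessController(prop);
    }

    public static void main(String[] args) {
        // A real loader would iterate ServiceLoader.load(AccessControllerFactory.class) instead of a list.
        Map<String, AccessControllerFactory> byId = index(List.of(new NamedFactory(), new LegacyFactory()));
        select(byId, "LegacyFactory", Map.of());           // default identifier resolves
        try { select(byId, "local-simpel", Map.of()); }     // constructed typo is rejected
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```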
1 parent ed2a060 commit dd5605e

Showing 11 changed files with 257 additions and 46 deletions.
34 changes: 34 additions & 0 deletions
...re/src/main/java/org/apache/doris/mysql/privilege/RangerDorisAccessControllerFactory.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
// Licensed to the Apache Software Foundation (ASF) under one | ||
// or more contributor license agreements. See the NOTICE file | ||
// distributed with this work for additional information | ||
// regarding copyright ownership. The ASF licenses this file | ||
// to you under the Apache License, Version 2.0 (the | ||
// "License"); you may not use this file except in compliance | ||
// with the License. You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, | ||
// software distributed under the License is distributed on an | ||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
// KIND, either express or implied. See the License for the | ||
// specific language governing permissions and limitations | ||
// under the License. | ||
|
||
package org.apache.doris.mysql.privilege; | ||
|
||
import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; | ||
|
||
import java.util.Map; | ||
|
||
public class RangerDorisAccessControllerFactory implements AccessControllerFactory { | ||
@Override | ||
public String factoryIdentifier() { | ||
return "ranger-doris"; | ||
} | ||
|
||
@Override | ||
public RangerCacheDorisAccessController createAccessController(Map<String, String> prop) { | ||
return new RangerCacheDorisAccessController("doris"); | ||
} | ||
} |
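Review bot: `createAccessController` never reads its `prop` argument and hard-codes the service name in `new RangerCacheDorisAccessController("doris")`, so any properties an operator supplies for this factory are silently ignored. Either state in a Javadoc on the method that `ranger-doris` takes no properties, or read the service name from `prop` with `"doris"` as the default. A class-level comment naming the identifier would also help, since `"ranger-doris"` is now the value users set in `access_controller_type`.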
53 changes: 53 additions & 0 deletions
fe/fe-core/src/main/java/org/apache/doris/plugin/PropertiesUtils.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
// Licensed to the Apache Software Foundation (ASF) under one | ||
// or more contributor license agreements. See the NOTICE file | ||
// distributed with this work for additional information | ||
// regarding copyright ownership. The ASF licenses this file | ||
// to you under the Apache License, Version 2.0 (the | ||
// "License"); you may not use this file except in compliance | ||
// with the License. You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, | ||
// software distributed under the License is distributed on an | ||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
// KIND, either express or implied. See the License for the | ||
// specific language governing permissions and limitations | ||
// under the License. | ||
|
||
package org.apache.doris.plugin; | ||
|
||
import org.apache.doris.common.Config; | ||
import org.apache.doris.common.EnvUtils; | ||
|
||
import java.io.File; | ||
import java.io.IOException; | ||
import java.nio.file.Files; | ||
import java.nio.file.Paths; | ||
import java.util.HashMap; | ||
import java.util.Map; | ||
import java.util.Properties; | ||
|
||
public class PropertiesUtils { | ||
public static final String ACCESS_PROPERTIES_FILE_DIR = Config.authorization_config_file_path; | ||
|
||
public static Map<String, String> loadAccessControllerPropertiesOrNull() throws IOException { | ||
String configFilePath = EnvUtils.getDorisHome() + ACCESS_PROPERTIES_FILE_DIR; | ||
if (new File(configFilePath).exists()) { | ||
Properties properties = new Properties(); | ||
properties.load(Files.newInputStream(Paths.get(configFilePath))); | ||
return propertiesToMap(properties); | ||
} | ||
return null; | ||
} | ||
|
||
public static Map<String, String> propertiesToMap(Properties properties) { | ||
Map<String, String> map = new HashMap<>(); | ||
for (Map.Entry<Object, Object> entry : properties.entrySet()) { | ||
String key = String.valueOf(entry.getKey()); | ||
String value = String.valueOf(entry.getValue()); | ||
map.put(key, value); | ||
} | ||
return map; | ||
} | ||
} |
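Review bot: the stream opened in `properties.load(Files.newInputStream(Paths.get(configFilePath)))` is never closed; wrap it in try-with-resources so the file handle is released even when `load` throws. In the same method, `EnvUtils.getDorisHome() + ACCESS_PROPERTIES_FILE_DIR` is plain string concatenation, so the result depends on the configured value starting with a separator, and the constant is named `..._FILE_DIR` although it is used as a file path; `Paths.get(home, relative)` and a `_FILE_PATH` name would be clearer. Returning `null` for a missing file pushes a null check onto every caller, and because these properties configure authorization, consider returning an empty map and logging the path that was not found.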
19 changes: 19 additions & 0 deletions
...main/resources/META-INF/services/org.apache.doris.mysql.privilege.AccessControllerFactory
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# | ||
# Licensed to the Apache Software Foundation (ASF) under one or more | ||
# contributor license agreements. See the NOTICE file distributed with | ||
# this work for additional information regarding copyright ownership. | ||
# The ASF licenses this file to You under the Apache License, Version 2.0 | ||
# (the "License"); you may not use this file except in compliance with | ||
# the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
# | ||
org.apache.doris.mysql.privilege.RangerDorisAccessControllerFactory | ||
org.apache.doris.catalog.authorizer.ranger.hive.RangerHiveAccessControllerFactory |
35 changes: 35 additions & 0 deletions
...core/src/test/java/org/apache/doris/nereids/privileges/CustomAccessControllerFactory.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
// Licensed to the Apache Software Foundation (ASF) under one | ||
// or more contributor license agreements. See the NOTICE file | ||
// distributed with this work for additional information | ||
// regarding copyright ownership. The ASF licenses this file | ||
// to you under the Apache License, Version 2.0 (the | ||
// "License"); you may not use this file except in compliance | ||
// with the License. You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, | ||
// software distributed under the License is distributed on an | ||
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
// KIND, either express or implied. See the License for the | ||
// specific language governing permissions and limitations | ||
// under the License. | ||
|
||
package org.apache.doris.nereids.privileges; | ||
|
||
import org.apache.doris.mysql.privilege.AccessControllerFactory; | ||
import org.apache.doris.mysql.privilege.CatalogAccessController; | ||
|
||
import java.util.Map; | ||
|
||
public class CustomAccessControllerFactory implements AccessControllerFactory { | ||
@Override | ||
public String factoryIdentifier() { | ||
return "CustomAccess"; | ||
} | ||
|
||
@Override | ||
public CatalogAccessController createAccessController(Map<String, String> prop) { | ||
return new TestCheckPrivileges.SimpleCatalogAccessController(); | ||
} | ||
} |
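Review bot: this test factory overrides `factoryIdentifier()` to return `"CustomAccess"`, so the default implementation (the simple class name, which the commit message says exists for compatibility with older plugins) is not exercised by it. Consider a second test factory without the override and an assertion that it can be selected by its simple class name. `prop` is also unused in `createAccessController`; a test that passes properties through and checks that the controller received them would cover the new config-file path.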