diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java
index 813226fd9de840..7a2779b43b1c6b 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java
@@ -93,6 +93,10 @@ public List evalRowFilterPolicies(UserIdentity curren
 String tbl) {
 RangerAccessResourceImpl resource = createResource(ctl, db, tbl);
 RangerAccessRequestImpl request = createRequest(currentUser);
+ // If the access type is not set here, it defaults to ANY1 ACCESS.
+ // The internal logic of the ranger is to traverse all permission items.
+ // Since the ranger UI will set the access type to 'SELECT',
+ // we will keep it consistent with the UI here to avoid performance issues
 request.setAccessType(DorisAccessType.SELECT.name());
 request.setResource(resource);
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
deleted file mode 100644
index 4b2aca0628a59a..00000000000000
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java
+++ /dev/null
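Review bot: The added comment's "ANY1 ACCESS" reads as a typo or a garbled rendering and does not name what Ranger actually falls back to, which is the one fact a later maintainer needs when deciding whether SELECT is still the right access type; presumably the intended reference is Ranger's any-access marker (`RangerPolicyEngine.ANY_ACCESS`, i.e. "_any"), so spell it out and phrase the reason as a policy-matching fact rather than only a performance one, e.g. `// Leaving the access type unset makes Ranger evaluate the request as ANY access and walk every policy item; the Ranger UI creates row-filter policies with access type SELECT, so set SELECT here so evaluation matches those policies and avoids that traversal.` It is also worth stating in the same comment, hedged if not verified, that a row-filter policy authored with any other access type would not be matched by this request, since that is the security-relevant consequence of hard-coding SELECT and the performance wording alone hides it. evalRowFilterPolicies begins and ends outside this hunk (its signature is cut in the hunk header), so the sibling data-mask path is not visible here to confirm it uses the same access type. The remaining hunks are pure file deletions of the ranger cache layer and need no separate note.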
@@ -1,91 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.ResourceTypeEnum; -import org.apache.doris.analysis.UserIdentity; -import org.apache.doris.common.AuthorizationException; -import org.apache.doris.mysql.privilege.CatalogAccessController; -import org.apache.doris.mysql.privilege.DataMaskPolicy; -import org.apache.doris.mysql.privilege.PrivPredicate; -import org.apache.doris.mysql.privilege.RowFilterPolicy; - -import java.util.List; -import java.util.Optional; -import java.util.Set; - -public abstract class CatalogCacheAccessController implements CatalogAccessController { - public abstract CatalogAccessController getProxyController(); - - public abstract RangerCache getCache(); - - - @Override - public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { - return getProxyController().checkGlobalPriv(currentUser, wanted); - } - - @Override - public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { - return getProxyController().checkCtlPriv(currentUser, ctl, wanted); - } - - @Override - public boolean checkDbPriv(UserIdentity currentUser, String ctl, String 
db, PrivPredicate wanted) { - return getProxyController().checkDbPriv(currentUser, ctl, db, wanted); - } - - @Override - public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { - return getProxyController().checkTblPriv(currentUser, ctl, db, tbl, wanted); - } - - @Override - public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { - return getProxyController().checkResourcePriv(currentUser, resourceName, wanted); - } - - @Override - public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted) { - return getProxyController().checkWorkloadGroupPriv(currentUser, workloadGroupName, wanted); - } - - @Override - public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, - PrivPredicate wanted) throws AuthorizationException { - getProxyController().checkColsPriv(currentUser, ctl, db, tbl, cols, wanted); - } - - @Override - public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted, - ResourceTypeEnum type) { - return getProxyController().checkCloudPriv(currentUser, resourceName, wanted, type); - } - - @Override - public Optional evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl, - String col) { - return getCache().getDataMask(new DatamaskCacheKey(currentUser, ctl, db, tbl, col)); - } - - @Override - public List evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, - String tbl) { - return getCache().getRowFilters(new RowFilterCacheKey(currentUser, ctl, db, tbl)); - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java deleted file mode 100644 index d2262d094f9cef..00000000000000 
--- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java +++ /dev/null 
@@ -1,89 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.UserIdentity; - -import com.google.common.base.Objects; - -public class DatamaskCacheKey { - private UserIdentity userIdentity; - private String ctl; - private String db; - private String tbl; - private String col; - - public DatamaskCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl, String col) { - this.userIdentity = userIdentity; - this.ctl = ctl; - this.db = db; - this.tbl = tbl; - this.col = col; - } - - public UserIdentity getUserIdentity() { - return userIdentity; - } - - public String getCtl() { - return ctl; - } - - public String getDb() { - return db; - } - - public String getTbl() { - return tbl; - } - - public String getCol() { - return col; - } - - @Override - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o == null || getClass() != o.getClass()) { - return false; - } - DatamaskCacheKey that = (DatamaskCacheKey) o; - return Objects.equal(userIdentity, that.userIdentity) - && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) - && Objects.equal(tbl, that.tbl) && Objects.equal(col, - 
that.col); - } - - @Override - public int hashCode() { - return Objects.hashCode(userIdentity, ctl, db, tbl, col); - } - - @Override - public String toString() { - return "DatamaskCacheKey{" - + "userIdentity=" + userIdentity - + ", ctl='" + ctl + '\'' - + ", db='" + db + '\'' - + ", tbl='" + tbl + '\'' - + ", col='" + col + '\'' - + '}'; - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java deleted file mode 100644 index 29c068b1aff991..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java +++ /dev/null 
@@ -1,107 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.common.Config; -import org.apache.doris.datasource.CacheException; -import org.apache.doris.mysql.privilege.CatalogAccessController; -import org.apache.doris.mysql.privilege.DataMaskPolicy; -import org.apache.doris.mysql.privilege.RowFilterPolicy; - -import com.google.common.cache.CacheBuilder; -import com.google.common.cache.CacheLoader; -import com.google.common.cache.LoadingCache; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.util.List; -import java.util.Objects; -import java.util.Optional; -import java.util.concurrent.ExecutionException; - -public class RangerCache { - private static final Logger LOG = LoggerFactory.getLogger(RangerCache.class); - - private CatalogAccessController controller; - private LoadingCache> datamaskCache = CacheBuilder.newBuilder() - .maximumSize(Config.ranger_cache_size) - .build(new CacheLoader>() { - @Override - public Optional load(DatamaskCacheKey key) { - return loadDataMask(key); - } - }); - - private LoadingCache> rowFilterCache = CacheBuilder.newBuilder() - .maximumSize(Config.ranger_cache_size) - 
.build(new CacheLoader>() { - @Override - public List load(RowFilterCacheKey key) { - return loadRowFilter(key); - } - }); - - public RangerCache() { - } - - public void init(CatalogAccessController controller) { - this.controller = controller; - } - - private Optional loadDataMask(DatamaskCacheKey key) { - Objects.requireNonNull(controller, "controller can not be null"); - if (LOG.isDebugEnabled()) { - LOG.debug("load datamask: {}", key); - } - return controller.evalDataMaskPolicy(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl(), - key.getCol()); - } - - private List loadRowFilter(RowFilterCacheKey key) { - Objects.requireNonNull(controller, "controller can not be null"); - if (LOG.isDebugEnabled()) { - LOG.debug("load row filter: {}", key); - } - return controller.evalRowFilterPolicies(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl()); - } - - public void invalidateDataMaskCache() { - datamaskCache.invalidateAll(); - } - - public void invalidateRowFilterCache() { - rowFilterCache.invalidateAll(); - } - - public Optional getDataMask(DatamaskCacheKey key) { - try { - return datamaskCache.get(key); - } catch (ExecutionException e) { - throw new CacheException("failed to get datamask for:" + key, e); - } - } - - public List getRowFilters(RowFilterCacheKey key) { - try { - return rowFilterCache.get(key); - } catch (ExecutionException e) { - throw new CacheException("failed to get row filter for:" + key, e); - } - } - -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java deleted file mode 100644 index 4af56a8ff1bacf..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java +++ /dev/null 
@@ -1,41 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; - -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; -import org.apache.ranger.plugin.service.RangerAuthContextListener; - -public class RangerCacheInvalidateListener implements RangerAuthContextListener { - private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class); - - private RangerCache cache; - - public RangerCacheInvalidateListener(RangerCache cache) { - this.cache = cache; - } - - @Override - public void contextChanged() { - LOG.info("ranger context changed"); - cache.invalidateDataMaskCache(); - cache.invalidateRowFilterCache(); - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java deleted file mode 100644 index 08afcb40fcb59b..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java +++ /dev/null 
@@ -1,82 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.cache; - -import org.apache.doris.analysis.UserIdentity; - -import com.google.common.base.Objects; - -public class RowFilterCacheKey { - private UserIdentity userIdentity; - private String ctl; - private String db; - private String tbl; - - public RowFilterCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl) { - this.userIdentity = userIdentity; - this.ctl = ctl; - this.db = db; - this.tbl = tbl; - } - - public UserIdentity getUserIdentity() { - return userIdentity; - } - - public String getCtl() { - return ctl; - } - - public String getDb() { - return db; - } - - public String getTbl() { - return tbl; - } - - - @Override - public boolean equals(Object o) { - if (this == o) { - return true; - } - if (o == null || getClass() != o.getClass()) { - return false; - } - RowFilterCacheKey that = (RowFilterCacheKey) o; - return Objects.equal(userIdentity, that.userIdentity) - && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) - && Objects.equal(tbl, that.tbl); - } - - @Override - public int hashCode() { - return Objects.hashCode(userIdentity, ctl, db, tbl); - } - - @Override - 
public String toString() { - return "DatamaskCacheKey{" - + "userIdentity=" + userIdentity - + ", ctl='" + ctl + '\'' - + ", db='" + db + '\'' - + ", tbl='" + tbl + '\'' - + '}'; - } -} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java deleted file mode 100644 index 2cbc8111d52c9c..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java +++ /dev/null 
@@ -1,44 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.doris; - -import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; -import org.apache.doris.mysql.privilege.CatalogAccessController; - -public class RangerCacheDorisAccessController extends CatalogCacheAccessController { - private CatalogAccessController proxyController; - private RangerCache cache; - - public RangerCacheDorisAccessController(String serviceName) { - this.cache = new RangerCache(); - this.proxyController = new RangerDorisAccessController(serviceName, new RangerCacheInvalidateListener(cache)); - this.cache.init(proxyController); - } - - @Override - public CatalogAccessController getProxyController() { - return proxyController; - } - - @Override - public RangerCache getCache() { - return cache; - } -} 
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java deleted file mode 100644 index f4f510a12e641c..00000000000000 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java +++ /dev/null 
@@ -1,47 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one -// or more contributor license agreements. See the NOTICE file -// distributed with this work for additional information -// regarding copyright ownership. The ASF licenses this file -// to you under the Apache License, Version 2.0 (the -// "License"); you may not use this file except in compliance -// with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -package org.apache.doris.catalog.authorizer.ranger.hive; - -import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache; -import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener; -import org.apache.doris.mysql.privilege.CatalogAccessController; - -import java.util.Map; - -public class RangerCacheHiveAccessController extends CatalogCacheAccessController { - - private CatalogAccessController proxyController; - private RangerCache cache; - - public RangerCacheHiveAccessController(Map properties) { - this.cache = new RangerCache(); - this.proxyController = new RangerHiveAccessController(properties, new RangerCacheInvalidateListener(cache)); - this.cache.init(proxyController); - } - - @Override - public CatalogAccessController getProxyController() { - return proxyController; - } - - @Override - public RangerCache getCache() { - return cache; - } -}