[feat](catalog)Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations. #43445
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…erg Catalog Operations Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types.
|
Thank you for your contribution to Apache Doris. Check List (For Author)
Check List (For Reviewer who merge this PR)
|
…erg Catalog Operations Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types.
…ype Iceberg Catalog Operations" This reverts commit d90b608.
…a Common Interface ### Optimize Column-Level Permission Checks Using Table-Level Permissions: Since having column-level permissions does not imply table-level permissions, but having table-level permissions does imply permissions on all columns within the table, we can streamline column permission checks. When checking column-level permissions, we can first check if the user has table-level permissions. If table-level permissions are granted, column-level checks become unnecessary. Only if table-level permissions are absent do we proceed with specific column-level permission checks. ### Global Permissions Shortcut: Global-level permissions typically grant full access across all operations. Therefore, to optimize permission checks, we can add an early check for global permissions. If the user has global permissions, they are authorized, and further permission checks at the database, table, or column levels are unnecessary, allowing us to return immediately.
|
run buildall |
|
run buildall |
CalvinKirs
changed the title
CalvinKirs
changed the title
morningman
approved these changes
Nov 18, 2024
github-actions
bot
added
the
approved
|
PR approved by at least one committer and no changes requested. |
|
PR approved by anyone and no changes requested. |
JNSimba
approved these changes
Nov 18, 2024
github-actions bot
pushed a commit
that referenced
this pull request
Nov 18, 2024
…erg Catalog Operations. (#43445) ### What problem does this PR solve? Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. ### Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. ### Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types. ### Check List (For Author) - Test <!-- At least one of them must be included. --> - [x] Manual test (add detailed scripts or steps below) ``` mysql> CREATE TABLE ha -> ( -> vendor_id BIGINT, -> trip_id BIGINT, -> trip_distance FLOAT, -> fare_amount DOUBLE, -> store_and_fwd_flag STRING, -> ts DATETIME -> ); Query OK, 0 rows affected (2.08 sec) mysql> show create table ha; +-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Table | Create Table | +-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ha | CREATE TABLE `ha` ( `vendor_id` bigint NULL, `trip_id` bigint NULL, `trip_distance` float NULL, `fare_amount` double NULL, `store_and_fwd_flag` text NULL, `ts` datetimev2(6) NULL ) ENGINE=ICEBERG_EXTERNAL_TABLE LOCATION 'xxxxx' PROPERTIES ( "doris.version" = "doris-2.1.6-rc04-67ee7f53e6", "write.parquet.compression-codec" = "zstd" ); mysql> INSERT INTO iceberg.ck_iceberg.ha -> VALUES -> (1, 1000371, 1.8, 15.32, 'N', '2024-01-01 9:15:23'), -> (2, 1000372, 2.5, 22.15, 'N', '2024-01-02 12:10:11'), -> (2, 1000373, 0.9, 9.01, 'N', '2024-01-01 3:25:15'), -> (1, 1000374, 8.4, 42.13, 'Y', '2024-01-03 7:12:33'); Query OK, 4 rows affected (5.10 sec) {'status':'COMMITTED', 'txnId':'35030'} mysql> select * from ha; +-----------+---------+---------------+-------------+--------------------+----------------------------+ | vendor_id | trip_id | trip_distance | fare_amount | store_and_fwd_flag | ts | +-----------+---------+---------------+-------------+--------------------+----------------------------+ | 1 | 1000371 | 1.8 | 15.32 | N | 2024-01-01 09:15:23.000000 | | 2 | 1000372 | 2.5 | 22.15 | N | 2024-01-02 12:10:11.000000 | | 2 | 1000373 | 0.9 | 9.01 | N | 2024-01-01 03:25:15.000000 | | 1 | 1000374 | 8.4 | 42.13 | Y | 2024-01-03 07:12:33.000000 | +-----------+---------+---------------+-------------+--------------------+----------------------------+ 4 rows in set (1.20 sec) ```
github-actions bot
pushed a commit
that referenced
this pull request
Nov 18, 2024
…erg Catalog Operations. (#43445) ### What problem does this PR solve? Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. ### Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. ### Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types. ### Check List (For Author) - Test <!-- At least one of them must be included. --> - [x] Manual test (add detailed scripts or steps below) ``` mysql> CREATE TABLE ha -> ( -> vendor_id BIGINT, -> trip_id BIGINT, -> trip_distance FLOAT, -> fare_amount DOUBLE, -> store_and_fwd_flag STRING, -> ts DATETIME -> ); Query OK, 0 rows affected (2.08 sec) mysql> show create table ha; +-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Table | Create Table | +-------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | ha | CREATE TABLE `ha` ( `vendor_id` bigint NULL, `trip_id` bigint NULL, `trip_distance` float NULL, `fare_amount` double NULL, `store_and_fwd_flag` text NULL, `ts` datetimev2(6) NULL ) ENGINE=ICEBERG_EXTERNAL_TABLE LOCATION 'xxxxx' PROPERTIES ( "doris.version" = "doris-2.1.6-rc04-67ee7f53e6", "write.parquet.compression-codec" = "zstd" ); mysql> INSERT INTO iceberg.ck_iceberg.ha -> VALUES -> (1, 1000371, 1.8, 15.32, 'N', '2024-01-01 9:15:23'), -> (2, 1000372, 2.5, 22.15, 'N', '2024-01-02 12:10:11'), -> (2, 1000373, 0.9, 9.01, 'N', '2024-01-01 3:25:15'), -> (1, 1000374, 8.4, 42.13, 'Y', '2024-01-03 7:12:33'); Query OK, 4 rows affected (5.10 sec) {'status':'COMMITTED', 'txnId':'35030'} mysql> select * from ha; +-----------+---------+---------------+-------------+--------------------+----------------------------+ | vendor_id | trip_id | trip_distance | fare_amount | store_and_fwd_flag | ts | +-----------+---------+---------------+-------------+--------------------+----------------------------+ | 1 | 1000371 | 1.8 | 15.32 | N | 2024-01-01 09:15:23.000000 | | 2 | 1000372 | 2.5 | 22.15 | N | 2024-01-02 12:10:11.000000 | | 2 | 1000373 | 0.9 | 9.01 | N | 2024-01-01 03:25:15.000000 | | 1 | 1000374 | 8.4 | 42.13 | Y | 2024-01-03 07:12:33.000000 | +-----------+---------+---------------+-------------+--------------------+----------------------------+ 4 rows in set (1.20 sec) ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What problem does this PR solve?
Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary
This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance.
Motivation
In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility.
Key Changes
Addition of PreExecutionAuthenticator Utility Class
Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations
All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design
PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types.
Check List (For Author)
Test
Behavior changed:
Does this need documentation?
Release note
None
Check List (For Reviewer who merge this PR)