Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#5336] feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and compatible for existing ranger policy #5629

Merged
merged 15 commits into from
Nov 27, 2024
Merged

[#5336] feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and compatible for existing ranger policy #5629

merged 15 commits into from
Nov 27, 2024
+305 −166

Conversation

theoryxu
Copy link
Contributor

@theoryxu theoryxu commented Nov 20, 2024
edited
Loading

What changes were proposed in this pull request?

Many clients and users have used Ranger for a while. Gravitino should be compatible with these cases.

There are some principles Gravitino needs to follow when it pushes down policies:

  1. Gravitino can't modify existing policy names because users may have their own name rules.
  2. Gravitino and users could share the same policy and not disturb each other for the same resource.

For the target, this PR includes the following changes:

  1. wildcardSearchPolies removes the MANAGED_BY_GRAVITINO filter.
  2. Gravitino managed role name add the prefix GRAVITINO_.
  3. Using Gravitino Managed role to identify and operate policy items.

Despite doing these, users should be cautious about directly managing the ranger policy. There are some restricts:

  1. Don't directly rename Gravitino-managed policies.
  2. Don't directly modify policy resources in the policy that have Gravitino Managed roles.
  3. Don't directly modify policy items that have Gravitino Managed roles.

Why are the changes needed?

Fix: #5336

Does this PR introduce any user-facing change?

N/A

How was this patch tested?

Added ITs

@xunliu
Copy link
Member

xunliu commented Nov 20, 2024
edited
Loading

hi @theoryxu Thank you for your attention to this problem

The problem now is that Gravitino will only maintain a Ranger Policy with the MANAGED_BY_GRAVITINO label, but if a user already has a Ranger service, that can lead to conflicts.

  1. Gravitino's Policy has its own set of management rules. May conflict with the user randomly set;
  2. Therefore, only a Ranger Policy with the MANAGED_BY_GRAVITINO label is maintained.

But that's a pretty big limitation.

  1. There is only one Ranger policy for each resource (db1.tab1).
  2. If a user's old ranger service already has the db1.tab1 policy, but this policy may not conform to Gravitino's authority specification, and there may be problems if Gravitino is asked to directly update this Policy.
    3, so now the Gravitino through RangerHelper.WildcardSearchPolies() function will only find the policy with MANAGED_BY_GRAVITINO label.
  3. If the old ranger already has this policy, but Gravitino cannot operate it, there will be problems.

@xunliu xunliu changed the title [#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and compatible for existing ranger policy [#5336] feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and compatible for existing ranger policy Nov 20, 2024
@xunliu xunliu self-requested a review November 20, 2024 10:42
theoryxu and others added 7 commits November 25, 2024 10:04
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
81a5533 
… compatible for existing ranger policy
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
b8063aa 
… compatible for existing ranger policy
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
fbd9fc4 
… compatible for existing ranger policy
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
552f08e 
… compatible for existing ranger policy
@theoryxu
Merge branch 'main' into issues_5336
190fb26
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
c773e5b 
… compatible for existing ranger policy
[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…
03e2c39 
… compatible for existing ranger policy
xunliu
xunliu reviewed Nov 26, 2024
View reviewed changes
...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java Outdated Show resolved Hide resolved
...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java Outdated Show resolved Hide resolved
...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java Outdated Show resolved Hide resolved
...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java Outdated Show resolved Hide resolved
...thorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java Outdated Show resolved Hide resolved
...r/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java Outdated Show resolved Hide resolved
...r/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java Outdated Show resolved Hide resolved
...r/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java Outdated Show resolved Hide resolved
...r/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java Outdated Show resolved Hide resolved
...r/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java Outdated Show resolved Hide resolved
@theoryxu
Copy link
Contributor Author

@xunliu all flaws have been fixed. Please review it again. Thanks

xunliu
xunliu approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@xunliu xunliu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@xunliu xunliu merged commit 9af57e8 into apache:main Nov 27, 2024
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tengqm tengqm tengqm left review comments

@xunliu xunliu xunliu approved these changes

Assignees

@theoryxu theoryxu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Subtask] Remove MANAGED_BY_GRAVITINO limit
3 participants
@theoryxu @xunliu @tengqm