diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
new file mode 100644
index 0000000000..9d24fa875d
--- /dev/null
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,18 @@
+name: Security
+on:
+ pull_request: {}
+ push:
+ branches: ['ranger-2.1-rzp']
+ schedule:
+ - cron: '30 20 * * *'
+jobs:
+ security-sast:
+ uses: razorpay/security-action/.github/workflows/semgrep.yml@master
+ secrets:
+ SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+ security-statuscheck:
+ needs: [security-sast]
+ if: always()
+ uses: razorpay/security-action/.github/workflows/status_check.yml@ranger-2.1-rzp
+ with:
+ WORKFLOW_RESULT: ${{ needs.security-sast.result == 'success' && needs.security-sast.result != 'cancelled' || 'false' }}
diff --git a/README.txt b/README.txt
index fce972ab1b..6e044217f6 100644
--- a/README.txt
+++ b/README.txt
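Review bot: Both `uses:` lines pull the reusable workflows from razorpay/security-action by mutable branch (`@master` for `security-sast`, `@ranger-2.1-rzp` for `security-statuscheck`), so any later push to those branches silently changes what runs here with `SEMGREP_APP_TOKEN` in scope; pin each to a full commit SHA and keep the branch as a trailing comment, e.g. `uses: razorpay/security-action/.github/workflows/semgrep.yml@<full-commit-sha> # master`. The `WORKFLOW_RESULT` expression's `!= 'cancelled'` clause can never be false once `== 'success'` holds, so `${{ needs.security-sast.result == 'success' || 'false' }}` evaluates identically and reads clearer. A one-line comment above `security-statuscheck` saying why `if: always()` is needed (to report a failed or skipped scan as a status) would help the next reader.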
@@ -22,6 +22,40 @@ Apache Ranger is currently NOT setup to use pull requests to take in the changes Please use the apache review board to submit your code changes for review and commit. https://reviews.apache.org Also create a jira to go along with the review and mention it in the review board review. https://issues.apache.org/jira/browse/RANGER + + +#### For compiling ranger +mvn compile package assembly:assembly -DskipJSTests -DskipTests -Drat.skip=true -Dmaven.artifact.threads=20 --batch-mode -Pranger-hive-plugin +mvn compile package assembly:assembly -DskipJSTests -DskipTests -Drat.skip=true -Dmaven.artifact.threads=20 --batch-mode -Pranger-presto-plugin +mvn compile package assembly:assembly -DskipJSTests -DskipTests -Drat.skip=true -Dmaven.artifact.threads=20 --batch-mode -Pranger-trino-plugin +-- for ranger admin compile +mvn compile package assembly:assembly -DskipJSTests -DskipTests -Drat.skip=true -Dmaven.artifact.threads=20 --batch-mode -Pall + +----NOTE: for version >=2.1.x , assembly:assembly phase is part of package and will error out if explicitly run with package + +--- Note: Check `distro` module, it is responsible for creating plugin `tar.gz` it needs to run at the end of all modules. It can be configured to selectively build certain plugins. + +Updated Build Process +==================== +Note: + +As this repo was changed from original fork to build 'ranger--trino-plugin.tar.gz' which depends on JDK11. You might encounter error in the build process for 'hive-agent' module. Ranger uses hive version 3.1.2 which still requires JDK8 while building so to avoid this error please use this instruction. You can use original build process on JDK8 to seperately build the 'ranger-hive-plugin.tar.gz'. + +Additionally please refer this JIRA ticket +https://issues.apache.org/jira/browse/RANGER-3182 + +1. Check out the code from GIT repository + +2. 
On the root folder, please execute the following Maven command: + + $ mvn clean compile package assembly:assembly install -pl '!hive-agent' + +3. After the above build command execution, you should see the following TAR files in the target folder: + + + ranger--trino-plugin.tar.gz +along with other plugins. + Build Process ============= @@ -102,4 +136,3 @@ Installation Process If the install.sh file does not exists, Execute ./enable--plugin.sh - diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh index ad021feee5..935780298d 100755 --- a/agents-common/scripts/enable-agent.sh +++ b/agents-common/scripts/enable-agent.sh @@ -212,7 +212,7 @@ elif [ "${HCOMPONENT_NAME}" = "kylin" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/tomcat/webapps/kylin/WEB-INF/lib elif [ "${HCOMPONENT_NAME}" = "elasticsearch" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/plugins -elif [ "${HCOMPONENT_NAME}" = "presto" ]; then +elif [ "${HCOMPONENT_NAME}" = "trino" ]; then HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/plugin/ranger if [ ! -d "${HCOMPONENT_LIB_DIR}" ]; then echo "INFO: Creating ${HCOMPONENT_LIB_DIR}" @@ -246,7 +246,7 @@ elif [ "${HCOMPONENT_NAME}" = "elasticsearch" ]; then echo "INFO: Changing ownership of $HCOMPONENT_CONF_DIR to $CFG_OWNER_INF" chown $CFG_OWNER_INF $HCOMPONENT_CONF_DIR fi -elif [ "${HCOMPONENT_NAME}" = "presto" ]; then +elif [ "${HCOMPONENT_NAME}" = "trino" ]; then HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/etc fi @@ -781,7 +781,7 @@ then fi fi -if [ "${HCOMPONENT_NAME}" = "presto" ] +if [ "${HCOMPONENT_NAME}" = "trino" ] then if [ "${action}" = "enable" ] then @@ -804,7 +804,7 @@ then echo "Add or Update properties file: [${fn}] ... " addOrUpdatePropertyToFile access-control.name $controlName ${fn} echo "Linking config files" - cd ${HCOMPONENT_LIB_DIR}/ranger-presto-plugin-impl/ + cd ${HCOMPONENT_LIB_DIR}/ranger-trino-plugin-impl/ ln -sf ${HCOMPONENT_CONF_DIR} conf fi 
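Review bot: The changed `cd ${HCOMPONENT_LIB_DIR}/ranger-trino-plugin-impl/` in the `@@ -804` hunk is unguarded, so if that directory is missing (for example a bundle built before this rename) the following `ln -sf ${HCOMPONENT_CONF_DIR} conf` creates the `conf` symlink in whatever the current directory happens to be; make it `cd "${HCOMPONENT_LIB_DIR}/ranger-trino-plugin-impl/" || { echo "ERROR: ${HCOMPONENT_LIB_DIR}/ranger-trino-plugin-impl not found"; exit 1; }`. The enclosing `if "${action}" = "enable"` block starts and ends outside the hunk. Note also that the `@@ -212`, `@@ -246` and `@@ -781` branches now match only `trino`, so a still-installed `presto` component name falls through those `elif` chains silently; if dropping presto is intended, a one-line comment above the first branch stating that would make it explicit.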
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 7775b08718..d06790e606 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -49,7 +49,7 @@ public class EmbeddedServiceDefsUtil {
 // following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- public static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch,presto,ozone,kudu,schema-registry";
+ public static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch,trino,ozone,kudu,schema-registry";
 private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
 private Set supportedServiceDefs;
 public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
@@ -71,7 +71,7 @@ public class EmbeddedServiceDefsUtil {
 public static final String EMBEDDED_SERVICEDEF_KYLIN_NAME = "kylin";
 public static final String EMBEDDED_SERVICEDEF_ABFS_NAME = "abfs";
 public static final String EMBEDDED_SERVICEDEF_ELASTICSEARCH_NAME = "elasticsearch";
- public static final String EMBEDDED_SERVICEDEF_PRESTO_NAME = "presto";
+ public static final String EMBEDDED_SERVICEDEF_TRINO_NAME = "trino";
 public static final String EMBEDDED_SERVICEDEF_OZONE_NAME = "ozone";
 public static final String EMBEDDED_SERVICEDEF_KUDU_NAME = "kudu";
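Review bot: The presto entries are replaced rather than supplemented: `DEFAULT_BOOTSTRAP_SERVICEDEF_LIST` swaps `presto` for `trino` and `EMBEDDED_SERVICEDEF_PRESTO_NAME` becomes `EMBEDDED_SERVICEDEF_TRINO_NAME`, with the same pattern in this file's `@@ -89`, `@@ -114`, `@@ -164` and `@@ -246` hunks. A store that already bootstrapped a `presto` service-def keeps it untouched while `init()` now creates a second def named `trino`, and any code elsewhere still referencing the removed constants or `getPrestoServiceDefId()` will stop compiling — neither is visible from here, so both are worth a grep before merging. A one-line comment next to the list would record the decision: `// NOTE: presto was replaced by trino in this fork; existing presto service-defs are not migrated`.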
@@ -89,7 +89,7 @@ public class EmbeddedServiceDefsUtil {
 public static final String SCHEMA_REGISTRY_IMPL_CLASS_NAME = "org.apache.ranger.services.schemaregistry.RangerServiceSchemaRegistry";
 public static final String NIFI_IMPL_CLASS_NAME = "org.apache.ranger.services.nifi.RangerServiceNiFi";
 public static final String ATLAS_IMPL_CLASS_NAME = "org.apache.ranger.services.atlas.RangerServiceAtlas";
- public static final String PRESTO_IMPL_CLASS_NAME = "org.apache.ranger.services.presto.RangerServicePresto";
+ public static final String TRINO_IMPL_CLASS_NAME = "org.apache.ranger.services.trino.RangerServiceTrino";
 public static final String OZONE_IMPL_CLASS_NAME = "org.apache.ranger.services.ozone.RangerServiceOzone";
 public static final String KUDU_IMPL_CLASS_NAME = "org.apache.ranger.services.kudu.RangerServiceKudu";
@@ -114,7 +114,7 @@ public class EmbeddedServiceDefsUtil {
 private RangerServiceDef kylinServiceDef;
 private RangerServiceDef abfsServiceDef;
 private RangerServiceDef elasticsearchServiceDef;
- private RangerServiceDef prestoServiceDef;
+ private RangerServiceDef trinoServiceDef;
 private RangerServiceDef ozoneServiceDef;
 private RangerServiceDef kuduServiceDef;
@@ -164,7 +164,7 @@ public void init(ServiceStore store) {
 kylinServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KYLIN_NAME);
 abfsServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ABFS_NAME);
 elasticsearchServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ELASTICSEARCH_NAME);
- prestoServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_PRESTO_NAME);
+ trinoServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_TRINO_NAME);
 ozoneServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_OZONE_NAME);
 kuduServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KUDU_NAME);
@@ -246,7 +246,7 @@ public long getElasticsearchServiceDefId() {
 public long getAbfsServiceDefId() { return getId(abfsServiceDef); }
- public long getPrestoServiceDefId() { return getId(prestoServiceDef); }
+ public long getTrinoServiceDefId() { return getId(trinoServiceDef); }
 public long getOzoneServiceDefId() { return getId(ozoneServiceDef); }
diff --git a/agents-common/src/main/resources/log4j.properties b/agents-common/src/main/resources/log4j.properties
new file mode 100644
index 0000000000..48e377fe2d
--- /dev/null
+++ b/agents-common/src/main/resources/log4j.properties
@@ -0,0 +1,26 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Root logger option
+log4j.rootLogger=INFO, stdout
+# Direct log messages to stdout
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{10}:%L - %m
\ No newline at end of file
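Review bot: The `ConversionPattern` on the last added line ends in `%m` with no `%n`, so with log4j 1.x `PatternLayout` consecutive records are written without a line break; it should read `log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %-5p %c{10}:%L - %m%n`. More broadly, placing `log4j.properties` under `agents-common/src/main/resources` ships a root-logger configuration inside a library jar that plugins, the admin and KMS are likely to load, and whichever `log4j.properties` is found first on the classpath wins, so consumers may silently start logging INFO to stdout with the costly `%L` location lookup. If this is only for local runs or tests, `src/test/resources` or the distro conf directory is the safer home; if it must ship, a header comment naming the intended consumer would help, e.g. `# Fallback console config for standalone use; host services are expected to supply their own log4j configuration`.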
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
similarity index 93%
rename from agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
rename to agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
index b16b02a7be..9621061271 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
@@ -1,10 +1,10 @@
 {
 "id": 17,
- "name": "presto",
- "displayName": "presto",
- "implClass": "org.apache.ranger.services.presto.RangerServicePresto",
- "label": "Presto",
- "description": "Presto",
+ "name": "trino",
+ "displayName": "trino",
+ "implClass": "org.apache.ranger.services.trino.RangerServiceTrino",
+ "label": "Trino",
+ "description": "Trino",
 "guid": "379a9fe5-1b6e-4091-a584-4890e245e6c1",
 "resources": [
 {
@@ -26,8 +26,8 @@
 "validationRegEx": "",
 "validationMessage": "",
 "uiHint": "",
- "label": "Presto Catalog",
- "description": "Presto Catalog"
+ "label": "Trino Catalog",
+ "description": "Trino Catalog"
 },
 {
 "itemId": 2,
@@ -48,8 +48,8 @@
 "validationRegEx": "",
 "validationMessage": "",
 "uiHint": "",
- "label": "Presto Schema",
- "description": "Presto Schema"
+ "label": "Trino Schema",
+ "description": "Trino Schema"
 },
 {
 "itemId": 3,
@@ -70,8 +70,8 @@
 "validationRegEx": "",
 "validationMessage": "",
 "uiHint": "",
- "label": "Presto Table",
- "description": "Presto Table"
+ "label": "Trino Table",
+ "description": "Trino Table"
 },
 {
 "itemId": 4,
@@ -91,12 +91,12 @@
 "validationRegEx": "",
 "validationMessage": "",
 "uiHint": "",
- "label": "Presto Column",
- "description": "Presto Column"
+ "label": "Trino Column",
+ "description": "Trino Column"
 },
 {
 "itemId": 5,
- "name": "prestouser",
+ "name": "trinouser",
 "type": "string",
 "level": 10,
 "parent": "",
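Review bot: The first hunk changes `name`, `displayName`, `implClass`, `label` and `description` but keeps `"id": 17` and the `guid` on the context line, so the trino service-def carries exactly the identity of the presto def it replaces. Whether that yields a second def, a collision, or an in-place rename on a store that already holds the presto def depends on how the store keys embedded defs (name versus id/guid), which is not visible here; confirm that against the store implementation, and unless an in-place rename is the intent, give trino a freshly generated `guid`. The renamed resource on the `@@ -91` hunk (`prestouser` to `trinouser`) will likewise not match policies saved under the old resource name.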
@@ -112,8 +112,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto User", - "description": "Presto User", + "label": "Trino User", + "description": "Trino User", "accessTypeRestrictions": ["impersonate"] }, { @@ -135,7 +135,7 @@ "validationMessage": "", "uiHint": "", "label": "System Property", - "description": "Presto System Property", + "description": "Trino System Property", "accessTypeRestrictions": ["alter"] }, { @@ -157,7 +157,7 @@ "validationMessage": "", "uiHint": "", "label": "Catalog Session Property", - "description": "Presto Catalog Session Property", + "description": "Trino Catalog Session Property", "accessTypeRestrictions": ["alter"] }, { @@ -178,8 +178,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Function", - "description": "Presto Function", + "label": "Trino Function", + "description": "Trino Function", "accessTypeRestrictions": ["execute", "grant"] }, { @@ -315,7 +315,7 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "defaultValue": "io.prestosql.jdbc.PrestoDriver" + "defaultValue": "io.trino.jdbc.TrinoDriver" }, { "itemId": 4, diff --git a/distro/pom.xml b/distro/pom.xml index 1b3c4a5b71..5e6e2b2732 100644 --- a/distro/pom.xml +++ b/distro/pom.xml @@ -52,15 +52,7 @@ false - src/main/assembly/hdfs-agent.xml src/main/assembly/hive-agent.xml - src/main/assembly/hbase-agent.xml - src/main/assembly/knox-agent.xml - src/main/assembly/storm-agent.xml - src/main/assembly/plugin-kafka.xml - src/main/assembly/plugin-yarn.xml - src/main/assembly/plugin-ozone.xml - src/main/assembly/plugin-solr.xml src/main/assembly/admin-web.xml src/main/assembly/solr_audit_conf.xml src/main/assembly/usersync.xml 
@@ -69,12 +61,7 @@ src/main/assembly/kms.xml src/main/assembly/ranger-tools.xml src/main/assembly/ranger-src.xml - src/main/assembly/plugin-atlas.xml - src/main/assembly/plugin-sqoop.xml - src/main/assembly/plugin-kylin.xml - src/main/assembly/plugin-elasticsearch.xml - src/main/assembly/plugin-schema-registry.xml - src/main/assembly/plugin-presto.xml + src/main/assembly/plugin-trino.xml @@ -525,7 +512,7 @@ - ranger-presto-plugin + ranger-trino-plugin @@ -544,7 +531,7 @@ false - src/main/assembly/plugin-presto.xml + src/main/assembly/plugin-trino.xml @@ -607,15 +594,7 @@ false - src/main/assembly/hdfs-agent.xml src/main/assembly/hive-agent.xml - src/main/assembly/hbase-agent.xml - src/main/assembly/knox-agent.xml - src/main/assembly/storm-agent.xml - src/main/assembly/plugin-kafka.xml - src/main/assembly/plugin-yarn.xml - src/main/assembly/plugin-ozone.xml - src/main/assembly/plugin-solr.xml src/main/assembly/admin-web.xml src/main/assembly/solr_audit_conf.xml src/main/assembly/usersync.xml @@ -624,12 +603,7 @@ src/main/assembly/kms.xml src/main/assembly/ranger-tools.xml src/main/assembly/ranger-src.xml - src/main/assembly/plugin-atlas.xml - src/main/assembly/plugin-sqoop.xml - src/main/assembly/plugin-kylin.xml - src/main/assembly/plugin-elasticsearch.xml - src/main/assembly/plugin-schema-registry.xml - src/main/assembly/plugin-presto.xml + src/main/assembly/plugin-trino.xml @@ -641,11 +615,4 @@ - - - org.apache.ranger - ranger-elasticsearch-plugin-shim - ${project.version} - - diff --git a/distro/src/main/assembly/admin-web.xml b/distro/src/main/assembly/admin-web.xml index 37765633d1..97fb9c078b 100644 --- a/distro/src/main/assembly/admin-web.xml +++ b/distro/src/main/assembly/admin-web.xml 
@@ -462,18 +462,18 @@ true - org.apache.ranger:ranger-presto-plugin + org.apache.ranger:ranger-trino-plugin - ews/webapp/WEB-INF/classes/ranger-plugins/presto + ews/webapp/WEB-INF/classes/ranger-plugins/trino true false 755 644 - org.apache.ranger:ranger-presto-plugin - io.prestosql:presto-spi:jar:${presto.version} - io.prestosql:presto-jdbc:jar:${presto.version} + org.apache.ranger:ranger-trino-plugin + io.trino:trino-spi:jar:${trino.version} + io.trino:trino-jdbc:jar:${trino.version} diff --git a/distro/src/main/assembly/plugin-presto.xml b/distro/src/main/assembly/plugin-trino.xml similarity index 85% rename from distro/src/main/assembly/plugin-presto.xml rename to distro/src/main/assembly/plugin-trino.xml index 09de1ad4ec..3c9bb9bce5 100644 --- a/distro/src/main/assembly/plugin-presto.xml +++ b/distro/src/main/assembly/plugin-trino.xml @@ -16,17 +16,17 @@ limitations under the License. --> - presto-plugin + trino-plugin tar.gz - ${project.parent.name}-${project.version}-presto-plugin + ${project.parent.name}-${project.version}-trino-plugin true true - org.apache.ranger:ranger-presto-plugin-shim + org.apache.ranger:ranger-trino-plugin-shim org.apache.ranger:ranger-plugin-classloader 
@@ -36,17 +36,19 @@ 755 644 - com.google.inject:guice:jar:${presto.guice.version} - com.google.guava:guava:jar:${presto.guava.version} - io.airlift:bootstrap:jar:${presto.airlift.version} - io.airlift:log:jar:${presto.airlift.version} - io.airlift:log-manager:jar:${presto.airlift.version} - io.airlift:configuration:jar:${presto.airlift.version} - javax.validation:validation-api:jar:${presto.validation-api.version} + com.google.inject:guice:jar:${trino.guice.version} + com.google.guava:guava:jar:${trino.guava.version} + io.airlift:bootstrap:jar:${trino.airlift.version} + io.airlift:log:jar:${trino.airlift.version} + io.airlift:log-manager:jar:${trino.airlift.version} + io.airlift:configuration:jar:${trino.airlift.version} + javax.validation:validation-api:jar:${trino.validation-api.version} javax.inject:javax.inject:jar:${javax-inject.version} - org.apache.bval:bval-jsr:jar:${presto.bval-jsr.version} + org.apache.bval:bval-jsr:jar:${trino.bval-jsr.version} org.slf4j:slf4j-api:jar:${slf4j-api.version} + log4j:log4j:jar:${log4j.version} javax.annotation:javax.annotation-api:jar:${javax.annotation-api} + com.fasterxml.jackson.core:jackson-core:jar:${fasterxml.jackson.version} @@ -57,10 +59,10 @@ org.apache.ranger:ranger-plugins-audit org.apache.ranger:ranger-plugins-cred org.apache.ranger:ranger-plugins-common - org.apache.ranger:ranger-presto-plugin + org.apache.ranger:ranger-trino-plugin - lib/ranger-presto-plugin-impl + lib/ranger-trino-plugin-impl true false 755 @@ -85,7 +87,7 @@ commons-logging:commons-logging:jar:${commons.logging.version} com.google.guava:guava:jar:${google.guava.version} com.google.protobuf:protobuf-java:jar:${protobuf-java.version} - com.google.re2j:re2j:jar:${presto.re2j.version} + com.google.re2j:re2j:jar:${trino.re2j.version} org.apache.commons:commons-configuration2:jar:${commons.configuration.version} org.apache.hadoop:hadoop-common:jar:${hadoop.version} org.apache.hadoop:hadoop-common-plus:jar:${hadoop.version} 
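Review bot: The dependency set in the `@@ -36` hunk adds `log4j:log4j:jar:${log4j.version}` to the Trino plugin bundle; those coordinates are the end-of-life log4j 1.x line, and the same list already carries `org.slf4j:slf4j-api` plus airlift `log`/`log-manager`, so a 1.x jar on the plugin classpath is a maintenance liability and likely a second logging backend fighting the Trino runtime's own. Confirm the plugin impl actually needs it; if it is only there to satisfy the new `agents-common` `log4j.properties`, drop the line here. If it has to stay, a comment on the line naming the class that requires it (e.g. `<!-- required by <class-name> in ranger-trino-plugin -->`) keeps the next reviewer from removing it.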
@@ -135,7 +137,7 @@ commons-cli:commons-cli commons-collections:commons-collections - com.google.guava:guava:jar:${presto.guava.version} + com.google.guava:guava:jar:${trino.guava.version} org.apache.commons:commons-configuration2:jar:${commons.configuration.version} commons-io:commons-io:jar:${commons.io.version} commons-lang:commons-lang @@ -156,7 +158,7 @@ install/conf.templates/enable - ../plugin-presto/conf + ../plugin-trino/conf *.sh @@ -164,12 +166,12 @@ install/conf.templates/disable - ../plugin-presto/disable-conf + ../plugin-trino/disable-conf 700 install/conf.templates/default - ../plugin-presto/template + ../plugin-trino/template 700 @@ -188,17 +190,17 @@ ${project.parent.basedir}/agents-common/scripts/enable-agent.sh - enable-presto-plugin.sh + enable-trino-plugin.sh 755 ${project.parent.basedir}/agents-common/scripts/enable-agent.sh - disable-presto-plugin.sh + disable-trino-plugin.sh 755 - ${project.parent.basedir}/plugin-presto/scripts/install.properties + ${project.parent.basedir}/plugin-trino/scripts/install.properties install.properties 755 diff --git a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java index 371e367c18..8a9919da05 100644 --- a/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java +++ b/kms/src/main/java/org/apache/hadoop/crypto/key/RangerSafenetKeySecure.java 
@@ -69,7 +69,9 @@ public RangerSafenetKeySecure(Configuration conf) throws Exception {
 int javaVersion = getJavaVersion();
 /*Minimum java requirement for Ranger KMS is Java 8 and Maximum java supported by Ranger KMS is Java 11*/
 if(javaVersion == 8){
- provider = new sun.security.pkcs11.SunPKCS11(pkcs11CfgFilePath);
+ provider = (Provider) Class.forName("sun.security.pkcs11.SunPKCS11")
+ .getConstructor(String.class)
+ .newInstance(pkcs11CfgFilePath);
 }else if(javaVersion == 9 || javaVersion == 10 || javaVersion == 11){
 Class cls = Provider.class;
 Method configureMethod = null;
diff --git a/plugin-presto/conf/ranger-presto-security-changes.cfg b/plugin-presto/conf/ranger-presto-security-changes.cfg
deleted file mode 100644
index 15fc7fd9f6..0000000000
--- a/plugin-presto/conf/ranger-presto-security-changes.cfg
+++ /dev/null
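Review bot: The reflective `newInstance(pkcs11CfgFilePath)` wraps any failure of the SunPKCS11 constructor (unreadable config file, PKCS#11 library that will not load) in `InvocationTargetException`, and `Class.forName` throws `ClassNotFoundException` when the provider class is absent from the running JDK, so the exception that escapes this `throws Exception` constructor no longer names the real cause an operator needs. Wrap the three added lines in a try block and rethrow with the cause preserved, e.g. `catch (InvocationTargetException e) { throw new IllegalStateException("SunPKCS11 init failed for " + pkcs11CfgFilePath, e.getCause()); }`, with a sibling clause for `ReflectiveOperationException`. A one-line comment above the `Class.forName` saying why reflection is used (`// reflective so the class compiles on JDK 9+ where sun.security.pkcs11 is not exported`) would stop someone reverting it to the direct constructor. `RangerSafenetKeySecure(Configuration conf)` starts before the hunk and continues after it.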
@@ -1,28 +0,0 @@ -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Change the original policy parameter to work with policy manager based. -# -# -ranger.plugin.presto.service.name %REPOSITORY_NAME% mod create-if-not-exists - -ranger.plugin.presto.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists - -ranger.plugin.presto.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists -ranger.plugin.presto.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists -ranger.plugin.presto.policy.pollIntervalMs 30000 mod create-if-not-exists -ranger.plugin.presto.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists -ranger.plugin.presto.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists -ranger.plugin.presto.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists \ No newline at end of file diff --git a/plugin-presto/.gitignore b/plugin-trino/.gitignore similarity index 100% rename from plugin-presto/.gitignore rename to plugin-trino/.gitignore 
diff --git a/plugin-presto/conf/ranger-policymgr-ssl-changes.cfg b/plugin-trino/conf/ranger-policymgr-ssl-changes.cfg similarity index 100% rename from plugin-presto/conf/ranger-policymgr-ssl-changes.cfg rename to plugin-trino/conf/ranger-policymgr-ssl-changes.cfg diff --git a/plugin-presto/conf/ranger-policymgr-ssl.xml b/plugin-trino/conf/ranger-policymgr-ssl.xml similarity index 90% rename from plugin-presto/conf/ranger-policymgr-ssl.xml rename to plugin-trino/conf/ranger-policymgr-ssl.xml index 5ac7cf14c7..21cea432af 100644 --- a/plugin-presto/conf/ranger-policymgr-ssl.xml +++ b/plugin-trino/conf/ranger-policymgr-ssl.xml @@ -20,7 +20,7 @@ xasecure.policymgr.clientssl.keystore - prestoservice-clientcert.jks + trinoservice-clientcert.jks Java Keystore files @@ -34,14 +34,14 @@ xasecure.policymgr.clientssl.keystore.credential.file - jceks://file/tmp/keystore-prestoservice-ssl.jceks + jceks://file/tmp/keystore-trinoservice-ssl.jceks java keystore credential file xasecure.policymgr.clientssl.truststore.credential.file - jceks://file/tmp/truststore-prestoservice-ssl.jceks + jceks://file/tmp/truststore-trinoservice-ssl.jceks java truststore credential file diff --git a/plugin-presto/conf/ranger-presto-audit-changes.cfg b/plugin-trino/conf/ranger-trino-audit-changes.cfg similarity index 100% rename from plugin-presto/conf/ranger-presto-audit-changes.cfg rename to plugin-trino/conf/ranger-trino-audit-changes.cfg diff --git a/plugin-presto/conf/ranger-presto-audit.xml b/plugin-trino/conf/ranger-trino-audit.xml similarity index 93% rename from plugin-presto/conf/ranger-presto-audit.xml rename to plugin-trino/conf/ranger-trino-audit.xml index c72771e995..a422d0f874 100644 --- a/plugin-presto/conf/ranger-presto-audit.xml +++ b/plugin-trino/conf/ranger-trino-audit.xml @@ -72,7 +72,7 @@ xasecure.audit.credential.provider.file - jceks://file/etc/ranger/prestodev/auditcred.jceks + jceks://file/etc/ranger/trinodev/auditcred.jceks 
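Review bot: The renamed credential-file values in the `@@ -34` hunk of `ranger-policymgr-ssl.xml` keep `/tmp` as the location for `keystore-trinoservice-ssl.jceks` and `truststore-trinoservice-ssl.jceks`, so the template steers operators toward storing keystore passwords in a world-accessible directory; the audit template in the same change already uses a service-owned path (`jceks://file/etc/ranger/trinodev/auditcred.jceks`), and these two should follow it, e.g. `jceks://file/etc/ranger/trinoservice/keystore-ssl.jceks`. The `/tmp` path is inherited from the presto file, so this is a pre-existing default that the rename was a good moment to fix.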
@@ -130,7 +130,7 @@ xasecure.audit.hdfs.config.local.buffer.directory - /var/log/presto/audit + /var/log/trino/audit @@ -155,7 +155,7 @@ xasecure.audit.hdfs.config.local.archive.directory - /var/log/presto/audit/archive + /var/log/trino/audit/archive @@ -222,29 +222,29 @@ - + - xasecure.audit.presto.is.enabled + xasecure.audit.trino.is.enabled false - xasecure.audit.presto.async.max.queue.size + xasecure.audit.trino.async.max.queue.size 1 - xasecure.audit.presto.async.max.flush.interval.ms + xasecure.audit.trino.async.max.flush.interval.ms 1000 - xasecure.audit.presto.broker_list + xasecure.audit.trino.broker_list localhost:9092 - xasecure.audit.presto.topic_name + xasecure.audit.trino.topic_name ranger_audits diff --git a/plugin-trino/conf/ranger-trino-security-changes.cfg b/plugin-trino/conf/ranger-trino-security-changes.cfg new file mode 100644 index 0000000000..bbb47cf141 --- /dev/null +++ b/plugin-trino/conf/ranger-trino-security-changes.cfg 
@@ -0,0 +1,28 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Change the original policy parameter to work with policy manager based. +# +# +ranger.plugin.trino.service.name %REPOSITORY_NAME% mod create-if-not-exists + +ranger.plugin.trino.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists + +ranger.plugin.trino.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists +ranger.plugin.trino.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml mod create-if-not-exists +ranger.plugin.trino.policy.pollIntervalMs 30000 mod create-if-not-exists +ranger.plugin.trino.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists +ranger.plugin.trino.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists +ranger.plugin.trino.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists \ No newline at end of file diff --git a/plugin-presto/conf/ranger-presto-security.xml b/plugin-trino/conf/ranger-trino-security.xml similarity index 77% rename from plugin-presto/conf/ranger-presto-security.xml rename to plugin-trino/conf/ranger-trino-security.xml index 9feae81a61..1b2995a99c 100644 --- a/plugin-presto/conf/ranger-presto-security.xml 
+++ b/plugin-trino/conf/ranger-trino-security.xml @@ -17,15 +17,15 @@ --> - ranger.plugin.presto.service.name - prestoservice + ranger.plugin.trino.service.name + trinoservice - Name of the Ranger service containing policies for this Presto instance + Name of the Ranger service containing policies for this Trino instance - ranger.plugin.presto.policy.source.impl + ranger.plugin.trino.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient Class to retrieve policies from the source @@ -33,7 +33,7 @@ - ranger.plugin.presto.policy.rest.url + ranger.plugin.trino.policy.rest.url http://localhost:6080 URL to Ranger Admin @@ -41,7 +41,7 @@ - ranger.plugin.presto.policy.rest.ssl.config.file + ranger.plugin.trino.policy.rest.ssl.config.file /etc/hadoop/conf/ranger-policymgr-ssl.xml Path to the file containing SSL details to contact Ranger Admin @@ -49,7 +49,7 @@ - ranger.plugin.presto.policy.pollIntervalMs + ranger.plugin.trino.policy.pollIntervalMs 30000 How often to poll for changes in policies? @@ -57,7 +57,7 @@ - ranger.plugin.presto.policy.rest.client.connection.timeoutMs + ranger.plugin.trino.policy.rest.client.connection.timeoutMs 30000 S3 Plugin RangerRestClient Connection Timeout in Milli Seconds @@ -65,7 +65,7 @@ - ranger.plugin.presto.policy.rest.client.read.timeoutMs + ranger.plugin.trino.policy.rest.client.read.timeoutMs 30000 S3 Plugin RangerRestClient read Timeout in Milli Seconds diff --git a/plugin-presto/pom.xml b/plugin-trino/pom.xml similarity index 82% rename from plugin-presto/pom.xml rename to plugin-trino/pom.xml index 70ba82350c..f85296335e 100644 --- a/plugin-presto/pom.xml +++ b/plugin-trino/pom.xml @@ -18,9 +18,9 @@ 4.0.0 - ranger-presto-plugin - Presto Security Plugin - Presto Security Plugin + ranger-trino-plugin + Trino Security Plugin + Trino Security Plugin jar UTF-8 
@@ -33,14 +33,19 @@ - io.prestosql - presto-spi - ${presto.version} + io.trino + trino-spi + ${trino.version} - io.prestosql - presto-jdbc - ${presto.version} + io.airlift + log + ${trino.airlift.version} + + + io.trino + trino-jdbc + ${trino.version} org.apache.httpcomponents diff --git a/plugin-presto/scripts/install.properties b/plugin-trino/scripts/install.properties similarity index 87% rename from plugin-presto/scripts/install.properties rename to plugin-trino/scripts/install.properties index 9565335719..dc649e6183 100644 --- a/plugin-presto/scripts/install.properties +++ b/plugin-trino/scripts/install.properties @@ -25,7 +25,7 @@ POLICY_MGR_URL= # This is the repository name created within policy manager # # Example: -# REPOSITORY_NAME=prestodev +# REPOSITORY_NAME=trinodev # REPOSITORY_NAME= @@ -34,21 +34,21 @@ REPOSITORY_NAME= # This location should be relative to the parent of the directory containing # the plugin installation files. # -COMPONENT_INSTALL_DIR_NAME=../presto +COMPONENT_INSTALL_DIR_NAME=../trino # Enable audit logs to Solr #Example #XAAUDIT.SOLR.ENABLE=true #XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits #XAAUDIT.SOLR.ZOOKEEPER= -#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/presto/audit/solr/spool +#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool XAAUDIT.SOLR.ENABLE=false XAAUDIT.SOLR.URL=NONE XAAUDIT.SOLR.USER=NONE XAAUDIT.SOLR.PASSWORD=NONE XAAUDIT.SOLR.ZOOKEEPER=NONE -XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/presto/audit/solr/spool +XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool # Enable audit logs to ElasticSearch #Example 
@@ -71,11 +71,11 @@ XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE # If using Azure Blob Storage #XAAUDIT.HDFS.HDFS_DIR=wasb[s]://@.blob.core.windows.net/ #XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit -#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/presto/audit/hdfs/spool +#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool XAAUDIT.HDFS.ENABLE=false XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit -XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/presto/audit/hdfs/spool +XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool # Following additional propertis are needed When auditing to Azure Blob Storage via HDFS # Get these values from your /etc/hadoop/conf/core-site.xml 
@@ -103,19 +103,19 @@ XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit # that start with __REPLACE__ with appropriate values # XAAUDIT.HDFS.IS_ENABLED=true # XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd% -# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/presto/audit -# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/presto/audit/archive +# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit +# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive # # Example: # XAAUDIT.HDFS.IS_ENABLED=true # XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://namenode.example.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd% -# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/presto/audit -# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/presto/audit/archive +# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/trino/audit +# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/trino/audit/archive # XAAUDIT.HDFS.IS_ENABLED=false XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd% -XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/presto/audit -XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/presto/audit/archive +XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit +XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive XAAUDIT.HDFS.DESTINTATION_FILE=%hostname%-audit.log XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900 @@ -154,7 +154,7 @@ SSL_TRUSTSTORE_PASSWORD=changeit # Custom component user # CUSTOM_COMPONENT_USER= # keep blank if component user is default -CUSTOM_USER=presto +CUSTOM_USER=trino # 
diff --git a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java similarity index 53% rename from plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java rename to plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java index f4fc89dc1a..d1f05ba170 100644 --- a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java +++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java 
@@ -16,20 +16,23 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.ranger.authorization.presto.authorizer; - -import io.prestosql.spi.connector.CatalogSchemaName; -import io.prestosql.spi.connector.CatalogSchemaRoutineName; -import io.prestosql.spi.connector.CatalogSchemaTableName; -import io.prestosql.spi.connector.ColumnMetadata; -import io.prestosql.spi.connector.SchemaTableName; -import io.prestosql.spi.security.AccessDeniedException; -import io.prestosql.spi.security.PrestoPrincipal; -import io.prestosql.spi.security.Privilege; -import io.prestosql.spi.security.SystemAccessControl; -import io.prestosql.spi.security.SystemSecurityContext; -import io.prestosql.spi.security.ViewExpression; -import io.prestosql.spi.type.Type; +package org.apache.ranger.authorization.trino.authorizer; + +import io.trino.spi.connector.CatalogSchemaName; +import io.trino.spi.connector.CatalogSchemaRoutineName; +import io.trino.spi.connector.CatalogSchemaTableName; +import io.trino.spi.connector.EntityKindAndName; +import io.trino.spi.connector.EntityPrivilege; +import io.trino.spi.connector.SchemaTableName; +import io.trino.spi.QueryId; +import io.trino.spi.security.AccessDeniedException; +import io.trino.spi.security.Identity; +import io.trino.spi.security.TrinoPrincipal; +import io.trino.spi.security.Privilege; +import io.trino.spi.security.SystemAccessControl; +import io.trino.spi.security.SystemSecurityContext; +import io.trino.spi.security.ViewExpression; +import io.trino.spi.type.Type; import org.apache.commons.lang.StringUtils; import org.apache.hadoop.conf.Configuration; import org.apache.hadoop.security.UserGroupInformation; 
@@ -40,14 +43,15 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.service.RangerBasePlugin; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import io.airlift.log.Logger; import java.io.IOException; import java.net.URL; import java.security.Principal; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; +import java.util.Collection; import java.util.Date; import java.util.HashSet; import java.util.List; @@ -59,15 +63,15 @@ public class RangerSystemAccessControl implements SystemAccessControl { - private static Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class); + private static final Logger LOG = Logger.get(RangerSystemAccessControl.class); final public static String RANGER_CONFIG_KEYTAB = "ranger.keytab"; final public static String RANGER_CONFIG_PRINCIPAL = "ranger.principal"; final public static String RANGER_CONFIG_USE_UGI = "ranger.use_ugi"; final public static String RANGER_CONFIG_HADOOP_CONFIG = "ranger.hadoop_config"; - final public static String RANGER_PRESTO_DEFAULT_HADOOP_CONF = "presto-ranger-site.xml"; - final public static String RANGER_PRESTO_SERVICETYPE = "presto"; - final public static String RANGER_PRESTO_APPID = "presto"; + final public static String RANGER_TRINO_DEFAULT_HADOOP_CONF = "trino-ranger-site.xml"; + final public static String RANGER_TRINO_SERVICETYPE = "trino"; + final public static String RANGER_TRINO_APPID = "trino"; final private RangerBasePlugin rangerPlugin; @@ -85,7 +89,7 @@ public RangerSystemAccessControl(Map config) { hadoopConf.addResource(url); } } else { - URL url = hadoopConf.getResource(RANGER_PRESTO_DEFAULT_HADOOP_CONF); + URL url = hadoopConf.getResource(RANGER_TRINO_DEFAULT_HADOOP_CONF); if (LOG.isDebugEnabled()) { LOG.debug("Trying to load Hadoop config from " + url + " (can be null)"); } 
@@ -113,7 +117,7 @@ public RangerSystemAccessControl(Map config) { useUgi = true; } - rangerPlugin = new RangerBasePlugin(RANGER_PRESTO_SERVICETYPE, RANGER_PRESTO_APPID); + rangerPlugin = new RangerBasePlugin(RANGER_TRINO_SERVICETYPE, RANGER_TRINO_APPID); rangerPlugin.init(); rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler()); } @@ -121,7 +125,7 @@ public RangerSystemAccessControl(Map config) { /** FILTERING AND DATA MASKING **/ - private RangerAccessResult getDataMaskResult(RangerPrestoAccessRequest request) { + private RangerAccessResult getDataMaskResult(RangerTrinoAccessRequest request) { if (LOG.isDebugEnabled()) { LOG.debug("==> getDataMaskResult(request=" + request + ")"); } @@ -135,7 +139,7 @@ private RangerAccessResult getDataMaskResult(RangerPrestoAccessRequest request) return ret; } - private RangerAccessResult getRowFilterResult(RangerPrestoAccessRequest request) { + private RangerAccessResult getRowFilterResult(RangerTrinoAccessRequest request) { if(LOG.isDebugEnabled()) { LOG.debug("==> getRowFilterResult(request=" + request + ")"); } 
@@ -157,30 +161,39 @@ private boolean isRowFilterEnabled(RangerAccessResult result) { return result != null && result.isRowFilterEnabled(); } - @Override - public Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) { - RangerPrestoAccessRequest request = createAccessRequest(createResource(tableName), context, PrestoAccessType.SELECT); + private Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) { + RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT); RangerAccessResult result = getRowFilterResult(request); ViewExpression viewExpression = null; if (isRowFilterEnabled(result)) { String filter = result.getFilterExpr(); - viewExpression = new ViewExpression( - context.getIdentity().getUser(), - Optional.of(tableName.getCatalogName()), - Optional.of(tableName.getSchemaTableName().getSchemaName()), - filter - ); + viewExpression = ViewExpression.builder() + .identity(context.getIdentity().getUser()) + .catalog(Optional.of(tableName.getCatalogName()).get()) + .schema(Optional.of(tableName.getSchemaTableName().getSchemaName()).get()) + .expression(filter) + .build(); } return Optional.ofNullable(viewExpression); } + @Override + public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) + { + // TODO{utk}: add implementation for multiple row filters + return getRowFilter(context, tableName) + .map(Collections::singletonList) + .orElse(Collections.emptyList()); + } + + @Deprecated @Override public Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) { - RangerPrestoAccessRequest request = createAccessRequest( + RangerTrinoAccessRequest request = createAccessRequest( createResource(tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(), tableName.getSchemaTableName().getTableName(), Optional.of(columnName)), - context, 
PrestoAccessType.SELECT); + context, TrinoAccessType.SELECT); RangerAccessResult result = getDataMaskResult(request); ViewExpression viewExpression = null; @@ -209,12 +222,12 @@ public Optional getColumnMask(SystemSecurityContext context, Cat transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName()); } - viewExpression = new ViewExpression( - context.getIdentity().getUser(), - Optional.of(tableName.getCatalogName()), - Optional.of(tableName.getSchemaTableName().getSchemaName()), - transformer - ); + viewExpression = ViewExpression.builder() + .identity(context.getIdentity().getUser()) + .catalog(Optional.of(tableName.getCatalogName()).get()) + .schema(Optional.of(tableName.getSchemaTableName().getSchemaName()).get()) + .expression(transformer) + .build(); if (LOG.isDebugEnabled()) { LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s"); } 
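Review bot: `.catalog(Optional.of(tableName.getCatalogName()).get())` and the matching `.schema(...)` call on the row-filter builder wrap a value only to unwrap it on the same line; the builder takes the plain string, so pass `tableName.getCatalogName()` and `tableName.getSchemaTableName().getSchemaName()` directly (the same pattern is repeated in the getColumnMask hunk on this line). The `// TODO{utk}` in `getRowFilters` should say whether the singleton list is a gap or a design choice: `result.getFilterExpr()` yields one expression per table, so a comment such as `// Ranger resolves a single row-filter expression per table, hence at most one element` would settle that for the next maintainer. `getColumnMask` is marked `@Deprecated` here while its replacement is still a commented-out stub in the following hunk, so the deprecation should be tied to that follow-up.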
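Review bot: The context line `LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");` right after the new `ViewExpression.builder()` block is never given arguments, so it logs the literal `%s` placeholders. The airlift `Logger` this commit switches to (imports hunk above) has a varargs overload that formats them, so pass the values the surrounding lines already hold: `LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s", context.getIdentity().getUser(), tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(), transformer);`. getColumnMask's body begins in the previous hunk.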
@@ -224,12 +237,32 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
 return Optional.ofNullable(viewExpression);
 }
+// @Override
+// public Map getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, List columns) {
+// }
+
+ @Override
+ public void checkCanCreateCatalog(SystemSecurityContext context, String catalog)
+ {
+ // TODO{utk} implementation
+ LOG.debug("RangerSystemAccessControl.checkCanCreateCatalog(" + catalog + ") denied");
+ AccessDeniedException.denyCreateCatalog(catalog);
+ }
+
+ @Override
+ public void checkCanDropCatalog(SystemSecurityContext context, String catalog)
+ {
+ // TODO{utk} implementation
+ LOG.debug("RangerSystemAccessControl.checkCanDropCatalog(" + catalog + ") denied");
+ AccessDeniedException.denyDropCatalog(catalog);
+ }
+
 @Override
 public Set filterCatalogs(SystemSecurityContext context, Set catalogs) {
 LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");
 Set filteredCatalogs = new HashSet<>(catalogs.size());
 for (String catalog: catalogs) {
- if (hasPermission(createResource(catalog), context, PrestoAccessType.SELECT)) {
+ if (hasPermission(createResource(catalog), context, TrinoAccessType.SELECT)) {
 filteredCatalogs.add(catalog);
 }
 }
@@ -241,7 +274,7 @@ public Set filterSchemas(SystemSecurityContext context, String catalogNa
 LOG.debug("==> RangerSystemAccessControl.filterSchemas(" + catalogName + ")");
 Set filteredSchemaNames = new HashSet<>(schemaNames.size());
 for (String schemaName: schemaNames) {
- if (hasPermission(createResource(catalogName, schemaName), context, PrestoAccessType.SELECT)) {
+ if (hasPermission(createResource(catalogName, schemaName), context, TrinoAccessType.SELECT)) {
 filteredSchemaNames.add(schemaName);
 }
 }
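Review bot: The commented-out `getColumnMasks` stub should be implemented or deleted, and the choice matters for enforcement rather than tidiness: `getColumnMask` is `@Deprecated` in the previous hunk, and the plural method (which takes the table's column list, as the stub's signature shows) is the entry point newer trino-spi releases call. If the default `getColumnMasks` in the pinned `trino.version` does not delegate to the single-column override, Ranger masking policies would silently stop being applied; confirm against the SPI source and, if needed, implement the plural variant by calling `getColumnMask` per column and collecting the non-empty results. The `// TODO{utk} implementation` lines on `checkCanCreateCatalog`/`checkCanDropCatalog` should record that the unconditional deny is intentional, e.g. `// No Ranger resource models catalog lifecycle yet; deny unconditionally (fail-closed) instead of inheriting the SPI default.`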
@@ -253,8 +286,8 @@ public Set filterTables(SystemSecurityContext context, String c LOG.debug("==> RangerSystemAccessControl.filterTables(" + catalogName + ")"); Set filteredTableNames = new HashSet<>(tableNames.size()); for (SchemaTableName tableName : tableNames) { - RangerPrestoResource res = createResource(catalogName, tableName.getSchemaName(), tableName.getTableName()); - if (hasPermission(res, context, PrestoAccessType.SELECT)) { + RangerTrinoResource res = createResource(catalogName, tableName.getSchemaName(), tableName.getTableName()); + if (hasPermission(res, context, TrinoAccessType.SELECT)) { filteredTableNames.add(tableName); } } 
@@ -266,18 +299,27 @@ public Set filterTables(SystemSecurityContext context, String c
 /** SYSTEM **/
 @Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
- if (!hasPermission(createSystemPropertyResource(propertyName), context, PrestoAccessType.ALTER)) {
+ public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName) {
+ if (!hasPermission(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
+ AccessDeniedException.denySetSystemSessionProperty(propertyName);
+ }
+ }
+
+ @Deprecated
+ @Override
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
+ if (!hasPermission(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
 LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
 AccessDeniedException.denySetSystemSessionProperty(propertyName);
 }
 }
 @Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
- if (!hasPermission(createUserResource(userName), context, PrestoAccessType.IMPERSONATE)) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
+ if (!hasPermission(createUserResource(userName), identity, TrinoAccessType.IMPERSONATE)) {
 LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), userName);
 }
 }
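Review bot: The two `checkCanSetSystemSessionProperty` overloads carry identical bodies; the `QueryId` in the new SPI signature is not part of the Ranger resource, so a single private helper can serve both and keeps a later change to the check from diverging between them. Both overloads and `checkCanImpersonateUser` also depend on a `hasPermission(..., Identity, ...)` overload that lies outside this hunk; a one-line comment on the first caller stating that `Identity` is evaluated the same way as `SystemSecurityContext.getIdentity()` would help readers. The restructuring below is the only code change proposed.
```java
@Override
public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName) {
    // QueryId is not part of the Ranger resource model; both SPI overloads share one check.
    checkSystemSessionProperty(identity, propertyName);
}

@Deprecated
@Override
public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
    checkSystemSessionProperty(identity, propertyName);
}

// Shared body for both overloads: ALTER on the system-property resource, else deny.
private void checkSystemSessionProperty(Identity identity, String propertyName) {
    if (!hasPermission(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
        LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
        AccessDeniedException.denySetSystemSessionProperty(propertyName);
    }
}
// … unchanged: checkCanImpersonateUser …
```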
@@ -289,32 +331,24 @@ public void checkCanSetUser(Optional principal, String userName) {
 /** CATALOG **/
 @Override
 public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
- if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, PrestoAccessType.ALTER)) {
+ if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) {
 LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
 AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
 }
 }
 @Override
- public void checkCanShowRoles(SystemSecurityContext context, String catalogName) {
- if (!hasPermission(createResource(catalogName), context, PrestoAccessType.SHOW)) {
- LOG.debug("RangerSystemAccessControl.checkCanShowRoles(" + catalogName + ") denied");
- AccessDeniedException.denyShowRoles(catalogName);
- }
- }
-
-
- @Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
- if (!hasPermission(createResource(catalogName), context, PrestoAccessType.USE)) {
- LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
- AccessDeniedException.denyCatalogAccess(catalogName);
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
+ if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) {
+ LOG.debug("RangerSystemAccessControl.canAccessCatalog(" + catalogName + ") denied");
+ return false;
 }
+ return true;
 }
 @Override
 public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
- if (!hasPermission(createResource(catalogName), context, PrestoAccessType.SHOW)) {
+ if (!hasPermission(createResource(catalogName), context, TrinoAccessType.SHOW)) {
 LOG.debug("RangerSystemAccessControl.checkCanShowSchemas(" + catalogName + ") denied");
AccessDeniedException.denyShowSchemas(catalogName); } @@ -323,8 +357,8 @@ public void checkCanShowSchemas(SystemSecurityContext context, String catalogNam /** SCHEMA **/ @Override - public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, PrestoPrincipal principal) { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.GRANT)) { + public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) { + if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.GRANT)) { LOG.debug("RangerSystemAccessControl.checkCanSetSchemaAuthorization(" + schema.getSchemaName() + ") denied"); AccessDeniedException.denySetSchemaAuthorization(schema.getSchemaName(), principal); } @@ -332,7 +366,7 @@ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, Catalo @Override public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.SHOW)) { + if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.SHOW)) { LOG.debug("RangerSystemAccessControl.checkCanShowCreateSchema(" + schema.getSchemaName() + ") denied"); AccessDeniedException.denyShowCreateSchema(schema.getSchemaName()); } 
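Review bot: Removing `checkCanShowRoles` changes who may run SHOW ROLES from a Ranger SHOW check on the catalog to whatever the `SystemAccessControl` interface default does for the replacement signature, and nothing in the hunk records that outcome. If the targeted trino-spi still exposes a catalog-less `checkCanShowRoles(SystemSecurityContext)`, override it explicitly, either with the Ranger SHOW check the removed method applied or with an unconditional deny, so the behaviour is visible in this file rather than inherited (the interface defaults for most check methods are, as far as I recall, denials; confirm). The context line in `checkCanSetCatalogSessionProperty` still logs `checkCanSetSystemSessionProperty(`, so catalog-property denials are misattributed in the debug trail. This hunk starts on the previous line.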
@@ -343,8 +377,8 @@ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchem * to create a schema when you have create rights on the catalog level */ @Override - public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) { - if (!hasPermission(createResource(schema.getCatalogName()), context, PrestoAccessType.CREATE)) { + public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) { + if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) { LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied"); AccessDeniedException.denyCreateSchema(schema.getSchemaName()); } @@ -355,7 +389,7 @@ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaNam */ @Override public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) { - if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.DROP)) { + if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.DROP)) { LOG.debug("RangerSystemAccessControl.checkCanDropSchema(" + schema.getSchemaName() + ") denied"); AccessDeniedException.denyDropSchema(schema.getSchemaName()); } 
@@ -366,8 +400,8 @@ public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName */ @Override public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) { - RangerPrestoResource res = createResource(schema.getCatalogName(), schema.getSchemaName()); - if (!hasPermission(res, context, PrestoAccessType.ALTER)) { + RangerTrinoResource res = createResource(schema.getCatalogName(), schema.getSchemaName()); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { LOG.debug("RangerSystemAccessControl.checkCanRenameSchema(" + schema.getSchemaName() + ") denied"); AccessDeniedException.denyRenameSchema(schema.getSchemaName(), newSchemaName); } @@ -377,7 +411,7 @@ public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaNam @Override public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) { - if (!hasPermission(createResource(schema), context, PrestoAccessType.SHOW)) { + if (!hasPermission(createResource(schema), context, TrinoAccessType.SHOW)) { LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + schema.toString() + ") denied"); AccessDeniedException.denyShowTables(schema.toString()); } 
@@ -386,18 +420,20 @@ public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName @Override public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) { - if (!hasPermission(createResource(table), context, PrestoAccessType.SHOW)) { + if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) { LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied"); AccessDeniedException.denyShowCreateTable(table.toString()); } } /** - * Create table is verified on schema level + * Check if identity is allowed to create the specified table with properties in a catalog. + * */ + @Override - public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) { - if (!hasPermission(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName()), context, PrestoAccessType.CREATE)) { + public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map properties) { + if (!hasPermission(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) { LOG.debug("RangerSystemAccessControl.checkCanCreateTable(" + table.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyCreateTable(table.getSchemaTableName().getTableName()); } @@ -408,7 +444,7 @@ public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTabl */ @Override public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) { - if (!hasPermission(createResource(table), context, PrestoAccessType.DROP)) { + if (!hasPermission(createResource(table), context, TrinoAccessType.DROP)) { LOG.debug("RangerSystemAccessControl.checkCanDropTable(" + table.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyDropTable(table.getSchemaTableName().getTableName()); } 
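Review bot: The rewritten Javadoc on `checkCanCreateTable` ends with an empty `*` line and is then separated from `@Override` by a blank line, which detaches the comment from the method; collapse it to `/** Check if identity is allowed to create the specified table with properties in a catalog. */` directly above `@Override`. The new `properties` parameter here, and on `checkCanCreateSchema` in the hunk two lines up, is not consulted, while the Javadoc says "with properties"; a sentence such as `Table properties are not part of the Ranger resource model and are not evaluated; the check is on the schema.` keeps the doc honest. The context line in `checkCanShowCreateTable` still logs `checkCanShowTables(`, so its denials are misattributed in the debug trail.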
@@ -419,17 +455,39 @@ public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableN
 */
 @Override
 public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
- RangerPrestoResource res = createResource(table);
- if (!hasPermission(res, context, PrestoAccessType.ALTER)) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
 LOG.debug("RangerSystemAccessControl.checkCanRenameTable(" + table.getSchemaTableName().getTableName() + ") denied");
 AccessDeniedException.denyRenameTable(table.getSchemaTableName().getTableName(), newTable.getSchemaTableName().getTableName());
 }
 }
+ @Override
+ public void checkCanSetTableProperties(
+ SystemSecurityContext context, CatalogSchemaTableName table, Map> properties
+ ) {
+ RangerTrinoResource res = createResource(table);
+ if (
+ !hasPermission(res, context, TrinoAccessType.ALTER)
+ // && !hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)
+ ) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetTableProperties(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denySetTableProperties(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanSetViewComment(SystemSecurityContext context, CatalogSchemaTableName view){
+ if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetViewComment(" + view.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCommentView(view.getSchemaTableName().getTableName());
+ }
+ }
+
 @Override
 public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
- RangerPrestoResource res = createResource(table);
- if (!hasPermission(res, context, PrestoAccessType.INSERT)) {
+ RangerTrinoResource res = createResource(table);
+ if 
(!hasPermission(res, context, TrinoAccessType.INSERT)) {
 LOG.debug("RangerSystemAccessControl.checkCanInsertIntoTable(" + table.getSchemaTableName().getTableName() + ") denied");
 AccessDeniedException.denyInsertTable(table.getSchemaTableName().getTableName());
 }
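Review bot: `checkCanSetTableProperties` carries a commented-out `// && !hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)` clause that refers to a `procedure` variable this method does not have, so it is copy-paste residue that could never be re-enabled as written; remove it and collapse the condition to `if (!hasPermission(res, context, TrinoAccessType.ALTER)) {` on one line, matching every other check in the file. `checkCanSetViewComment(...){` is missing the space before the brace used elsewhere. The `properties` map is not inspected, which is consistent with the other DDL checks and worth a one-line comment such as `// Property values are not part of the Ranger resource; ALTER on the table is the whole check.` This hunk starts on the previous line.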
@@ -437,31 +495,57 @@ public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchema
 @Override
 public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
- if (!hasPermission(createResource(table), context, PrestoAccessType.DELETE)) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) {
 LOG.debug("RangerSystemAccessControl.checkCanDeleteFromTable(" + table.getSchemaTableName().getTableName() + ") denied");
 AccessDeniedException.denyDeleteTable(table.getSchemaTableName().getTableName());
 }
 }
 @Override
- public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
- if (!hasPermission(createResource(table), context, PrestoAccessType.GRANT)) {
+ public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanTruncateTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyTruncateTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean withGrantOption) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.GRANT)) {
 LOG.debug("RangerSystemAccessControl.checkCanGrantTablePrivilege(" + table + ") denied");
 AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString());
 }
 }
 @Override
- public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
- if (!hasPermission(createResource(table), context, PrestoAccessType.REVOKE)) {
+ public void 
checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOptionFor) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.REVOKE)) {
 LOG.debug("RangerSystemAccessControl.checkCanRevokeTablePrivilege(" + table + ") denied");
 AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString());
 }
 }
+ @Override
+ public void checkCanGrantEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee, boolean grantOption)
+ {
+ AccessDeniedException.denyGrantEntityPrivilege(privilege.toString(), entity);
+ }
+
+ @Override
+ public void checkCanDenyEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee)
+ {
+ AccessDeniedException.denyDenyEntityPrivilege(privilege.toString(), entity);
+ }
+
+ @Override
+ public void checkCanRevokeEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal revokee, boolean grantOption)
+ {
+ AccessDeniedException.denyRevokeEntityPrivilege(privilege.toString(), entity);
+ }
+
 @Override
 public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
- if (!hasPermission(createResource(table), context, PrestoAccessType.ALTER)) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.ALTER)) {
 LOG.debug("RangerSystemAccessControl.checkCanSetTableComment(" + table.toString() + ") denied");
 AccessDeniedException.denyCommentTable(table.toString());
 }
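Review bot: The three new entity-privilege methods deny unconditionally without the `LOG.debug(... denied)` line every other deny path in this class emits, so an operator tracing a refused GRANT/DENY/REVOKE on a non-table entity gets no trace from this plugin; add the same debug line before each `AccessDeniedException.deny*EntityPrivilege` call. A comment should also state why they are unconditional, e.g. `// Entity privileges have no Ranger resource mapping yet; deny (fail-closed) regardless of identity.` `checkCanTruncateTable` gated on `TrinoAccessType.DELETE` is consistent with `checkCanDeleteFromTable` above it, and a short comment saying truncate is treated as deleting every row would make that mapping explicit. This hunk starts on the previous line.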
@@ -472,7 +556,7 @@ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchema */ @Override public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) { - if (!hasPermission(createResource(view.getCatalogName(), view.getSchemaTableName().getSchemaName()), context, PrestoAccessType.CREATE)) { + if (!hasPermission(createResource(view.getCatalogName(), view.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) { LOG.debug("RangerSystemAccessControl.checkCanCreateView(" + view.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName()); } @@ -483,7 +567,7 @@ public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTable */ @Override public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) { - if (!hasPermission(createResource(view), context, PrestoAccessType.DROP)) { + if (!hasPermission(createResource(view), context, TrinoAccessType.DROP)) { LOG.debug("RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName()); } @@ -507,7 +591,7 @@ public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext contex */ @Override public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) { - if (!hasPermission(createResource(view), context, PrestoAccessType.ALTER)) { + if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) { LOG.debug("RangerSystemAccessControl.checkCanRenameView(" + view.toString() + ") denied"); AccessDeniedException.denyRenameView(view.toString(), newView.toString()); } 
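Review bot: In the `checkCanDropView` hunk the context line still throws `AccessDeniedException.denyCreateView(...)` for a denied DROP VIEW, so the error the user and the audit trail see names the wrong operation; it should be `AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName());`. The access type itself (`TrinoAccessType.DROP`) is right, so this is a messaging defect rather than an authorization gap, but it is the kind of mismatch that sends an incident investigation down the wrong path.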
@@ -520,8 +604,8 @@ public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTable */ @Override public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) { - RangerPrestoResource res = createResource(table); - if (!hasPermission(res, context, PrestoAccessType.ALTER)) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { AccessDeniedException.denyAddColumn(table.getSchemaTableName().getTableName()); } } @@ -531,8 +615,8 @@ public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableN */ @Override public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) { - RangerPrestoResource res = createResource(table); - if (!hasPermission(res, context, PrestoAccessType.DROP)) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.DROP)) { LOG.debug("RangerSystemAccessControl.checkCanDropColumn(" + table.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyDropColumn(table.getSchemaTableName().getTableName()); } 
@@ -543,19 +627,46 @@ public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTable */ @Override public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) { - RangerPrestoResource res = createResource(table); - if (!hasPermission(res, context, PrestoAccessType.ALTER)) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { LOG.debug("RangerSystemAccessControl.checkCanRenameColumn(" + table.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denyRenameColumn(table.getSchemaTableName().getTableName()); } } + @Override + public void checkCanAlterColumn(SystemSecurityContext context, CatalogSchemaTableName table) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { + LOG.debug("RangerSystemAccessControl.checkCanAlterColumn(" + table.getSchemaTableName().getTableName() + ") denied"); + AccessDeniedException.denyAlterColumn(table.getSchemaTableName().getTableName()); + } + } + + @Override + public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { + LOG.debug("RangerSystemAccessControl.checkCanSetColumnComment(" + table.getSchemaTableName().getTableName() + ") denied"); + AccessDeniedException.denyCommentColumn(table.getSchemaTableName().getTableName()); + } + } + + @Override + public void checkCanUpdateTableColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set updatedColumnNames) { + RangerTrinoResource res = createResource(table); + if (!hasPermission(res, context, TrinoAccessType.ALTER)) { + LOG.debug("RangerSystemAccessControl.checkCanUpdateTableColumns(" + table.getSchemaTableName().getTableName() + ") denied"); + AccessDeniedException.denyUpdateTableColumns(table.getSchemaTableName().getTableName(), 
updatedColumnNames); + } + } + /** * This is evaluated on table level */ @Override public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) { - if (!hasPermission(createResource(table), context, PrestoAccessType.SHOW)) { + if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) { LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied"); AccessDeniedException.denyShowColumns(table.toString()); } @@ -563,8 +674,8 @@ public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTabl @Override public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns) { - for (RangerPrestoResource res : createResource(table, columns)) { - if (!hasPermission(res, context, PrestoAccessType.SELECT)) { + for (RangerTrinoResource res : createResource(table, columns)) { + if (!hasPermission(res, context, TrinoAccessType.SELECT)) { LOG.debug("RangerSystemAccessControl.checkCanSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied"); AccessDeniedException.denySelectColumns(table.getSchemaTableName().getTableName(), columns); } @@ -575,7 +686,7 @@ public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSche * This is a NOOP, no filtering is applied */ @Override - public List filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, List columns) { + public Set filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns) { return columns; } 
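Review bot: checkCanUpdateTableColumns ignores its updatedColumnNames argument and authorizes the whole table, so column-level Ranger policies are never consulted for an UPDATE, whereas checkCanSelectFromColumns in the following hunk evaluates SELECT per column through createResource(table, columns). It also maps a DML update onto TrinoAccessType.ALTER, the same privilege the neighbouring add/drop/rename-column checks use for DDL; whether a user with schema-change rights is meant to be able to modify row data while one holding only INSERT/DELETE is not is not stated anywhere, and the enum at the end of this diff has no UPDATE member, so the choice deserves a comment or a change. The rewrite below keeps ALTER and only adds the column scoping, so the access-type question can be settled separately; createResource(table, columns) already falls back to a table-level resource when the set is empty.
```java
    @Override
    public void checkCanUpdateTableColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> updatedColumnNames) {
        // Evaluate each updated column so column-level policies apply, mirroring checkCanSelectFromColumns.
        for (RangerTrinoResource res : createResource(table, updatedColumnNames)) {
            if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
                LOG.debug("RangerSystemAccessControl.checkCanUpdateTableColumns(" + table.getSchemaTableName().getTableName() + ") denied");
                AccessDeniedException.denyUpdateTableColumns(table.getSchemaTableName().getTableName(), updatedColumnNames);
            }
        }
    }
```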
@@ -583,17 +694,24 @@ public List filterColumns(SystemSecurityContext context, Catalog /** * This is a NOOP. Everyone can execute a query - * @param context + * @param identity */ @Override - public void checkCanExecuteQuery(SystemSecurityContext context) { + public void checkCanExecuteQuery(Identity identity, QueryId queryId) { + LOG.debug("RangerSystemAccessControl.checkCanExecuteQuery(" + identity + ") invoked"); + } + + @Deprecated + @Override + public void checkCanExecuteQuery(Identity identity) { + LOG.debug("RangerSystemAccessControl.checkCanExecuteQuery(" + identity + ") invoked"); } @Override - public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) { - if (!hasPermission(createUserResource(queryOwner), context, PrestoAccessType.IMPERSONATE)) { + public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) { + if (!hasPermission(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) { LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied"); - AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner); + AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser()); } } 
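Review bot: The Javadoc kept above checkCanExecuteQuery still documents only `@param identity` although the new overload also takes `queryId`, and the `@Deprecated` overload carries no `@deprecated` tag telling callers which method replaces it. Both overloads log the entire `Identity` object at debug level; if the Trino SPI's Identity.toString() emits principal or extra-credential details, that is more than an access-control trace should carry, so logging `identity.getUser()` instead is the safer form — confirm against the Trino version this plugin targets. Suggested wording: `@param identity the caller's identity` and `@param queryId the query being started (not consulted; every identity may execute)` on the new overload, and `@deprecated use {@link #checkCanExecuteQuery(Identity, QueryId)}` on the old one.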
@@ -601,51 +719,101 @@ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String query * This is a NOOP, no filtering is applied */ @Override - public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) { + public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) { return queryOwners; } @Override - public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) { - if (!hasPermission(createUserResource(queryOwner), context, PrestoAccessType.IMPERSONATE)) { + public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) { + if (!hasPermission(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) { LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied"); - AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner); + AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser()); + } + } + + @Override + public void checkCanReadSystemInformation(Identity identity) { + if (!hasPermission(createUserResource(identity.getUser()), identity, TrinoAccessType.IMPERSONATE)) { + LOG.debug("RangerSystemAccessControl.checkCanReadSystemInformation(" + identity.getUser() + ") denied"); + AccessDeniedException.denyImpersonateUser(identity.getUser(), "trino"); } } - /** FUNCTIONS **/ @Override - public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, PrestoPrincipal grantee, boolean grantOption) { - if (!hasPermission(createFunctionResource(function), context, PrestoAccessType.GRANT)) { - LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied"); - AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName()); + public void checkCanWriteSystemInformation(Identity identity) { + if (!hasPermission(createUserResource(identity.getUser()), 
identity, TrinoAccessType.IMPERSONATE)) { + LOG.debug("RangerSystemAccessControl.checkCanWriteSystemInformation(" + identity.getUser() + ") denied"); + AccessDeniedException.denyImpersonateUser(identity.getUser(), "trino"); } } + /** FUNCTIONS **/ + @Override - public void checkCanExecuteFunction(SystemSecurityContext context, String function) { - if (!hasPermission(createFunctionResource(function), context, PrestoAccessType.EXECUTE)) { - LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied"); - AccessDeniedException.denyExecuteFunction(function); + public boolean canExecuteFunction(SystemSecurityContext context, CatalogSchemaRoutineName functionName) { + if (!hasPermission(createFunctionResource(functionName.getRoutineName()), context, TrinoAccessType.EXECUTE)) { + LOG.debug("RangerSystemAccessControl.canExecuteFunction(" + functionName.getRoutineName() + ") denied"); + return false; } + return true; } /** PROCEDURES **/ @Override public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) { - if (!hasPermission(createProcedureResource(procedure), context, PrestoAccessType.EXECUTE)) { - LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied"); + if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) { + LOG.debug("RangerSystemAccessControl.checkCanExecuteProcedure(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied"); AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName()); } } + /** + * Check if identity is allowed to execute the specified table procedure on specified table + * + */ + @Override + public void checkCanExecuteTableProcedure( + SystemSecurityContext context, CatalogSchemaTableName table, String procedure + ) { + RangerTrinoResource res = createResource(table); + if ( + !hasPermission(res, context, 
TrinoAccessType.ALTER) + // && !hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE) + ) { + LOG.debug("RangerSystemAccessControl.checkCanExecuteTableProcedure(" + table.getSchemaTableName().getTableName() + ") denied"); + AccessDeniedException.denyExecuteTableProcedure(table.getSchemaTableName().getTableName(), procedure); + } + } + + @Override + public void checkCanShowFunctions(SystemSecurityContext context, CatalogSchemaName schema) + { + if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.SHOW)) { + LOG.debug("RangerSystemAccessControl.checkCanShowFunctions(" + schema.getSchemaName() + ") denied"); + AccessDeniedException.denyShowFunctions(schema.toString()); + } + } + + @Override + public void checkCanShowCreateFunction(SystemSecurityContext context, CatalogSchemaRoutineName functionName) + { + if (!hasPermission(createResource(functionName.getCatalogName(), functionName.getSchemaName()), context, TrinoAccessType.SHOW)) { + LOG.debug("RangerSystemAccessControl.checkCanShowFunctions(" + functionName.getSchemaName() + ") denied"); + AccessDeniedException.denyShowCreateFunction(functionName.toString()); + } + } + /** HELPER FUNCTIONS **/ - private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) { + private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) { + return createAccessRequest(resource, context.getIdentity(), accessType); + } + + private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) { Set userGroups = null; if (useUgi) { - UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser()); + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity.getUser()); String[] groups 
= ugi != null ? ugi.getGroupNames() : null; @@ -653,23 +821,23 @@ private RangerPrestoAccessRequest createAccessRequest(RangerPrestoResource resou userGroups = new HashSet<>(Arrays.asList(groups)); } } else { - userGroups = context.getIdentity().getGroups(); + userGroups = identity.getGroups(); } - RangerPrestoAccessRequest request = new RangerPrestoAccessRequest( - resource, - context.getIdentity().getUser(), - userGroups, - accessType + RangerTrinoAccessRequest request = new RangerTrinoAccessRequest( + resource, + identity.getUser(), + userGroups, + accessType ); return request; } - private boolean hasPermission(RangerPrestoResource resource, SystemSecurityContext context, PrestoAccessType accessType) { + private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) { boolean ret = false; - RangerPrestoAccessRequest request = createAccessRequest(resource, context, accessType); + RangerTrinoAccessRequest request = createAccessRequest(resource, context, accessType); RangerAccessResult result = rangerPlugin.isAccessAllowed(request); if (result != null && result.getIsAllowed()) { 
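Review bot: checkCanReadSystemInformation and checkCanWriteSystemInformation at the start of this hunk are both gated on TrinoAccessType.IMPERSONATE against the caller's own user resource, so any policy that lets a user impersonate itself also lets it write system information, and the denial is reported as `denyImpersonateUser(identity.getUser(), "trino")`, which is not what was evaluated. Trino exposes read and write as separate hooks; a dedicated access type (the enum at the end of this diff has none for system information) or at minimum a comment recording the proxy decision would make the policy model reviewable, e.g. `// NOTE(review): system-information read and write are both proxied by the caller's own IMPERSONATE grant — confirm this is intended`. Separately, canExecuteFunction builds its resource from `functionName.getRoutineName()` alone, dropping the catalog and schema that createProcedureResource retains, so a policy on a bare function name matches that name in every catalog and schema. checkCanExecuteTableProcedure ships a commented-out procedure check whose intent should be recorded in a comment or the line removed, and checkCanShowCreateFunction's debug line still names checkCanShowFunctions.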
@@ -679,79 +847,92 @@ private boolean hasPermission(RangerPrestoResource resource, SystemSecurityConte return ret; } - private static RangerPrestoResource createUserResource(String userName) { - RangerPrestoResource res = new RangerPrestoResource(); - res.setValue(RangerPrestoResource.KEY_USER, userName); + private boolean hasPermission(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) { + boolean ret = false; + + RangerTrinoAccessRequest request = createAccessRequest(resource, identity, accessType); + + RangerAccessResult result = rangerPlugin.isAccessAllowed(request); + if (result != null && result.getIsAllowed()) { + ret = true; + } + + return ret; + } + + private static RangerTrinoResource createUserResource(String userName) { + RangerTrinoResource res = new RangerTrinoResource(); + res.setValue(RangerTrinoResource.KEY_USER, userName); return res; } - private static RangerPrestoResource createFunctionResource(String function) { - RangerPrestoResource res = new RangerPrestoResource(); - res.setValue(RangerPrestoResource.KEY_FUNCTION, function); + private static RangerTrinoResource createFunctionResource(String function) { + RangerTrinoResource res = new RangerTrinoResource(); + res.setValue(RangerTrinoResource.KEY_FUNCTION, function); return res; } - private static RangerPrestoResource createProcedureResource(CatalogSchemaRoutineName procedure) { - RangerPrestoResource res = new RangerPrestoResource(); - res.setValue(RangerPrestoResource.KEY_CATALOG, procedure.getCatalogName()); - res.setValue(RangerPrestoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName()); - res.setValue(RangerPrestoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName()); + private static RangerTrinoResource createProcedureResource(CatalogSchemaRoutineName procedure) { + RangerTrinoResource res = new RangerTrinoResource(); + res.setValue(RangerTrinoResource.KEY_CATALOG, procedure.getCatalogName()); + 
res.setValue(RangerTrinoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName()); + res.setValue(RangerTrinoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName()); return res; } - private static RangerPrestoResource createCatalogSessionResource(String catalogName, String propertyName) { - RangerPrestoResource res = new RangerPrestoResource(); - res.setValue(RangerPrestoResource.KEY_CATALOG, catalogName); - res.setValue(RangerPrestoResource.KEY_SESSION_PROPERTY, propertyName); + private static RangerTrinoResource createCatalogSessionResource(String catalogName, String propertyName) { + RangerTrinoResource res = new RangerTrinoResource(); + res.setValue(RangerTrinoResource.KEY_CATALOG, catalogName); + res.setValue(RangerTrinoResource.KEY_SESSION_PROPERTY, propertyName); return res; } - private static RangerPrestoResource createSystemPropertyResource(String property) { - RangerPrestoResource res = new RangerPrestoResource(); - res.setValue(RangerPrestoResource.KEY_SYSTEM_PROPERTY, property); + private static RangerTrinoResource createSystemPropertyResource(String property) { + RangerTrinoResource res = new RangerTrinoResource(); + res.setValue(RangerTrinoResource.KEY_SYSTEM_PROPERTY, property); return res; } - private static RangerPrestoResource createResource(CatalogSchemaName catalogSchemaName) { + private static RangerTrinoResource createResource(CatalogSchemaName catalogSchemaName) { return createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName()); } - private static RangerPrestoResource createResource(CatalogSchemaTableName catalogSchemaTableName) { + private static RangerTrinoResource createResource(CatalogSchemaTableName catalogSchemaTableName) { return createResource(catalogSchemaTableName.getCatalogName(), catalogSchemaTableName.getSchemaTableName().getSchemaName(), catalogSchemaTableName.getSchemaTableName().getTableName()); } - private static RangerPrestoResource createResource(String 
catalogName) { - return new RangerPrestoResource(catalogName, Optional.empty(), Optional.empty()); + private static RangerTrinoResource createResource(String catalogName) { + return new RangerTrinoResource(catalogName, Optional.empty(), Optional.empty()); } - private static RangerPrestoResource createResource(String catalogName, String schemaName) { - return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.empty()); + private static RangerTrinoResource createResource(String catalogName, String schemaName) { + return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.empty()); } - private static RangerPrestoResource createResource(String catalogName, String schemaName, final String tableName) { - return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName)); + private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName) { + return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName)); } - private static RangerPrestoResource createResource(String catalogName, String schemaName, final String tableName, final Optional column) { - return new RangerPrestoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column); + private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName, final Optional column) { + return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column); } - private static List createResource(CatalogSchemaTableName table, Set columns) { - List colRequests = new ArrayList<>(); + private static List createResource(CatalogSchemaTableName table, Set columns) { + List colRequests = new ArrayList<>(); if (columns.size() > 0) { for (String column : columns) { - RangerPrestoResource rangerPrestoResource = createResource(table.getCatalogName(), + RangerTrinoResource rangerTrinoResource = 
createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName(), table.getSchemaTableName().getTableName(), Optional.of(column)); - colRequests.add(rangerPrestoResource); + colRequests.add(rangerTrinoResource); } } else { colRequests.add(createResource(table.getCatalogName(), @@ -762,7 +943,7 @@ private static List createResource(CatalogSchemaTableName } } -class RangerPrestoResource +class RangerTrinoResource extends RangerAccessResourceImpl { @@ -770,16 +951,16 @@ class RangerPrestoResource public static final String KEY_SCHEMA = "schema"; public static final String KEY_TABLE = "table"; public static final String KEY_COLUMN = "column"; - public static final String KEY_USER = "prestouser"; + public static final String KEY_USER = "trinouser"; public static final String KEY_FUNCTION = "function"; public static final String KEY_PROCEDURE = "procedure"; public static final String KEY_SYSTEM_PROPERTY = "systemproperty"; public static final String KEY_SESSION_PROPERTY = "sessionproperty"; - public RangerPrestoResource() { + public RangerTrinoResource() { } - public RangerPrestoResource(String catalogName, Optional schema, Optional table) { + public RangerTrinoResource(String catalogName, Optional schema, Optional table) { setValue(KEY_CATALOG, catalogName); if (schema.isPresent()) { setValue(KEY_SCHEMA, schema.get()); @@ -789,7 +970,7 @@ public RangerPrestoResource(String catalogName, Optional schema, Optiona } } - public RangerPrestoResource(String catalogName, Optional schema, Optional table, Optional column) { + public RangerTrinoResource(String catalogName, Optional schema, Optional table, Optional column) { setValue(KEY_CATALOG, catalogName); if (schema.isPresent()) { setValue(KEY_SCHEMA, schema.get()); 
@@ -827,17 +1008,17 @@ public Optional getSchemaTable() { } } -class RangerPrestoAccessRequest +class RangerTrinoAccessRequest extends RangerAccessRequestImpl { - public RangerPrestoAccessRequest(RangerPrestoResource resource, + public RangerTrinoAccessRequest(RangerTrinoResource resource, String user, Set userGroups, - PrestoAccessType prestoAccessType) { - super(resource, prestoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null); + TrinoAccessType trinoAccessType) { + super(resource, trinoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null); setAccessTime(new Date()); } } -enum PrestoAccessType { +enum TrinoAccessType { CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE, EXECUTE; -} \ No newline at end of file +} diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java similarity index 78% rename from plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java rename to plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java index 810fc3f932..a54a064824 100644 --- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/RangerServicePresto.java +++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.ranger.services.presto; +package org.apache.ranger.services.trino; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; 
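Review bot: The new hasPermission(RangerTrinoResource, Identity, TrinoAccessType) at the top of this hunk is a line-for-line copy of the SystemSecurityContext overload from the preceding hunk; that overload should delegate instead, `return hasPermission(resource, context.getIdentity(), accessType);`, so the allow decision is computed in one place. Renaming KEY_USER from "prestouser" to "trinouser" changes the resource key sent to Ranger for every impersonation and system-information request; unless the trino service definition and existing policies use the same key, those requests will stop matching any policy — fail-closed, but silently. The service-definition file is not part of this diff, so I cannot confirm it was updated; a comment on the constant, `// must match the user resource name in the Ranger trino service definition`, would at least record the coupling.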
@@ -24,15 +24,15 @@ import org.apache.ranger.plugin.client.HadoopException; import org.apache.ranger.plugin.service.RangerBaseService; import org.apache.ranger.plugin.service.ResourceLookupContext; -import org.apache.ranger.services.presto.client.PrestoResourceManager; +import org.apache.ranger.services.trino.client.TrinoResourceManager; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; -public class RangerServicePresto extends RangerBaseService { - private static final Log LOG = LogFactory.getLog(RangerServicePresto.class); +public class RangerServiceTrino extends RangerBaseService { + private static final Log LOG = LogFactory.getLog(RangerServiceTrino.class); @Override public Map validateConfig() throws Exception { @@ -40,7 +40,7 @@ public Map validateConfig() throws Exception { String serviceName = getServiceName(); if (LOG.isDebugEnabled()) { - LOG.debug("RangerServicePresto.validateConfig(): Service: " + + LOG.debug("RangerServiceTrino.validateConfig(): Service: " + serviceName); } @@ -49,15 +49,15 @@ public Map validateConfig() throws Exception { if (!configs.containsKey(HadoopConfigHolder.RANGER_LOGIN_PASSWORD)) { configs.put(HadoopConfigHolder.RANGER_LOGIN_PASSWORD, null); } - ret = PrestoResourceManager.connectionTest(serviceName, configs); + ret = TrinoResourceManager.connectionTest(serviceName, configs); } catch (HadoopException he) { - LOG.error("<== RangerServicePresto.validateConfig Error:" + he); + LOG.error("<== RangerServiceTrino.validateConfig Error:" + he); throw he; } } if (LOG.isDebugEnabled()) { - LOG.debug("RangerServicePresto.validateConfig(): Response: " + + LOG.debug("RangerServiceTrino.validateConfig(): Response: " + ret); } return ret; 
@@ -78,14 +78,14 @@ public List lookupResource(ResourceLookupContext context) throws Excepti if (!configs.containsKey(HadoopConfigHolder.RANGER_LOGIN_PASSWORD)) { configs.put(HadoopConfigHolder.RANGER_LOGIN_PASSWORD, null); } - ret = PrestoResourceManager.getPrestoResources(serviceName, serviceType, configs,context); + ret = TrinoResourceManager.getTrinoResources(serviceName, serviceType, configs,context); } catch (Exception e) { - LOG.error( "<==RangerServicePresto.lookupResource Error : " + e); + LOG.error( "<==RangerServiceTrino.lookupResource Error : " + e); throw e; } } if(LOG.isDebugEnabled()) { - LOG.debug("<== RangerServicePresto.lookupResource Response: (" + ret + ")"); + LOG.debug("<== RangerServiceTrino.lookupResource Response: (" + ret + ")"); } return ret; } diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java similarity index 87% rename from plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java rename to plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java index 7b55b77bd7..83361436b2 100644 --- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java +++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java @@ -16,7 +16,7 @@ * specific language governing permissions and limitations * under the License. */ -package org.apache.ranger.services.presto.client; +package org.apache.ranger.services.trino.client; import org.apache.commons.io.FilenameUtils; import org.apache.commons.lang.StringEscapeUtils; @@ -25,6 +25,7 @@ import org.apache.ranger.plugin.client.BaseClient; import org.apache.ranger.plugin.client.HadoopConfigHolder; import org.apache.ranger.plugin.client.HadoopException; +import org.apache.ranger.plugin.util.PasswordUtils; import javax.security.auth.Subject; import java.io.Closeable; 
@@ -42,11 +43,11 @@ import java.util.Map; import java.util.Properties; -public class PrestoClient extends BaseClient implements Closeable { - public static final String PRESTO_USER_NAME_PROP = "user"; - public static final String PRESTO_PASSWORD_PROP = "password"; +public class TrinoClient extends BaseClient implements Closeable { + public static final String TRINO_USER_NAME_PROP = "user"; + public static final String TRINO_PASSWORD_PROP = "password"; - private static final Log LOG = LogFactory.getLog(PrestoClient.class); + private static final Log LOG = LogFactory.getLog(TrinoClient.class); private static final String ERR_MSG = "You can still save the repository and start creating " + "policies, but you would not be able to use autocomplete for " @@ -54,12 +55,12 @@ public class PrestoClient extends BaseClient implements Closeable { private Connection con; - public PrestoClient(String serviceName) throws Exception { + public TrinoClient(String serviceName) throws Exception { super(serviceName, null); init(); } - public PrestoClient(String serviceName, Map properties) throws Exception { + public TrinoClient(String serviceName, Map properties) throws Exception { super(serviceName, properties); init(); } 
@@ -78,10 +79,21 @@ private void initConnection() { String driverClassName = prop.getProperty("jdbc.driverClassName"); String url = prop.getProperty("jdbc.url"); - Properties prestoProperties = new Properties(); - prestoProperties.put(PRESTO_USER_NAME_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP)); + Properties trinoProperties = new Properties(); + String decryptedPwd = null; + try { + decryptedPwd=PasswordUtils.decryptPassword(getConfigHolder().getPassword()); + } catch (Exception ex) { + LOG.info("Password decryption failed"); + decryptedPwd = null; + } finally { + if (decryptedPwd == null) { + decryptedPwd = prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD); + } + } + trinoProperties.put(TRINO_USER_NAME_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP)); if (prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD) != null) { - prestoProperties.put(PRESTO_PASSWORD_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD)); + trinoProperties.put(TRINO_PASSWORD_PROP,decryptedPwd); } if (driverClassName != null) { @@ -90,7 +102,7 @@ private void initConnection() { DriverManager.registerDriver(driver); } catch (SQLException e) { String msgDesc = "initConnection: Caught SQLException while registering" - + " the Presto driver."; + + " the Trino driver."; HadoopException hdpException = new HadoopException(msgDesc, e); hdpException.generateResponseDataMap(false, getMessage(e), msgDesc + ERR_MSG, null, null); 
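Review bot: The decryption failure in initConnection is caught as a bare `Exception`, logged at info level without its cause, and then silently replaced by the raw configured value, so an operator cannot tell from the log whether the stored password is plaintext (the expected fallback) or undecryptable ciphertext; log it at warn with the cause, `LOG.warn("Password decryption failed; using configured value as-is", ex);`, keeping the password itself out of the message (if PasswordUtils can echo its input in the exception text, log only `ex.getClass().getName()`). The `finally` block does nothing but default assignment and reads more clearly as a plain statement after the try/catch. The guard still tests `prop.getProperty(RANGER_LOGIN_PASSWORD)` while the value stored comes from `getConfigHolder().getPassword()`; the two appear to be the same setting, but a short comment confirming that would save the next reader the trace.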
@@ -117,7 +129,7 @@ private void initConnection() { msgDesc + ERR_MSG, null, null); throw hdpException; } catch (SecurityException se) { - String msgDesc = "initConnection: unable to initiate connection to Presto instance," + String msgDesc = "initConnection: unable to initiate connection to Trino instance," + " The caller's class loader is not the same as or an ancestor " + "of the class loader for the current class and invocation of " + "s.checkPackageAccess() denies access to the package of this class."; @@ -126,7 +138,7 @@ private void initConnection() { msgDesc + ERR_MSG, null, null); throw hdpException; } catch (Throwable t) { - String msgDesc = "initConnection: Unable to connect to Presto instance, " + String msgDesc = "initConnection: Unable to connect to Trino instance, " + "please provide valid value of field : {jdbc.driverClassName}."; HadoopException hdpException = new HadoopException(msgDesc, t); hdpException.generateResponseDataMap(false, getMessage(t), 
@@ -136,21 +148,21 @@ private void initConnection() { } try { - con = DriverManager.getConnection(url, prestoProperties); + con = DriverManager.getConnection(url, trinoProperties); } catch (SQLException e) { - String msgDesc = "Unable to connect to Presto instance."; + String msgDesc = "Unable to connect to Trino instance."; HadoopException hdpException = new HadoopException(msgDesc, e); hdpException.generateResponseDataMap(false, getMessage(e), msgDesc + ERR_MSG, null, null); throw hdpException; } catch (SecurityException se) { - String msgDesc = "Unable to connect to Presto instance."; + String msgDesc = "Unable to connect to Trino instance."; HadoopException hdpException = new HadoopException(msgDesc, se); hdpException.generateResponseDataMap(false, getMessage(se), msgDesc + ERR_MSG, null, null); throw hdpException; } catch (Throwable t) { - String msgDesc = "initConnection: Unable to connect to Presto instance, "; + String msgDesc = "initConnection: Unable to connect to Trino instance, "; HadoopException hdpException = new HadoopException(msgDesc, t); hdpException.generateResponseDataMap(false, getMessage(t), msgDesc + ERR_MSG, null, null); @@ -168,7 +180,7 @@ private List getCatalogs(String needle, List catalogs) throws Ha try { if (needle != null && !needle.isEmpty() && !needle.equals("*")) { - // Cannot use a prepared statement for this as presto does not support that + // Cannot use a prepared statement for this as trino does not support that sql += " LIKE '" + StringEscapeUtils.escapeSql(needle) + "%'"; } stat = con.createStatement(); @@ -212,7 +224,7 @@ public List run() { try { ret = getCatalogs(ndl, catList); } catch (HadoopException he) { - LOG.error("<== PrestoClient getCatalogList() :Unable to get the Database List", he); + LOG.error("<== TrinoClient getCatalogList() :Unable to get the Database List", he); throw he; } return ret; 
@@ -263,7 +275,7 @@ private List getSchemas(String needle, List catalogs, List getSchemas(String needle, List catalogs, List run() { try { ret = getSchemas(ndl, cats, shms); } catch (HadoopException he) { - LOG.error("<== PrestoClient getSchemaList() :Unable to get the Schema List", he); + LOG.error("<== TrinoClient getSchemaList() :Unable to get the Schema List", he); } return ret; } @@ -345,7 +357,7 @@ private List getTables(String needle, List catalogs, List getTables(String needle, List catalogs, List run() { try { ret = getTables(ndl, cats, shms, tbls); } catch (HadoopException he) { - LOG.error("<== PrestoClient getTableList() :Unable to get the Column List", he); + LOG.error("<== TrinoClient getTableList() :Unable to get the Column List", he); throw he; } return ret; @@ -441,7 +453,7 @@ private List getColumns(String needle, List catalogs, List getColumns(String needle, List catalogs, List run() { try { ret = getColumns(ndl, cats, shms, tbls, cols); } catch (HadoopException he) { - LOG.error("<== PrestoClient getColumnList() :Unable to get the Column List", he); + LOG.error("<== TrinoClient getColumnList() :Unable to get the Column List", he); throw he; } return ret; @@ -486,7 +498,7 @@ public List run() { public static Map connectionTest(String serviceName, Map connectionProperties) throws Exception { - PrestoClient client = null; + TrinoClient client = null; Map resp = new HashMap(); boolean status = false; @@ -494,7 +506,7 @@ public static Map connectionTest(String serviceName, List testResult = null; try { - client = new PrestoClient(serviceName, connectionProperties); + client = new TrinoClient(serviceName, connectionProperties); if (client != null) { testResult = client.getCatalogList("*", null); if (testResult != null && testResult.size() != 0) { 
@@ -532,7 +544,7 @@ private void close(Connection con) {
 con.close();
 }
 } catch (SQLException e) {
- LOG.error("Unable to close Presto SQL connection", e);
+ LOG.error("Unable to close Trino SQL connection", e);
 }
 }
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java
similarity index 55%
rename from plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java
rename to plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java
index 4a642ea51a..8c49acada6 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoConnectionManager.java
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java
@@ -16,7 +16,7 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-package org.apache.ranger.services.presto.client;
+package org.apache.ranger.services.trino.client;
 import org.apache.log4j.Logger;
 import org.apache.ranger.plugin.util.TimedEventUtil;
@@ -27,49 +27,49 @@
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.TimeUnit;
-public class PrestoConnectionManager {
- private static final Logger LOG = Logger.getLogger(PrestoConnectionManager.class);
+public class TrinoConnectionManager {
+ private static final Logger LOG = Logger.getLogger(TrinoConnectionManager.class);
- protected ConcurrentMap prestoConnectionCache;
+ protected ConcurrentMap trinoConnectionCache;
 protected ConcurrentMap repoConnectStatusMap;
- public PrestoConnectionManager() {
- prestoConnectionCache = new ConcurrentHashMap<>();
+ public TrinoConnectionManager() {
+ trinoConnectionCache = new ConcurrentHashMap<>();
 repoConnectStatusMap = new ConcurrentHashMap<>();
 }
- public PrestoClient getPrestoConnection(final String serviceName, final String serviceType, final Map configs) {
- PrestoClient prestoClient = null;
+ public TrinoClient getTrinoConnection(final String serviceName, final String serviceType, final Map configs) {
+ TrinoClient trinoClient = null;
 if (serviceType != null) {
- prestoClient = prestoConnectionCache.get(serviceName);
- if (prestoClient == null) {
+ trinoClient = trinoConnectionCache.get(serviceName);
+ if (trinoClient == null) {
 if (configs != null) {
- final Callable connectPresto = new Callable() {
+ final Callable connectTrino = new Callable() {
 @Override
- public PrestoClient call() throws Exception {
- return new PrestoClient(serviceName, configs);
+ public TrinoClient call() throws Exception {
+ return new TrinoClient(serviceName, configs);
 }
 };
 try {
- prestoClient = TimedEventUtil.timedTask(connectPresto, 5, TimeUnit.SECONDS);
+ trinoClient = TimedEventUtil.timedTask(connectTrino, 5, TimeUnit.SECONDS);
 } catch (Exception e) {
- LOG.error("Error connecting to Presto repository: " +
+ LOG.error("Error connecting to Trino repository: " +
 serviceName + " using config: " + configs, e);
 }
- PrestoClient oldClient = null;
- if (prestoClient != null) {
- oldClient = prestoConnectionCache.putIfAbsent(serviceName, prestoClient);
+ TrinoClient oldClient = null;
+ if (trinoClient != null) {
+ oldClient = trinoConnectionCache.putIfAbsent(serviceName, trinoClient);
 } else {
- oldClient = prestoConnectionCache.get(serviceName);
+ oldClient = trinoConnectionCache.get(serviceName);
 }
 if (oldClient != null) {
- if (prestoClient != null) {
- prestoClient.close();
+ if (trinoClient != null) {
+ trinoClient.close();
 }
- prestoClient = oldClient;
+ trinoClient = oldClient;
 }
 repoConnectStatusMap.put(serviceName, true);
 } else {
@@ -78,16 +78,16 @@ public PrestoClient call() throws Exception {
 }
 } else {
 try {
- prestoClient.getCatalogList("*", null);
+ trinoClient.getCatalogList("*", null);
 } catch (Exception e) {
- prestoConnectionCache.remove(serviceName);
- prestoClient.close();
- prestoClient = getPrestoConnection(serviceName, serviceType, configs);
+ trinoConnectionCache.remove(serviceName);
+ trinoClient.close();
+ trinoClient = getTrinoConnection(serviceName, serviceType, configs);
 }
 }
 } else {
 LOG.error("Asset not found with name " + serviceName, new Throwable());
 }
- return prestoClient;
+ return trinoClient;
 }
 }
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java
similarity index 73%
rename from plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java
rename to plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java
index 008bf0fa6b..1b73c13223 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoResourceManager.java
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java
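Review bot: The catch block in getTrinoConnection writes the whole `configs` map to the error log (`" using config: " + configs`); that map is what `new TrinoClient(serviceName, configs)` is built from, so if it carries the JDBC credentials that initConnection passes to the driver they end up in the log in clear text on every failed connect. TrinoResourceManager.connectionTest in the next file section has the same exposure in its debug line `"Configs" + configs`. Logging only the key names keeps the diagnostic value without the secret: `LOG.error("Error connecting to Trino repository: " + serviceName + " using config keys: " + configs.keySet(), e);`. The method starts in the first hunk and its remainder is in the second.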
@@ -16,7 +16,7 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-package org.apache.ranger.services.presto.client;
+package org.apache.ranger.services.trino.client;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -28,8 +28,8 @@
 import java.util.concurrent.Callable;
 import java.util.concurrent.TimeUnit;
-public class PrestoResourceManager {
- private static final Log LOG = LogFactory.getLog(PrestoResourceManager.class);
+public class TrinoResourceManager {
+ private static final Log LOG = LogFactory.getLog(TrinoResourceManager.class);
 private static final String CATALOG = "catalog";
 private static final String SCHEMA = "schema";
@@ -41,24 +41,24 @@ public static Map connectionTest(String serviceName, Map ret = null;
 if (LOG.isDebugEnabled()) {
- LOG.debug("==> PrestoResourceMgr.connectionTest ServiceName: " + serviceName + "Configs" + configs);
+ LOG.debug("==> TrinoResourceMgr.connectionTest ServiceName: " + serviceName + "Configs" + configs);
 }
 try {
- ret = PrestoClient.connectionTest(serviceName, configs);
+ ret = TrinoClient.connectionTest(serviceName, configs);
 } catch (Exception e) {
- LOG.error("<== PrestoResourceManager.connectionTest Error: " + e);
+ LOG.error("<== TrinoResourceManager.connectionTest Error: " + e);
 throw e;
 }
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoResourceManager.connectionTest Result : " + ret);
+ LOG.debug("<== TrinoResourceManager.connectionTest Result : " + ret);
 }
 return ret;
 }
- public static List getPrestoResources(String serviceName, String serviceType, Map configs, ResourceLookupContext context) throws Exception {
+ public static List getTrinoResources(String serviceName, String serviceType, Map configs, ResourceLookupContext context) throws Exception {
 String userInput = context.getUserInput();
 String resource = context.getResourceName();
@@ -75,7 +75,7 @@ public static List getPrestoResources(String serviceName, String service
 if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoResourceMgr.getPrestoResources() UserInput: \"" + userInput + "\" resource : " + resource + " resourceMap: " + resourceMap);
+ LOG.debug("<== TrinoResourceMgr.getTrinoResources() UserInput: \"" + userInput + "\" resource : " + resource + " resourceMap: " + resourceMap);
 }
 if (userInput != null && resource != null) {
@@ -106,11 +106,11 @@ public static List getPrestoResources(String serviceName, String service
 try {
 if (LOG.isDebugEnabled()) {
- LOG.debug("==> PrestoResourceMgr.getPrestoResources() UserInput: " + userInput + " configs: " + configs + " catalogList: " + catalogList + " tableList: "
+ LOG.debug("==> TrinoResourceMgr.getTrinoResources() UserInput: " + userInput + " configs: " + configs + " catalogList: " + catalogList + " tableList: "
 + tableList + " columnList: " + columnList);
 }
- final PrestoClient prestoClient = new PrestoConnectionManager().getPrestoConnection(serviceName, serviceType, configs);
+ final TrinoClient trinoClient = new TrinoConnectionManager().getTrinoConnection(serviceName, serviceType, configs);
 Callable> callableObj = null;
@@ -124,13 +124,13 @@ public static List getPrestoResources(String serviceName, String service
 final List finalTableList = tableList;
 final List finalColumnList = columnList;
- if (prestoClient != null) {
+ if (trinoClient != null) {
 if (catalogName != null && !catalogName.isEmpty()) {
 finalCatalogName = catalogName;
 callableObj = new Callable>() {
 @Override
 public List call() throws Exception {
- return prestoClient.getCatalogList(finalCatalogName, finalCatalogList);
+ return trinoClient.getCatalogList(finalCatalogName, finalCatalogList);
 }
 };
 } else if (schemaName != null && !schemaName.isEmpty()) {
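Review bot: `new TrinoConnectionManager().getTrinoConnection(serviceName, serviceType, configs)` builds a fresh manager, and with it an empty `trinoConnectionCache`, on every resource lookup, so the cache in TrinoConnectionManager can never serve a hit and each lookup opens a new TrinoClient. Nothing in this method closes that client (the manager only closes one when a cached instance already exists), so unless TrinoClient releases its JDBC connection elsewhere — not visible in this diff — every lookup leaks a connection to the Trino coordinator. A single shared manager would make the cache effective: `private static final TrinoConnectionManager CONNECTION_MANAGER = new TrinoConnectionManager();` used here as `final TrinoClient trinoClient = CONNECTION_MANAGER.getTrinoConnection(serviceName, serviceType, configs);`. getTrinoResources starts and ends outside these hunks.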
@@ -138,7 +138,7 @@ public List call() throws Exception {
 callableObj = new Callable>() {
 @Override
 public List call() throws Exception {
- return prestoClient.getSchemaList(finalSchemaName, finalCatalogList, finalSchemaList);
+ return trinoClient.getSchemaList(finalSchemaName, finalCatalogList, finalSchemaList);
 }
 };
 } else if (tableName != null && !tableName.isEmpty()) {
@@ -146,7 +146,7 @@ public List call() throws Exception {
 callableObj = new Callable>() {
 @Override
 public List call() throws Exception {
- return prestoClient.getTableList(finalTableName, finalCatalogList, finalSchemaList, finalTableList);
+ return trinoClient.getTableList(finalTableName, finalCatalogList, finalSchemaList, finalTableList);
 }
 };
 } else if (columnName != null && !columnName.isEmpty()) {
@@ -156,20 +156,20 @@ public List call() throws Exception {
 callableObj = new Callable>() {
 @Override
 public List call() throws Exception {
- return prestoClient.getColumnList(finalColumnName, finalCatalogList, finalSchemaList, finalTableList, finalColumnList);
+ return trinoClient.getColumnList(finalColumnName, finalCatalogList, finalSchemaList, finalTableList, finalColumnList);
 }
 };
 }
 if (callableObj != null) {
- synchronized (prestoClient) {
+ synchronized (trinoClient) {
 resultList = TimedEventUtil.timedTask(callableObj, 5, TimeUnit.SECONDS);
 }
 } else {
- LOG.error("Could not initiate a PrestoClient timedTask");
+ LOG.error("Could not initiate a TrinoClient timedTask");
 }
 }
 } catch (Exception e) {
- LOG.error("Unable to get Presto resource", e);
+ LOG.error("Unable to get Trino resource", e);
 throw e;
 }
 }
diff --git a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerAdminClientImpl.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java
similarity index 92%
rename from plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerAdminClientImpl.java
rename to plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java
index bcfaef05ed..af74fc6424 100644
--- a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerAdminClientImpl.java
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java
@@ -15,7 +15,7 @@
 * limitations under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
+package org.apache.ranger.authorization.trino.authorizer;
 import org.apache.ranger.admin.client.AbstractRangerAdminClient;
 import org.apache.ranger.plugin.util.ServicePolicies;
@@ -25,7 +25,7 @@
 import java.nio.file.Files;
 public class RangerAdminClientImpl extends AbstractRangerAdminClient {
- private final static String cacheFilename = "presto-policies.json";
+ private final static String cacheFilename = "trino-policies.json";
 public ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
diff --git a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
similarity index 79%
rename from plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java
rename to plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
index ed8c837d55..c7e2070131 100644
--- a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
@@ -15,29 +15,31 @@
 * limitations under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
+package org.apache.ranger.authorization.trino.authorizer;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import io.prestosql.spi.connector.CatalogSchemaName;
-import io.prestosql.spi.connector.CatalogSchemaRoutineName;
-import io.prestosql.spi.connector.CatalogSchemaTableName;
-import io.prestosql.spi.connector.SchemaTableName;
-import io.prestosql.spi.security.AccessDeniedException;
-import io.prestosql.spi.security.Identity;
-import io.prestosql.spi.security.PrestoPrincipal;
-import io.prestosql.spi.security.SystemSecurityContext;
-
-import static io.prestosql.spi.security.PrincipalType.USER;
-import static io.prestosql.spi.security.Privilege.SELECT;
+import io.trino.spi.QueryId;
+import io.trino.spi.connector.*;
+import io.trino.spi.security.AccessDeniedException;
+import io.trino.spi.security.Identity;
+import io.trino.spi.security.TrinoPrincipal;
+import io.trino.spi.security.SystemSecurityContext;
+
+import static com.google.common.collect.ImmutableSet.toImmutableSet;
+import static io.trino.spi.security.PrincipalType.USER;
+import static io.trino.spi.security.Privilege.SELECT;
 import static org.junit.Assert.*;
-import io.prestosql.spi.security.ViewExpression;
-import io.prestosql.spi.type.VarcharType;
+import io.trino.spi.security.ViewExpression;
+import io.trino.spi.type.VarcharType;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import java.time.Instant;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
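Review bot: The new import block introduces a wildcard, `import io.trino.spi.connector.*;`, where the old side listed each SPI class, and the shim's RangerSystemAccessControl does the same with `import io.trino.spi.security.*;` and `import java.util.*;` in its first hunk later in this diff. Wildcards hide which SPI types the class actually depends on and can pull in newly added names with every Trino upgrade; every other file in this diff keeps explicit imports. I would expand them to the classes used, e.g. `import io.trino.spi.connector.CatalogSchemaName;` and the few others this test needs.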
@@ -74,16 +76,16 @@ public static void setUpBeforeClass() throws Exception {
 @SuppressWarnings("PMD")
 public void testCanSetUserOperations() {
 try {
- accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(alice, bob.getUser());
 throw new AssertionError("expected AccessDeniedExeption");
 } catch (AccessDeniedException expected) {
 }
- accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(admin, bob.getUser());
 try {
- accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(kerberosInvalidAlice, bob.getUser());
 throw new AssertionError("expected AccessDeniedExeption");
 } catch (AccessDeniedException expected) {
@@ -110,17 +112,17 @@ public void testSchemaOperations()
 assertEquals(accessControlManager.filterSchemas(context(alice), aliceCatalog, aliceSchemas), aliceSchemas);
 assertEquals(accessControlManager.filterSchemas(context(bob), "alice-catalog", aliceSchemas), ImmutableSet.of());
- accessControlManager.checkCanCreateSchema(context(alice), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(alice), aliceSchema, new HashMap());
 accessControlManager.checkCanDropSchema(context(alice), aliceSchema);
 accessControlManager.checkCanRenameSchema(context(alice), aliceSchema, "new-schema");
 accessControlManager.checkCanShowSchemas(context(alice), aliceCatalog);
 try {
- accessControlManager.checkCanCreateSchema(context(bob), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(bob), aliceSchema, new HashMap());
 } catch (AccessDeniedException expected) {
 }
- accessControlManager.checkCanSetSchemaAuthorization(context(alice), aliceSchema, new PrestoPrincipal(USER, "principal"));
+ accessControlManager.checkCanSetSchemaAuthorization(context(alice), aliceSchema, new TrinoPrincipal(USER, "principal"));
 accessControlManager.checkCanShowCreateSchema(context(alice), aliceSchema);
 }
@@ -132,7 +134,7 @@ public void testTableOperations()
 assertEquals(accessControlManager.filterTables(context(alice), aliceCatalog, aliceTables), aliceTables);
 assertEquals(accessControlManager.filterTables(context(bob), "alice-catalog", aliceTables), ImmutableSet.of());
- accessControlManager.checkCanCreateTable(context(alice), aliceTable);
+ accessControlManager.checkCanCreateTable(context(alice), aliceTable, ImmutableMap.of());
 accessControlManager.checkCanDropTable(context(alice), aliceTable);
 accessControlManager.checkCanSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
 accessControlManager.checkCanInsertIntoTable(context(alice), aliceTable);
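Review bot: The negative case `accessControlManager.checkCanCreateSchema(context(bob), aliceSchema, new HashMap());` sits in a `try { … } catch (AccessDeniedException expected) { }` with nothing after the call, so the test passes whether or not bob is denied; testCanSetUserOperations in this file shows the intended shape with `throw new AssertionError("expected AccessDeniedExeption");` inside the try. The same gap exists for `checkCanCreateTable(context(bob), aliceTable, ImmutableMap.of())` in the next hunk. The raw `new HashMap()` could also become `ImmutableMap.of()` to match the table hunk: `accessControlManager.checkCanCreateSchema(context(bob), aliceSchema, ImmutableMap.of()); throw new AssertionError("expected AccessDeniedException");`.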
@@ -141,7 +143,7 @@ public void testTableOperations()
 try {
- accessControlManager.checkCanCreateTable(context(bob), aliceTable);
+ accessControlManager.checkCanCreateTable(context(bob), aliceTable, ImmutableMap.of());
 } catch (AccessDeniedException expected) {
 }
 }
@@ -156,8 +158,8 @@ public void testViewOperations()
 accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
 accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceView, ImmutableSet.of());
 accessControlManager.checkCanSetCatalogSessionProperty(context(alice), aliceCatalog, "property");
- accessControlManager.checkCanGrantTablePrivilege(context(alice), SELECT, aliceTable, new PrestoPrincipal(USER, "grantee"), true);
- accessControlManager.checkCanRevokeTablePrivilege(context(alice), SELECT, aliceTable, new PrestoPrincipal(USER, "revokee"), true);
+ accessControlManager.checkCanGrantTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true);
+ accessControlManager.checkCanRevokeTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true);
 try {
 accessControlManager.checkCanCreateView(context(bob), aliceView);
@@ -169,27 +171,33 @@ public void testViewOperations()
 @SuppressWarnings("PMD")
 public void testMisc() {
- assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice), queryOwners), queryOwners);
+ assertEquals(
+ accessControlManager.filterViewQueryOwnedBy(
+ alice,
+ queryOwners.stream().map(Identity::ofUser).collect(toImmutableSet())),
+ queryOwners.stream().map(Identity::ofUser).collect(toImmutableSet())
+ );
 // check {type} / {col} replacement
 final VarcharType varcharType = VarcharType.createVarcharType(20);
 Optional ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType);
- assertNotNull(ret.get());
+ assertTrue(ret.isPresent());
 assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)");
 ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType);
 assertFalse(ret.isPresent());
- ret = accessControlManager.getRowFilter(context(alice), aliceTable);
- assertFalse(ret.isPresent());
+ List ret2 = accessControlManager.getRowFilters(context(alice), aliceTable);
+ assertTrue(ret2.isEmpty());
- accessControlManager.checkCanExecuteFunction(context(alice), functionName);
- accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new PrestoPrincipal(USER, "grantee"), true);
+ accessControlManager.canExecuteFunction(context(alice), aliceProcedure);
+// accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true);
 accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
 }
+ // TODO: Fix it
 private SystemSecurityContext context(Identity id) {
- return new SystemSecurityContext(id, Optional.empty());
+ return new SystemSecurityContext(id, QueryId.valueOf("dummy"), Instant.now());
 }
-}
\ No newline at end of file
+}
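Review bot: `accessControlManager.canExecuteFunction(context(alice), aliceProcedure);` discards the result, so if canExecuteFunction reports the decision as a boolean rather than by throwing — which the rename away from checkCanExecuteFunction suggests — the function-execute policy is no longer verified at all; `assertTrue(accessControlManager.canExecuteFunction(context(alice), aliceProcedure));` restores the check. The grant-execute-function assertion was commented out instead of ported, which silently drops coverage of that privilege path; either port it to the new SPI or remove the line and say why in a comment. The `// TODO: Fix it` above context(), whose body now hard-codes `QueryId.valueOf("dummy")`, should state what is wrong with the placeholder so it does not outlive the rename unexplained.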
diff --git a/plugin-presto/src/test/resources/log4j.properties b/plugin-trino/src/test/resources/log4j.properties similarity index 100% rename from plugin-presto/src/test/resources/log4j.properties rename to plugin-trino/src/test/resources/log4j.properties diff --git a/plugin-presto/src/test/resources/ranger-presto-security.xml b/plugin-trino/src/test/resources/ranger-trino-security.xml similarity index 81% rename from plugin-presto/src/test/resources/ranger-presto-security.xml rename to plugin-trino/src/test/resources/ranger-trino-security.xml index 8a1923d4d2..ecc467b32b 100644 --- a/plugin-presto/src/test/resources/ranger-presto-security.xml +++ b/plugin-trino/src/test/resources/ranger-trino-security.xml @@ -18,23 +18,23 @@ - ranger.plugin.presto.service.name - cl1_presto + ranger.plugin.trino.service.name + cl1_trino Name of the Ranger service containing policies for this SampleApp instance - ranger.plugin.presto.policy.source.impl - org.apache.ranger.authorization.presto.authorizer.RangerAdminClientImpl + ranger.plugin.trino.policy.source.impl + org.apache.ranger.authorization.trino.authorizer.RangerAdminClientImpl Policy source. - ranger.plugin.presto.policy.pollIntervalMs + ranger.plugin.trino.policy.pollIntervalMs 30000 How often to poll for changes in policies? @@ -42,7 +42,7 @@ - ranger.plugin.presto.policy.cache.dir + ranger.plugin.trino.policy.cache.dir ${project.build.directory} Directory where Ranger policies are cached after successful retrieval from the source diff --git a/plugin-presto/src/test/resources/presto-policies.json b/plugin-trino/src/test/resources/trino-policies.json similarity index 94% rename from plugin-presto/src/test/resources/presto-policies.json rename to plugin-trino/src/test/resources/trino-policies.json index 6dbaabb1ca..3e42c2ab7c 100644 --- a/plugin-presto/src/test/resources/presto-policies.json +++ b/plugin-trino/src/test/resources/trino-policies.json 
@@ -1,17 +1,17 @@ { - "serviceName": "cl1_presto", + "serviceName": "cl1_trino", "serviceId": 16, "policyUpdateTime": "20180304-09:49:38.000-+0000", "policies": [ { - "service": "cl1_presto", + "service": "cl1_trino", "name": "checkCanImpersonateUser", "policyType": 0, "policyPriority": 0, "description": "", "isAuditEnabled": true, "resources": { - "prestouser": { + "trinouser": { "values": [ "bob" ], @@ -41,7 +41,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -53,7 +53,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "checkFunction", "policyType": 0, "policyPriority": 0, @@ -94,7 +94,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -106,7 +106,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-schema", "policyType": 0, "policyPriority": 0, @@ -174,7 +174,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -186,7 +186,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-catalog", "policyType": 0, "policyPriority": 0, @@ -247,7 +247,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -259,7 +259,7 @@ "version": 2 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-table", "policyType": 0, "policyPriority": 0, 
@@ -335,7 +335,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -347,7 +347,7 @@ "version": 2 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-procedure", "policyType": 0, "policyPriority": 0, @@ -398,7 +398,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -410,7 +410,7 @@ "version": 2 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-view", "policyType": 0, "policyPriority": 0, @@ -465,7 +465,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -477,7 +477,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "alice-session-property", "policyType": 0, "policyPriority": 0, @@ -525,7 +525,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -537,7 +537,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "open-to-all", "policyType": 0, "policyPriority": 0, @@ -575,7 +575,7 @@ "denyExceptions": [], "dataMaskPolicyItems": [], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -587,7 +587,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "test-mask", "policyType": 1, "policyPriority": 0, @@ -648,7 +648,7 @@ } ], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], 
@@ -660,7 +660,7 @@ "version": 1 }, { - "service": "cl1_presto", + "service": "cl1_trino", "name": "test-mask-cast", "policyType": 1, "policyPriority": 0, @@ -722,7 +722,7 @@ } ], "rowFilterPolicyItems": [], - "serviceType": "presto", + "serviceType": "trino", "options": {}, "validitySchedules": [], "policyLabels": [], @@ -741,11 +741,11 @@ "queryTimeMS": 1585212824007, "serviceDef": { "id": 17, - "name": "presto", - "displayName": "presto", - "implClass": "org.apache.ranger.services.presto.RangerServicePresto", - "label": "Presto", - "description": "Presto", + "name": "trino", + "displayName": "trino", + "implClass": "org.apache.ranger.services.trino.RangerServiceTrino", + "label": "Trino", + "description": "Trino", "guid": "379a9fe5-1b6e-4091-a584-4890e245e6c1", "resources": [ { @@ -767,8 +767,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Catalog", - "description": "Presto Catalog" + "label": "Trino Catalog", + "description": "Trino Catalog" }, { "itemId": 2, @@ -789,8 +789,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Schema", - "description": "Presto Schema" + "label": "Trino Schema", + "description": "Trino Schema" }, { "itemId": 3, @@ -811,8 +811,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Table", - "description": "Presto Table" + "label": "Trino Table", + "description": "Trino Table" }, { "itemId": 4, @@ -832,12 +832,12 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Column", - "description": "Presto Column" + "label": "Trino Column", + "description": "Trino Column" }, { "itemId": 5, - "name": "prestouser", + "name": "trinouser", "type": "string", "level": 10, "parent": "", 
@@ -853,8 +853,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto User", - "description": "Presto User", + "label": "Trino User", + "description": "Trino User", "accessTypeRestrictions": ["impersonate"] }, { @@ -876,7 +876,7 @@ "validationMessage": "", "uiHint": "", "label": "System Property", - "description": "Presto System Property", + "description": "Trino System Property", "accessTypeRestrictions": ["alter"] }, { @@ -898,7 +898,7 @@ "validationMessage": "", "uiHint": "", "label": "Catalog Session Property", - "description": "Presto Catalog Session Property", + "description": "Trino Catalog Session Property", "accessTypeRestrictions": ["alter"] }, { @@ -919,8 +919,8 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "label": "Presto Function", - "description": "Presto Function", + "label": "Trino Function", + "description": "Trino Function", "accessTypeRestrictions": ["execute", "grant"] }, { @@ -1056,7 +1056,7 @@ "validationRegEx": "", "validationMessage": "", "uiHint": "", - "defaultValue": "io.prestosql.jdbc.PrestoDriver" + "defaultValue": "io.trino.jdbc.TrinoDriver" }, { "itemId": 4, diff --git a/pom.xml b/pom.xml index cba952bc78..987e1435b5 100644 --- a/pom.xml +++ b/pom.xml @@ -154,7 +154,7 @@ 2.4.0 1.0.0 1.2.0 - 2.6.4 + 2.6.6 1.10 ${project.basedir}/../lib/local 1.2.17 @@ -169,7 +169,7 @@ 0.8 r239 2.3 - 333 + 455 4.1.2 UTF-8 2.5.0 @@ -178,8 +178,8 @@ 1.0.4 hadoop-security/plugins 2.5 - 1.7.25 - 7.7.1 + 1.7.32 + 8.8.2 2.3.3.RELEASE 4.2.17.RELEASE 4.3.27.RELEASE @@ -193,11 +193,11 @@ 3.4.14 3.1.4 5.0.3 - 2.10.3 - 2.10.3 - 0.0.2 - 5.2.0 - 5.2.0 + 2.14.0 + 2.14.0 + 1.0.0 + 5.7.0 + 5.7.0 0.192 2.0.0 @@ -206,6 +206,14 @@ 2.0.1.Final 1.1 + + 208 + 2.0.0 + 4.2.2 + 26.0-jre + 2.0.1.Final + 1.1 + 1.22.0 1.2.1 @@ -220,7 +228,7 @@ 8.4.0 0.8.0 2.10.6 - 2.11.1 + 2.17.1 
@@ -238,20 +246,9 @@ credentialbuilder embeddedwebserver kms - hbase-agent - hdfs-agent hive-agent - knox-agent - storm-agent - plugin-yarn - plugin-ozone security-admin - plugin-kafka - plugin-solr - plugin-nifi - plugin-nifi-registry - plugin-presto - plugin-kudu + plugin-trino ugsync ugsync/ldapconfigchecktool/ldapconfigcheck unixauthclient @@ -259,29 +256,12 @@ ranger-util plugin-kms tagsync - ranger-hdfs-plugin-shim ranger-plugin-classloader ranger-hive-plugin-shim - ranger-hbase-plugin-shim - ranger-knox-plugin-shim - ranger-yarn-plugin-shim - ranger-ozone-plugin-shim - ranger-storm-plugin-shim - ranger-kafka-plugin-shim - ranger-solr-plugin-shim - ranger-atlas-plugin-shim ranger-kms-plugin-shim - ranger-presto-plugin-shim + ranger-trino-plugin-shim ranger-examples ranger-tools - plugin-atlas - plugin-schema-registry - plugin-sqoop - ranger-sqoop-plugin-shim - plugin-kylin - ranger-kylin-plugin-shim - plugin-elasticsearch - ranger-elasticsearch-plugin-shim 4.0.0 - ranger-presto-plugin-shim - Presto Security Plugin Shim - Presto Security Plugin Shim + ranger-trino-plugin-shim + Trino Security Plugin Shim + Trino Security Plugin Shim jar UTF-8 @@ -37,9 +37,9 @@ ${project.version} - io.prestosql - presto-spi - ${presto.version} + io.trino + trino-spi + ${trino.version} org.apache.ranger @@ -49,44 +49,44 @@ io.airlift bootstrap - ${presto.airlift.version} + ${trino.airlift.version} io.airlift log - ${presto.airlift.version} + ${trino.airlift.version} io.airlift configuration - ${presto.airlift.version} + ${trino.airlift.version} com.google.guava guava - ${presto.guava.version} + ${trino.guava.version} com.google.inject guice - ${presto.guice.version} + ${trino.guice.version} javax.validation validation-api - ${presto.validation-api.version} + ${trino.validation-api.version} org.apache.bval bval-jsr - ${presto.bval-jsr.version} + ${trino.bval-jsr.version} 
diff --git a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
similarity index 95%
rename from ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java
rename to ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
index e0ab0f3ee8..8fc6d5c1b6 100644
--- a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerConfig.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
@@ -16,7 +16,7 @@
 * specific language governing permissions and limitations
 * under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
+package org.apache.ranger.authorization.trino.authorizer;
 import io.airlift.configuration.Config;
 import io.airlift.configuration.ConfigDescription;
@@ -50,7 +50,7 @@ public RangerConfig setPrincipal(String principal) {
 public boolean isUseUgi() { return useUgi; }
 @Config("ranger.use_ugi")
- @ConfigDescription("Use Hadoop User Group Information instead of Presto groups")
+ @ConfigDescription("Use Hadoop User Group Information instead of Trino groups")
 @SuppressWarnings("unused")
 public RangerConfig setUseUgi(boolean useUgi) {
 this.useUgi = useUgi;
@@ -58,7 +58,7 @@ public RangerConfig setUseUgi(boolean useUgi) {
 }
 @Config("ranger.hadoop_config")
- @ConfigDescription("Path to hadoop configuration. Defaults to presto-ranger-site.xml in classpath")
+ @ConfigDescription("Path to hadoop configuration. Defaults to trino-ranger-site.xml in classpath")
 @SuppressWarnings("unused")
 public RangerConfig setHadoopConfigPath(String hadoopConfigPath) {
 this.hadoopConfigPath = hadoopConfigPath;
diff --git a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
similarity index 60%
rename from ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
rename to ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
index 40638701f8..b68ed567e7 100644
--- a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -11,33 +11,28 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
-
-import io.prestosql.spi.connector.CatalogSchemaName;
-import io.prestosql.spi.connector.CatalogSchemaRoutineName;
-import io.prestosql.spi.connector.CatalogSchemaTableName;
-import io.prestosql.spi.connector.ColumnMetadata;
-import io.prestosql.spi.connector.SchemaTableName;
-import io.prestosql.spi.security.PrestoPrincipal;
-import io.prestosql.spi.security.Privilege;
-import io.prestosql.spi.security.SystemAccessControl;
-import io.prestosql.spi.security.SystemSecurityContext;
-import io.prestosql.spi.security.ViewExpression;
-import io.prestosql.spi.type.Type;
+package org.apache.ranger.authorization.trino.authorizer;
+
+import io.trino.spi.connector.CatalogSchemaName;
+import io.trino.spi.connector.CatalogSchemaRoutineName;
+import io.trino.spi.connector.CatalogSchemaTableName;
+import io.trino.spi.connector.ColumnSchema;
+import io.trino.spi.connector.EntityKindAndName;
+import io.trino.spi.connector.EntityPrivilege;
+import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.QueryId;
+import io.trino.spi.security.*;
+import io.trino.spi.type.Type;
 import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
 import javax.inject.Inject;
 import java.security.Principal;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
+import java.util.*;
 public class RangerSystemAccessControl implements SystemAccessControl {
- private static final String RANGER_PLUGIN_TYPE = "presto";
- private static final String RANGER_PRESTO_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.presto.authorizer.RangerSystemAccessControl";
+ private static final String RANGER_PLUGIN_TYPE = "trino";
+ private static final String RANGER_TRINO_AUTHORIZER_IMPL_CLASSNAME =
"org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl";
 final private RangerPluginClassLoader rangerPluginClassLoader;
 final private SystemAccessControl systemAccessControlImpl;
@@ -48,7 +43,7 @@ public RangerSystemAccessControl(RangerConfig config) {
 rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
 @SuppressWarnings("unchecked")
- Class cls = (Class) Class.forName(RANGER_PRESTO_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+ Class cls = (Class) Class.forName(RANGER_TRINO_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
 activatePluginClassLoader();
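Review bot: `import io.trino.spi.security.*;` and `import java.util.*;` replace the explicit imports this file previously carried, which hides exactly which SPI types the shim depends on and turns any future same-named addition to either package into a compile-time ambiguity. The sibling shim classes in this commit (`RangerSystemAccessControlFactory`, `TrinoRangerPlugin`) still import explicitly; listing `Identity`, `Privilege`, `SystemAccessControl`, `SystemSecurityContext`, `TrinoPrincipal`, `ViewExpression` and the `Collection`/`List`/`Map`/`Optional`/`Set` types individually keeps that convention. The raw `Class cls = (Class) Class.forName(...)` in the second hunk is unchanged apart from the constant name, so the unchecked cast it suppresses is pre-existing rather than introduced here.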
@@ -72,21 +67,54 @@ public RangerSystemAccessControl(RangerConfig config) {
 }
 }
+ @Deprecated
 @Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName);
+ systemAccessControlImpl.checkCanSetSystemSessionProperty(identity, propertyName);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
+ public void checkCanSetSystemSessionProperty(Identity identity, QueryId queryId, String propertyName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanAccessCatalog(context, catalogName);
+ systemAccessControlImpl.checkCanSetSystemSessionProperty(identity, queryId, propertyName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
+ try {
+ activatePluginClassLoader();
+ return systemAccessControlImpl.canAccessCatalog(context, catalogName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanCreateCatalog(SystemSecurityContext context, String catalog)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateCatalog(context, catalog);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDropCatalog(SystemSecurityContext context, String catalog)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropCatalog(context, catalog);
 } finally {
 deactivatePluginClassLoader();
 }
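Review bot: `checkCanCreateCatalog` and `checkCanDropCatalog` put the opening brace on its own line, while every other method in this file, including the `checkCanSetSystemSessionProperty` and `canAccessCatalog` overrides added directly above them, uses `) {` on the signature line; the same Allman braces recur in `checkCanGrantEntityPrivilege`, `checkCanDenyEntityPrivilege`, `checkCanRevokeEntityPrivilege` and `checkCanShowFunctions` further down, and `checkCanSetViewComment(... view){` drops the space before the brace. Please make these `public void checkCanCreateCatalog(SystemSecurityContext context, String catalog) {` so the shim reads as one style. Naming is also mixed: these two take `catalog` where `canAccessCatalog` beside them takes `catalogName`.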
@@ -105,10 +133,10 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat
 }
 @Override
- public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanCreateSchema(context, schema);
+ systemAccessControlImpl.checkCanCreateSchema(context, schema, properties);
 } finally {
 deactivatePluginClassLoader();
 }
@@ -157,10 +185,10 @@ public Set filterSchemas(SystemSecurityContext context, String catalogNa
 }
 @Override
- public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map properties) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanCreateTable(context, table);
+ systemAccessControlImpl.checkCanCreateTable(context, table, properties);
 } finally {
 deactivatePluginClassLoader();
 }
@@ -228,6 +256,36 @@ public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTab
 }
 }
+ @Override
+ public void checkCanAlterColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanAlterColumn(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetColumnComment(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanUpdateTableColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set updatedColumnNames) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanUpdateTableColumns(context, table, updatedColumnNames);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
 @Override
 public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns) {
 try {
@@ -238,6 +296,28 @@ public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSche
 }
 }
+ @Override
+ public void checkCanSetTableProperties(
+ SystemSecurityContext context, CatalogSchemaTableName table, Map> properties
+ ) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetTableProperties(context, table, properties);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetViewComment(SystemSecurityContext context, CatalogSchemaTableName view){
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetViewComment(context, view);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
 @Override
 public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
 try {
@@ -258,6 +338,16 @@ public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchema
 }
 }
+ @Override
+ public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanTruncateTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
 @Override
 public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
 try {
@@ -299,41 +389,52 @@ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, Str
 }
 @Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanImpersonateUser(identity, userName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Deprecated
+ @Override
+ public void checkCanExecuteQuery(Identity identity) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanImpersonateUser(context, userName);
+ systemAccessControlImpl.checkCanExecuteQuery(identity);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanExecuteQuery(SystemSecurityContext context) {
+ public void checkCanExecuteQuery(Identity identity, QueryId queryId) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteQuery(context);
+ systemAccessControlImpl.checkCanExecuteQuery(identity, queryId);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner);
+ systemAccessControlImpl.checkCanViewQueryOwnedBy(identity, queryOwner);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) {
- Set filteredQueryOwners;
+ public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) {
+ Collection filteredQueryOwners;
 try {
 activatePluginClassLoader();
- filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners);
+ filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(identity, queryOwners);
 } finally {
deactivatePluginClassLoader(); } @@ -341,10 +442,30 @@ public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, List columns) { - List filteredColumns; + public Set filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set columns) { + Set filteredColumns; try { activatePluginClassLoader(); filteredColumns = systemAccessControlImpl.filterColumns(context, table, columns); @@ -413,7 +534,7 @@ public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTable } @Override - public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) { + public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean withGrantOption) { try { activatePluginClassLoader(); systemAccessControlImpl.checkCanGrantTablePrivilege(context, privilege, table, grantee, withGrantOption); @@ -423,7 +544,7 @@ public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege } @Override - public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) { + public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOptionFor) { try { activatePluginClassLoader(); systemAccessControlImpl.checkCanRevokeTablePrivilege(context, privilege, table, revokee, grantOptionFor); 
@@ -433,21 +554,44 @@ public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privileg
 }
 @Override
- public void checkCanShowRoles(SystemSecurityContext context, String catalogName) {
+ public void checkCanGrantEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee, boolean grantOption)
+ {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanShowRoles(context, catalogName);
+ systemAccessControlImpl.checkCanGrantEntityPrivilege(context, privilege, entity, grantee, grantOption);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
- Optional viewExpression;
+ public void checkCanDenyEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal grantee)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDenyEntityPrivilege(context, privilege, entity, grantee);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanRevokeEntityPrivilege(SystemSecurityContext context, EntityPrivilege privilege, EntityKindAndName entity, TrinoPrincipal revokee, boolean grantOption)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRevokeEntityPrivilege(context, privilege, entity, revokee, grantOption);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) {
+ List viewExpression;
 try {
 activatePluginClassLoader();
- viewExpression = systemAccessControlImpl.getRowFilter(context, tableName);
+ viewExpression = systemAccessControlImpl.getRowFilters(context, tableName);
 } finally {
 deactivatePluginClassLoader();
 }
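Review bot: The `checkCanShowRoles(SystemSecurityContext, String)` override is dropped here without a replacement, so SHOW ROLES requests are no longer forwarded to the Ranger plugin and are decided by whatever the Trino SPI's default implementation does; if the removal is because the SPI signature changed, the new signature should be overridden so that decision keeps going through Ranger, and if the SPI default happens to be permissive this is a policy gap worth confirming before merge. Separately, `getRowFilters` now returns a `List` but keeps the singular local `viewExpression`; `List viewExpressions;` reads correctly for a collection. The method body continues past the hunk.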
@@ -467,27 +611,29 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
 }
 @Override
- public void checkCanSetUser(Optional principal, String userName) {
+ public Map getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, List columns) {
+ Map colMasks;
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanSetUser(principal, userName);
+ colMasks = systemAccessControlImpl.getColumnMasks(context, tableName, columns);
 } finally {
 deactivatePluginClassLoader();
 }
+ return colMasks;
 }
 @Override
- public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, PrestoPrincipal grantee, boolean grantOption) {
+ public void checkCanSetUser(Optional principal, String userName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption);
+ systemAccessControlImpl.checkCanSetUser(principal, userName);
 } finally {
 deactivatePluginClassLoader();
 }
 }
 @Override
- public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, PrestoPrincipal principal) {
+ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) {
 try {
 activatePluginClassLoader();
 systemAccessControlImpl.checkCanSetSchemaAuthorization(context, schema, principal);
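Review bot: `getColumnMasks` is added while the single-column `getColumnMask` remains in the file (it is the context line on this hunk header), giving the engine two entry points for column masking; which one the targeted Trino version calls is not visible here, and if the plugin-side implementations behind the two ever diverge a mask may be applied on one path and not the other. Please document in a comment which variant the targeted SPI version invokes, or have one derive from the other on the plugin side so there is a single source of truth. The `checkCanGrantExecuteFunctionPrivilege` override is also removed here — presumably because the SPI no longer declares it, but if it still does, its default now applies instead of Ranger policy. `getColumnMask`'s body lies outside the hunk.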
@@ -517,10 +663,42 @@ public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext
 }
 @Override
- public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
+ public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName table, String procedure) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteTableProcedure(systemSecurityContext, table, procedure);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public boolean canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
+ try {
+ activatePluginClassLoader();
+ return systemAccessControlImpl.canExecuteFunction(systemSecurityContext, functionName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowFunctions(SystemSecurityContext systemSecurityContext, CatalogSchemaName schema)
+ {
+ // TODO: Override `filterFunctions` for filtering functions for unauthorized users. Check function comments in `super.checkCanShowFunctions`.
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowFunctions(systemSecurityContext, schema);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateFunction(SystemSecurityContext context, CatalogSchemaRoutineName functionName) {
 try {
 activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName);
+ systemAccessControlImpl.checkCanShowCreateFunction(context, functionName);
 } finally {
 deactivatePluginClassLoader();
 }
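Review bot: The TODO inside `checkCanShowFunctions` points at `super.checkCanShowFunctions`, but this class only implements the `SystemAccessControl` interface and has no superclass, so the default it refers to is reachable as `SystemAccessControl.super.checkCanShowFunctions(...)`. More importantly, the TODO records that `filterFunctions` is not overridden, which means the list of functions a user sees is decided by the SPI default rather than by Ranger policy; whether that default hides everything or shows everything should be verified against the targeted Trino version, and the gap is best closed by adding a `filterFunctions` override that follows the same activate/delegate/deactivate pattern `filterColumns` uses. I would also move the comment above the `@Override` and reword it to `// TODO: override filterFunctions so function listing is filtered by Ranger; see the default in SystemAccessControl.`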
diff --git a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java
similarity index 91%
rename from ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java
rename to ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java
index e446ada030..2d694ac17a 100644
--- a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlFactory.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java
@@ -11,13 +11,13 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
+package org.apache.ranger.authorization.trino.authorizer;
 import com.google.inject.Injector;
 import com.google.inject.Scopes;
 import io.airlift.bootstrap.Bootstrap;
-import io.prestosql.spi.security.SystemAccessControl;
-import io.prestosql.spi.security.SystemAccessControlFactory;
+import io.trino.spi.security.SystemAccessControl;
+import io.trino.spi.security.SystemAccessControlFactory;
 import java.util.Map;
diff --git a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java
similarity index 83%
rename from ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java
rename to ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java
index fe707726d0..aa6ce8620d 100644
--- a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/PrestoRangerPlugin.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java
@@ -11,14 +11,14 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.apache.ranger.authorization.presto.authorizer;
+package org.apache.ranger.authorization.trino.authorizer;
-import io.prestosql.spi.Plugin;
-import io.prestosql.spi.security.SystemAccessControlFactory;
+import io.trino.spi.Plugin;
+import io.trino.spi.security.SystemAccessControlFactory;
 import java.util.ArrayList;
-public class PrestoRangerPlugin
+public class TrinoRangerPlugin
 implements Plugin
 {
 @Override
diff --git a/ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin b/ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin
similarity index 83%
rename from ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin
rename to ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin
index ff40776aa3..484788f67a 100644
--- a/ranger-presto-plugin-shim/src/main/resources/META-INF/services/io.prestosql.spi.Plugin
+++ b/ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin
@@ -9,7 +9,7 @@ # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either extrinoss or implied. # See the License for the specific language governing permissions and # limitations under the License. -org.apache.ranger.authorization.presto.authorizer.PrestoRangerPlugin +org.apache.ranger.authorization.trino.authorizer.TrinoRangerPlugin diff --git a/security-admin/pom.xml b/security-admin/pom.xml index 66891ccf2f..1e9354f22e 100644 --- a/security-admin/pom.xml +++ b/security-admin/pom.xml @@ -602,7 +602,7 @@ org.apache.maven.plugins maven-war-plugin - 2.6 + 3.3.2 prepare @@ -664,27 +664,28 @@ - - com.webcohesion.enunciate - enunciate-maven-plugin - - ${basedir}/../enunciate.xml - ${basedir}/../docs/target/ - - - - - javax.xml.bind - jaxb-api - ${jaxb.api.version} - - - javax.jws - javax.jws-api - 1.1 - - - + + com.webcohesion.enunciate + enunciate-maven-plugin + 2.15.1 + + ${basedir}/../enunciate.xml + ${basedir}/../docs/target/ + + + + + javax.xml.bind + jaxb-api + ${jaxb.api.version} + + + javax.jws + javax.jws-api + 1.1 + + + maven-resources-plugin 2.7 @@ -732,7 +733,7 @@ com.github.eirslett frontend-maven-plugin - 1.6 + 1.12.1 ${project.build.directory} ${project.build.directory} diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10038.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoToSupportTrino333_J10038.java similarity index 69% rename from security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10038.java rename to security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoToSupportTrino333_J10038.java index 1dd4272d12..e3b177c7a0 100644 
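Review bot: The new header line in the `io.trino.spi.Plugin` service file reads `either extrinoss or implied`; this appears to be a blanket `pres` → `trino` substitution that corrupted the word `express` inside the Apache license text. Restore it to `# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.` — the license wording should stay verbatim, and the only intended change in this file is the `TrinoRangerPlugin` service entry. It is worth searching the rest of the commit for the same substitution landing inside other words.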
--- a/security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10038.java
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForTrinoToSupportTrino333_J10038.java
@@ -41,13 +41,13 @@ import java.util.List;
 @Component
-public class PatchForPrestoToSupportPresto333_J10038 extends BaseLoader {
- private static final Logger logger = Logger.getLogger(PatchForPrestoToSupportPresto333_J10038.class);
+public class PatchForTrinoToSupportTrino333_J10038 extends BaseLoader {
+ private static final Logger logger = Logger.getLogger(PatchForTrinoToSupportTrino333_J10038.class);
- private static final List PRESTO_RESOURCES = new ArrayList<>(
- Arrays.asList("function", "procedure", "prestouser", "systemproperty", "sessionproperty"));
+ private static final List TRINO_RESOURCES = new ArrayList<>(
+ Arrays.asList("function", "procedure", "trinouser", "systemproperty", "sessionproperty"));
- private static final List PRESTO_ACCESS_TYPES = new ArrayList<>(
+ private static final List TRINO_ACCESS_TYPES = new ArrayList<>(
 Arrays.asList("grant", "revoke", "show", "impersonate", "execute", "delete"));
 @Autowired
@@ -77,8 +77,8 @@ public class PatchForPrestoToSupportPresto333_J10038 extends BaseLoader {
 public static void main(String[] args) {
 logger.info("main()");
 try {
- PatchForPrestoToSupportPresto333_J10038 loader = (PatchForPrestoToSupportPresto333_J10038) CLIUtil
- .getBean(PatchForPrestoToSupportPresto333_J10038.class);
+ PatchForTrinoToSupportTrino333_J10038 loader = (PatchForTrinoToSupportTrino333_J10038) CLIUtil
+ .getBean(PatchForTrinoToSupportTrino333_J10038.class);
 loader.init();
 while (loader.isMoreToProcess()) {
 loader.load();
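Review bot: `TRINO_RESOURCES` and `TRINO_ACCESS_TYPES` are `static final` constants backed by `new ArrayList<>(Arrays.asList(...))`, so the lists themselves are mutable and can be altered by any code holding a reference; `Collections.unmodifiableList(Arrays.asList(...))` gives the read-only contract the constants imply and stays Java 8 compatible (a `java.util.Collections` import would be needed). The rename `prestouser` → `trinouser` also has to match the resource name declared in the embedded Trino service-def, which is not part of this diff; `checkResourcePresent` compares against these strings, so a mismatch would silently leave that resource out of the patched definition rather than fail. The class body and `main` continue outside these hunks.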
@@ -98,54 +98,54 @@ public void init() throws Exception { @Override public void execLoad() { - logger.info("==> PatchForPrestoToSupportPresto333.execLoad()"); + logger.info("==> PatchForTrinoToSupportTrino333.execLoad()"); try { - addPresto333Support(); + addTrino333Support(); } catch (Exception e) { throw new RuntimeException( - "Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME + " service-def"); + "Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TRINO_NAME + " service-def"); } - logger.info("<== PatchForPrestoToSupportPresto333.execLoad()"); + logger.info("<== PatchForTrinoToSupportTrino333.execLoad()"); } @Override public void printStats() { - logger.info("PatchForPrestoToSupportPresto333 Logs"); + logger.info("PatchForTrinoToSupportTrino333 Logs"); } - private void addPresto333Support() throws Exception { + private void addTrino333Support() throws Exception { RangerServiceDef ret = null; - RangerServiceDef embeddedPrestoServiceDef = null; + RangerServiceDef embeddedTrinoServiceDef = null; XXServiceDef xXServiceDefObj = null; - RangerServiceDef dbPrestoServiceDef = null; - List embeddedPrestoResourceDefs = null; - List embeddedPrestoAccessTypes = null; + RangerServiceDef dbTrinoServiceDef = null; + List embeddedTrinoResourceDefs = null; + List embeddedTrinoAccessTypes = null; - embeddedPrestoServiceDef = EmbeddedServiceDefsUtil.instance() - .getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME); + embeddedTrinoServiceDef = EmbeddedServiceDefsUtil.instance() + .getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TRINO_NAME); - if (embeddedPrestoServiceDef != null) { + if (embeddedTrinoServiceDef != null) { xXServiceDefObj = daoMgr.getXXServiceDef() - .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME); + .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TRINO_NAME); if (xXServiceDefObj == null) { logger.info(xXServiceDefObj + ": service-def not 
found. No patching is needed"); return; } - dbPrestoServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME); + dbTrinoServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_TRINO_NAME); - embeddedPrestoResourceDefs = embeddedPrestoServiceDef.getResources(); - embeddedPrestoAccessTypes = embeddedPrestoServiceDef.getAccessTypes(); - if (checkResourcePresent(PRESTO_RESOURCES, embeddedPrestoResourceDefs)) { - dbPrestoServiceDef.setResources(embeddedPrestoResourceDefs); - if (checkAccessPresent(PRESTO_ACCESS_TYPES, embeddedPrestoAccessTypes)) { - dbPrestoServiceDef.setAccessTypes(embeddedPrestoAccessTypes); + embeddedTrinoResourceDefs = embeddedTrinoServiceDef.getResources(); + embeddedTrinoAccessTypes = embeddedTrinoServiceDef.getAccessTypes(); + if (checkResourcePresent(TRINO_RESOURCES, embeddedTrinoResourceDefs)) { + dbTrinoServiceDef.setResources(embeddedTrinoResourceDefs); + if (checkAccessPresent(TRINO_ACCESS_TYPES, embeddedTrinoAccessTypes)) { + dbTrinoServiceDef.setAccessTypes(embeddedTrinoAccessTypes); } } RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore); - validator.validate(dbPrestoServiceDef, RangerValidator.Action.UPDATE); - ret = svcStore.updateServiceDef(dbPrestoServiceDef); + validator.validate(dbTrinoServiceDef, RangerValidator.Action.UPDATE); + ret = svcStore.updateServiceDef(dbTrinoServiceDef); if (ret == null) { logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def");