diff --git a/agents-common/pom.xml b/agents-common/pom.xml
index 12e093f789..08eec3f1e3 100644
--- a/agents-common/pom.xml
+++ b/agents-common/pom.xml
@@ -123,6 +123,11 @@
ranger-plugins-audit
${project.version}
+
+ org.openjdk.nashorn
+ nashorn-core
+ 15.4
+
net.java.dev.jna
jna
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java
index db620df92b..27c936fd95 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/NashornScriptEngineCreator.java
@@ -23,8 +23,8 @@
import org.slf4j.LoggerFactory;
import javax.script.ScriptEngine;
-import jdk.nashorn.api.scripting.ClassFilter;
-import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+import org.openjdk.nashorn.api.scripting.ClassFilter;
+import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;
public class NashornScriptEngineCreator implements ScriptEngineCreator {
private static final Logger LOG = LoggerFactory.getLogger(NashornScriptEngineCreator.class);
diff --git a/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java b/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
index 77767767c7..34a5cfac34 100644
--- a/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
+++ b/plugin-nestedstructure/src/main/java/org/apache/ranger/authorization/nestedstructure/authorizer/RecordFilterJavaScript.java
@@ -20,8 +20,8 @@
package org.apache.ranger.authorization.nestedstructure.authorizer;
-import jdk.nashorn.api.scripting.ClassFilter;
-import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+import org.openjdk.nashorn.api.scripting.ClassFilter;
+import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
index c440bf394b..df059c0375 100644
--- a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
+++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -23,6 +23,7 @@
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
import io.trino.spi.security.AccessDeniedException;
+import io.trino.spi.security.Identity;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
@@ -49,6 +50,7 @@
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
+import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
@@ -59,7 +61,7 @@
import static java.util.Locale.ENGLISH;
public class RangerSystemAccessControl
- implements SystemAccessControl {
+ implements SystemAccessControl {
private static Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class);
final public static String RANGER_CONFIG_KEYTAB = "ranger.keytab";
@@ -158,7 +160,6 @@ private boolean isRowFilterEnabled(RangerAccessResult result) {
return result != null && result.isRowFilterEnabled();
}
- @Override
public Optional getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT);
RangerAccessResult result = getRowFilterResult(request);
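Review bot: With `@Override` removed, `getRowFilter` is no longer an SPI entry point and is only reachable if something inside this class calls it, which this hunk does not show; the `getRowFilters` header visible in the next hunk suggests that may be the caller. If so, narrowing it to `private`, or adding `/** Not part of the SystemAccessControl SPI in this Trino version; helper for getRowFilters. */`, would make it clear that Trino never invokes it directly and that the row-filter decision is only exercised through `getRowFilters`. The body of getRowFilter continues past the end of the hunk.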
@@ -166,12 +167,12 @@ public Optional getRowFilter(SystemSecurityContext context, Cata
ViewExpression viewExpression = null;
if (isRowFilterEnabled(result)) {
String filter = result.getFilterExpr();
- viewExpression = new ViewExpression(
- context.getIdentity().getUser(),
- Optional.of(tableName.getCatalogName()),
- Optional.of(tableName.getSchemaTableName().getSchemaName()),
- filter
- );
+ viewExpression = ViewExpression.builder()
+ .identity(context.getIdentity().getUser())
+ .catalog(tableName.getCatalogName())
+ .schema(tableName.getSchemaTableName().getSchemaName())
+ .expression(filter)
+ .build();
}
return Optional.ofNullable(viewExpression);
}
@@ -184,9 +185,9 @@ public List getRowFilters(SystemSecurityContext context, Catalog
@Override
public Optional getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
RangerTrinoAccessRequest request = createAccessRequest(
- createResource(tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(),
- tableName.getSchemaTableName().getTableName(), Optional.of(columnName)),
- context, TrinoAccessType.SELECT);
+ createResource(tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(),
+ tableName.getSchemaTableName().getTableName(), Optional.of(columnName)),
+ context, TrinoAccessType.SELECT);
RangerAccessResult result = getDataMaskResult(request);
ViewExpression viewExpression = null;
@@ -215,12 +216,13 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName());
}
- viewExpression = new ViewExpression(
- context.getIdentity().getUser(),
- Optional.of(tableName.getCatalogName()),
- Optional.of(tableName.getSchemaTableName().getSchemaName()),
- transformer
- );
+ viewExpression = ViewExpression.builder()
+ .identity(context.getIdentity().getUser())
+ .catalog(tableName.getCatalogName())
+ .schema(tableName.getSchemaTableName().getSchemaName())
+ .expression(transformer)
+ .build();
+
if (LOG.isDebugEnabled()) {
LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");
}
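Review bot: The debug statement directly below the new builder call, `LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");`, is a format string with no arguments and uses `%s` where SLF4J expects `{}`, so it logs the placeholders literally and never records which mask was applied. Since the hunk already rewrites this block it is a natural place to fix it: `LOG.debug("getColumnMask: user: {}, catalog: {}, schema: {}, transformer: {}", context.getIdentity().getUser(), tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(), transformer);`. getColumnMask starts and ends outside this hunk.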
@@ -230,11 +232,6 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
return Optional.ofNullable(viewExpression);
}
- @Override
- public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
- return getColumnMask(context, tableName, columnName, type).map(ImmutableList::of).orElseGet(ImmutableList::of);
- }
-
@Override
public Set filterCatalogs(SystemSecurityContext context, Set catalogs) {
LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");
@@ -277,18 +274,18 @@ public Set filterTables(SystemSecurityContext context, String c
/** SYSTEM **/
@Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
- if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) {
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
+ if (!hasPermissionWithIdentity(createSystemPropertyResource(propertyName), identity, TrinoAccessType.ALTER)) {
LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
AccessDeniedException.denySetSystemSessionProperty(propertyName);
}
}
@Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
- if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
+ if (!hasPermissionWithIdentity(createUserResource(userName), identity, TrinoAccessType.IMPERSONATE)) {
LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), userName);
}
}
@@ -301,7 +298,7 @@ public void checkCanSetUser(Optional principal, String userName) {
@Override
public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) {
- LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ") denied");
AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
}
}
@@ -322,11 +319,8 @@ public void checkCanShowRoleGrants(SystemSecurityContext context) {
}
@Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
- if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) {
- LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
- AccessDeniedException.denyCatalogAccess(catalogName);
- }
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
+ return hasPermission(createResource(catalogName), context, TrinoAccessType.USE);
}
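Review bot: `canAccessCatalog` returns the permission result without the `LOG.debug(... denied)` line that the replaced check method and every remaining check* method in this file emit, so a denied catalog access no longer leaves a trace in the plugin's debug log; the same applies to `canExecuteFunction` in the later hunk. Ranger's own audit presumably still fires inside `hasPermission` if it goes through `rangerPlugin.isAccessAllowed` the way `hasPermissionWithIdentity` does, but the local debug line is what operators look for when a Trino-side denial is reported. Suggest `boolean ret = hasPermission(createResource(catalogName), context, TrinoAccessType.USE); if (!ret) { LOG.debug("RangerSystemAccessControl.canAccessCatalog(" + catalogName + ") denied"); } return ret;`.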
@Override
@@ -360,7 +354,7 @@ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchem
* to create a schema when you have create rights on the catalog level
*/
@Override
- public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) {
if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) {
LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
AccessDeniedException.denyCreateSchema(schema.getSchemaName());
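Review bot: The new `properties` parameter of `checkCanCreateSchema` is accepted but never consulted, and the Javadoc above it (which starts outside the hunk) does not mention it, so a reader may assume schema properties influence the decision. A one-line comment on the signature, `// properties is intentionally ignored; only the catalog-level CREATE permission is evaluated`, makes the scope of the check explicit. The method body continues past the hunk.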
@@ -460,7 +454,7 @@ public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchema
}
}
-@Override
+ @Override
public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) {
LOG.debug("RangerSystemAccessControl.checkCanTruncateTable(" + table.getSchemaTableName().getTableName() + ") denied");
@@ -645,17 +639,16 @@ public Set filterColumns(SystemSecurityContext context, CatalogSchemaTab
/**
* This is a NOOP. Everyone can execute a query
- * @param context
*/
@Override
- public void checkCanExecuteQuery(SystemSecurityContext context) {
+ public void checkCanExecuteQuery(Identity identity) {
}
@Override
- public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
- if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
- LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
+ if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner.getUser() + ") denied");
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
}
}
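Review bot: The Javadoc for `checkCanExecuteQuery` drops `@param context` but adds nothing for the new `identity` parameter, leaving the method half-documented; suggest `* @param identity the identity submitting the query; not consulted because execution is always allowed`. `checkCanViewQueryOwnedBy` now takes two `Identity` values and deserves a one-line comment that viewing another user's query is authorized as IMPERSONATE on the owner's user name, which is what `createUserResource(queryOwner.getUser())` encodes, so that the reuse of the impersonation policy is visibly deliberate.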
@@ -663,40 +656,29 @@ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String query
* This is a NOOP, no filtering is applied
*/
@Override
- public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) {
+ public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) {
return queryOwners;
}
@Override
- public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
- if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
- LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
- AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ public void checkCanKillQueryOwnedBy(Identity identity, Identity queryOwner) {
+ if (!hasPermissionWithIdentity(createUserResource(queryOwner.getUser()), identity, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner.getUser() + ") denied");
+ AccessDeniedException.denyImpersonateUser(identity.getUser(), queryOwner.getUser());
}
}
/** FUNCTIONS **/
@Override
- public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, TrinoPrincipal grantee, boolean grantOption) {
- if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.GRANT)) {
- LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied");
- AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName());
- }
- }
-
- @Override
- public void checkCanExecuteFunction(SystemSecurityContext context, String function) {
- if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.EXECUTE)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied");
- AccessDeniedException.denyExecuteFunction(function);
- }
+ public boolean canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
+ return hasPermission(createFunctionResource(functionName.getRoutineName()), systemSecurityContext, TrinoAccessType.EXECUTE);
}
/** PROCEDURES **/
@Override
public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteProcedure(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName());
}
}
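Review bot: `canExecuteFunction` builds the Ranger resource from `functionName.getRoutineName()` alone, so the catalog and schema that the SPI now supplies through `CatalogSchemaRoutineName` are discarded, and functions with the same name in different catalogs or schemas map to one Ranger resource and share one policy decision. `checkCanExecuteProcedure` a few lines below passes the full `CatalogSchemaRoutineName` to `createProcedureResource`, so the two routine kinds are scoped inconsistently. If the Trino service definition keys functions by bare name, a comment such as `// function policies are keyed by routine name only; catalog and schema are not part of the function resource` would at least make the collapse deliberate; otherwise an overload of `createFunctionResource` that takes the full name, mirroring `createProcedureResource`, closes the gap.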
@@ -705,7 +687,7 @@ public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchem
public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName catalogSchemaTableName, String procedure)
{
if (!hasPermission(createResource(catalogSchemaTableName), context, TrinoAccessType.ALTER)) {
- LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteTableProcedure(" + procedure + ") denied");
AccessDeniedException.denyExecuteTableProcedure(catalogSchemaTableName.toString(),procedure);
}
}
@@ -713,10 +695,14 @@ public void checkCanExecuteTableProcedure(SystemSecurityContext context, Catalog
/** HELPER FUNCTIONS **/
private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
+ return createAccessRequestWithIdentity(resource, context.getIdentity(), accessType);
+ }
+
+ private RangerTrinoAccessRequest createAccessRequestWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
Set userGroups = null;
if (useUgi) {
- UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity.getUser());
String[] groups = ugi != null ? ugi.getGroupNames() : null;
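Review bot: `createAccessRequestWithIdentity` is a new private method with no comment, and the delegating `createAccessRequest` above it is now a one-liner that also says nothing about why two entry points exist. Suggest a header on the new method, `/** Builds the Ranger request for identity; groups come from Hadoop UGI when useUgi is set, otherwise from the Trino Identity. */`, and on the wrapper `// SystemSecurityContext variant; the Identity-only SPI methods call the identity overload directly`. The method body continues past the hunk.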
@@ -724,14 +710,14 @@ private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resourc
userGroups = new HashSet<>(Arrays.asList(groups));
}
} else {
- userGroups = context.getIdentity().getGroups();
+ userGroups = identity.getGroups();
}
RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(
- resource,
- context.getIdentity().getUser(),
- userGroups,
- accessType
+ resource,
+ identity.getUser(),
+ userGroups,
+ accessType
);
return request;
@@ -750,6 +736,19 @@ private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContex
return ret;
}
+ private boolean hasPermissionWithIdentity(RangerTrinoResource resource, Identity identity, TrinoAccessType accessType) {
+ boolean ret = false;
+
+ RangerTrinoAccessRequest request = createAccessRequestWithIdentity(resource, identity, accessType);
+
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
+ if (result != null && result.getIsAllowed()) {
+ ret = true;
+ }
+
+ return ret;
+ }
+
private static RangerTrinoResource createUserResource(String userName) {
RangerTrinoResource res = new RangerTrinoResource();
res.setValue(RangerTrinoResource.KEY_USER, userName);
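Review bot: `hasPermissionWithIdentity` repeats what `hasPermission` (whose body starts above the hunk and ends with the same `return ret;`) appears to do, differing only in how the request is built; if that is the case, `hasPermission` can become `return hasPermissionWithIdentity(resource, context.getIdentity(), accessType);` so the result handling lives in one place. The body itself could follow `isRowFilterEnabled` earlier in the file and collapse to `return result != null && result.getIsAllowed();`. A comment that a null result from `rangerPlugin.isAccessAllowed` is treated as denied, `// null result => deny (fail closed)`, would document the security-relevant default rather than leaving it implicit in the `ret = false` initialiser.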
@@ -794,8 +793,8 @@ private static RangerTrinoResource createResource(CatalogSchemaName catalogSchem
private static RangerTrinoResource createResource(CatalogSchemaTableName catalogSchemaTableName) {
return createResource(catalogSchemaTableName.getCatalogName(),
- catalogSchemaTableName.getSchemaTableName().getSchemaName(),
- catalogSchemaTableName.getSchemaTableName().getTableName());
+ catalogSchemaTableName.getSchemaTableName().getSchemaName(),
+ catalogSchemaTableName.getSchemaTableName().getTableName());
}
private static RangerTrinoResource createResource(String catalogName) {
@@ -820,21 +819,21 @@ private static List createResource(CatalogSchemaTableName t
if (columns.size() > 0) {
for (String column : columns) {
RangerTrinoResource rangerTrinoResource = createResource(table.getCatalogName(),
- table.getSchemaTableName().getSchemaName(),
- table.getSchemaTableName().getTableName(), Optional.of(column));
+ table.getSchemaTableName().getSchemaName(),
+ table.getSchemaTableName().getTableName(), Optional.of(column));
colRequests.add(rangerTrinoResource);
}
} else {
colRequests.add(createResource(table.getCatalogName(),
- table.getSchemaTableName().getSchemaName(),
- table.getSchemaTableName().getTableName(), Optional.empty()));
+ table.getSchemaTableName().getSchemaName(),
+ table.getSchemaTableName().getTableName(), Optional.empty()));
}
return colRequests;
}
}
class RangerTrinoResource
- extends RangerAccessResourceImpl {
+ extends RangerAccessResourceImpl {
public static final String KEY_CATALOG = "catalog";
@@ -899,11 +898,11 @@ public Optional getSchemaTable() {
}
class RangerTrinoAccessRequest
- extends RangerAccessRequestImpl {
+ extends RangerAccessRequestImpl {
public RangerTrinoAccessRequest(RangerTrinoResource resource,
- String user,
- Set userGroups,
- TrinoAccessType trinoAccessType) {
+ String user,
+ Set userGroups,
+ TrinoAccessType trinoAccessType) {
super(resource, trinoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null);
setAccessTime(new Date());
}
@@ -911,4 +910,4 @@ public RangerTrinoAccessRequest(RangerTrinoResource resource,
enum TrinoAccessType {
CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE, EXECUTE;
-}
+}
\ No newline at end of file
diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
index eda87db4ea..465fe81dea 100644
--- a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
@@ -18,6 +18,7 @@
package org.apache.ranger.authorization.trino.authorizer;
import com.google.common.collect.ImmutableSet;
+import io.trino.spi.QueryId;
import io.trino.spi.connector.CatalogSchemaName;
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
@@ -37,11 +38,13 @@
import org.junit.Test;
import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
+import java.time.Instant;
public class RangerSystemAccessControlTest {
static RangerSystemAccessControl accessControlManager = null;
@@ -56,14 +59,17 @@ public class RangerSystemAccessControlTest {
//private static final Identity nonAsciiUser = Identity.ofUser("\u0194\u0194\u0194");
private static final Set allCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "alice-catalog");
- private static final Set queryOwners = ImmutableSet.of("bob", "alice", "frank");
+ private static final Collection queryOwners = ImmutableSet.of(Identity.ofUser("bob"), Identity.ofUser("alice"), Identity.ofUser("frank"));
private static final String aliceCatalog = "alice-catalog";
private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "schema");
private static final CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("alice-catalog", "schema","table");
private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema","view");
private static final CatalogSchemaRoutineName aliceProcedure = new CatalogSchemaRoutineName("alice-catalog", "schema", "procedure");
- private static final String functionName = new String("function");
+ private static final CatalogSchemaRoutineName bobFunction = new CatalogSchemaRoutineName("alice-catalog", "default", "function");
+
+ private static final QueryId queryId = new QueryId("test_query");
+ private static final Instant queryStart = Instant.now();
@BeforeClass
public static void setUpBeforeClass() throws Exception {
@@ -75,16 +81,16 @@ public static void setUpBeforeClass() throws Exception {
@SuppressWarnings("PMD")
public void testCanSetUserOperations() {
try {
- accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(alice).getIdentity(), bob.getUser());
throw new AssertionError("expected AccessDeniedExeption");
}
catch (AccessDeniedException expected) {
}
- accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(admin).getIdentity(), bob.getUser());
try {
- accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser());
+ accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice).getIdentity(), bob.getUser());
throw new AssertionError("expected AccessDeniedExeption");
}
catch (AccessDeniedException expected) {
@@ -111,13 +117,13 @@ public void testSchemaOperations()
assertEquals(accessControlManager.filterSchemas(context(alice), aliceCatalog, aliceSchemas), aliceSchemas);
assertEquals(accessControlManager.filterSchemas(context(bob), "alice-catalog", aliceSchemas), ImmutableSet.of());
- accessControlManager.checkCanCreateSchema(context(alice), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(alice), aliceSchema, Map.of());
accessControlManager.checkCanDropSchema(context(alice), aliceSchema);
accessControlManager.checkCanRenameSchema(context(alice), aliceSchema, "new-schema");
accessControlManager.checkCanShowSchemas(context(alice), aliceCatalog);
try {
- accessControlManager.checkCanCreateSchema(context(bob), aliceSchema);
+ accessControlManager.checkCanCreateSchema(context(bob), aliceSchema, Map.of());
} catch (AccessDeniedException expected) {
}
@@ -133,7 +139,7 @@ public void testTableOperations()
assertEquals(accessControlManager.filterTables(context(alice), aliceCatalog, aliceTables), aliceTables);
assertEquals(accessControlManager.filterTables(context(bob), "alice-catalog", aliceTables), ImmutableSet.of());
- accessControlManager.checkCanCreateTable(context(alice), aliceTable,Map.of());
+ accessControlManager.checkCanCreateTable(context(alice), aliceTable, Map.of());
accessControlManager.checkCanDropTable(context(alice), aliceTable);
accessControlManager.checkCanSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
accessControlManager.checkCanInsertIntoTable(context(alice), aliceTable);
@@ -142,7 +148,7 @@ public void testTableOperations()
try {
- accessControlManager.checkCanCreateTable(context(bob), aliceTable,Map.of());
+ accessControlManager.checkCanCreateTable(context(bob), aliceTable, Map.of());
} catch (AccessDeniedException expected) {
}
}
@@ -170,34 +176,28 @@ public void testViewOperations()
@SuppressWarnings("PMD")
public void testMisc()
{
- assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice), queryOwners), queryOwners);
+ assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice).getIdentity(), queryOwners), queryOwners);
// check {type} / {col} replacement
final VarcharType varcharType = VarcharType.createVarcharType(20);
Optional ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType);
- List retArray = accessControlManager.getColumnMasks(context(alice), aliceTable, "cast_me", varcharType);
assertNotNull(ret.get());
assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)");
- assertEquals(1, retArray.size());
- assertEquals("cast cast_me as varchar(20)", retArray.get(0).getExpression());
ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType);
- retArray = accessControlManager.getColumnMasks(context(alice), aliceTable,"do-not-cast-me", varcharType);
assertFalse(ret.isPresent());
- assertTrue(retArray.isEmpty());
ret = accessControlManager.getRowFilter(context(alice), aliceTable);
- retArray = accessControlManager.getRowFilters(context(alice), aliceTable);
+ List retArray = accessControlManager.getRowFilters(context(alice), aliceTable);
assertFalse(ret.isPresent());
assertTrue(retArray.isEmpty());
- accessControlManager.checkCanExecuteFunction(context(alice), functionName);
- accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true);
+ accessControlManager.canExecuteFunction(context(alice), bobFunction);
accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
}
private SystemSecurityContext context(Identity id) {
- return new SystemSecurityContext(id, Optional.empty());
+ return new SystemSecurityContext(id, queryId, queryStart);
}
}
\ No newline at end of file
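Review bot: In `testMisc` the call `accessControlManager.canExecuteFunction(context(alice), bobFunction);` discards the boolean, so the test no longer asserts anything about function execution, whereas the removed `checkCanExecuteFunction` call would have thrown on denial; it should read `assertTrue(accessControlManager.canExecuteFunction(context(alice), bobFunction));`. The converted `canAccessCatalog` has no coverage in this hunk either, so an allowed case such as `assertTrue(accessControlManager.canAccessCatalog(context(alice), aliceCatalog));` and a denied case for `bob` would pin the new boolean contract. `assertTrue`/`assertFalse` are already used elsewhere in this method.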
diff --git a/pom.xml b/pom.xml
index b40fbcc5a2..fbfcd1592d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -115,7 +115,7 @@
2.1.7
2.7.12
7.10.2
- 2.13.2
+ 2.15.1
4.7.3.5
27.0-jre
1.2
@@ -184,7 +184,7 @@
20211018.2
2.3
333
- 377
+ 433
5.2.2
UTF-8
3.19.3
@@ -277,7 +277,7 @@
agents-installer
credentialbuilder
embeddedwebserver
- ranger-common-ha
+ ranger-common-ha
kms
hbase-agent
hdfs-agent
@@ -347,7 +347,7 @@
agents-installer
credentialbuilder
embeddedwebserver
- ranger-common-ha
+ ranger-common-ha
kms
hbase-agent
hdfs-agent
@@ -363,7 +363,8 @@
plugin-nifi
plugin-nifi-registry
plugin-presto
- plugin-trino
+
+
plugin-kudu
ugsync-util
ugsync
@@ -387,6 +388,79 @@
ranger-atlas-plugin-shim
ranger-kms-plugin-shim
ranger-presto-plugin-shim
+
+
+ ranger-examples
+ ranger-tools
+ plugin-atlas
+ plugin-schema-registry
+ plugin-sqoop
+ ranger-sqoop-plugin-shim
+ plugin-kylin
+ ranger-kylin-plugin-shim
+ plugin-elasticsearch
+ ranger-elasticsearch-plugin-shim
+ ranger-authn
+ ranger-metrics
+
+ distro
+
+
+
+ ranger-jdk17
+
+ 17
+
+
+ jisql
+ agents-audit
+ agents-common
+ agents-cred
+ intg
+ agents-installer
+ credentialbuilder
+ embeddedwebserver
+ kms
+ hbase-agent
+ hdfs-agent
+ hive-agent
+ knox-agent
+ storm-agent
+ plugin-yarn
+ plugin-ozone
+ security-admin
+ plugin-kafka
+ plugin-solr
+ plugin-nestedstructure
+ plugin-nifi
+ plugin-nifi-registry
+ plugin-presto
+ plugin-trino
+ plugin-kudu
+ ugsync-util
+ ugsync
+ ugsync/ldapconfigchecktool/ldapconfigcheck
+ unixauthclient
+ unixauthservice
+ ranger-util
+ plugin-kms
+ tagsync
+ ranger-hdfs-plugin-shim
+ ranger-plugin-classloader
+ ranger-hive-plugin-shim
+ ranger-hbase-plugin-shim
+ ranger-knox-plugin-shim
+ ranger-yarn-plugin-shim
+ ranger-ozone-plugin-shim
+ ranger-storm-plugin-shim
+ ranger-kafka-plugin-shim
+ ranger-solr-plugin-shim
+ ranger-atlas-plugin-shim
+ ranger-kms-plugin-shim
+ ranger-presto-plugin-shim
ranger-trino-plugin-shim
ranger-examples
ranger-tools
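Review bot: `plugin-trino` is removed from the default module list (the hunk at `@@ -363,7 +363,8 @@` leaves only blank lines where it was) and reappears only inside the new `ranger-jdk17` block, so, as far as the stripped XML lets one tell, a default build no longer compiles plugin-trino or runs RangerSystemAccessControlTest. That is presumably deliberate given the bump to what looks like Trino version `433` and the `17` value in the new block, but it should be stated in the commit description and next to the module list, e.g. `<!-- plugin-trino requires JDK 17; built only under the ranger-jdk17 profile -->`, so that a missing test run is not mistaken for a passing one.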
@@ -636,6 +710,7 @@
+
ranger-trino-plugin
agents-audit
@@ -677,7 +752,7 @@
agents-installer
credentialbuilder
embeddedwebserver
- ranger-common-ha
+ ranger-common-ha
kms
hbase-agent
hdfs-agent
@@ -765,7 +840,7 @@
agents-installer
credentialbuilder
embeddedwebserver
- ranger-common-ha
+ ranger-common-ha
kms
hbase-agent
hdfs-agent
diff --git a/ranger-examples/distro/src/main/assembly/plugin-sampleapp.xml b/ranger-examples/distro/src/main/assembly/plugin-sampleapp.xml
index 16f60bc1d4..b29610ee20 100644
--- a/ranger-examples/distro/src/main/assembly/plugin-sampleapp.xml
+++ b/ranger-examples/distro/src/main/assembly/plugin-sampleapp.xml
@@ -66,4 +66,11 @@
644
+
+
+ true
+ lib
+ runtime
+
+
diff --git a/ranger-examples/distro/src/main/assembly/sampleapp.xml b/ranger-examples/distro/src/main/assembly/sampleapp.xml
index 3e927d2b9b..eef1d08df1 100644
--- a/ranger-examples/distro/src/main/assembly/sampleapp.xml
+++ b/ranger-examples/distro/src/main/assembly/sampleapp.xml
@@ -53,4 +53,11 @@
644
+
+
+ true
+ lib
+ runtime
+
+
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
index 10418dabb6..ad6f05e5dc 100644
--- a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -17,6 +17,7 @@
import io.trino.spi.connector.CatalogSchemaRoutineName;
import io.trino.spi.connector.CatalogSchemaTableName;
import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.security.Identity;
import io.trino.spi.security.TrinoPrincipal;
import io.trino.spi.security.Privilege;
import io.trino.spi.security.SystemAccessControl;
@@ -27,6 +28,7 @@
import javax.inject.Inject;
import java.security.Principal;
+import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -34,7 +36,7 @@
import java.util.Set;
public class RangerSystemAccessControl
- implements SystemAccessControl {
+ implements SystemAccessControl {
private static final String RANGER_PLUGIN_TYPE = "trino";
private static final String RANGER_TRINO_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl";
@@ -72,20 +74,20 @@ public RangerSystemAccessControl(RangerConfig config) {
}
@Override
- public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+ public void checkCanSetSystemSessionProperty(Identity identity, String propertyName) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName);
+ systemAccessControlImpl.checkCanSetSystemSessionProperty(identity, propertyName);
} finally {
deactivatePluginClassLoader();
}
}
@Override
- public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
+ public boolean canAccessCatalog(SystemSecurityContext context, String catalogName) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanAccessCatalog(context, catalogName);
+ return systemAccessControlImpl.canAccessCatalog(context, catalogName);
} finally {
deactivatePluginClassLoader();
}
@@ -104,10 +106,10 @@ public Set filterCatalogs(SystemSecurityContext context, Set cat
}
@Override
- public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema, Map properties) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanCreateSchema(context, schema);
+ systemAccessControlImpl.checkCanCreateSchema(context, schema, properties);
} finally {
deactivatePluginClassLoader();
}
@@ -257,7 +259,7 @@ public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchema
}
}
-@Override
+ @Override
public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table)
{
try {
@@ -343,41 +345,41 @@ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, Str
}
@Override
- public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+ public void checkCanImpersonateUser(Identity identity, String userName) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanImpersonateUser(context, userName);
+ systemAccessControlImpl.checkCanImpersonateUser(identity, userName);
} finally {
deactivatePluginClassLoader();
}
}
@Override
- public void checkCanExecuteQuery(SystemSecurityContext context) {
+ public void checkCanExecuteQuery(Identity identity) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteQuery(context);
+ systemAccessControlImpl.checkCanExecuteQuery(identity);
} finally {
deactivatePluginClassLoader();
}
}
@Override
- public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ public void checkCanViewQueryOwnedBy(Identity identity, Identity queryOwner) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner);
+ systemAccessControlImpl.checkCanViewQueryOwnedBy(identity, queryOwner);
} finally {
deactivatePluginClassLoader();
}
}
@Override
- public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set queryOwners) {
- Set filteredQueryOwners;
+ public Collection filterViewQueryOwnedBy(Identity identity, Collection queryOwners) {
+ Collection filteredQueryOwners;
try {
activatePluginClassLoader();
- filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners);
+ filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(identity, queryOwners);
} finally {
deactivatePluginClassLoader();
}
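Review bot: `checkCanViewQueryOwnedBy` now receives the query owner as an `Identity` instead of a user-name string (L761–L762), and the wrapper forwards it untouched, so the comparison semantics are decided entirely in the delegate that is not visible here. If the delegate compares whole `Identity` objects rather than `queryOwner.getUser()`, two sessions for the same user with different groups or principals would compare unequal and an owner could be denied sight of their own queries (or, depending on how the mismatch is handled, see others'); a unit test pinning "same user name, different groups → allowed" is worth adding. The same review applies to `checkCanImpersonateUser` (L740), where the requester is now an `Identity` while the target stays a bare user name. `filterViewQueryOwnedBy`'s body continues past the hunk (its `return` is outside this view).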
@@ -385,10 +387,10 @@ public Set filterViewQueryOwnedBy(SystemSecurityContext context, Set getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
- Optional viewExpression;
- try {
- activatePluginClassLoader();
- viewExpression = systemAccessControlImpl.getRowFilter(context, tableName);
- } finally {
- deactivatePluginClassLoader();
- }
- return viewExpression;
- }
-
@Override
public List getRowFilters(SystemSecurityContext context, CatalogSchemaTableName tableName) {
List viewExpressionList;
@@ -553,18 +543,6 @@ public Optional getColumnMask(SystemSecurityContext context, Cat
return viewExpression;
}
- @Override
- public List getColumnMasks(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
- List viewExpressionList;
- try {
- activatePluginClassLoader();
- viewExpressionList = systemAccessControlImpl.getColumnMasks(context, tableName, columnName, type);
- } finally {
- deactivatePluginClassLoader();
- }
- return viewExpressionList;
- }
-
@Override
public void checkCanSetUser(Optional principal, String userName) {
try {
@@ -575,16 +553,6 @@ public void checkCanSetUser(Optional principal, String userName) {
}
}
- @Override
- public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, TrinoPrincipal grantee, boolean grantOption) {
- try {
- activatePluginClassLoader();
- systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption);
- } finally {
- deactivatePluginClassLoader();
- }
- }
-
@Override
public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) {
try {
@@ -627,10 +595,10 @@ public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityCo
}
@Override
- public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
+ public boolean canExecuteFunction(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName functionName) {
try {
activatePluginClassLoader();
- systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName);
+ return systemAccessControlImpl.canExecuteFunction(systemSecurityContext, functionName);
} finally {
deactivatePluginClassLoader();
}
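Review bot: `canExecuteFunction` (L835–L839) now takes a qualified `CatalogSchemaRoutineName` instead of a bare function-name string, and the wrapper forwards it as-is, so the Ranger resource that gets evaluated is whatever the delegate builds from it. If the delegate still keys its resource on the unqualified routine name, existing function policies keep matching but lose the catalog/schema scoping the new SPI provides; if it switches to the fully qualified name, policies written against bare names stop matching and, with deny-by-`false`, every such call is refused. Either way the mapping is not visible here and deserves an explicit test for both a qualified and an unqualified policy entry. As with the catalog check, the method comment should state the deny contract: `/** Function execution decision delegated to the Ranger plugin; returns false to deny, does not throw. */`.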
@@ -647,4 +615,4 @@ private void deactivatePluginClassLoader() {
rangerPluginClassLoader.deactivate();
}
}
-}
+}
\ No newline at end of file
diff --git a/security-admin/pom.xml b/security-admin/pom.xml
index fc59287d06..3871f37843 100644
--- a/security-admin/pom.xml
+++ b/security-admin/pom.xml
@@ -817,7 +817,7 @@
org.apache.maven.plugins
maven-war-plugin
- 2.6
+ 3.4.0
prepare