morningman commented on code in PR #17424:
URL: https://github.com/apache/doris/pull/17424#discussion_r1125592206


##########
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java:
##########
@@ -33,33 +34,49 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
 
 public class RangerHiveAccessController implements CatalogAccessController {
     public static final String CLIENT_TYPE_DORIS = "doris";
     private static final Logger LOG = 
LogManager.getLogger(RangerHiveAccessController.class);
+    private static ScheduledThreadPoolExecutor logFlushTimer = 
ThreadPoolManager.newDaemonScheduledThreadPool(1,
+            "ranger-hive-audit-log-flusher-timer", true);
     private RangerHivePlugin hivePlugin;
     private RangerHiveAuditHandler auditHandler;
 
     public RangerHiveAccessController(Map<String, String> properties) {
         String serviceName = properties.get("ranger.service.name");
         hivePlugin = new RangerHivePlugin(serviceName);
         auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
+        //start a timed log flusher
+        logFlushTimer.scheduleAtFixedRate(new 
RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
     }
 
     private RangerAccessRequestImpl createRequest(UserIdentity currentUser, 
HiveAccessType accessType) {
         RangerAccessRequestImpl request = new RangerAccessRequestImpl();
-        request.setUser(currentUser.getQualifiedUser());
-        request.setUserRoles(currentUser.getRoles());
+        // currentUser.getQualifiedUser() is as of form: 
default_cluster:user1, only use `user1`
+        String[] userArray = currentUser.getQualifiedUser().split(":");
+        request.setUser(userArray[1]);
+        request.setClusterName(userArray[0]);
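Review bot: The `ScheduledFuture` returned by `logFlushTimer.scheduleAtFixedRate(...)` in the constructor is discarded, so every `RangerHiveAccessController` instance adds one more periodic task to the shared static executor that can never be cancelled and keeps its `auditHandler` reachable after the controller itself is dropped. Keep the handle in a field, `private ScheduledFuture<?> logFlushTask;`, and cancel it wherever the controller is disposed. Separately, `ScheduledThreadPoolExecutor` silently stops a fixed-rate task whose `run()` throws, so unless `RangerHiveAuditLogFlusher.run()` catches every exception itself (not visible here), a single failed flush permanently halts audit flushing with nothing logged; a catch-all with `LOG.warn` inside the task is the usual guard. The same constructor lines recur in the two later copies of this hunk (ending at the `setClusterType` and `roles.add` lines), and `createRequest` continues past the end of this hunk.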

Review Comment:
   You can use `ClusterNamespace.getNameFromFullName(xxx)` directly.



##########
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java:
##########
@@ -152,27 +165,30 @@ public HiveAccessType convertToAccessType(PrivPredicate 
predicate) {
             return HiveAccessType.CREATE;
         } else if (predicate == PrivPredicate.DROP) {
             return HiveAccessType.DROP;
-        } else if (predicate == PrivPredicate.SELECT) {
-            return HiveAccessType.SELECT;
         } else {
             return HiveAccessType.NONE;
         }
     }
 
+    private String removeDefaultClusterName(String nameWithDefaultCluster) {
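Review bot: Dropping the `predicate == PrivPredicate.SELECT` branch makes a SELECT predicate fall through to `HiveAccessType.NONE` unless SELECT is already handled earlier in the `if` chain, which lies above this hunk and is not visible here; if it is not, `checkPrivilege` would evaluate read access with an access type that does not name the privilege being checked. Whatever the intended mapping is, it should be stated on the method, e.g. `// SELECT is mapped by an earlier branch; any unlisted predicate is treated as NONE`. `convertToAccessType` starts before this hunk, and the new `removeDefaultClusterName` is cut off at its boundary.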

Review Comment:
   See `ClusterNamespace.getNameFromFullName(xxx)`



##########
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java:
##########
@@ -33,33 +34,49 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
 
 public class RangerHiveAccessController implements CatalogAccessController {
     public static final String CLIENT_TYPE_DORIS = "doris";
     private static final Logger LOG = 
LogManager.getLogger(RangerHiveAccessController.class);
+    private static ScheduledThreadPoolExecutor logFlushTimer = 
ThreadPoolManager.newDaemonScheduledThreadPool(1,
+            "ranger-hive-audit-log-flusher-timer", true);
     private RangerHivePlugin hivePlugin;
     private RangerHiveAuditHandler auditHandler;
 
     public RangerHiveAccessController(Map<String, String> properties) {
         String serviceName = properties.get("ranger.service.name");
         hivePlugin = new RangerHivePlugin(serviceName);
         auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
+        //start a timed log flusher
+        logFlushTimer.scheduleAtFixedRate(new 
RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
     }
 
     private RangerAccessRequestImpl createRequest(UserIdentity currentUser, 
HiveAccessType accessType) {
         RangerAccessRequestImpl request = new RangerAccessRequestImpl();
-        request.setUser(currentUser.getQualifiedUser());
-        request.setUserRoles(currentUser.getRoles());
+        // currentUser.getQualifiedUser() is as of form: 
default_cluster:user1, only use `user1`
+        String[] userArray = currentUser.getQualifiedUser().split(":");
+        request.setUser(userArray[1]);
+        request.setClusterName(userArray[0]);
+        Set<String> roles = new HashSet<>();
+        for (String role : currentUser.getRoles()) {
+            // some roles are as of form: default_role_rbac_test@%, only use 
`default_role_rbac_test`
+            roles.add(role.split("@")[0]);
+        }
+        request.setUserRoles(roles);
         request.setAction(accessType.name());
         if (accessType == HiveAccessType.USE) {
             request.setAccessType(RangerPolicyEngine.ANY_ACCESS);
         } else {
             request.setAccessType(accessType.name().toLowerCase());
         }
         request.setClientIPAddress(currentUser.getHost());
+        request.setClusterType(CLIENT_TYPE_DORIS);

Review Comment:
   `CLIENT_TYPE_DORIS`, what is this for? Does the user need to set it somewhere in 
Ranger?



##########
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java:
##########
@@ -33,33 +34,49 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
 
 public class RangerHiveAccessController implements CatalogAccessController {
     public static final String CLIENT_TYPE_DORIS = "doris";
     private static final Logger LOG = 
LogManager.getLogger(RangerHiveAccessController.class);
+    private static ScheduledThreadPoolExecutor logFlushTimer = 
ThreadPoolManager.newDaemonScheduledThreadPool(1,
+            "ranger-hive-audit-log-flusher-timer", true);
     private RangerHivePlugin hivePlugin;
     private RangerHiveAuditHandler auditHandler;
 
     public RangerHiveAccessController(Map<String, String> properties) {
         String serviceName = properties.get("ranger.service.name");
         hivePlugin = new RangerHivePlugin(serviceName);
         auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
+        //start a timed log flusher
+        logFlushTimer.scheduleAtFixedRate(new 
RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
     }
 
     private RangerAccessRequestImpl createRequest(UserIdentity currentUser, 
HiveAccessType accessType) {
         RangerAccessRequestImpl request = new RangerAccessRequestImpl();
-        request.setUser(currentUser.getQualifiedUser());
-        request.setUserRoles(currentUser.getRoles());
+        // currentUser.getQualifiedUser() is as of form: 
default_cluster:user1, only use `user1`
+        String[] userArray = currentUser.getQualifiedUser().split(":");
+        request.setUser(userArray[1]);
+        request.setClusterName(userArray[0]);
+        Set<String> roles = new HashSet<>();
+        for (String role : currentUser.getRoles()) {
+            // some roles are as of form: default_role_rbac_test@%, only use 
`default_role_rbac_test`
+            roles.add(role.split("@")[0]);

Review Comment:
   Actually, `default_role_rbac_test@%` is the real name of a user.
   Each user will have an implicit default role, whose name is exactly the same as the 
username (`default_role_rbac_test@%`).
   
   And you can add new roles to a user.
   



##########
fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/RangerHiveAccessController.java:
##########
@@ -99,20 +112,20 @@ private boolean checkPrivilege(UserIdentity currentUser, 
HiveAccessType accessTy
         request.setResource(resource);
 
         RangerAccessResult result = hivePlugin.isAccessAllowed(request, 
auditHandler);
-        auditHandler.flushAudit();
 
         if (result == null) {
-            LOG.warn(String.format("Error getting authorizer result, please 
check your ranger config. Request: %s",
-                    request));
+            LOG.warn(String.format("Error getting authorizer result, please 
check your ranger config. Make sure "
+                    + "ranger policy engine is initialized. Request: %s", 
request));
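Review bot: Removing `auditHandler.flushAudit()` here moves the audit write from the access decision onto the 20-second timer added in the constructor, so an allowed or denied access can sit unflushed for up to 20 s and is lost if the FE exits or crashes in that window; the executor comes from `newDaemonScheduledThreadPool(1, ..., true)`, and if that last argument marks the thread as daemon, the JVM will not wait for it to drain on shutdown. Consider a final flush from a shutdown hook or a close method, and document the delay next to the schedule, `// audit records are buffered and flushed every 20s by logFlushTimer (RangerHiveAuditLogFlusher)`. As a style point, the `LOG.warn(String.format(...))` on the new lines formats eagerly; Log4j's parameterized form `LOG.warn("... Request: {}", request)` does the same work only when warn is enabled. `checkPrivilege` starts before this hunk and continues after it.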

Review Comment:
   Maybe we should tell users how to check Ranger's log in our documentation, e.g. by 
adding `log4j.xml` in `fe/conf`.
   


