diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index 938b41915ae1a8..7495b0db9ecb2f 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java @@ -2267,6 +2267,12 @@ public class Config extends ConfigBase { @ConfField public static long stats_cache_size = 50_0000; + /** + * This config used for ranger cache data mask/row policy + */ + @ConfField + public static long ranger_cache_size = 10000; + /** * This configuration is used to enable the statistics of query information, which will record * the access status of databases, tables, and columns, and can be used to guide the diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java new file mode 100644 index 00000000000000..4b2aca0628a59a --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/CatalogCacheAccessController.java 
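Review bot: The Javadoc added for `ranger_cache_size` does not say what the number bounds or when it takes effect. In the RangerCache file of this commit the value is passed to `CacheBuilder.maximumSize` once for the data-mask cache and once for the row-filter cache, so it is a per-cache entry count read when the cache object is built. I would document that, for example `Max number of entries kept in each Ranger policy cache (data mask and row filter); read once when the access controller is created; 0 disables caching.` Guava rejects a negative maximum size, so a negative setting would fail controller construction; the comment should say so, or the value should be clamped where it is read.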
@@ -0,0 +1,91 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.ResourceTypeEnum; +import org.apache.doris.analysis.UserIdentity; +import org.apache.doris.common.AuthorizationException; +import org.apache.doris.mysql.privilege.CatalogAccessController; +import org.apache.doris.mysql.privilege.DataMaskPolicy; +import org.apache.doris.mysql.privilege.PrivPredicate; +import org.apache.doris.mysql.privilege.RowFilterPolicy; + +import java.util.List; +import java.util.Optional; +import java.util.Set; + +public abstract class CatalogCacheAccessController implements CatalogAccessController { + public abstract CatalogAccessController getProxyController(); + + public abstract RangerCache getCache(); + + + @Override + public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) { + return getProxyController().checkGlobalPriv(currentUser, wanted); + } + + @Override + public boolean checkCtlPriv(UserIdentity currentUser, String ctl, PrivPredicate wanted) { + return getProxyController().checkCtlPriv(currentUser, ctl, wanted); + } + + @Override + public boolean checkDbPriv(UserIdentity currentUser, String ctl, String 
db, PrivPredicate wanted) { + return getProxyController().checkDbPriv(currentUser, ctl, db, wanted); + } + + @Override + public boolean checkTblPriv(UserIdentity currentUser, String ctl, String db, String tbl, PrivPredicate wanted) { + return getProxyController().checkTblPriv(currentUser, ctl, db, tbl, wanted); + } + + @Override + public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) { + return getProxyController().checkResourcePriv(currentUser, resourceName, wanted); + } + + @Override + public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadGroupName, PrivPredicate wanted) { + return getProxyController().checkWorkloadGroupPriv(currentUser, workloadGroupName, wanted); + } + + @Override + public void checkColsPriv(UserIdentity currentUser, String ctl, String db, String tbl, Set cols, + PrivPredicate wanted) throws AuthorizationException { + getProxyController().checkColsPriv(currentUser, ctl, db, tbl, cols, wanted); + } + + @Override + public boolean checkCloudPriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted, + ResourceTypeEnum type) { + return getProxyController().checkCloudPriv(currentUser, resourceName, wanted, type); + } + + @Override + public Optional evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl, + String col) { + return getCache().getDataMask(new DatamaskCacheKey(currentUser, ctl, db, tbl, col)); + } + + @Override + public List evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db, + String tbl) { + return getCache().getRowFilters(new RowFilterCacheKey(currentUser, ctl, db, tbl)); + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java new file mode 100644 index 00000000000000..d2262d094f9cef --- /dev/null 
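Review bot: `evalDataMaskPolicy` and `evalRowFilterPolicies` at the end of this class answer from the cache, so a hit never reaches the wrapped controller, while every `check*Priv` method still delegates. The key carries only the user identity and the resource names. If the delegate's evaluation also depends on anything else per request (group or role membership resolved at call time, client address, time-based conditions), or emits a Ranger audit event per evaluation, a hit would skip it; none of that is visible in this hunk, so it needs confirming against the Ranger controllers. The class has no Javadoc; I would add one stating which two calls are cached, that cached results are shared between callers and must not be mutated, and that freshness depends on the invalidation listener.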
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/DatamaskCacheKey.java 
@@ -0,0 +1,89 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.UserIdentity; + +import com.google.common.base.Objects; + +public class DatamaskCacheKey { + private UserIdentity userIdentity; + private String ctl; + private String db; + private String tbl; + private String col; + + public DatamaskCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl, String col) { + this.userIdentity = userIdentity; + this.ctl = ctl; + this.db = db; + this.tbl = tbl; + this.col = col; + } + + public UserIdentity getUserIdentity() { + return userIdentity; + } + + public String getCtl() { + return ctl; + } + + public String getDb() { + return db; + } + + public String getTbl() { + return tbl; + } + + public String getCol() { + return col; + } + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + DatamaskCacheKey that = (DatamaskCacheKey) o; + return Objects.equal(userIdentity, that.userIdentity) + && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) + && Objects.equal(tbl, that.tbl) && Objects.equal(col, + 
that.col); + } + + @Override + public int hashCode() { + return Objects.hashCode(userIdentity, ctl, db, tbl, col); + } + + @Override + public String toString() { + return "DatamaskCacheKey{" + + "userIdentity=" + userIdentity + + ", ctl='" + ctl + '\'' + + ", db='" + db + '\'' + + ", tbl='" + tbl + '\'' + + ", col='" + col + '\'' + + '}'; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java new file mode 100644 index 00000000000000..29c068b1aff991 --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCache.java 
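Review bot: The fields of this cache key are not `final`, although `equals` and `hashCode` are computed from them and the object is used as a Guava cache key. Declare them `private final UserIdentity userIdentity;`, `private final String ctl;` and so on; the same applies to RowFilterCacheKey later in this commit. Key equality also rests on `UserIdentity.equals`/`hashCode`, which are outside this diff. Since a cached mask or row filter is handed to whoever presents an equal key, it is worth confirming that two identities compare equal only when Ranger would evaluate them identically.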
@@ -0,0 +1,107 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.common.Config; +import org.apache.doris.datasource.CacheException; +import org.apache.doris.mysql.privilege.CatalogAccessController; +import org.apache.doris.mysql.privilege.DataMaskPolicy; +import org.apache.doris.mysql.privilege.RowFilterPolicy; + +import com.google.common.cache.CacheBuilder; +import com.google.common.cache.CacheLoader; +import com.google.common.cache.LoadingCache; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.List; +import java.util.Objects; +import java.util.Optional; +import java.util.concurrent.ExecutionException; + +public class RangerCache { + private static final Logger LOG = LoggerFactory.getLogger(RangerCache.class); + + private CatalogAccessController controller; + private LoadingCache> datamaskCache = CacheBuilder.newBuilder() + .maximumSize(Config.ranger_cache_size) + .build(new CacheLoader>() { + @Override + public Optional load(DatamaskCacheKey key) { + return loadDataMask(key); + } + }); + + private LoadingCache> rowFilterCache = CacheBuilder.newBuilder() + .maximumSize(Config.ranger_cache_size) + 
.build(new CacheLoader>() { + @Override + public List load(RowFilterCacheKey key) { + return loadRowFilter(key); + } + }); + + public RangerCache() { + } + + public void init(CatalogAccessController controller) { + this.controller = controller; + } + + private Optional loadDataMask(DatamaskCacheKey key) { + Objects.requireNonNull(controller, "controller can not be null"); + if (LOG.isDebugEnabled()) { + LOG.debug("load datamask: {}", key); + } + return controller.evalDataMaskPolicy(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl(), + key.getCol()); + } + + private List loadRowFilter(RowFilterCacheKey key) { + Objects.requireNonNull(controller, "controller can not be null"); + if (LOG.isDebugEnabled()) { + LOG.debug("load row filter: {}", key); + } + return controller.evalRowFilterPolicies(key.getUserIdentity(), key.getCtl(), key.getDb(), key.getTbl()); + } + + public void invalidateDataMaskCache() { + datamaskCache.invalidateAll(); + } + + public void invalidateRowFilterCache() { + rowFilterCache.invalidateAll(); + } + + public Optional getDataMask(DatamaskCacheKey key) { + try { + return datamaskCache.get(key); + } catch (ExecutionException e) { + throw new CacheException("failed to get datamask for:" + key, e); + } + } + + public List getRowFilters(RowFilterCacheKey key) { + try { + return rowFilterCache.get(key); + } catch (ExecutionException e) { + throw new CacheException("failed to get row filter for:" + key, e); + } + } + +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java new file mode 100644 index 00000000000000..4af56a8ff1bacf --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RangerCacheInvalidateListener.java 
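Review bot: Both caches are bounded only by `maximumSize`, so a cached mask or row filter stays in use until the next `contextChanged()` callback clears it; there is no time bound if a callback is missed, and as far as I know a Guava load already in flight when `invalidateAll()` runs can still store its result afterwards. For an authorization decision I would add an upper bound on entry age, e.g. `.expireAfterWrite(<ttl-seconds>, TimeUnit.SECONDS)`, with the TTL taken from a new config item (placeholder; none exists in this commit). Separately, `getDataMask` and `getRowFilters` catch only `ExecutionException`, but the loaders declare no checked exceptions, so a failure in the Ranger call reaches callers as Guava's `UncheckedExecutionException` and a null result as `InvalidCacheLoadException`, never as `CacheException`. Catching `UncheckedExecutionException` as well, or using `getUnchecked`, would make the error path match the intent.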
@@ -0,0 +1,41 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.cache;
+
+import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.ranger.plugin.service.RangerAuthContextListener;
+
+public class RangerCacheInvalidateListener implements RangerAuthContextListener {
+ private static final Logger LOG = LogManager.getLogger(RangerDorisAccessController.class);
+
+ private RangerCache cache;
+
+ public RangerCacheInvalidateListener(RangerCache cache) {
+ this.cache = cache;
+ }
+
+ @Override
+ public void contextChanged() {
+ LOG.info("ranger context changed");
+ cache.invalidateDataMaskCache();
+ cache.invalidateRowFilterCache();
+ }
+}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java
new file mode 100644
index 00000000000000..08afcb40fcb59b
--- /dev/null
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/cache/RowFilterCacheKey.java
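Review bot: `LOG` is created with `LogManager.getLogger(RangerDorisAccessController.class)`, so the "ranger context changed" message is attributed to the wrong class, and the cache package imports the doris controller only for that. Use `private static final Logger LOG = LogManager.getLogger(RangerCacheInvalidateListener.class);` and drop the import. The message would be more useful when tracing stale-policy reports if it said that the data-mask and row-filter caches were cleared, and the `cache` field can be `final`.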
@@ -0,0 +1,82 @@ +// Licensed to the Apache Software Foundation (ASF) under one +// or more contributor license agreements. See the NOTICE file +// distributed with this work for additional information +// regarding copyright ownership. The ASF licenses this file +// to you under the Apache License, Version 2.0 (the +// "License"); you may not use this file except in compliance +// with the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. + +package org.apache.doris.catalog.authorizer.ranger.cache; + +import org.apache.doris.analysis.UserIdentity; + +import com.google.common.base.Objects; + +public class RowFilterCacheKey { + private UserIdentity userIdentity; + private String ctl; + private String db; + private String tbl; + + public RowFilterCacheKey(UserIdentity userIdentity, String ctl, String db, String tbl) { + this.userIdentity = userIdentity; + this.ctl = ctl; + this.db = db; + this.tbl = tbl; + } + + public UserIdentity getUserIdentity() { + return userIdentity; + } + + public String getCtl() { + return ctl; + } + + public String getDb() { + return db; + } + + public String getTbl() { + return tbl; + } + + + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + RowFilterCacheKey that = (RowFilterCacheKey) o; + return Objects.equal(userIdentity, that.userIdentity) + && Objects.equal(ctl, that.ctl) && Objects.equal(db, that.db) + && Objects.equal(tbl, that.tbl); + } + + @Override + public int hashCode() { + return Objects.hashCode(userIdentity, ctl, db, tbl); + } + + @Override + 
public String toString() { + return "DatamaskCacheKey{" + + "userIdentity=" + userIdentity + + ", ctl='" + ctl + '\'' + + ", db='" + db + '\'' + + ", tbl='" + tbl + '\'' + + '}'; + } +} diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java new file mode 100644 index 00000000000000..2cbc8111d52c9c --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerCacheDorisAccessController.java 
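Review bot: `toString()` in this class still prints the prefix `"DatamaskCacheKey{"`, copied from the other key class. RangerCache logs the key in `load row filter: {}` and puts it in the `failed to get row filter for:` message, so row-filter entries would be reported as data-mask keys. Change the first line of the return to `return "RowFilterCacheKey{"`.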
@@ -0,0 +1,44 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.doris;
+
+import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener;
+import org.apache.doris.mysql.privilege.CatalogAccessController;
+
+public class RangerCacheDorisAccessController extends CatalogCacheAccessController {
+ private CatalogAccessController proxyController;
+ private RangerCache cache;
+
+ public RangerCacheDorisAccessController(String serviceName) {
+ this.cache = new RangerCache();
+ this.proxyController = new RangerDorisAccessController(serviceName, new RangerCacheInvalidateListener(cache));
+ this.cache.init(proxyController);
+ }
+
+ @Override
+ public CatalogAccessController getProxyController() {
+ return proxyController;
+ }
+
+ @Override
+ public RangerCache getCache() {
+ return cache;
+ }
+}
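Review bot: The constructor relies on an ordering that is not documented: the cache has to exist before the delegate is built, because the invalidation listener wraps it, and only afterwards can `cache.init(proxyController)` give the cache its loader target. A short comment above the three statements would make that cycle clear, for example `// cache first: the listener needs it; the delegate is wired into the cache last`. Both fields are assigned once and can be `private final`. RangerCacheHiveAccessController later in this commit repeats the same constructor and accessors, so the same applies there.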
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java index 2060242b024df6..b0deea1887b370 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java @@ -33,6 +33,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl; import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.ArrayList; @@ -50,7 +51,11 @@ public class RangerDorisAccessController extends RangerAccessController { // private RangerHiveAuditHandler auditHandler; public RangerDorisAccessController(String serviceName) { - dorisPlugin = new RangerDorisPlugin(serviceName); + this(serviceName, null); + } + + public RangerDorisAccessController(String serviceName, RangerAuthContextListener rangerAuthContextListener) { + dorisPlugin = new RangerDorisPlugin(serviceName, rangerAuthContextListener); // auditHandler = new RangerHiveAuditHandler(dorisPlugin.getConfig()); // start a timed log flusher // logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS); diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java index 34f098c8df8cf5..0da65aaeb7f097 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisPlugin.java @@ -17,11 +17,17 @@ package org.apache.doris.catalog.authorizer.ranger.doris; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; public class RangerDorisPlugin extends RangerBasePlugin { public RangerDorisPlugin(String serviceName) { + this(serviceName, null); + } + + public RangerDorisPlugin(String serviceName, RangerAuthContextListener rangerAuthContextListener) { super(serviceName, null, null); super.init(); + super.registerAuthContextEventListener(rangerAuthContextListener); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java new file mode 100644 index 00000000000000..f4f510a12e641c --- /dev/null +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerCacheHiveAccessController.java 
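Review bot: The one-argument constructor now forwards `null`, and the new two-argument constructor passes it straight to `registerAuthContextEventListener`. Whether RangerBasePlugin treats a null listener as "none" is not visible in this diff; guarding the call, `if (rangerAuthContextListener != null) { super.registerAuthContextEventListener(rangerAuthContextListener); }`, keeps the previous behaviour for callers that have no listener.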
@@ -0,0 +1,47 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.catalog.authorizer.ranger.hive;
+
+import org.apache.doris.catalog.authorizer.ranger.cache.CatalogCacheAccessController;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCache;
+import org.apache.doris.catalog.authorizer.ranger.cache.RangerCacheInvalidateListener;
+import org.apache.doris.mysql.privilege.CatalogAccessController;
+
+import java.util.Map;
+
+public class RangerCacheHiveAccessController extends CatalogCacheAccessController {
+
+ private CatalogAccessController proxyController;
+ private RangerCache cache;
+
+ public RangerCacheHiveAccessController(Map properties) {
+ this.cache = new RangerCache();
+ this.proxyController = new RangerHiveAccessController(properties, new RangerCacheInvalidateListener(cache));
+ this.cache.init(proxyController);
+ }
+
+ @Override
+ public CatalogAccessController getProxyController() {
+ return proxyController;
+ }
+
+ @Override
+ public RangerCache getCache() {
+ return cache;
+ }
+}
diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java index c2298345a5ddd0..5ca0589aefb73b 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java @@ -35,6 +35,7 @@ import org.apache.ranger.plugin.policyengine.RangerAccessResult; import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor; import org.apache.ranger.plugin.policyengine.RangerPolicyEngine; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; import java.util.ArrayList; @@ -55,8 +56,13 @@ public class RangerHiveAccessController extends RangerAccessController { private RangerHiveAuditHandler auditHandler; public RangerHiveAccessController(Map properties) { + this(properties, null); + } + + public RangerHiveAccessController(Map properties, + RangerAuthContextListener rangerAuthContextListener) { String serviceName = properties.get("ranger.service.name"); - hivePlugin = new RangerHivePlugin(serviceName); + hivePlugin = new RangerHivePlugin(serviceName, rangerAuthContextListener); auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig()); // start a timed log flusher logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS); diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java index 3e9f11d9f8ec56..545e7a26836761 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java 
+++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessControllerFactory.java @@ -25,6 +25,6 @@ public class RangerHiveAccessControllerFactory implements AccessControllerFactory { @Override public CatalogAccessController createAccessController(Map prop) { - return new RangerHiveAccessController(prop); + return new RangerCacheHiveAccessController(prop); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java index cf675b9a1025e4..7ee393bae454e0 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java +++ b/fe/fe-core/src/main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHivePlugin.java @@ -17,11 +17,17 @@ package org.apache.doris.catalog.authorizer.ranger.hive; +import org.apache.ranger.plugin.service.RangerAuthContextListener; import org.apache.ranger.plugin.service.RangerBasePlugin; public class RangerHivePlugin extends RangerBasePlugin { public RangerHivePlugin(String serviceName) { + super(serviceName, null); + } + + public RangerHivePlugin(String serviceName, RangerAuthContextListener rangerAuthContextListener) { super(serviceName, null, null); super.init(); + super.registerAuthContextEventListener(rangerAuthContextListener); } } diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java index e12b0a737dc6f8..ba23c91e27df78 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/privilege/AccessControllerManager.java 
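Review bot: In the RangerHivePlugin hunk the one-argument constructor now calls `super(serviceName, null)` and nothing else, whereas before this change it ran `super(serviceName, null, null); super.init();`, and the parallel RangerDorisPlugin change uses `this(serviceName, null)`. As written, a plugin built through this constructor resolves to a two-argument superclass constructor instead of the three-argument one and never calls `init()`, so it would presumably have no policies loaded. RangerHiveAccessController in this commit always uses the two-argument form, so the path may be unreachable today, but the line should read `this(serviceName, null);` to match the Doris plugin.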
@@ -22,7 +22,7 @@ import org.apache.doris.analysis.UserIdentity; import org.apache.doris.catalog.AuthorizationInfo; import org.apache.doris.catalog.Env; -import org.apache.doris.catalog.authorizer.ranger.doris.RangerDorisAccessController; +import org.apache.doris.catalog.authorizer.ranger.doris.RangerCacheDorisAccessController; import org.apache.doris.common.Config; import org.apache.doris.common.UserException; import org.apache.doris.datasource.CatalogIf; @@ -58,7 +58,7 @@ public class AccessControllerManager { public AccessControllerManager(Auth auth) { this.auth = auth; if (Config.access_controller_type.equalsIgnoreCase("ranger-doris")) { - defaultAccessController = new RangerDorisAccessController("doris"); + defaultAccessController = new RangerCacheDorisAccessController("doris"); } else { defaultAccessController = new InternalAccessController(auth); }