apache · morningman · Mar 18, 2024 · Mar 12, 2024 · Mar 13, 2024 · Mar 14, 2024
diff --git a/...core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java b/...core/src/main/java/org/apache/doris/catalog/authorizer/ranger/RangerAccessController.java
@@ -17,15 +17,27 @@
 
 package org.apache.doris.catalog.authorizer.ranger;
 
+import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.common.AuthorizationException;
 import org.apache.doris.mysql.privilege.CatalogAccessController;
+import org.apache.doris.mysql.privilege.DataMaskPolicy;
+import org.apache.doris.mysql.privilege.RangerDataMaskPolicy;
+import org.apache.doris.mysql.privilege.RangerRowFilterPolicy;
+import org.apache.doris.mysql.privilege.RowFilterPolicy;
 
+import com.google.common.collect.Lists;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
 
 public abstract class RangerAccessController implements CatalogAccessController {
     private static final Logger LOG = LogManager.getLogger(RangerAccessController.class);
@@ -74,4 +86,70 @@ public static void checkRequestResults(Collection<RangerAccessResult> results, S
             }
         }
     }
+
+    @Override
+    public List<? extends RowFilterPolicy> evalRowFilterPolicies(UserIdentity currentUser, String ctl, String db,
+            String tbl) {
+        RangerAccessResourceImpl resource = createResource(ctl, db, tbl);
+        RangerAccessRequestImpl request = createRequest(currentUser);
+        request.setResource(resource);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("ranger request: {}", request);
+        }
+        List<RangerRowFilterPolicy> res = Lists.newArrayList();
+        RangerAccessResult policy = getPlugin().evalRowFilterPolicies(request, getAccessResultProcessor());
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("ranger response: {}", policy);
+        }
+        if (policy == null) {
+            return res;
+        }
+        String filterExpr = policy.getFilterExpr();
+        if (StringUtils.isEmpty(filterExpr)) {
+            return res;
+        }
+        res.add(new RangerRowFilterPolicy(currentUser, ctl, db, tbl, policy.getPolicyId(), policy.getPolicyVersion(),
+                filterExpr));
+        return res;
+    }
+
+    @Override
+    public Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl,
+            String col) {
+        RangerAccessResourceImpl resource = createResource(ctl, db, tbl, col);
+        RangerAccessRequestImpl request = createRequest(currentUser);
+        request.setResource(resource);
+
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("ranger request: {}", request);
+        }
+        RangerAccessResult policy = getPlugin().evalDataMaskPolicies(request, getAccessResultProcessor());
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("ranger response: {}", policy);
+        }
+        if (policy == null) {
+            return Optional.empty();
+        }
+        String maskType = policy.getMaskType();
+        if (StringUtils.isEmpty(maskType)) {
+            return Optional.empty();
+        }
+        String transformer = policy.getMaskTypeDef().getTransformer();
+        if (StringUtils.isEmpty(transformer)) {
+            return Optional.empty();
+        }
+        return Optional.of(new RangerDataMaskPolicy(currentUser, ctl, db, tbl, col, policy.getPolicyId(),
+                policy.getPolicyVersion(), maskType, transformer.replace("{col}", col)));
+    }
+
+    protected abstract RangerAccessRequestImpl createRequest(UserIdentity currentUser);
+
+    protected abstract RangerAccessResourceImpl createResource(String ctl, String db, String tbl);
+
+    protected abstract RangerAccessResourceImpl createResource(String ctl, String db, String tbl, String col);
+
+    protected abstract RangerBasePlugin getPlugin();
+
+    protected abstract RangerAccessResultProcessor getAccessResultProcessor();
 }
diff --git a/...in/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java b/...in/java/org/apache/doris/catalog/authorizer/ranger/doris/RangerDorisAccessController.java
@@ -21,7 +21,6 @@
 import org.apache.doris.analysis.UserIdentity;
 import org.apache.doris.catalog.Env;
 import org.apache.doris.catalog.authorizer.ranger.RangerAccessController;
-import org.apache.doris.catalog.authorizer.ranger.hive.RangerHiveResource;
 import org.apache.doris.cluster.ClusterNamespace;
 import org.apache.doris.common.AuthorizationException;
 import org.apache.doris.mysql.privilege.PrivPredicate;
@@ -31,6 +30,8 @@
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -54,14 +55,20 @@ public RangerDorisAccessController(String serviceName) {
     }
 
     private RangerAccessRequestImpl createRequest(UserIdentity currentUser, DorisAccessType accessType) {
+        RangerAccessRequestImpl request = createRequest(currentUser);
+        request.setAction(accessType.name());
+        request.setAccessType(accessType.name());
+        return request;
+    }
+
+    @Override
+    protected RangerAccessRequestImpl createRequest(UserIdentity currentUser) {
         RangerAccessRequestImpl request = new RangerAccessRequestImpl();
         request.setUser(ClusterNamespace.getNameFromFullName(currentUser.getQualifiedUser()));
         Set<String> roles = Env.getCurrentEnv().getAuth().getRolesByUser(currentUser, false);
         request.setUserRoles(roles.stream().map(role -> ClusterNamespace.getNameFromFullName(role)).collect(
                 Collectors.toSet()));
 
-        request.setAction(accessType.name());
-        request.setAccessType(accessType.name());
         request.setClientIPAddress(currentUser.getHost());
         request.setClusterType(CLIENT_TYPE_DORIS);
         request.setClientType(CLIENT_TYPE_DORIS);
@@ -96,27 +103,6 @@ private boolean checkPrivilege(UserIdentity currentUser, DorisAccessType accessT
         return checkRequestResult(request, result, accessType.name());
     }
 
-    public String getFilterExpr(UserIdentity currentUser, DorisAccessType accessType,
-            RangerHiveResource resource) {
-        RangerAccessRequestImpl request = createRequest(currentUser, accessType);
-        request.setResource(resource);
-        RangerAccessResult result = dorisPlugin.isAccessAllowed(request);
-
-        return result.getFilterExpr();
-    }
-
-    public void getColumnMask(UserIdentity currentUser, DorisAccessType accessType,
-            RangerHiveResource resource) {
-        RangerAccessRequestImpl request = createRequest(currentUser, accessType);
-        request.setResource(resource);
-        RangerAccessResult result = dorisPlugin.isAccessAllowed(request);
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug(String.format("maskType: %s, maskTypeDef: %s, maskedValue: %s", result.getMaskType(),
-                    result.getMaskTypeDef(), result.getMaskedValue()));
-        }
-    }
-
     @Override
     public boolean checkGlobalPriv(UserIdentity currentUser, PrivPredicate wanted) {
         // ranger does not support global privilege,
@@ -159,7 +145,7 @@ public void checkColsPriv(UserIdentity currentUser, String ctl, String db, Strin
 
     @Override
     public boolean checkCloudPriv(UserIdentity currentUser, String resourceName,
-                                  PrivPredicate wanted, ResourceTypeEnum type) {
+            PrivPredicate wanted, ResourceTypeEnum type) {
         return false;
     }
 
@@ -175,6 +161,28 @@ public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadG
         return checkPrivilege(currentUser, DorisAccessType.toAccessType(wanted), resource);
     }
 
+    @Override
+    protected RangerDorisResource createResource(String ctl, String db, String tbl) {
+        return new RangerDorisResource(DorisObjectType.TABLE,
+                ctl, ClusterNamespace.getNameFromFullName(db), tbl);
+    }
+
+    @Override
+    protected RangerDorisResource createResource(String ctl, String db, String tbl, String col) {
+        return new RangerDorisResource(DorisObjectType.COLUMN,
+                ctl, ClusterNamespace.getNameFromFullName(db), tbl, col);
+    }
+
+    @Override
+    protected RangerBasePlugin getPlugin() {
+        return dorisPlugin;
+    }
+
+    @Override
+    protected RangerAccessResultProcessor getAccessResultProcessor() {
+        return null;
+    }
+
     // For test only
     public static void main(String[] args) {
         RangerDorisAccessController ac = new RangerDorisAccessController("doris");

diff --git a/...main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java b/...main/java/org/apache/doris/catalog/authorizer/ranger/hive/RangerHiveAccessController.java
@@ -25,22 +25,25 @@
 import org.apache.doris.common.AuthorizationException;
 import org.apache.doris.common.ThreadPoolManager;
 import org.apache.doris.datasource.InternalCatalog;
+import org.apache.doris.mysql.privilege.DataMaskPolicy;
 import org.apache.doris.mysql.privilege.PrivPredicate;
 
 import com.google.common.collect.Maps;
-import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
 import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
 import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
 import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
 
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ScheduledThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
@@ -57,23 +60,28 @@ public RangerHiveAccessController(Map<String, String> properties) {
         String serviceName = properties.get("ranger.service.name");
         hivePlugin = new RangerHivePlugin(serviceName);
         auditHandler = new RangerHiveAuditHandler(hivePlugin.getConfig());
-        //start a timed log flusher
+        // start a timed log flusher
         logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(auditHandler), 10, 20L, TimeUnit.SECONDS);
     }
 
     private RangerAccessRequestImpl createRequest(UserIdentity currentUser, HiveAccessType accessType) {
+        RangerAccessRequestImpl request = createRequest(currentUser);
+        if (accessType == HiveAccessType.USE) {
+            request.setAccessType(RangerPolicyEngine.ANY_ACCESS);
+        } else {
+            request.setAccessType(accessType.name().toLowerCase());
+        }
+        return request;
+    }
+
+    @Override
+    protected RangerAccessRequestImpl createRequest(UserIdentity currentUser) {
         RangerAccessRequestImpl request = new RangerAccessRequestImpl();
         String user = currentUser.getQualifiedUser();
         request.setUser(ClusterNamespace.getNameFromFullName(user));
         Set<String> roles = Env.getCurrentEnv().getAuth().getRolesByUser(currentUser, false);
         request.setUserRoles(roles.stream().map(role -> ClusterNamespace.getNameFromFullName(role)).collect(
                 Collectors.toSet()));
-        request.setAction(accessType.name());
-        if (accessType == HiveAccessType.USE) {
-            request.setAccessType(RangerPolicyEngine.ANY_ACCESS);
-        } else {
-            request.setAccessType(accessType.name().toLowerCase());
-        }
         request.setClientIPAddress(currentUser.getHost());
         request.setClusterType(CLIENT_TYPE_DORIS);
         request.setClientType(CLIENT_TYPE_DORIS);
@@ -104,27 +112,6 @@ private boolean checkPrivilege(UserIdentity currentUser, HiveAccessType accessTy
         return checkRequestResult(request, result, accessType.name());
     }
 
-    public String getFilterExpr(UserIdentity currentUser, HiveAccessType accessType,
-            RangerHiveResource resource) throws HiveAccessControlException {
-        RangerAccessRequestImpl request = createRequest(currentUser, accessType);
-        request.setResource(resource);
-        RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
-
-        return result.getFilterExpr();
-    }
-
-    public void getColumnMask(UserIdentity currentUser, HiveAccessType accessType,
-            RangerHiveResource resource) {
-        RangerAccessRequestImpl request = createRequest(currentUser, accessType);
-        request.setResource(resource);
-        RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug(String.format("maskType: %s, maskTypeDef: %s, maskedValue: %s", result.getMaskType(),
-                    result.getMaskTypeDef(), result.getMaskedValue()));
-        }
-    }
-
     private HiveAccessType convertToAccessType(PrivPredicate predicate) {
         if (predicate == PrivPredicate.SHOW) {
             return HiveAccessType.USE;
@@ -187,10 +174,16 @@ public void checkColsPriv(UserIdentity currentUser, String ctl, String db, Strin
 
     @Override
     public boolean checkCloudPriv(UserIdentity currentUser, String resourceName,
-                                  PrivPredicate wanted, ResourceTypeEnum type) {
+            PrivPredicate wanted, ResourceTypeEnum type) {
         return false;
     }
 
+    @Override
+    public Optional<DataMaskPolicy> evalDataMaskPolicy(UserIdentity currentUser, String ctl, String db, String tbl,
+            String col) {
+        return Optional.empty();
+    }
+
     @Override
     public boolean checkResourcePriv(UserIdentity currentUser, String resourceName, PrivPredicate wanted) {
         return false;
@@ -201,6 +194,28 @@ public boolean checkWorkloadGroupPriv(UserIdentity currentUser, String workloadG
         return false;
     }
 
+    @Override
+    protected RangerHiveResource createResource(String ctl, String db, String tbl) {
+        return new RangerHiveResource(HiveObjectType.TABLE,
+                ClusterNamespace.getNameFromFullName(db), tbl);
+    }
+
+    @Override
+    protected RangerHiveResource createResource(String ctl, String db, String tbl, String col) {
+        return new RangerHiveResource(HiveObjectType.COLUMN,
+                ClusterNamespace.getNameFromFullName(db), tbl, col);
+    }
+
+    @Override
+    protected RangerBasePlugin getPlugin() {
+        return hivePlugin;
+    }
+
+    @Override
+    protected RangerAccessResultProcessor getAccessResultProcessor() {
+        return auditHandler;
+    }
+
     // For test only
     public static void main(String[] args) {
         Map<String, String> properties = Maps.newHashMap();