[feat](Authorization-plugin)Authorization framework modularization #40750
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# AccessControllerFactory Interface
## Overview
The `AccessControllerFactory` interface is responsible for creating and managing `CatalogAccessController` instances. The interface includes the following methods:
- **`default String factoryIdentifier()`**: Returns the identifier for the factory, defaulting to the simple name of the implementing class. To maintain compatibility with user-defined plugins from older versions, the `factoryIdentifier` method provides a default implementation that returns the simple name of the current implementation class, ensuring that each factory has a unique identifier.
- **`CatalogAccessController createAccessController(Map<String, String> prop)`**: Creates a new instance of `CatalogAccessController` and initializes it with the provided properties.
## Factory Identifier
Each class implementing `AccessControllerFactory` will automatically use its class name as the factory identifier. This helps in identifying different factory instances during plugin loading and selection.
## Instance Creation
The `createAccessController` method allows you to create and initialize `CatalogAccessController` instances. The `prop` parameter provides the configuration properties needed for initialization.
## Compatibility
- If you are using the previously built-in `range-dorir` authentication plugin, no configuration changes are required; it will continue to function as before.
- For custom plugins, configuration information should be defined in `conf/access.conf`. Then, in `fe.conf`, specify the `access_controller_type` as the identifier for the custom plugin.
## How to Extend
- Add the `fe-core` dependency to your Maven `pom.xml` file.
```xml
<dependency>
<groupId>org.apache.doris</groupId>
<artifactId>fe-core</artifactId>
<version>1.2-SNAPSHOT</version>
<scope>provided</scope>
</dependency>
```
Then, implement the AccessControllerFactory interface to create your own plugin factory class as follows:
```java
public class SimpleAccessControllerFactory implements AccessControllerFactory {
@OverRide
public String factoryIdentifier() {
return "local-simple";
}
@OverRide
public CatalogAccessController createAccessController(Map<String, String> map) {
return new SimpleAccessController(map);
}
}
package org.example.access;
import org.apache.doris.analysis.ResourceTypeEnum;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.common.AuthorizationException;
import org.apache.doris.mysql.privilege.CatalogAccessController;
import org.apache.doris.mysql.privilege.DataMaskPolicy;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.doris.mysql.privilege.RowFilterPolicy;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
public class SimpleAccessController implements CatalogAccessController {
private HashMap<String, Boolean> databasePrivs = new HashMap<>();
// just for test
public SimpleAccessController(Map<String, String> prop) {
prop.forEach((k, v) -> {
databasePrivs.put(k, Boolean.parseBoolean(v));
});
}
@OverRide
public boolean checkGlobalPriv(UserIdentity userIdentity, PrivPredicate privPredicate) {
return false;
}
@OverRide
public boolean checkCtlPriv(UserIdentity userIdentity, String s, PrivPredicate privPredicate) {
return true;
}
...
```
Add a new folder named **META-INF/services** under the resources directory, Create a new file named **org.apache.doris.mysql.privilege.AccessControllerFactory.**
with a file containing **org.apache.doris.mysql.privilege.AccessControllerFactory.**
## How to Use
- In `fe.conf`, specify the **access_controller_type=local-simple**
- Put the jar file containing the custom plugin in the **fe/custom_lib** directory.
|
Thank you for your contribution to Apache Doris. Since 2024-03-18, the Document has been moved to doris-website. |
CalvinKirs
changed the title
CalvinKirs
changed the title
Member
Author
|
run buildall |
TPC-H: Total hot run time: 42976 ms |
Member
Author
|
run performance |
morningman
reviewed
Sep 23, 2024
| private Auth auth; | ||
| private CatalogAccessController defaultAccessController; | ||
| private Map<String, CatalogAccessController> ctlToCtlAccessController = Maps.newConcurrentMap(); | ||
| private ConcurrentHashMap<String, AccessControllerFactory> accessControllerFactoriesCache |
Contributor
There was a problem hiding this comment.
Add comment to explain key and value of the map
| prop = PropertiesUtils.loadAccessControllerPropertiesOrNull(); | ||
| } catch (IOException e) { | ||
| LOG.warn("Failed to load access controller properties,Using default access controller plugin", e); | ||
| return new InternalAccessController(auth); |
Contributor
There was a problem hiding this comment.
I think we should stop process if user specified access controller is not found
| import java.util.Properties; | ||
|
|
||
| public class PropertiesUtils { | ||
| public static final String ACCESS_PROPERTIES_FILE_DIR = "/conf/access.conf"; |
When the configuration plugin name cannot be found, an error is reported.
github-actions
bot
added
the
approved
Contributor
|
PR approved by at least one committer and no changes requested. |
Contributor
|
PR approved by anyone and no changes requested. |
morningman
reviewed
Sep 23, 2024
| return accessControllerFactoriesCache.get(accessControllerName).createAccessController(prop); | ||
| } | ||
| throw new RuntimeException("No authorization plugin factory found for " + accessControllerName | ||
| + "Please confirm that your plugin is placed in the correct location."); |
Contributor
There was a problem hiding this comment.
Suggested change
| + "Please confirm that your plugin is placed in the correct location."); | |
| + ". Please confirm that your plugin is placed in the correct location."); |
| .createAccessController(prop); | ||
| if (!isDryRun) { | ||
| ctlToCtlAccessController.put(ctl, accessController); | ||
| LOG.info("create access controller {} for catalog {}", ctl, acFactoryClassName); |
Contributor
There was a problem hiding this comment.
Suggested change
| LOG.info("create access controller {} for catalog {}", ctl, acFactoryClassName); | |
| LOG.info("create access controller {} for catalog {}", acFactoryClassName, ctl); |
| prop = PropertiesUtils.loadAccessControllerPropertiesOrNull(); | ||
| } catch (IOException e) { | ||
| throw new RuntimeException("Failed to load authorization properties," | ||
| + "please check the configuration file, authorization name is " + accessControllerName, e); |
Contributor
There was a problem hiding this comment.
Suggested change
| + "please check the configuration file, authorization name is " + accessControllerName, e); | |
| + " Please check the configuration file, authorization name is " + accessControllerName, e); |
| try { | ||
| prop = PropertiesUtils.loadAccessControllerPropertiesOrNull(); | ||
| } catch (IOException e) { | ||
| throw new RuntimeException("Failed to load authorization properties," |
Contributor
There was a problem hiding this comment.
Suggested change
| throw new RuntimeException("Failed to load authorization properties," | |
| throw new RuntimeException("Failed to load authorization properties." |
github-actions
bot
removed
the
approved
Contributor
|
run buildall |
github-actions
bot
added
the
approved
Contributor
|
PR approved by at least one committer and no changes requested. |
Member
Author
|
run buildall |
zy-kkk
approved these changes
Sep 24, 2024
bobhan1
pushed a commit
to bobhan1/doris
that referenced
this pull request
Oct 23, 2024
…pache#40750) # AccessControllerFactory Interface ## Overview The `AccessControllerFactory` interface is responsible for creating and managing `CatalogAccessController` instances. The interface includes the following methods: - **`default String factoryIdentifier()`**: Returns the identifier for the factory, defaulting to the simple name of the implementing class. To maintain compatibility with user-defined plugins from older versions, the `factoryIdentifier` method provides a default implementation that returns the simple name of the current implementation class, ensuring that each factory has a unique identifier. - **`CatalogAccessController createAccessController(Map<String, String> prop)`**: Creates a new instance of `CatalogAccessController` and initializes it with the provided properties. ## Factory Identifier Each class implementing `AccessControllerFactory` will automatically use its class name as the factory identifier. This helps in identifying different factory instances during plugin loading and selection. ## Instance Creation The `createAccessController` method allows you to create and initialize `CatalogAccessController` instances. The `prop` parameter provides the configuration properties needed for initialization. ## Compatibility - If you are using the previously built-in `range-dorir` authentication plugin, no configuration changes are required; it will continue to function as before. - For custom plugins, configuration information should be defined in `conf/access.conf`. Then, in `fe.conf`, specify the `access_controller_type` as the identifier for the custom plugin. ## How to Extend - Add the `fe-core` dependency to your Maven `pom.xml` file. ```xml <dependency> <groupId>org.apache.doris</groupId> <artifactId>fe-core</artifactId> <version>1.2-SNAPSHOT</version> <scope>provided</scope> </dependency> ``` Then, implement the AccessControllerFactory interface to create your own plugin factory class as follows: ```java public class SimpleAccessControllerFactory implements AccessControllerFactory { @OverRide public String factoryIdentifier() { return "local-simple"; } @OverRide public CatalogAccessController createAccessController(Map<String, String> map) { return new SimpleAccessController(map); } } package org.example.access; import org.apache.doris.analysis.ResourceTypeEnum; import org.apache.doris.analysis.UserIdentity; import org.apache.doris.common.AuthorizationException; import org.apache.doris.mysql.privilege.CatalogAccessController; import org.apache.doris.mysql.privilege.DataMaskPolicy; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.mysql.privilege.RowFilterPolicy; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; public class SimpleAccessController implements CatalogAccessController { private HashMap<String, Boolean> databasePrivs = new HashMap<>(); // just for test public SimpleAccessController(Map<String, String> prop) { prop.forEach((k, v) -> { databasePrivs.put(k, Boolean.parseBoolean(v)); }); } @OverRide public boolean checkGlobalPriv(UserIdentity userIdentity, PrivPredicate privPredicate) { return false; } @OverRide public boolean checkCtlPriv(UserIdentity userIdentity, String s, PrivPredicate privPredicate) { return true; } ... ``` Add a new folder named **META-INF/services** under the resources directory, Create a new file named **org.apache.doris.mysql.privilege.AccessControllerFactory.** with a file containing **org.apache.doris.mysql.privilege.AccessControllerFactory.** ## How to Use - In `fe.conf`, specify the **access_controller_type=local-simple** - Put the jar file containing the custom plugin in the **fe/custom_lib** directory. (cherry picked from commit dd5605e)
morningman
pushed a commit
to morningman/doris
that referenced
this pull request
Nov 21, 2024
…pache#40750) The `AccessControllerFactory` interface is responsible for creating and managing `CatalogAccessController` instances. The interface includes the following methods: - **`default String factoryIdentifier()`**: Returns the identifier for the factory, defaulting to the simple name of the implementing class. To maintain compatibility with user-defined plugins from older versions, the `factoryIdentifier` method provides a default implementation that returns the simple name of the current implementation class, ensuring that each factory has a unique identifier. - **`CatalogAccessController createAccessController(Map<String, String> prop)`**: Creates a new instance of `CatalogAccessController` and initializes it with the provided properties. Each class implementing `AccessControllerFactory` will automatically use its class name as the factory identifier. This helps in identifying different factory instances during plugin loading and selection. The `createAccessController` method allows you to create and initialize `CatalogAccessController` instances. The `prop` parameter provides the configuration properties needed for initialization. - If you are using the previously built-in `range-dorir` authentication plugin, no configuration changes are required; it will continue to function as before. - For custom plugins, configuration information should be defined in `conf/access.conf`. Then, in `fe.conf`, specify the `access_controller_type` as the identifier for the custom plugin. - Add the `fe-core` dependency to your Maven `pom.xml` file. ```xml <dependency> <groupId>org.apache.doris</groupId> <artifactId>fe-core</artifactId> <version>1.2-SNAPSHOT</version> <scope>provided</scope> </dependency> ``` Then, implement the AccessControllerFactory interface to create your own plugin factory class as follows: ```java public class SimpleAccessControllerFactory implements AccessControllerFactory { @OverRide public String factoryIdentifier() { return "local-simple"; } @OverRide public CatalogAccessController createAccessController(Map<String, String> map) { return new SimpleAccessController(map); } } package org.example.access; import org.apache.doris.analysis.ResourceTypeEnum; import org.apache.doris.analysis.UserIdentity; import org.apache.doris.common.AuthorizationException; import org.apache.doris.mysql.privilege.CatalogAccessController; import org.apache.doris.mysql.privilege.DataMaskPolicy; import org.apache.doris.mysql.privilege.PrivPredicate; import org.apache.doris.mysql.privilege.RowFilterPolicy; import java.util.Collections; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; public class SimpleAccessController implements CatalogAccessController { private HashMap<String, Boolean> databasePrivs = new HashMap<>(); // just for test public SimpleAccessController(Map<String, String> prop) { prop.forEach((k, v) -> { databasePrivs.put(k, Boolean.parseBoolean(v)); }); } @OverRide public boolean checkGlobalPriv(UserIdentity userIdentity, PrivPredicate privPredicate) { return false; } @OverRide public boolean checkCtlPriv(UserIdentity userIdentity, String s, PrivPredicate privPredicate) { return true; } ... ``` Add a new folder named **META-INF/services** under the resources directory, Create a new file named **org.apache.doris.mysql.privilege.AccessControllerFactory.** with a file containing **org.apache.doris.mysql.privilege.AccessControllerFactory.** - In `fe.conf`, specify the **access_controller_type=local-simple** - Put the jar file containing the custom plugin in the **fe/custom_lib** directory.
morrySnow
pushed a commit
that referenced
this pull request
Jul 1, 2025
CalvinKirs
added a commit
to CalvinKirs/incubator-doris
that referenced
this pull request
Jul 1, 2025
…arization (apache#40750) apache#40750 (cherry picked from commit dd5605e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
AccessControllerFactory Interface
Overview
The
AccessControllerFactoryinterface is responsible for creating and managingCatalogAccessControllerinstances. The interface includes the following methods:default String factoryIdentifier(): Returns the identifier for the factory, defaulting to the simple name of the implementing class. To maintain compatibility with user-defined plugins from older versions, thefactoryIdentifiermethod provides a default implementation that returns the simple name of the current implementation class, ensuring that each factory has a unique identifier.CatalogAccessController createAccessController(Map<String, String> prop): Creates a new instance ofCatalogAccessControllerand initializes it with the provided properties.Factory Identifier
Each class implementing
AccessControllerFactorywill automatically use its class name as the factory identifier. This helps in identifying different factory instances during plugin loading and selection.Instance Creation
The
createAccessControllermethod allows you to create and initializeCatalogAccessControllerinstances. Thepropparameter provides the configuration properties needed for initialization.Compatibility
range-dorirauthentication plugin, no configuration changes are required; it will continue to function as before.conf/access.conf. Then, infe.conf, specify theaccess_controller_typeas the identifier for the custom plugin.How to Extend
fe-coredependency to your Mavenpom.xmlfile.Then, implement the AccessControllerFactory interface to create your own plugin factory class as follows:
Add a new folder named META-INF/services under the resources directory, Create a new file named org.apache.doris.mysql.privilege.AccessControllerFactory. with a file containing org.apache.doris.mysql.privilege.AccessControllerFactory.
How to Use
fe.conf, specify the access_controller_type=local-simple