Implement Apache Ranger Authorization Plugin for Apache Polaris (#274)#3928
Implement Apache Ranger Authorization Plugin for Apache Polaris (#274)#3928sneethiraj wants to merge 66 commits intoapache:mainfrom
Conversation
…classes into RangerUtils class
added unit tests to verify operations on ROOT and CATALOG renamed ranger-plugin.properties to ranger-authorizer.properties
…ined or non-ranger-auth
…d fixed some validations on permissions for targets/secondaries
…the permissions requested
…or secondaries - but, secondary objects are being passed on.
replaced multiple authz requests with a single request
…ll] and [gradlew check]
…horizer interface
|
|
||
| # force the locale, just in case the system's using another default locale | ||
| quarkus.default-locale=en_US | ||
|
|
gradle/libs.versions.toml
Outdated
| caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version = "3.2.3" } | ||
| cel-bom = { module = "org.projectnessie.cel:cel-bom", version = "0.6.0" } | ||
| checkstyle = { module = "com.puppycrawl.tools:checkstyle", version.ref = "checkstyle" } # required by the polaris-java plugin | ||
| commons-collections = { module = "commons-collections:commons-collections", version = "3.2.2" } |
There was a problem hiding this comment.
These two new dependencies seem unused.
| exclude("org.apache.hadoop", "hadoop-client-api") | ||
| exclude("org.apache.hadoop", "hadoop-client-runtime") | ||
| } | ||
| implementation(libs.commons.lang3) |
There was a problem hiding this comment.
commons.lang3 is used in RangerPolarisAuthorizerFactory and RangerUtils.
| implementation(libs.graalvm.js.js.scriptengine) | ||
| implementation(libs.graalvm.polyglot.js) | ||
| implementation(libs.graalvm.polyglot.polyglot) |
There was a problem hiding this comment.
All GraalVM dependencies seem unused, did you mean to use runtimeOnly instead?
There was a problem hiding this comment.
Yes, that is correct; will change dependency to runtimeOnly. Thank you.
| @@ -0,0 +1,26 @@ | |||
| # | |||
| @@ -0,0 +1,25 @@ | |||
| # | |||
| import org.apache.polaris.core.persistence.ResolvedPolarisEntity; | ||
| import org.junit.jupiter.api.Test; | ||
|
|
||
| public class TestRangerPolarisAuthorizer { |
There was a problem hiding this comment.
Nit: the naming convention in Polaris is: RangerPolarisAuthorizerTest. Same for RangerPolarisAuthorizerFactoryTest.
| import org.apache.polaris.core.entity.CatalogEntity; | ||
|
|
||
| public class RangerTestUtils { | ||
| public static RangerPolarisAuthorizerConfig createConfig() { |
There was a problem hiding this comment.
Have you considered writing @QuarkusTests rather than pure unit tests instead? The advantage is that you don't need to create all the fixtures, and you would be testing the "real thing".
There was a problem hiding this comment.
I haven't tried @QuarkusTest yet; can this be taken up in a follow-up PR? I would prefer to retain current light-weight unit tests though.
|
|
||
| @Test | ||
| public void testAuthzRoot() throws Exception { | ||
| runTests(authorizer, "/authz_tests/tests_authz_root.json"); |
There was a problem hiding this comment.
nit: what is the advantage of writing your test cases as JSON, just to have them mapped to Java beans with Jackson? Isn't it simpler to just write your test cases in Java, maybe with parameterized tests? Especially given the significant amount of boilerplate code related to Jackson deserialization that needs to be introduced.
There was a problem hiding this comment.
I think capturing test input/output in Json format makes it easier to focus on test details, without any scaffolding distractions while doing the same in Java.
There was a problem hiding this comment.
Quite frankly, something like this would be way more readable imho:
@ParameterizedTest
@CsvSource({
"CREATE_CATALOG , admin1 , ROOT:root_container , true",
"LIST_CATALOGS , admin1 , ROOT:root_container , true",
"CREATE_PRINCIPAL , admin1 , ROOT:root_container , true",
"LIST_PRINCIPALS , admin1 , ROOT:root_container , true",
"CREATE_CATALOG , user1 , ROOT:root_container , false",
"LIST_CATALOGS , user1 , ROOT:root_container , true",
"CREATE_PRINCIPAL , user1 , ROOT:root_container , false",
"LIST_PRINCIPALS , user1 , ROOT:root_container , true",
"CREATE_CATALOG , user2 , ROOT:root_container , false",
"LIST_CATALOGS , user2 , ROOT:root_container , false",
"CREATE_PRINCIPAL , user2 , ROOT:root_container , false",
"LIST_PRINCIPALS , user2 , ROOT:root_container , false",
})
void testAuthzRoot(
PolarisAuthorizableOperation authzOp,
String principalName,
String target,
boolean isAllowed) {
assertAuthz(authzOp, principalName, target, null, isAllowed);
}There was a problem hiding this comment.
@adutra - ok, thanks for the sample. Unless this is a blocker, I would prefer to retain current unit tests.
|
@adutra, @dimas-b, @flyingImer, @flyrain - thank you all so much for the thoroughness in reviewing the PR and suggestions. Are there any blocker items to address before this PR approved and merged? |
|
Thanks @mneethiraj for working on it. LGTM overall. I'd suggest to file issues for followups and fix the CI failures. |
adnanhemani
left a comment
adnanhemani
left a comment
There was a problem hiding this comment.
Thanks all for the thorough reviews. I just took a look and everything looks about right except the few outstanding comments, which I believe are all for follow up items.
There's a failure in the CI, relating to Licenses and Notices. Once that's taken care of, I'd be ready to approve!
Thank you for this great work, @sneethiraj!
Thanks @flyrain. I updated the LICENSE file to address failures in @flyrain, @adutra, @dimas-b - can you please review and confirm that this license is indeed not allowed? If its not allowed, the only option seems to exclude this library. It seems excluding this library can result in failures in locale-specific handling of custom expressions in Ranger policies. Though this issue may not impact most use cases of Ranger policies, needs to be investigated further and documented. |
|
Unicode license is OK to include, https://www.apache.org/legal/resolved.html#category-a. We need to update the license checker. |
|
Thanks @adnanhemani for your efforts to review and provide valuable comments! |
Thanks @flyrain. Apart from above failure from |
8 participants
RFC : https://docs.google.com/document/d/10UIpPMeWVU3VA0goGz_y8OAbXhIDigah/edit?usp=sharing&ouid=103452742845206345322&rtpof=true&sd=true
This RFC proposes integrating Apache Ranger as an external authorization plugin for Apache Polaris by implementing the PolarisAuthorizer SPI. By leveraging Ranger’s mature ecosystem, Polaris can provide enterprises with centralized policy management, fine-grained resource-based access control (RBAC/ABAC), and comprehensive audit logging without replacing its internal authorization model. This integration addresses key enterprise challenges by providing a uniform, centralized security and governance platform for policy management and data access auditing.
Checklist
CHANGELOG.md(if needed)site/content/in-dev/unreleased(if needed)