[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…

… compatible for existing ranger policy
theoryxu · Nov 26, 2024 · 552f08e · 552f08e
1 parent fbd9fc4
commit 552f08e
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 35 deletions.
diff --git a/...er/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/...er/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -800,15 +800,8 @@ private void doRemoveSchemaMetadataObject(RangerMetadataObject rangerMetadataObj
       try {
         List<RangerPolicy> policies = rangerClient.getPoliciesInService(rangerServiceName);
         policies.stream()
-            .forEach(
-                policy -> {
-                  try {
-                    rangerClient.deletePolicy(policy.getId());
-                  } catch (RangerServiceException e) {
-                    LOG.error("Failed to rename the policy {}!", policy);
-                    throw new RuntimeException(e);
-                  }
-                });
+            .filter(rangerHelper::hasGravitinoManagedPolicyItem)
+            .forEach(rangerHelper::removeAllGravitinoManagedPolicyItem);
       } catch (RangerServiceException e) {
         throw new RuntimeException(e);
       }
@@ -977,32 +970,7 @@ private void removePolicyByMetadataObject(List<String> metadataNames) {
                                         .getValues()
                                         .contains(preciseFilters.get(entry.getKey()))))
             .collect(Collectors.toList());
-    policies.stream()
-        .forEach(
-            policy -> {
-              try {
-                policy.setPolicyItems(
-                    policy.getPolicyItems().stream()
-                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
-                        .collect(Collectors.toList()));
-                policy.setDenyPolicyItems(
-                    policy.getDenyPolicyItems().stream()
-                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
-                        .collect(Collectors.toList()));
-                policy.setRowFilterPolicyItems(
-                    policy.getRowFilterPolicyItems().stream()
-                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
-                        .collect(Collectors.toList()));
-                policy.setDataMaskPolicyItems(
-                    policy.getDataMaskPolicyItems().stream()
-                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
-                        .collect(Collectors.toList()));
-                rangerClient.updatePolicy(policy.getId(), policy);
-              } catch (RangerServiceException e) {
-                LOG.error("Failed to rename the policy {}!", policy);
-                throw new RuntimeException(e);
-              }
-            });
+    policies.forEach(rangerHelper::removeAllGravitinoManagedPolicyItem);
   }
 
   private void updatePolicyByMetadataObject(

diff --git a/...rization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java b/...rization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
@@ -246,6 +246,39 @@ public boolean isGravitinoManagedPolicyItemAccess(RangerPolicy.RangerPolicyItem
     return policyItem.getRoles().stream().anyMatch(role -> role.startsWith(GRAVITINO_ROLE_PREFIX));
   }
 
+  public boolean hasGravitinoManagedPolicyItem(RangerPolicy policy) {
+    List<RangerPolicy.RangerPolicyItem> policyItems = policy.getPolicyItems();
+    policyItems.addAll(policy.getDenyPolicyItems());
+    policyItems.addAll(policy.getRowFilterPolicyItems());
+    policyItems.addAll(policy.getDataMaskPolicyItems());
+    return policyItems.stream().anyMatch(this::isGravitinoManagedPolicyItemAccess);
+  }
+
+  public void removeAllGravitinoManagedPolicyItem(RangerPolicy policy) {
+    try {
+      policy.setPolicyItems(
+          policy.getPolicyItems().stream()
+              .filter(i -> !isGravitinoManagedPolicyItemAccess(i))
+              .collect(Collectors.toList()));
+      policy.setDenyPolicyItems(
+          policy.getDenyPolicyItems().stream()
+              .filter(i -> !isGravitinoManagedPolicyItemAccess(i))
+              .collect(Collectors.toList()));
+      policy.setRowFilterPolicyItems(
+          policy.getRowFilterPolicyItems().stream()
+              .filter(i -> !isGravitinoManagedPolicyItemAccess(i))
+              .collect(Collectors.toList()));
+      policy.setDataMaskPolicyItems(
+          policy.getDataMaskPolicyItems().stream()
+              .filter(i -> !isGravitinoManagedPolicyItemAccess(i))
+              .collect(Collectors.toList()));
+      rangerClient.updatePolicy(policy.getId(), policy);
+    } catch (RangerServiceException e) {
+      LOG.error("Failed to update the policy {}!", policy);
+      throw new RuntimeException(e);
+    }
+  }
+
   protected boolean checkRangerRole(String roleName) throws AuthorizationPluginException {
     roleName = generateGravitinoRoleName(roleName);
     try {