[apache#5336]feat(auth-ranger): Remove MANAGED_BY_GRAVITINO limit and…

… compatible for existing ranger policy

authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java

@@ -980,19 +980,19 @@ private void removePolicyByMetadataObject(List<String> metadataNames) {
               try {
                 policy.setPolicyItems(
                     policy.getPolicyItems().stream()
-                        .filter(rangerHelper::isNotGravitinoManagedPolicyItemAccess)
+                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
                         .collect(Collectors.toList()));
                 policy.setDenyPolicyItems(
                     policy.getDenyPolicyItems().stream()
-                        .filter(rangerHelper::isNotGravitinoManagedPolicyItemAccess)
+                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
                         .collect(Collectors.toList()));
                 policy.setRowFilterPolicyItems(
                     policy.getRowFilterPolicyItems().stream()
-                        .filter(rangerHelper::isNotGravitinoManagedPolicyItemAccess)
+                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
                         .collect(Collectors.toList()));
                 policy.setDataMaskPolicyItems(
                     policy.getDataMaskPolicyItems().stream()
-                        .filter(rangerHelper::isNotGravitinoManagedPolicyItemAccess)
+                        .filter(i -> !rangerHelper.isGravitinoManagedPolicyItemAccess(i))
                         .collect(Collectors.toList()));
                 rangerClient.updatePolicy(policy.getId(), policy);
               } catch (RangerServiceException e) {

authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java

@@ -19,7 +19,6 @@
 package org.apache.gravitino.authorization.ranger;
 
 import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -225,7 +224,7 @@ public RangerPolicy findManagedPolicy(RangerMetadataObject rangerMetadataObject)
     }
     // Only return the policies that are managed by Gravitino.
     if (policies.size() > 1) {
-      throw new AuthorizationPluginException("Every metadata object has only a policy.");
+      throw new AuthorizationPluginException("Each metadata object can have at most one policy.");
     }
 
     if (policies.isEmpty()) {
@@ -254,10 +253,6 @@ boolean isGravitinoManagedPolicyItemAccess(RangerPolicy.RangerPolicyItem policyI
     return policyItem.getRoles().stream().anyMatch(role -> role.startsWith(GRAVITINO_ROLE_PREFIX));
   }
 
-  boolean isNotGravitinoManagedPolicyItemAccess(RangerPolicy.RangerPolicyItem policyItem) {
-    return !isGravitinoManagedPolicyItemAccess(policyItem);
-  }
-
   protected boolean checkRangerRole(String roleName) throws AuthorizationPluginException {
     roleName = rangerRoleName(roleName);
     try {

authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java

@@ -327,20 +327,16 @@ public void testFindManagedPolicy() {
     String dbName = currentFunName();
     createHivePolicy(
         Lists.newArrayList(String.format("%s*", dbName), "*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s*", dbName), "tab*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", dbName), "*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", dbName), "tab*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     // findManagedPolicy function use precise search, so return null
     RangerSecurableObject rangerSecurableObject =
         rangerAuthHivePlugin.generateRangerSecurableObject(
@@ -354,8 +350,7 @@ public void testFindManagedPolicy() {
     // Add a policy for `db3.tab1`
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", dbName), "tab1"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     // findManagedPolicy function use precise search, so return not null
     Assertions.assertNotNull(rangerHelper.findManagedPolicy(rangerSecurableObject));
   }
@@ -372,15 +367,14 @@ public void testManagedByGravitinoLabel() {
                       SecurableObjects.DOT_SPLITTER.splitToList(securableObject.fullName()));
               names.remove(0); // remove catalog node
               // Manual create the Ranger Policy
-              createHivePolicy(Lists.newArrayList(names), DOT_JOINER.join(names), false);
+              createHivePolicy(Lists.newArrayList(names), DOT_JOINER.join(names));
             });
     // Use role to create Ranger Policy
     Assertions.assertThrows(
         AuthorizationPluginException.class, () -> rangerAuthHivePlugin.onRoleCreated(role));
   }
 
-  static void createHivePolicy(
-      List<String> metaObjects, String roleName, boolean labelManagedByGravitino) {
+  static void createHivePolicy(List<String> metaObjects, String roleName) {
     Assertions.assertTrue(metaObjects.size() < 4);
     Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap = new HashMap<>();
     for (int i = 0; i < metaObjects.size(); i++) {
@@ -404,8 +398,7 @@ static void createHivePolicy(
         RangerITEnv.RANGER_HIVE_REPO_NAME,
         roleName,
         policyResourceMap,
-        Collections.singletonList(policyItem),
-        labelManagedByGravitino);
+        Collections.singletonList(policyItem));
   }
 
   static boolean deleteHivePolicy(RangerSecurableObject rangerSecurableObject) {
@@ -808,20 +801,16 @@ void metadataObjectChangeRemoveMetalakeOrCatalog(String funcName, MetadataObject
       throws RangerServiceException {
     createHivePolicy(
         Lists.newArrayList(String.format("%s*", funcName), "*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s*", funcName), "tab*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", funcName), "*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     createHivePolicy(
         Lists.newArrayList(String.format("%s3", funcName), "tab*"),
-        GravitinoITUtils.genRandomName(currentFunName()),
-        true);
+        GravitinoITUtils.genRandomName(currentFunName()));
     Assertions.assertEquals(
         4, rangerClient.getPoliciesInService(RangerITEnv.RANGER_HIVE_REPO_NAME).size());
 
@@ -1764,7 +1753,6 @@ private void verifyRangerSecurableObjectInRanger(
     }
 
     Assertions.assertEquals(policy.getName(), policyName);
-    Assertions.assertTrue(policy.getPolicyLabels().contains(RangerHelper.MANAGED_BY_GRAVITINO));
 
     // verify namespace
     List<String> metaObjNamespaces = rangerSecurableObject.names();

authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java

@@ -20,7 +20,6 @@
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.Lists;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
@@ -180,8 +179,7 @@ static void allowAnyoneAccessHDFS() {
         RANGER_HDFS_REPO_NAME,
         policyName,
         policyResourceMap,
-        Collections.singletonList(policyItem),
-        false);
+        Collections.singletonList(policyItem));
   }
 
   /**
@@ -218,8 +216,7 @@ static void allowAnyoneAccessInformationSchema() {
         RANGER_HIVE_REPO_NAME,
         policyName,
         policyResourceMap,
-        Collections.singletonList(policyItem),
-        false);
+        Collections.singletonList(policyItem));
   }
 
   public void createRangerTrinoRepository(String trinoIp) {
@@ -515,13 +512,11 @@ protected static void updateOrCreateRangerPolicy(
       String serviceName,
       String policyName,
       Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap,
-      List<RangerPolicy.RangerPolicyItem> policyItems,
-      boolean labelManagedByGravitino) {
+      List<RangerPolicy.RangerPolicyItem> policyItems) {
 
     Map<String, String> resourceFilter = new HashMap<>(); // use to match the precise policy
     Map<String, String> policyFilter = new HashMap<>();
     policyFilter.put(SearchFilter.SERVICE_NAME, serviceName);
-    policyFilter.put(SearchFilter.POLICY_LABELS_PARTIAL, RangerHelper.MANAGED_BY_GRAVITINO);
     final int[] index = {0};
     policyResourceMap.forEach(
         (k, v) -> {
@@ -575,9 +570,6 @@ protected static void updateOrCreateRangerPolicy(
         policy.setServiceType(type);
         policy.setService(serviceName);
         policy.setName(policyName);
-        if (labelManagedByGravitino) {
-          policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
-        }
         policy.setResources(policyResourceMap);
         policy.setPolicyItems(policyItems);
         rangerClient.createPolicy(policy);