Posted to commits@hawq.apache.org by wl...@apache.org on 2017/02/04 08:22:02 UTC
incubator-hawq git commit: HAWQ-1292. Change GUC enable_ranger(bool)
to a text GUC(hawq_acl_type), which can allow other kinds of ACL.
Repository: incubator-hawq
Updated Branches:
refs/heads/master 7d02472b8 -> e4ac516b2
HAWQ-1292. Change GUC enable_ranger(bool) to a text GUC(hawq_acl_type), which can allow other kinds of ACL.
Project: http://git-wip-us.apache.org/repos/asf/incubator-hawq/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-hawq/commit/e4ac516b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-hawq/tree/e4ac516b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-hawq/diff/e4ac516b
Branch: refs/heads/master
Commit: e4ac516b24853a83f3c0c7c66d858e92437f8d46
Parents: 7d02472
Author: stanlyxiang <st...@gmail.com>
Authored: Sat Jan 14 15:31:28 2017 +0800
Committer: Wen Lin <wl...@pivotal.io>
Committed: Sat Feb 4 16:21:19 2017 +0800
----------------------------------------------------------------------
src/backend/catalog/aclchk.c | 22 +++++++-------
src/backend/catalog/namespace.c | 4 +--
src/backend/parser/parse_relation.c | 5 +--
src/backend/tcop/postgres.c | 17 +++++++++--
src/backend/utils/adt/acl.c | 3 +-
src/backend/utils/misc/guc.c | 52 ++++++++++++++++----------------
src/include/utils/acl.h | 14 ++++++++-
src/include/utils/guc.h | 4 ++-
8 files changed, 75 insertions(+), 46 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/catalog/aclchk.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 33fa9ab..667aa61 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -228,7 +228,7 @@ restrict_and_check_grant(bool is_grant, AclMode avail_goptions, bool all_privs,
*/
if (avail_goptions == ACL_NO_RIGHTS && Gp_role != GP_ROLE_EXECUTE)
{
- if (enable_ranger && !fallBackToNativeCheck(objkind, objectId, grantorId)) {
+ if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(objkind, objectId, grantorId)) {
if (pg_rangercheck(objkind, objectId, grantorId,
whole_mask | ACL_GRANT_OPTION_FOR(whole_mask),
ACLMASK_ANY) != ACLCHECK_OK)
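Review bot: The test `aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(...)` is now written out at eleven call sites in aclchk.c: this hunk in restrict_and_check_grant and the ten pg_*_aclcheck hunks that follow. The commit message says the point of the change is to allow other kinds of ACL, yet each site only distinguishes ranger from everything else, so a later mode that is missed at one site would take the native path there with no signal. A single static helper that takes the object kind, object id and role id and returns whether the external check applies would keep the decision in one place, so each site becomes `if (useRangerCheck(ACL_KIND_CLASS, table_oid, roleid))`. restrict_and_check_grant starts and ends outside this hunk.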
@@ -3851,7 +3851,7 @@ pg_class_aclcheck(Oid table_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_CLASS, table_oid, roleid))
{
return pg_rangercheck(ACL_KIND_CLASS, table_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3871,7 +3871,7 @@ pg_database_aclcheck(Oid db_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_DATABASE, db_oid, roleid))
{
return pg_rangercheck(ACL_KIND_DATABASE, db_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3891,7 +3891,7 @@ pg_proc_aclcheck(Oid proc_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_PROC, proc_oid, roleid))
{
return pg_rangercheck(ACL_KIND_PROC, proc_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3911,7 +3911,7 @@ pg_language_aclcheck(Oid lang_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_LANGUAGE, lang_oid, roleid))
{
return pg_rangercheck(ACL_KIND_LANGUAGE, lang_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3931,7 +3931,7 @@ pg_namespace_aclcheck(Oid nsp_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_NAMESPACE, nsp_oid, roleid))
{
return pg_rangercheck(ACL_KIND_NAMESPACE, nsp_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3951,7 +3951,7 @@ pg_tablespace_aclcheck(Oid spc_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_TABLESPACE, spc_oid, roleid))
{
return pg_rangercheck(ACL_KIND_TABLESPACE, spc_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3972,7 +3972,7 @@ pg_foreign_data_wrapper_aclcheck(Oid fdw_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FDW, fdw_oid, roleid))
{
return pg_rangercheck(ACL_KIND_FDW, fdw_oid, roleid, mode, ACLMASK_ANY);
}
@@ -3993,7 +3993,7 @@ pg_foreign_server_aclcheck(Oid srv_oid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid))
{
return pg_rangercheck(ACL_KIND_FOREIGN_SERVER, srv_oid, roleid, mode, ACLMASK_ANY);
}
@@ -4014,7 +4014,7 @@ pg_extprotocol_aclcheck(Oid ptcid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid))
{
return pg_rangercheck(ACL_KIND_EXTPROTOCOL, ptcid, roleid, mode, ACLMASK_ANY);
}
@@ -4034,7 +4034,7 @@ pg_filesystem_aclcheck(Oid fsysid, Oid roleid, AclMode mode)
if (Gp_role == GP_ROLE_EXECUTE)
return ACLCHECK_OK;
- if(enable_ranger && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid))
+ if(aclType == HAWQ_ACL_RANGER && !fallBackToNativeCheck(ACL_KIND_FILESYSTEM, fsysid, roleid))
{
return pg_rangercheck(ACL_KIND_FILESYSTEM, fsysid, roleid, mode, ACLMASK_ANY);
}
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/catalog/namespace.c
----------------------------------------------------------------------
diff --git a/src/backend/catalog/namespace.c b/src/backend/catalog/namespace.c
index a780625..e67570e 100644
--- a/src/backend/catalog/namespace.c
+++ b/src/backend/catalog/namespace.c
@@ -1946,7 +1946,7 @@ recomputeNamespacePath(void)
*/
if (namespaceSearchPathValid && namespaceUser == roleid)
{
- if (!enable_ranger)
+ if (aclType != HAWQ_ACL_RANGER)
{
return;
}
@@ -1959,7 +1959,7 @@ recomputeNamespacePath(void)
if (current_query_sign == last_query_sign)
return;
last_query_sign = current_query_sign;
- elog(DEBUG3, "recompute search_path[%s] when enable_ranger", namespace_search_path);
+ elog(DEBUG3, "recompute search_path[%s] when acl_type is ranger", namespace_search_path);
}
}
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/parser/parse_relation.c
----------------------------------------------------------------------
diff --git a/src/backend/parser/parse_relation.c b/src/backend/parser/parse_relation.c
index 1dc6b86..676f8bf 100644
--- a/src/backend/parser/parse_relation.c
+++ b/src/backend/parser/parse_relation.c
@@ -2714,7 +2714,7 @@ warnAutoRange(ParseState *pstate, RangeVar *relation, int location)
void
ExecCheckRTPerms(List *rangeTable)
{
- if (enable_ranger && !fallBackToNativeChecks(ACL_KIND_CLASS,rangeTable,GetUserId()))
+ if (aclType == HAWQ_ACL_RANGER && !fallBackToNativeChecks(ACL_KIND_CLASS,rangeTable,GetUserId()))
{
if(rangeTable!=NULL)
ExecCheckRTPermsWithRanger(rangeTable);
@@ -2729,7 +2729,8 @@ ExecCheckRTPerms(List *rangeTable)
/*
* ExecCheckRTPerms
- * Batch implementation: Check access permissions for all relations listed in a range table with enable_ranger is true.
+ * Batch implementation: Check access permissions for all relations
+ * listed in a range table with acl_type is ranger.
*/
void
ExecCheckRTPermsWithRanger(List *rangeTable)
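Review bot: The rewritten header comment still opens with `ExecCheckRTPerms`, but the function it sits on is `ExecCheckRTPermsWithRanger`, and it refers to `acl_type` where the setting is registered as `hawq_acl_type`. Suggested text: `ExecCheckRTPermsWithRanger` on the first line, then `Batch implementation: check access permissions for all relations listed in a range table when hawq_acl_type is ranger.` The function body is outside this hunk.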
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/tcop/postgres.c
----------------------------------------------------------------------
diff --git a/src/backend/tcop/postgres.c b/src/backend/tcop/postgres.c
index 74c5dd6..7cbe206 100644
--- a/src/backend/tcop/postgres.c
+++ b/src/backend/tcop/postgres.c
@@ -4395,8 +4395,21 @@ PostgresMain(int argc, char *argv[], const char *username)
BuildFlatFiles(true);
}
- /* for enable ranger*/
- if (AmIMaster() && enable_ranger && !curl_context_ranger.hasInited)
+ if (strcasecmp(acl_type, HAWQ_ACL_TYPE_STANDALONE) == 0)
+ {
+ aclType = HAWQ_ACL_NATIVE;
+ }
+ else if (strcasecmp(acl_type, HAWQ_ACL_TYPE_RANGER) == 0)
+ {
+ aclType = HAWQ_ACL_RANGER;
+ }
+ else
+ {
+ elog(ERROR, "invalid acl check type : %s.", acl_type);
+ }
+ elog(LOG, "acl check type is %s, the acl type value is %d.", acl_type, aclType);
+ /* for acl_type is ranger*/
+ if (AmIMaster() && aclType == HAWQ_ACL_RANGER && !curl_context_ranger.hasInited)
{
memset(&curl_context_ranger, 0, sizeof(curl_context_t));
curl_global_init(CURL_GLOBAL_ALL);
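Review bot: `aclType` is derived from `acl_type` only at this point in PostgresMain, so anything that consults it earlier, or in a process that never runs this block, sees whatever the global was initialised to rather than the configured mode. If that default is the native check, a cluster configured for ranger would be checked against local grants on those paths without any log line. The `else` branch also reports a mistyped `hawq_acl_type` once per backend instead of once at server start; validating the string where the GUC is assigned would catch it at load. Separately, `elog(LOG, ...)` here writes one line per connection; `elog(DEBUG1, "acl check type is %s, the acl type value is %d.", acl_type, aclType);` would keep the server log quieter. PostgresMain starts and ends outside this hunk.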
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/utils/adt/acl.c
----------------------------------------------------------------------
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index e9a4244..27e1bbb 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -32,6 +32,7 @@
#include "utils/lsyscache.h"
#include "utils/memutils.h"
#include "utils/syscache.h"
+#include "utils/guc.h"
typedef struct
{
@@ -108,7 +109,7 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
static void RoleMembershipCacheCallback(Datum arg, Oid relid);
-
+AclType aclType;
/*
* getid
* Consumes the first alphanumeric string (identifier) found in string
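Review bot: The new global `AclType aclType;` is defined without an initialiser or a comment, and it now sits directly against the `getid` header comment because the blank line was removed. It selects which authorization path the checks in aclchk.c take, so its default and the place it is set should be visible at the definition: `AclType aclType = HAWQ_ACL_NATIVE;	/* set from hawq_acl_type in PostgresMain */`, followed by a blank line. The name also differs from the type only by case and from the string GUC variable `acl_type` only by style, which makes the three easy to confuse when reading a check.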
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/backend/utils/misc/guc.c
----------------------------------------------------------------------
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index e87d514..bd03d5e 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -732,7 +732,6 @@ int hawq_rm_nvseg_for_analyze_nopart_perquery_perseg_limit;
int hawq_rm_nvseg_for_analyze_part_perquery_perseg_limit;
int hawq_rm_nvseg_for_analyze_nopart_perquery_limit;
int hawq_rm_nvseg_for_analyze_part_perquery_limit;
-bool enable_ranger = false;
double optimizer_cost_threshold;
double optimizer_nestloop_factor;
double locality_upper_bound;
@@ -781,6 +780,8 @@ bool gp_plpgsql_clear_cache_always = false;
/* indicate whether called by gpdump, if yes, processutility will open some limitations */
bool gp_called_by_pgdump = false;
+char *acl_type;
+
char *rps_addr_host;
char *rps_addr_suffix;
int rps_addr_port;
@@ -4332,16 +4333,6 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"enable_ranger", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
- gettext_noop("Enable Apache Ranger for HAWQ privilege management."),
- NULL,
- GUC_SUPERUSER_ONLY
- },
- &enable_ranger,
- false, NULL, NULL
- },
-
- {
{"filesystem_support_truncate", PGC_USERSET, APPENDONLY_TABLES,
gettext_noop("the file system support truncate feature."),
NULL,
@@ -8188,22 +8179,31 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS,
- gettext_noop("ranger plugin server address hostname"),
- NULL
- },
- &rps_addr_host,
- "localhost", NULL, NULL
- },
+ {"hawq_rps_address_host", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("ranger plugin server address hostname"),
+ NULL
+ },
+ &rps_addr_host,
+ "localhost", NULL, NULL
+ },
- {
- {"hawq_rps_address_suffix", PGC_POSTMASTER, PRESET_OPTIONS,
- gettext_noop("ranger plugin server suffix of restful service address"),
- NULL
- },
- &rps_addr_suffix,
- "rps", NULL, NULL
- },
+ {
+ {"hawq_rps_address_suffix", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("ranger plugin server suffix of restful service address"),
+ NULL
+ },
+ &rps_addr_suffix,
+ "rps", NULL, NULL
+ },
+
+ {
+ {"hawq_acl_type", PGC_POSTMASTER, PRESET_OPTIONS,
+ gettext_noop("hawq acl mode, currently 'standalone' and 'ranger' is available"),
+ NULL
+ },
+ &acl_type,
+ "standalone", NULL, NULL
+ },
{
{"hawq_standby_address_host", PGC_POSTMASTER, PRESET_OPTIONS,
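Review bot: `hawq_acl_type` is registered with `NULL` for the assign hook (`"standalone", NULL, NULL`), so any string is accepted when the configuration is loaded and a typo is only rejected later, per backend. An assign hook that validates the value and sets `aclType` would reject it at startup and keep the string and the enum in step; the sketch below assumes the three-argument string assign hook form, and its name is only a suggestion. The removed `enable_ranger` entry carried `GUC_SUPERUSER_ONLY` and the new entry carries no flags, which is worth confirming as intended. The description should read `'standalone' and 'ranger' are available`. The hunk also re-indents the two `hawq_rps_address_*` entries, which is unrelated to the change.

```c
/* proposed; placed above ConfigureNamesString[], needs AclType/aclType from utils/acl.h */
static const char *
assign_hawq_acl_type(const char *newval, bool doit, GucSource source)
{
	AclType		parsed;

	if (strcasecmp(newval, HAWQ_ACL_TYPE_STANDALONE) == 0)
		parsed = HAWQ_ACL_NATIVE;
	else if (strcasecmp(newval, HAWQ_ACL_TYPE_RANGER) == 0)
		parsed = HAWQ_ACL_RANGER;
	else
		return NULL;	/* reject the value at configuration load */

	if (doit)
		aclType = parsed;
	return newval;
}

/* … unchanged: {"hawq_acl_type", PGC_POSTMASTER, PRESET_OPTIONS, …}, … */
	&acl_type,
	"standalone", assign_hawq_acl_type, NULL
```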
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/include/utils/acl.h
----------------------------------------------------------------------
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index da6f512..863f5ae 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -26,7 +26,6 @@
#include "nodes/parsenodes.h"
#include "utils/array.h"
-//#include "utils/rangerrest.h"
/*
@@ -156,6 +155,19 @@ typedef ArrayType Acl;
#define ACL_ALL_RIGHTS_NAMESPACE (ACL_USAGE|ACL_CREATE)
#define ACL_ALL_RIGHTS_TABLESPACE (ACL_CREATE)
+/* how hawq do acl check */
+#define HAWQ_ACL_TYPE_STANDALONE "standalone"
+#define HAWQ_ACL_TYPE_RANGER "ranger"
+
+/* acl type */
+typedef enum
+{
+ HAWQ_ACL_NATIVE,
+ HAWQ_ACL_RANGER
+} AclType;
+
+extern AclType aclType;
+
/* operation codes for pg_*_aclmask */
typedef enum
{
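Review bot: The configuration string is `standalone` but the enumerator it maps to is `HAWQ_ACL_NATIVE`, so the same mode has two names depending on whether one reads the GUC or the code; use one term, or state the mapping in the comment. The comments `/* how hawq do acl check */` and `/* acl type */` do not say which set is the user-facing value and which is the internal form. Suggested wording: `/* values accepted by the hawq_acl_type GUC */` above the two macros and `/* internal form of hawq_acl_type; HAWQ_ACL_NATIVE is the zero value */` above the enum. The second comment matters because `aclType` is a plain global, so the first enumerator is what any code sees before the setting has been parsed.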
http://git-wip-us.apache.org/repos/asf/incubator-hawq/blob/e4ac516b/src/include/utils/guc.h
----------------------------------------------------------------------
diff --git a/src/include/utils/guc.h b/src/include/utils/guc.h
index 2315778..77cee1e 100644
--- a/src/include/utils/guc.h
+++ b/src/include/utils/guc.h
@@ -275,7 +275,6 @@ extern bool gp_plpgsql_clear_cache_always;
extern bool gp_disable_catalog_access_on_segment;
extern bool gp_called_by_pgdump;
-extern bool enable_ranger;
/* Debug DTM Action */
typedef enum
@@ -453,6 +452,9 @@ extern int information_schema_namespcace_oid;
*/
extern bool optimizer_partition_selection_log;
+/* acl type for privileges check */
+extern char *acl_type;
+
/**
* rps host and port
*/