Posted to commits@pegasus.apache.org by wa...@apache.org on 2023/03/09 06:41:08 UTC
[incubator-pegasus] branch master updated: feat(Ranger): Compatible with the old ACL and the new ACL (#1379)
This is an automated email from the ASF dual-hosted git repository.
wangdan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pegasus.git
The following commit(s) were added to refs/heads/master by this push:
new 84ce5fb97 feat(Ranger): Compatible with the old ACL and the new ACL (#1379)
84ce5fb97 is described below
commit 84ce5fb977c6ddf6c324e50a3789fcfc2e0f8f93
Author: WHBANG <38...@users.noreply.github.com>
AuthorDate: Thu Mar 9 14:41:02 2023 +0800
feat(Ranger): Compatible with the old ACL and the new ACL (#1379)
https://github.com/apache/incubator-pegasus/issues/1054
This patch is compatible with old and new acl.
- Modify some method names and parameter names to make them more accurate.
- Defines the configuration parameters that the new ACL needs to use.
- Two new 'allowed()' methods are provided for meta_server and replica_server.
- Some incompatible methods (allowed & pre_check) will be removed later; for now they are marked with TODO comments.
---
src/replica/replica_config.cpp | 2 +-
src/runtime/security/access_controller.cpp | 27 +++++++++++++---
src/runtime/security/access_controller.h | 36 ++++++++++++++++------
src/runtime/security/replica_access_controller.cpp | 2 +-
src/runtime/security/replica_access_controller.h | 2 +-
5 files changed, 52 insertions(+), 17 deletions(-)
diff --git a/src/replica/replica_config.cpp b/src/replica/replica_config.cpp
index 10eaf4f0b..8d99fa632 100644
--- a/src/replica/replica_config.cpp
+++ b/src/replica/replica_config.cpp
@@ -525,7 +525,7 @@ void replica::update_ac_allowed_users(const std::map<std::string, std::string> &
allowed_users = iter->second;
}
- _access_controller->update(allowed_users);
+ _access_controller->update_allowed_users(allowed_users);
}
void replica::update_allow_ingest_behind(const std::map<std::string, std::string> &envs)
diff --git a/src/runtime/security/access_controller.cpp b/src/runtime/security/access_controller.cpp
index 7e97dd739..c0f1a42a1 100644
--- a/src/runtime/security/access_controller.cpp
+++ b/src/runtime/security/access_controller.cpp
@@ -26,11 +26,23 @@
namespace dsn {
namespace security {
DSN_DEFINE_bool(security, enable_acl, false, "whether enable access controller or not");
-DSN_TAG_VARIABLE(enable_acl, FT_MUTABLE);
+DSN_DEFINE_bool(security,
+ enable_ranger_acl,
+ false,
+ "whether enable access controller integrate to Apache Ranger or not");
+DSN_DEFINE_string(security,
+ super_users,
+ "",
+ "super users for access controller, comma-separated list of user names");
-DSN_DEFINE_string(security, super_users, "", "super user for access controller");
-
-access_controller::access_controller() { utils::split_args(FLAGS_super_users, _super_users, ','); }
+access_controller::access_controller()
+{
+ // when FLAGS_enable_ranger_acl is true, FLAGS_enable_acl must be true.
+ // TODO(wanghao): check with DSN_DEFINE_group_validator().
+ CHECK(!FLAGS_enable_ranger_acl || FLAGS_enable_acl,
+ "when FLAGS_enable_ranger_acl is true, FLAGS_enable_acl must be true too");
+ utils::split_args(FLAGS_super_users, _super_users, ',');
+}
access_controller::~access_controller() {}
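Review bot: Nothing in the new code records why `enable_acl` stopped being `FT_MUTABLE`, although the constructor's `CHECK` appears to depend on it: the "enable_ranger_acl implies enable_acl" invariant is tested only when a controller is constructed, so a flag that could be flipped at runtime would let the pair drift into the state the check forbids. I would add above the definition `// Not tagged FT_MUTABLE: the enable_ranger_acl => enable_acl invariant is only verified in the constructor.`. Operators who used to toggle ACL enforcement without a restart lose that ability, which the commit description does not mention. It is also worth confirming that `utils::split_args` trims whitespace and drops empty entries, because `is_super_user` in the next hunk matches names exactly.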
@@ -42,6 +54,13 @@ bool access_controller::pre_check(const std::string &user_name)
return false;
}
+bool access_controller::is_enable_ranger_acl() { return FLAGS_enable_ranger_acl; }
+
+bool access_controller::is_super_user(const std::string &user_name) const
+{
+ return _super_users.find(user_name) != _super_users.end();
+}
+
std::unique_ptr<access_controller> create_meta_access_controller()
{
return make_unique<meta_access_controller>();
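Review bot: `is_enable_ranger_acl()` is a non-const member although it reads only a global flag, while `is_super_user()` right below it is const; declaring it `bool is_enable_ranger_acl() const;` here and in access_controller.h keeps the two consistent and lets it be called on a const controller. `is_super_user()` is an exact, case-sensitive lookup in `_super_users`, so a short comment such as `// Exact match against the names parsed from FLAGS_super_users; no normalization is applied.` would tell callers that the authenticated name must already be in canonical form. `pre_check` above and `create_meta_access_controller` below are only partly inside the hunk.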
diff --git a/src/runtime/security/access_controller.h b/src/runtime/security/access_controller.h
index eab1c509d..7ddbb233e 100644
--- a/src/runtime/security/access_controller.h
+++ b/src/runtime/security/access_controller.h
@@ -21,6 +21,8 @@
#include <string>
#include <unordered_set>
+#include "runtime/ranger/ranger_resource_policy.h"
+
namespace dsn {
class message_ex;
namespace security {
@@ -31,20 +33,33 @@ public:
access_controller();
virtual ~access_controller() = 0;
- /**
- * update the access controller
- * acls - the new acls to update
- **/
- virtual void update(const std::string &acls){};
+ // Update the access controller.
+ // users - the new allowed users to update
+ virtual void update_allowed_users(const std::string &users) {}
+
+ // Check whether the Ranger ACL is enabled or not.
+ bool is_enable_ranger_acl();
+
+ // Check if the message received is allowd to access the system.
+ // msg - the message received
+ virtual bool allowed(message_ex *msg, dsn::ranger::access_type req_type) { return false; }
- /**
- * check if the message received is allowd to do something.
- * msg - the message received
- **/
+ // Check if the message received is allowd to access the table.
+ // msg - the message received
+ // app_name - tables involved in ACL
+ virtual bool allowed(message_ex *msg, const std::string &app_name) { return false; }
+
+ // TODO(wanghao): this method will be deleted in the next patch.
+ // check if the message received is allowd to do something.
+ // msg - the message received
virtual bool allowed(message_ex *msg) = 0;
protected:
+ // TODO(wanghao): this method will be deleted in the next patch.
bool pre_check(const std::string &user_name);
+
+ // Check if 'user_name' is the super user.
+ bool is_super_user(const std::string &user_name) const;
friend class meta_access_controller_test;
std::unordered_set<std::string> _super_users;
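Review bot: The two new `allowed()` overloads default to `return false`, so a controller that does not override them denies every request; that fail-closed default is the right one for an ACL, but neither comment states it and `req_type` is undocumented. I would add `// Returns false unless overridden, i.e. the request is denied by default.` to both and `// req_type - the access type the request needs` to the first. Separately, a derived class that overrides only `allowed(message_ex *)`, as `replica_access_controller` does in its header, hides these overloads for calls made through the derived type unless it adds `using access_controller::allowed;`; calls through an `access_controller` pointer are unaffected. The class body starts and ends outside the hunk.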
@@ -52,6 +67,7 @@ protected:
std::unique_ptr<access_controller> create_meta_access_controller();
-std::unique_ptr<access_controller> create_replica_access_controller(const std::string &name);
+std::unique_ptr<access_controller>
+create_replica_access_controller(const std::string &replica_name);
} // namespace security
} // namespace dsn
diff --git a/src/runtime/security/replica_access_controller.cpp b/src/runtime/security/replica_access_controller.cpp
index 6620c940a..097ab0576 100644
--- a/src/runtime/security/replica_access_controller.cpp
+++ b/src/runtime/security/replica_access_controller.cpp
@@ -46,7 +46,7 @@ bool replica_access_controller::allowed(message_ex *msg)
}
}
-void replica_access_controller::update(const std::string &users)
+void replica_access_controller::update_allowed_users(const std::string &users)
{
{
// check to see whether we should update it or not.
diff --git a/src/runtime/security/replica_access_controller.h b/src/runtime/security/replica_access_controller.h
index 47ffd46b1..c9771a0f6 100644
--- a/src/runtime/security/replica_access_controller.h
+++ b/src/runtime/security/replica_access_controller.h
@@ -27,7 +27,7 @@ class replica_access_controller : public access_controller
public:
explicit replica_access_controller(const std::string &name);
bool allowed(message_ex *msg) override;
- void update(const std::string &users) override;
+ void update_allowed_users(const std::string &users) override;
private:
utils::rw_lock_nr _lock; // [