Posted to commits@ranger.apache.org by ma...@apache.org on 2020/05/17 18:17:49 UTC
[ranger] branch master updated: RANGER-2826: updated Presto plugin
to support PrestoSQL version 333
This is an automated email from the ASF dual-hosted git repository.
madhan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new 454537a RANGER-2826: updated Presto plugin to support PrestoSQL version 333
454537a is described below
commit 454537a95494477312b592256cd38878d004a167
Author: Bolke de Bruin <bo...@xs4all.nl>
AuthorDate: Thu May 14 22:21:55 2020 +0200
RANGER-2826: updated Presto plugin to support PrestoSQL version 333
Signed-off-by: Madhan Neethiraj <ma...@apache.org>
---
.../service-defs/ranger-servicedef-presto.json | 61 +++++-
.../authorizer/RangerSystemAccessControl.java | 122 +++++++++---
.../authorizer/RangerSystemAccessControlTest.java | 12 +-
.../src/test/resources/presto-policies.json | 208 +++++++++++++++++++--
pom.xml | 2 +-
.../authorizer/RangerSystemAccessControl.java | 51 +++++
.../PatchForPrestoToSupportPresto333_J10037.java | 178 ++++++++++++++++++
7 files changed, 580 insertions(+), 54 deletions(-)
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
index 4d5b795..b16b02a 100644
--- a/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-presto.json
@@ -113,7 +113,8 @@
"validationMessage": "",
"uiHint": "",
"label": "Presto User",
- "description": "Presto User"
+ "description": "Presto User",
+ "accessTypeRestrictions": ["impersonate"]
},
{
"itemId": 6,
@@ -134,7 +135,8 @@
"validationMessage": "",
"uiHint": "",
"label": "System Property",
- "description": "Presto System Property"
+ "description": "Presto System Property",
+ "accessTypeRestrictions": ["alter"]
},
{
"itemId": 7,
@@ -155,7 +157,52 @@
"validationMessage": "",
"uiHint": "",
"label": "Catalog Session Property",
- "description": "Presto Catalog Session Property"
+ "description": "Presto Catalog Session Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 8,
+ "name": "function",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Presto Function",
+ "description": "Presto Function",
+ "accessTypeRestrictions": ["execute", "grant"]
+ },
+ {
+ "itemId": 9,
+ "name": "procedure",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Schema Procedure",
+ "description": "Schema Procedure",
+ "accessTypeRestrictions": ["execute", "grant"]
}
],
"accessTypes": [
@@ -229,8 +276,14 @@
"grant",
"revoke",
"show",
- "impersonate"
+ "impersonate",
+ "execute"
]
+ },
+ {
+ "itemId": 13,
+ "name": "execute",
+ "label": "execute"
}
],
"configs": [
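Review bot: The new `execute` access type is registered here as `"itemId": 13`, appended after the entry that carries the implied grants, while the service definition embedded in `presto-policies.json` later in this commit gives `execute` item id 12 and renumbers `all` to 13. The access-control tests therefore load a definition that differs from the one that ships. Both copies should use the same ids, and because `execute` is now implied by `all`, existing policies that grant `all` should be reviewed to confirm the added implied grant is intended.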
diff --git a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
index d4521a3..4742847 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
@@ -19,6 +19,7 @@
package org.apache.ranger.authorization.presto.authorizer;
import io.prestosql.spi.connector.CatalogSchemaName;
+import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
@@ -260,14 +261,14 @@ public class RangerSystemAccessControl
return filteredTableNames;
}
- /** PERMISSION CHECKS ORDERED BY SYSTEM, CATALOG, SCHEMA, TABLE, VIEW, COLUMN, QUERY **/
+ /** PERMISSION CHECKS ORDERED BY SYSTEM, CATALOG, SCHEMA, TABLE, VIEW, COLUMN, QUERY, FUNCTIONS, PROCEDURES **/
/** SYSTEM **/
@Override
public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
if (!hasPermission(createSystemPropertyResource(propertyName), context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
AccessDeniedException.denySetSystemSessionProperty(propertyName);
}
}
@@ -275,7 +276,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
if (!hasPermission(createUserResource(userName), context, PrestoAccessType.IMPERSONATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
}
}
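Review bot: The debug line in checkCanImpersonateUser concatenates the requested `userName` straight into the message, so the string is built on every denial even when debug logging is off, and a name containing line breaks would reach the log unescaped. The same pattern appears in the other check methods this commit touches (schema, table, function and query-owner names). Assuming `LOG` is a commons-logging or SLF4J logger, wrap the call in `if (LOG.isDebugEnabled()) { ... }` and consider stripping control characters from caller-supplied identifiers before they are logged.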
@@ -289,7 +290,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
}
}
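Review bot: The message in checkCanSetCatalogSessionProperty still names `checkCanSetSystemSessionProperty`, so a denial recorded here points at the wrong check. The same copy-paste slip is visible in checkCanShowCreateTable and checkCanShowColumns (both log `checkCanShowTables`) and in the newly added checkCanExecuteProcedure (logs `checkCanExecuteFunction`). Since the commit is already rewriting every one of these strings, each should carry its own method name, for example `LOG.debug("RangerSystemAccessControl.checkCanSetCatalogSessionProperty(" + catalogName + ") denied");`. Mislabelled denial traces make it harder to reconstruct which permission was actually refused.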
@@ -297,7 +298,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanShowRoles(SystemSecurityContext context, String catalogName) {
if (!hasPermission(createResource(catalogName), context, PrestoAccessType.SHOW)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanShowRoles(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanShowRoles(" + catalogName + ") denied");
AccessDeniedException.denyShowRoles(catalogName);
}
}
@@ -306,7 +307,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
if (!hasPermission(createResource(catalogName), context, PrestoAccessType.USE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
AccessDeniedException.denyCatalogAccess(catalogName);
}
}
@@ -314,13 +315,29 @@ public class RangerSystemAccessControl
@Override
public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
if (!hasPermission(createResource(catalogName), context, PrestoAccessType.SHOW)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanShowSchemas(" + catalogName + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanShowSchemas(" + catalogName + ") denied");
AccessDeniedException.denyShowSchemas(catalogName);
}
}
/** SCHEMA **/
+ @Override
+ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, PrestoPrincipal principal) {
+ if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.GRANT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetSchemaAuthorization(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denySetSchemaAuthorization(schema.getSchemaName(), principal);
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowCreateSchema(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denyShowCreateSchema(schema.getSchemaName());
+ }
+ }
+
/**
* Create schema is evaluated on the level of the Catalog. This means that it is assumed you have permission
* to create a schema when you have create rights on the catalog level
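Review bot: checkCanSetSchemaAuthorization has no Javadoc explaining its mapping, unlike the neighbouring schema checks, and the mapping is not obvious: the decision is made on GRANT for the catalog/schema resource only, and the target `principal` is used solely in the denial message. A comment such as `/** Changing schema authorization requires GRANT on the schema; the new owner principal is not evaluated by policy. */` would make that explicit for policy authors. Both new methods also log and report only `schema.getSchemaName()`, so denials for same-named schemas in different catalogs are indistinguishable; `schema.toString()` is what checkCanShowTables already uses. The Javadoc block at the end of this hunk continues outside it.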
@@ -328,7 +345,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
if (!hasPermission(createResource(schema.getCatalogName()), context, PrestoAccessType.CREATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
AccessDeniedException.denyCreateSchema(schema.getSchemaName());
}
}
@@ -339,7 +356,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) {
if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, PrestoAccessType.DROP)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanDropSchema(" + schema.getSchemaName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanDropSchema(" + schema.getSchemaName() + ") denied");
AccessDeniedException.denyDropSchema(schema.getSchemaName());
}
}
@@ -351,7 +368,7 @@ public class RangerSystemAccessControl
public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) {
RangerPrestoResource res = createResource(schema.getCatalogName(), schema.getSchemaName());
if (!hasPermission(res, context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanRenameSchema(" + schema.getSchemaName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanRenameSchema(" + schema.getSchemaName() + ") denied");
AccessDeniedException.denyRenameSchema(schema.getSchemaName(), newSchemaName);
}
}
@@ -361,7 +378,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) {
if (!hasPermission(createResource(schema), context, PrestoAccessType.SHOW)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanShowTables(" + schema.toString() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + schema.toString() + ") denied");
AccessDeniedException.denyShowTables(schema.toString());
}
}
@@ -370,7 +387,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, PrestoAccessType.SHOW)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
AccessDeniedException.denyShowCreateTable(table.toString());
}
}
@@ -381,7 +398,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName()), context, PrestoAccessType.CREATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanCreateTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanCreateTable(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyCreateTable(table.getSchemaTableName().getTableName());
}
}
@@ -392,7 +409,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, PrestoAccessType.DROP)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanDropTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanDropTable(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyDropTable(table.getSchemaTableName().getTableName());
}
}
@@ -404,7 +421,7 @@ public class RangerSystemAccessControl
public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
RangerPrestoResource res = createResource(table);
if (!hasPermission(res, context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanRenameTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanRenameTable(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyRenameTable(table.getSchemaTableName().getTableName(), newTable.getSchemaTableName().getTableName());
}
}
@@ -413,7 +430,7 @@ public class RangerSystemAccessControl
public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
RangerPrestoResource res = createResource(table);
if (!hasPermission(res, context, PrestoAccessType.INSERT)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanInsertIntoTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanInsertIntoTable(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyInsertTable(table.getSchemaTableName().getTableName());
}
}
@@ -421,7 +438,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, PrestoAccessType.DELETE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanDeleteFromTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanDeleteFromTable(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyDeleteTable(table.getSchemaTableName().getTableName());
}
}
@@ -429,7 +446,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
if (!hasPermission(createResource(table), context, PrestoAccessType.GRANT)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanGrantTablePrivilege(" + table + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanGrantTablePrivilege(" + table + ") denied");
AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString());
}
}
@@ -437,7 +454,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
if (!hasPermission(createResource(table), context, PrestoAccessType.REVOKE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanRevokeTablePrivilege(" + table + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanRevokeTablePrivilege(" + table + ") denied");
AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString());
}
}
@@ -445,7 +462,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanSetTableComment(" + table.toString() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSetTableComment(" + table.toString() + ") denied");
AccessDeniedException.denyCommentTable(table.toString());
}
}
@@ -456,7 +473,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
if (!hasPermission(createResource(view.getCatalogName(), view.getSchemaTableName().getSchemaName()), context, PrestoAccessType.CREATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanCreateView(" + view.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanCreateView(" + view.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName());
}
}
@@ -467,7 +484,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
if (!hasPermission(createResource(view), context, PrestoAccessType.DROP)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName());
}
}
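Review bot: checkCanDropView raises its denial through `AccessDeniedException.denyCreateView(...)`, so a user refused DROP on a view is told that creating the view was denied. The line is unchanged context in this hunk, but the method is being edited anyway and the mismatch misleads both users and anyone reading denial messages during an investigation. It should read `AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName());`.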
@@ -480,7 +497,7 @@ public class RangerSystemAccessControl
try {
checkCanCreateView(context, table);
} catch (AccessDeniedException ade) {
- LOG.debug("==> RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
}
}
@@ -491,7 +508,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
if (!hasPermission(createResource(view), context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanRenameView(" + view.toString() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanRenameView(" + view.toString() + ") denied");
AccessDeniedException.denyRenameView(view.toString(), newView.toString());
}
}
@@ -516,7 +533,7 @@ public class RangerSystemAccessControl
public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
RangerPrestoResource res = createResource(table);
if (!hasPermission(res, context, PrestoAccessType.DROP)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanDropColumn(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanDropColumn(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyDropColumn(table.getSchemaTableName().getTableName());
}
}
@@ -528,7 +545,7 @@ public class RangerSystemAccessControl
public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
RangerPrestoResource res = createResource(table);
if (!hasPermission(res, context, PrestoAccessType.ALTER)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanRenameColumn(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanRenameColumn(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denyRenameColumn(table.getSchemaTableName().getTableName());
}
}
@@ -539,7 +556,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) {
if (!hasPermission(createResource(table), context, PrestoAccessType.SHOW)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
AccessDeniedException.denyShowColumns(table.toString());
}
}
@@ -548,7 +565,7 @@ public class RangerSystemAccessControl
public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
for (RangerPrestoResource res : createResource(table, columns)) {
if (!hasPermission(res, context, PrestoAccessType.SELECT)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
AccessDeniedException.denySelectColumns(table.getSchemaTableName().getTableName(), columns);
}
}
@@ -575,7 +592,7 @@ public class RangerSystemAccessControl
@Override
public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
if (!hasPermission(createUserResource(queryOwner), context, PrestoAccessType.IMPERSONATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
}
}
@@ -591,11 +608,36 @@ public class RangerSystemAccessControl
@Override
public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
if (!hasPermission(createUserResource(queryOwner), context, PrestoAccessType.IMPERSONATE)) {
- LOG.debug("==> RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
+ LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
}
}
+ /** FUNCTIONS **/
+ @Override
+ public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, PrestoPrincipal grantee, boolean grantOption) {
+ if (!hasPermission(createFunctionResource(function), context, PrestoAccessType.GRANT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied");
+ AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName());
+ }
+ }
+
+ @Override
+ public void checkCanExecuteFunction(SystemSecurityContext context, String function) {
+ if (!hasPermission(createFunctionResource(function), context, PrestoAccessType.EXECUTE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied");
+ AccessDeniedException.denyExecuteFunction(function);
+ }
+ }
+
+ /** PROCEDURES **/
+ @Override
+ public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
+ if (!hasPermission(createProcedureResource(procedure), context, PrestoAccessType.EXECUTE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
+ AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName());
+ }
+ }
/** HELPER FUNCTIONS **/
@@ -644,6 +686,22 @@ public class RangerSystemAccessControl
return res;
}
+ private static RangerPrestoResource createFunctionResource(String function) {
+ RangerPrestoResource res = new RangerPrestoResource();
+ res.setValue(RangerPrestoResource.KEY_FUNCTION, function);
+
+ return res;
+ }
+
+ private static RangerPrestoResource createProcedureResource(CatalogSchemaRoutineName procedure) {
+ RangerPrestoResource res = new RangerPrestoResource();
+ res.setValue(RangerPrestoResource.KEY_CATALOG, procedure.getCatalogName());
+ res.setValue(RangerPrestoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName());
+ res.setValue(RangerPrestoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName());
+
+ return res;
+ }
+
private static RangerPrestoResource createCatalogSessionResource(String catalogName, String propertyName) {
RangerPrestoResource res = new RangerPrestoResource();
res.setValue(RangerPrestoResource.KEY_CATALOG, catalogName);
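Review bot: createFunctionResource sets only `KEY_FUNCTION`, with no catalog or schema, whereas createProcedureResource builds a full catalog/schema/procedure resource; that difference deserves a comment because it decides how policies must be written. Something like `// Functions are authorized by name only; a function policy applies regardless of catalog or schema.` above createFunctionResource would do. The service definition added in this commit also matches function names with `ignoreCase` and wildcards, so a broad function pattern covers every function of that name.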
@@ -713,6 +771,8 @@ class RangerPrestoResource
public static final String KEY_TABLE = "table";
public static final String KEY_COLUMN = "column";
public static final String KEY_USER = "prestouser";
+ public static final String KEY_FUNCTION = "function";
+ public static final String KEY_PROCEDURE = "procedure";
public static final String KEY_SYSTEM_PROPERTY = "systemproperty";
public static final String KEY_SESSION_PROPERTY = "sessionproperty";
@@ -779,5 +839,5 @@ class RangerPrestoAccessRequest
}
enum PrestoAccessType {
- CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE;
+ CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE, EXECUTE;
}
\ No newline at end of file
diff --git a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java b/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java
index c00d519..ed8c837 100644
--- a/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java
+++ b/plugin-presto/src/test/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControlTest.java
@@ -19,6 +19,7 @@ package org.apache.ranger.authorization.presto.authorizer;
import com.google.common.collect.ImmutableSet;
import io.prestosql.spi.connector.CatalogSchemaName;
+import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.SchemaTableName;
import io.prestosql.spi.security.AccessDeniedException;
@@ -60,6 +61,8 @@ public class RangerSystemAccessControlTest {
private static final CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("alice-catalog", "schema","table");
private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema","view");
+ private static final CatalogSchemaRoutineName aliceProcedure = new CatalogSchemaRoutineName("alice-catalog", "schema", "procedure");
+ private static final String functionName = new String("function");
@BeforeClass
public static void setUpBeforeClass() throws Exception {
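Review bot: The `functionName` constant is created with `new String("function")`, which allocates a needless copy of the literal and is flagged by most static analysers. `private static final String functionName = "function";` is equivalent for these tests.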
@@ -116,6 +119,9 @@ public class RangerSystemAccessControlTest {
accessControlManager.checkCanCreateSchema(context(bob), aliceSchema);
} catch (AccessDeniedException expected) {
}
+
+ accessControlManager.checkCanSetSchemaAuthorization(context(alice), aliceSchema, new PrestoPrincipal(USER, "principal"));
+ accessControlManager.checkCanShowCreateSchema(context(alice), aliceSchema);
}
@Test
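Review bot: The denied-path check just above the added lines cannot fail: `checkCanCreateSchema(context(bob), aliceSchema)` is followed directly by `catch (AccessDeniedException expected) { }`, so the test passes whether or not the exception is thrown. For an authorization plugin that means a regression that grants bob access would go unnoticed. Add `fail("expected AccessDeniedException");` after the call inside the try (assuming the JUnit `Assert.fail` static import is available; the `try` opens outside this hunk). The two new schema checks are likewise only exercised on alice's allowed path.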
@@ -177,9 +183,13 @@ public class RangerSystemAccessControlTest {
ret = accessControlManager.getRowFilter(context(alice), aliceTable);
assertFalse(ret.isPresent());
+
+ accessControlManager.checkCanExecuteFunction(context(alice), functionName);
+ accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new PrestoPrincipal(USER, "grantee"), true);
+ accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
}
private SystemSecurityContext context(Identity id) {
- return new SystemSecurityContext(id);
+ return new SystemSecurityContext(id, Optional.empty());
}
}
\ No newline at end of file
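Review bot: The three new calls only prove that alice is allowed; nothing asserts that a user without a policy is refused `checkCanExecuteFunction`, `checkCanGrantExecuteFunctionPrivilege` or `checkCanExecuteProcedure`. Without a denied case the tests would still pass if the new resource keys never matched and some broader policy granted access. Add a block that calls each check with `context(bob)` and fails unless `AccessDeniedException` is thrown, and one that tries a function name other than `"function"` for alice.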
diff --git a/plugin-presto/src/test/resources/presto-policies.json b/plugin-presto/src/test/resources/presto-policies.json
index 28eabf2..6dbaabb 100644
--- a/plugin-presto/src/test/resources/presto-policies.json
+++ b/plugin-presto/src/test/resources/presto-policies.json
@@ -54,6 +54,59 @@
},
{
"service": "cl1_presto",
+ "name": "checkFunction",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "function": {
+ "values": [
+ "function"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "execute",
+ "isAllowed": true
+ },
+ {
+ "type": "grant",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "presto",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 51,
+ "guid": "7ab96b62-6fd3-4193-bf49-af462c25784d",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_presto",
"name": "alice-schema",
"policyType": 0,
"policyPriority": 0,
@@ -101,6 +154,10 @@
{
"type": "show",
"isAllowed": true
+ },
+ {
+ "type": "grant",
+ "isAllowed": true
}
],
"users": [
@@ -291,6 +348,69 @@
},
{
"service": "cl1_presto",
+ "name": "alice-procedure",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "procedure": {
+ "values": [
+ "procedure"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "execute",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "presto",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 55,
+ "guid": "b47e1c19-a05f-41f8-94ef-f86c14076ad9",
+ "isEnabled": true,
+ "version": 2
+ },
+ {
+ "service": "cl1_presto",
"name": "alice-view",
"policyType": 0,
"policyPriority": 0,
@@ -734,7 +854,8 @@
"validationMessage": "",
"uiHint": "",
"label": "Presto User",
- "description": "Presto User"
+ "description": "Presto User",
+ "accessTypeRestrictions": ["impersonate"]
},
{
"itemId": 6,
@@ -755,7 +876,8 @@
"validationMessage": "",
"uiHint": "",
"label": "System Property",
- "description": "Presto System Property"
+ "description": "Presto System Property",
+ "accessTypeRestrictions": ["alter"]
},
{
"itemId": 7,
@@ -776,7 +898,52 @@
"validationMessage": "",
"uiHint": "",
"label": "Catalog Session Property",
- "description": "Presto Catalog Session Property"
+ "description": "Presto Catalog Session Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 8,
+ "name": "function",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Presto Function",
+ "description": "Presto Function",
+ "accessTypeRestrictions": ["execute", "grant"]
+ },
+ {
+ "itemId": 9,
+ "name": "procedure",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Schema Procedure",
+ "description": "Schema Procedure",
+ "accessTypeRestrictions": ["execute", "grant"]
}
],
"accessTypes": [
@@ -837,6 +1004,11 @@
},
{
"itemId": 12,
+ "name": "execute",
+ "label": "execute"
+ },
+ {
+ "itemId": 13,
"name": "all",
"label": "All",
"impliedGrants": [
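Review bot: `execute` takes over `itemId` 12 and the existing `all` access type is renumbered to 13, so an identifier that was already in use changes meaning. If item ids are treated as stable keys when an existing service-def is updated (not visible in this hunk), an upgraded installation could end up with the old `all` entry repurposed as `execute`. Appending the new type instead avoids that: keep `all` at 12 and give the new entry `"itemId": 13, "name": "execute"`. The `all` entry continues past the end of the hunk.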
@@ -850,7 +1022,8 @@
"grant",
"revoke",
"show",
- "impersonate"
+ "impersonate",
+ "execute"
]
}
],
@@ -900,7 +1073,8 @@
],
"contextEnrichers": [
],
- "policyConditions": [
+ "policyConditions":
+ [
],
"dataMaskDef": {
"accessTypes": [
@@ -912,34 +1086,34 @@
{
"name": "catalog",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
- "uiHint": "{ \"singleValue\":true }"
+ "uiHint":"{ \"singleValue\":true }"
},
{
"name": "schema",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
- "uiHint": "{ \"singleValue\":true }"
+ "uiHint":"{ \"singleValue\":true }"
},
{
"name": "table",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
- "uiHint": "{ \"singleValue\":true }"
+ "uiHint":"{ \"singleValue\":true }"
},
{
"name": "column",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
- "uiHint": "{ \"singleValue\":true }"
+ "uiHint":"{ \"singleValue\":true }"
}
],
"maskTypes": [
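Review bot: The `uiHint` lines in this hunk change only whitespace (`"uiHint":"{ ...` drops the space after the colon that the other keys keep), which buries the real change: `wildCard` flips from `"false"` to `"true"` for `catalog`, `schema`, `table` and `column` in the data-mask definition. That flip widens what a single masking policy can match, including several columns at once, and the commit description does not mention it. I would revert the `uiHint` lines and add a test policy that exercises a wildcard mask resource, so the intended matching is pinned. The value is also the string `"true"` here, while the resource definitions added earlier in this file use the boolean `true`; one form should be used throughout if the loader accepts both. The same `wildCard` flip is repeated in the three hunks that follow (`@@ -1010`, `@@ -1019`, `@@ -1028`).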
@@ -948,7 +1122,7 @@
"name": "MASK",
"label": "Redact",
"description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
- "transformer": "cast(regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0') as {type}",
+ "transformer": "cast(regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0') as {type})",
"dataMaskOptions": {
}
},
@@ -1010,7 +1184,7 @@
{
"name": "catalog",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
"mandatory": true,
@@ -1019,7 +1193,7 @@
{
"name": "schema",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
"mandatory": true,
@@ -1028,7 +1202,7 @@
{
"name": "table",
"matcherOptions": {
- "wildCard": "false"
+ "wildCard": "true"
},
"lookupSupported": true,
"mandatory": true,
diff --git a/pom.xml b/pom.xml
index b292a7c..0b2e092 100644
--- a/pom.xml
+++ b/pom.xml
@@ -168,7 +168,7 @@
<noggit.version>0.8</noggit.version>
<owasp-java-html-sanitizer.version>r239</owasp-java-html-sanitizer.version>
<paranamer.version>2.3</paranamer.version>
- <presto.version>331</presto.version>
+ <presto.version>333</presto.version>
<poi.version>3.17</poi.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<protobuf-java.version>2.5.0</protobuf-java.version>
diff --git a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java b/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
index bfb3a59..4063870 100644
--- a/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
+++ b/ranger-presto-plugin-shim/src/main/java/org/apache/ranger/authorization/presto/authorizer/RangerSystemAccessControl.java
@@ -14,6 +14,7 @@
package org.apache.ranger.authorization.presto.authorizer;
import io.prestosql.spi.connector.CatalogSchemaName;
+import io.prestosql.spi.connector.CatalogSchemaRoutineName;
import io.prestosql.spi.connector.CatalogSchemaTableName;
import io.prestosql.spi.connector.ColumnMetadata;
import io.prestosql.spi.connector.SchemaTableName;
@@ -475,6 +476,56 @@ public class RangerSystemAccessControl
}
}
+ @Override
+ public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, PrestoPrincipal grantee, boolean grantOption) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, PrestoPrincipal principal) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetSchemaAuthorization(context, schema, principal);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schemaName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowCreateSchema(context, schemaName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName procedure) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteProcedure(systemSecurityContext, procedure);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
private void activatePluginClassLoader() {
if (rangerPluginClassLoader != null) {
rangerPluginClassLoader.activate();
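Review bot: The five added overrides name their first parameter inconsistently: `checkCanGrantExecuteFunctionPrivilege`, `checkCanSetSchemaAuthorization` and `checkCanShowCreateSchema` use `context`, while `checkCanExecuteProcedure` and `checkCanExecuteFunction` use `systemSecurityContext`; one name should be used for all of them. Each method also calls `activatePluginClassLoader()` inside the `try`, so `deactivatePluginClassLoader()` runs even when activation itself threw. Whether that is harmless depends on the deactivate implementation, which is outside this hunk, and it may simply follow the file's existing pattern. A short comment above the group would help the next reader, for example `// PrestoSQL 333 SPI additions: delegate to the plugin implementation under the plugin class loader`. The class body and `activatePluginClassLoader` continue past the end of the hunk.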
diff --git a/security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java b/security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java
new file mode 100644
index 0000000..17405c7
--- /dev/null
+++ b/security-admin/src/main/java/org/apache/ranger/patch/PatchForPrestoToSupportPresto333_J10037.java
@@ -0,0 +1,178 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ranger.patch;
+
+import org.apache.log4j.Logger;
+import org.apache.ranger.biz.ServiceDBStore;
+import org.apache.ranger.common.GUIDUtil;
+import org.apache.ranger.common.JSONUtil;
+import org.apache.ranger.common.RangerValidatorFactory;
+import org.apache.ranger.common.StringUtil;
+import org.apache.ranger.db.RangerDaoManager;
+import org.apache.ranger.entity.XXServiceDef;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
+import org.apache.ranger.plugin.model.validation.RangerValidator;
+import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
+import org.apache.ranger.service.RangerPolicyService;
+import org.apache.ranger.util.CLIUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+public class PatchForPrestoToSupportPresto333_J10037 extends BaseLoader {
+ private static final Logger logger = Logger.getLogger(PatchForPrestoToSupportPresto333_J10037.class);
+
+ private static final List<String> PRESTO_RESOURCES = new ArrayList<>(
+ Arrays.asList("function", "procedure", "prestouser", "systemproperty", "sessionproperty"));
+
+ private static final List<String> PRESTO_ACCESS_TYPES = new ArrayList<>(
+ Arrays.asList("grant", "revoke", "show", "impersonate", "execute", "delete"));
+
+ @Autowired
+ RangerDaoManager daoMgr;
+
+ @Autowired
+ ServiceDBStore svcDBStore;
+
+ @Autowired
+ GUIDUtil guidUtil;
+
+ @Autowired
+ JSONUtil jsonUtil;
+
+ @Autowired
+ StringUtil stringUtil;
+
+ @Autowired
+ RangerValidatorFactory validatorFactory;
+
+ @Autowired
+ ServiceDBStore svcStore;
+
+ @Autowired
+ RangerPolicyService policyService;
+
+ public static void main(String[] args) {
+ logger.info("main()");
+ try {
+ PatchForPrestoToSupportPresto333_J10037 loader = (PatchForPrestoToSupportPresto333_J10037) CLIUtil
+ .getBean(PatchForPrestoToSupportPresto333_J10037.class);
+ loader.init();
+ while (loader.isMoreToProcess()) {
+ loader.load();
+ }
+ logger.info("Load complete. Exiting!!!");
+ System.exit(0);
+ } catch (Exception e) {
+ logger.error("Error loading", e);
+ System.exit(1);
+ }
+ }
+
+ @Override
+ public void init() throws Exception {
+ // Do Nothing
+ }
+
+ @Override
+ public void execLoad() {
+ logger.info("==> PatchForPrestoToSupportPresto333.execLoad()");
+ try {
+ addPresto333Support();
+ } catch (Exception e) {
+ throw new RuntimeException(
+ "Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME + " service-def");
+ }
+ logger.info("<== PatchForPrestoToSupportPresto333.execLoad()");
+ }
+
+ @Override
+ public void printStats() {
+ logger.info("PatchForPrestoToSupportPresto333 Logs");
+ }
+
+ private void addPresto333Support() throws Exception {
+ RangerServiceDef ret = null;
+ RangerServiceDef embeddedPrestoServiceDef = null;
+ XXServiceDef xXServiceDefObj = null;
+ RangerServiceDef dbPrestoServiceDef = null;
+ List<RangerServiceDef.RangerResourceDef> embeddedPrestoResourceDefs = null;
+ List<RangerServiceDef.RangerAccessTypeDef> embeddedPrestoAccessTypes = null;
+
+ embeddedPrestoServiceDef = EmbeddedServiceDefsUtil.instance()
+ .getEmbeddedServiceDef(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME);
+
+ if (embeddedPrestoServiceDef != null) {
+ xXServiceDefObj = daoMgr.getXXServiceDef()
+ .findByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME);
+ if (xXServiceDefObj == null) {
+ logger.info(xXServiceDefObj + ": service-def not found. No patching is needed");
+ return;
+ }
+
+ dbPrestoServiceDef = svcDBStore.getServiceDefByName(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME);
+
+ embeddedPrestoResourceDefs = embeddedPrestoServiceDef.getResources();
+ embeddedPrestoAccessTypes = embeddedPrestoServiceDef.getAccessTypes();
+ if (checkResourcePresent(PRESTO_RESOURCES, embeddedPrestoResourceDefs)) {
+ dbPrestoServiceDef.setResources(embeddedPrestoResourceDefs);
+ if (checkAccessPresent(PRESTO_ACCESS_TYPES, embeddedPrestoAccessTypes)) {
+ dbPrestoServiceDef.setAccessTypes(embeddedPrestoAccessTypes);
+ }
+ }
+
+ RangerServiceDefValidator validator = validatorFactory.getServiceDefValidator(svcStore);
+ validator.validate(dbPrestoServiceDef, RangerValidator.Action.UPDATE);
+ ret = svcStore.updateServiceDef(dbPrestoServiceDef);
+ if (ret == null) {
+ logger.error("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME
+ + " service-def");
+ throw new RuntimeException("Error while updating "
+ + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME + " service-def");
+ }
+
+ }
+ }
+
+ private boolean checkResourcePresent(List<String> resources, List<RangerServiceDef.RangerResourceDef> resourceDefs) {
+ boolean ret = false;
+ for (RangerServiceDef.RangerResourceDef resourceDef : resourceDefs) {
+ if (resources.contains(resourceDef.getName())) {
+ ret = true;
+ break;
+ }
+ }
+ return ret;
+ }
+
+ private boolean checkAccessPresent(List<String> accesses, List<RangerServiceDef.RangerAccessTypeDef> embeddedAtlasAccessTypes) {
+ boolean ret = false;
+ for (RangerServiceDef.RangerAccessTypeDef accessDef : embeddedAtlasAccessTypes) {
+ if (accesses.contains(accessDef.getName())) {
+ ret = true;
+ break;
+ }
+ }
+ return ret;
+ }
+}
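Review bot: The failure paths in this patch class lose the information an operator needs to tell whether the Presto service-def, which defines the authorization model, was actually updated. In `execLoad` the caught exception is dropped; pass it on as the cause with `throw new RuntimeException("Error while updating " + EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_PRESTO_NAME + " service-def", e);`. In `addPresto333Support` the `ret == null` branch logs and throws with `EMBEDDED_SERVICEDEF_ATLAS_NAME` where `EMBEDDED_SERVICEDEF_PRESTO_NAME` is meant, and the not-found message concatenates `xXServiceDefObj`, which is null on that branch, so it prints "null: service-def not found"; the service-def name belongs there as well. Separately, `checkResourcePresent` and `checkAccessPresent` return true as soon as any one listed name matches, and the access types are replaced only when the resource check passed. If the intent is that every new resource and access type is present before the stored definition is overwritten, both should be all-match checks, and the access-type update should not be nested under the resource check.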