You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ranger.apache.org by rm...@apache.org on 2022/05/09 03:36:17 UTC
[ranger] branch ranger-2.3 updated: RANGER-3182: Rename Prestosql to Trino
This is an automated email from the ASF dual-hosted git repository.
rmani pushed a commit to branch ranger-2.3
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.3 by this push:
new e64833bbd RANGER-3182: Rename Prestosql to Trino
e64833bbd is described below
commit e64833bbd87298e55cf24bf43989eadb08741abf
Author: Aakash Nand <aa...@gmail.com>
AuthorDate: Fri May 6 18:48:29 2022 +0900
RANGER-3182: Rename Prestosql to Trino
Refactored prestosql plugin to work with rebranded trino and
fixed missing jars from classpath which are required to work with Trino.
Fixed password decryption in TrinoClient and PrestoClient.
This patch also add and updates
some of the unimplemented methods from SystemAccessControl from trino-spi
as listed below:
checkCanCreateTable,
checkCanShowRoles,
checkCanSetViewAuthorization,
checkCanTruncateTable,
checkCanSetTableComment,
checkCanExecuteTableProcedure
---
agents-common/scripts/enable-agent.sh | 34 +
.../plugin/store/EmbeddedServiceDefsUtil.java | 8 +-
.../service-defs/ranger-servicedef-trino.json | 473 ++++++++
distro/pom.xml | 30 +
distro/src/main/assembly/admin-web.xml | 19 +
distro/src/main/assembly/plugin-trino.xml | 222 ++++
.../services/presto/client/PrestoClient.java | 12 +
plugin-trino/.gitignore | 1 +
plugin-trino/conf/ranger-policymgr-ssl-changes.cfg | 21 +
plugin-trino/conf/ranger-policymgr-ssl.xml | 49 +
plugin-trino/conf/ranger-trino-audit-changes.cfg | 74 ++
plugin-trino/conf/ranger-trino-audit.xml | 216 ++++
.../conf/ranger-trino-security-changes.cfg | 28 +
plugin-trino/conf/ranger-trino-security.xml | 74 ++
plugin-trino/pom.xml | 136 +++
plugin-trino/scripts/install.properties | 177 +++
.../authorizer/RangerSystemAccessControl.java | 902 +++++++++++++++
.../ranger/services/trino/RangerServiceTrino.java | 125 ++
.../ranger/services/trino/client/TrinoClient.java | 74 +-
.../trino/client/TrinoConnectionManager.java | 94 ++
.../trino/client/TrinoResourceManager.java | 178 +++
.../trino/authorizer/RangerAdminClientImpl.java | 43 +
.../authorizer/RangerSystemAccessControlTest.java | 195 ++++
plugin-trino/src/test/resources/logback.xml | 32 +
.../src/test/resources/ranger-trino-security.xml | 52 +
.../src/test/resources/trino-policies.json | 1214 ++++++++++++++++++++
pom.xml | 29 +
ranger-trino-plugin-shim/.gitignore | 1 +
ranger-trino-plugin-shim/pom.xml | 198 ++++
.../trino/authorizer/RangerConfig.java | 69 ++
.../authorizer/RangerSystemAccessControl.java | 625 ++++++++++
.../RangerSystemAccessControlFactory.java | 61 +
.../trino/authorizer/TrinoRangerPlugin.java | 32 +
.../META-INF/services/io.trino.spi.Plugin | 15 +
34 files changed, 5481 insertions(+), 32 deletions(-)
diff --git a/agents-common/scripts/enable-agent.sh b/agents-common/scripts/enable-agent.sh
index ad021feee..b04f359d9 100755
--- a/agents-common/scripts/enable-agent.sh
+++ b/agents-common/scripts/enable-agent.sh
@@ -218,6 +218,12 @@ elif [ "${HCOMPONENT_NAME}" = "presto" ]; then
echo "INFO: Creating ${HCOMPONENT_LIB_DIR}"
mkdir -p ${HCOMPONENT_LIB_DIR}
fi
+elif [ "${HCOMPONENT_NAME}" = "trino" ]; then
+ HCOMPONENT_LIB_DIR=${HCOMPONENT_INSTALL_DIR}/plugin/ranger
+ if [ ! -d "${HCOMPONENT_LIB_DIR}" ]; then
+ echo "INFO: Creating ${HCOMPONENT_LIB_DIR}"
+ mkdir -p ${HCOMPONENT_LIB_DIR}
+ fi
fi
HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/conf
@@ -248,6 +254,8 @@ elif [ "${HCOMPONENT_NAME}" = "elasticsearch" ]; then
fi
elif [ "${HCOMPONENT_NAME}" = "presto" ]; then
HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/etc
+elif [ "${HCOMPONENT_NAME}" = "trino" ]; then
+ HCOMPONENT_CONF_DIR=${HCOMPONENT_INSTALL_DIR}/etc
fi
HCOMPONENT_ARCHIVE_CONF_DIR=${HCOMPONENT_CONF_DIR}/.archive
@@ -808,6 +816,32 @@ then
ln -sf ${HCOMPONENT_CONF_DIR} conf
fi
+if [ "${HCOMPONENT_NAME}" = "trino" ]
+then
+ if [ "${action}" = "enable" ]
+ then
+ controlName="ranger"
+ else
+ controlName="allow-all"
+ fi
+ dt=`date '+%Y%m%d%H%M%S'`
+ fn=`ls ${HCOMPONENT_CONF_DIR}/access-control.properties 2> /dev/null`
+ if [ -f "${fn}" ]
+ then
+ dn=`dirname ${fn}`
+ bn=`basename ${fn}`
+ bf=${dn}/.${bn}.${dt}
+ echo "backup of ${fn} to ${bf} ..."
+ cp ${fn} ${bf}
+ else
+ fn=${HCOMPONENT_CONF_DIR}/access-control.properties
+ fi
+ echo "Add or Update properties file: [${fn}] ... "
+ addOrUpdatePropertyToFile access-control.name $controlName ${fn}
+ echo "Linking config files"
+ cd ${HCOMPONENT_LIB_DIR}/ranger-trino-plugin-impl/
+ ln -sf ${HCOMPONENT_CONF_DIR} conf
+fi
#
# Set notice to restart the ${HCOMPONENT_NAME}
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
index 5ff782f9e..db629c85d 100755
--- a/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/store/EmbeddedServiceDefsUtil.java
@@ -49,7 +49,7 @@ public class EmbeddedServiceDefsUtil {
// following servicedef list should be reviewed/updated whenever a new embedded service-def is added
- public static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch,presto,ozone,kudu,schema-registry";
+ public static final String DEFAULT_BOOTSTRAP_SERVICEDEF_LIST = "tag,hdfs,hbase,hive,kms,knox,storm,yarn,kafka,solr,atlas,nifi,nifi-registry,sqoop,kylin,elasticsearch,presto,trino,ozone,kudu,schema-registry";
private static final String PROPERTY_SUPPORTED_SERVICE_DEFS = "ranger.supportedcomponents";
private Set<String> supportedServiceDefs;
public static final String EMBEDDED_SERVICEDEF_TAG_NAME = "tag";
@@ -72,6 +72,7 @@ public class EmbeddedServiceDefsUtil {
public static final String EMBEDDED_SERVICEDEF_ABFS_NAME = "abfs";
public static final String EMBEDDED_SERVICEDEF_ELASTICSEARCH_NAME = "elasticsearch";
public static final String EMBEDDED_SERVICEDEF_PRESTO_NAME = "presto";
+ public static final String EMBEDDED_SERVICEDEF_TRINO_NAME = "trino";
public static final String EMBEDDED_SERVICEDEF_OZONE_NAME = "ozone";
public static final String EMBEDDED_SERVICEDEF_KUDU_NAME = "kudu";
@@ -90,6 +91,7 @@ public class EmbeddedServiceDefsUtil {
public static final String NIFI_IMPL_CLASS_NAME = "org.apache.ranger.services.nifi.RangerServiceNiFi";
public static final String ATLAS_IMPL_CLASS_NAME = "org.apache.ranger.services.atlas.RangerServiceAtlas";
public static final String PRESTO_IMPL_CLASS_NAME = "org.apache.ranger.services.presto.RangerServicePresto";
+ public static final String TRINO_IMPL_CLASS_NAME = "org.apache.ranger.services.trino.RangerServiceTrino";
public static final String OZONE_IMPL_CLASS_NAME = "org.apache.ranger.services.ozone.RangerServiceOzone";
public static final String KUDU_IMPL_CLASS_NAME = "org.apache.ranger.services.kudu.RangerServiceKudu";
@@ -115,6 +117,7 @@ public class EmbeddedServiceDefsUtil {
private RangerServiceDef abfsServiceDef;
private RangerServiceDef elasticsearchServiceDef;
private RangerServiceDef prestoServiceDef;
+ private RangerServiceDef trinoServiceDef;
private RangerServiceDef ozoneServiceDef;
private RangerServiceDef kuduServiceDef;
@@ -164,6 +167,7 @@ public class EmbeddedServiceDefsUtil {
kylinServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KYLIN_NAME);
abfsServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ABFS_NAME);
elasticsearchServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_ELASTICSEARCH_NAME);
+ trinoServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_TRINO_NAME);
prestoServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_PRESTO_NAME);
ozoneServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_OZONE_NAME);
kuduServiceDef = getOrCreateServiceDef(store, EMBEDDED_SERVICEDEF_KUDU_NAME);
@@ -246,6 +250,8 @@ public class EmbeddedServiceDefsUtil {
public long getAbfsServiceDefId() { return getId(abfsServiceDef); }
+ public long getTrinoServiceDefId() { return getId(trinoServiceDef); }
+
public long getPrestoServiceDefId() { return getId(prestoServiceDef); }
public long getOzoneServiceDefId() { return getId(ozoneServiceDef); }
diff --git a/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
new file mode 100644
index 000000000..88a57e1f0
--- /dev/null
+++ b/agents-common/src/main/resources/service-defs/ranger-servicedef-trino.json
@@ -0,0 +1,473 @@
+{
+ "id": 203,
+ "name": "trino",
+ "displayName": "trino",
+ "implClass": "org.apache.ranger.services.trino.RangerServiceTrino",
+ "label": "Trino",
+ "description": "Trino",
+ "guid": "379a9fe5-1b6e-4091-a584-4890e245e6c1",
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "catalog",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Catalog",
+ "description": "Trino Catalog"
+ },
+ {
+ "itemId": 2,
+ "name": "schema",
+ "type": "string",
+ "level": 20,
+ "parent": "catalog",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Schema",
+ "description": "Trino Schema"
+ },
+ {
+ "itemId": 3,
+ "name": "table",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Table",
+ "description": "Trino Table"
+ },
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 40,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Column",
+ "description": "Trino Column"
+ },
+ {
+ "itemId": 5,
+ "name": "trinouser",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino User",
+ "description": "Trino User",
+ "accessTypeRestrictions": ["impersonate"]
+ },
+ {
+ "itemId": 6,
+ "name": "systemproperty",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "System Property",
+ "description": "Trino System Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 7,
+ "name": "sessionproperty",
+ "type": "string",
+ "level": 20,
+ "parent": "catalog",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Catalog Session Property",
+ "description": "Trino Catalog Session Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 8,
+ "name": "function",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Function",
+ "description": "Trino Function",
+ "accessTypeRestrictions": ["execute", "grant"]
+ },
+ {
+ "itemId": 9,
+ "name": "procedure",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Schema Procedure",
+ "description": "Schema Procedure",
+ "accessTypeRestrictions": ["execute", "grant"]
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "itemId": 2,
+ "name": "insert",
+ "label": "Insert"
+ },
+ {
+ "itemId": 3,
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "itemId": 4,
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "itemId": 5,
+ "name": "delete",
+ "label": "Delete"
+ },
+ {
+ "itemId": 6,
+ "name": "use",
+ "label": "Use"
+ },
+ {
+ "itemId": 7,
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "itemId": 8,
+ "name": "grant",
+ "label": "Grant"
+ },
+ {
+ "itemId": 9,
+ "name": "revoke",
+ "label": "Revoke"
+ },
+ {
+ "itemId": 10,
+ "name": "show",
+ "label": "Show"
+ },
+ {
+ "itemId": 11,
+ "name": "impersonate",
+ "label": "Impersonate"
+ },
+ {
+ "itemId": 12,
+ "name": "all",
+ "label": "All",
+ "impliedGrants": [
+ "select",
+ "insert",
+ "create",
+ "delete",
+ "drop",
+ "use",
+ "alter",
+ "grant",
+ "revoke",
+ "show",
+ "impersonate",
+ "execute"
+ ]
+ },
+ {
+ "itemId": 13,
+ "name": "execute",
+ "label": "execute"
+ }
+ ],
+ "configs": [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Username"
+ },
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": false,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Password"
+ },
+ {
+ "itemId": 3,
+ "name": "jdbc.driverClassName",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "defaultValue": "io.trino.jdbc.TrinoDriver"
+ },
+ {
+ "itemId": 4,
+ "name": "jdbc.url",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": ""
+ }
+ ],
+ "enums": [
+ ],
+ "contextEnrichers": [
+ ],
+ "policyConditions":
+ [
+ ],
+ "dataMaskDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "name": "catalog",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "schema",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "table",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "column",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ }
+ ],
+ "maskTypes": [
+ {
+ "itemId": 1,
+ "name": "MASK",
+ "label": "Redact",
+ "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
+ "transformer": "cast(regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0') as {type})",
+ "dataMaskOptions": {
+ }
+ },
+ {
+ "itemId": 2,
+ "name": "MASK_SHOW_LAST_4",
+ "label": "Partial mask: show last 4",
+ "description": "Show last 4 characters; replace rest with 'X'",
+ "transformer": "cast(regexp_replace({col}, '(.*)(.{4}$)', x -> regexp_replace(x[1], '.', 'X') || x[2]) as {type})"
+ },
+ {
+ "itemId": 3,
+ "name": "MASK_SHOW_FIRST_4",
+ "label": "Partial mask: show first 4",
+ "description": "Show first 4 characters; replace rest with 'x'",
+ "transformer": "cast(regexp_replace({col}, '(^.{4})(.*)', x -> x[1] || regexp_replace(x[2], '.', 'X')) as {type})"
+ },
+ {
+ "itemId": 4,
+ "name": "MASK_HASH",
+ "label": "Hash",
+ "description": "Hash the value of a varchar with sha256",
+ "transformer": "cast(to_hex(sha256(to_utf8({col}))) as {type})"
+ },
+ {
+ "itemId": 5,
+ "name": "MASK_NULL",
+ "label": "Nullify",
+ "description": "Replace with NULL"
+ },
+ {
+ "itemId": 6,
+ "name": "MASK_NONE",
+ "label": "Unmasked (retain original value)",
+ "description": "No masking"
+ },
+ {
+ "itemId": 12,
+ "name": "MASK_DATE_SHOW_YEAR",
+ "label": "Date: show only year",
+ "description": "Date: show only year",
+ "transformer": "date_trunc('year', {col})"
+ },
+ {
+ "itemId": 13,
+ "name": "CUSTOM",
+ "label": "Custom",
+ "description": "Custom"
+ }
+ ]
+ },
+ "rowFilterDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "name": "catalog",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ },
+ {
+ "name": "schema",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ },
+ {
+ "name": "table",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ }
+ ]
+ }
+
+}
\ No newline at end of file
diff --git a/distro/pom.xml b/distro/pom.xml
index 201b9562f..45a2164a6 100644
--- a/distro/pom.xml
+++ b/distro/pom.xml
@@ -75,6 +75,7 @@
<descriptor>src/main/assembly/plugin-elasticsearch.xml</descriptor>
<descriptor>src/main/assembly/plugin-schema-registry.xml</descriptor>
<descriptor>src/main/assembly/plugin-presto.xml</descriptor>
+ <descriptor>src/main/assembly/plugin-trino.xml</descriptor>
<descriptor>src/main/assembly/sample-client.xml</descriptor>
</descriptors>
</configuration>
@@ -525,6 +526,35 @@
</plugins>
</build>
</profile>
+ <profile>
+ <id>ranger-trino-plugin</id>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-assembly-plugin</artifactId>
+ <version>${assembly.plugin.version}</version>
+ <configuration>
+ <finalName>ranger-${project.version}</finalName>
+ <outputDirectory>../target</outputDirectory>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>single</goal>
+ </goals>
+ <phase>package</phase>
+ <configuration>
+ <skipAssembly>false</skipAssembly>
+ <descriptors>
+ <descriptor>src/main/assembly/plugin-trino.xml</descriptor>
+ </descriptors>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
<profile>
<id>ranger-presto-plugin</id>
<build>
diff --git a/distro/src/main/assembly/admin-web.xml b/distro/src/main/assembly/admin-web.xml
index 9095b3392..388707a73 100644
--- a/distro/src/main/assembly/admin-web.xml
+++ b/distro/src/main/assembly/admin-web.xml
@@ -480,6 +480,25 @@
</binaries>
</moduleSet>
+ <moduleSet>
+ <useAllReactorProjects>true</useAllReactorProjects>
+ <includes>
+ <include>org.apache.ranger:ranger-trino-plugin</include>
+ </includes>
+ <binaries>
+ <outputDirectory>ews/webapp/WEB-INF/classes/ranger-plugins/trino</outputDirectory>
+ <includeDependencies>true</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>org.apache.ranger:ranger-trino-plugin</include>
+ <include>io.trino:trino-spi:jar:${trino.version}</include>
+ <include>io.trino:trino-jdbc:jar:${trino.version}</include>
+ </includes>
+ </binaries>
+ </moduleSet>
+
<moduleSet>
<useAllReactorProjects>true</useAllReactorProjects>
<includes>
diff --git a/distro/src/main/assembly/plugin-trino.xml b/distro/src/main/assembly/plugin-trino.xml
new file mode 100644
index 000000000..781c86b11
--- /dev/null
+++ b/distro/src/main/assembly/plugin-trino.xml
@@ -0,0 +1,222 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<assembly>
+ <id>trino-plugin</id>
+ <formats>
+ <format>tar.gz</format>
+ </formats>
+ <baseDirectory>${project.parent.name}-${project.version}-trino-plugin</baseDirectory>
+ <includeBaseDirectory>true</includeBaseDirectory>
+ <moduleSets>
+ <moduleSet>
+ <useAllReactorProjects>true</useAllReactorProjects>
+ <includes>
+ <include>org.apache.ranger:ranger-trino-plugin-shim</include>
+ <include>org.apache.ranger:ranger-plugin-classloader</include>
+ </includes>
+ <binaries>
+ <outputDirectory>lib</outputDirectory>
+ <includeDependencies>true</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>com.google.inject:guice:jar:${trino.guice.version}</include>
+ <include>com.google.guava:guava:jar:${trino.guava.version}</include>
+ <include>io.airlift:bootstrap:jar:${trino.airlift.version}</include>
+ <include>io.airlift:log:jar:${trino.airlift.version}</include>
+ <include>io.airlift:log-manager:jar:${trino.airlift.version}</include>
+ <include>io.airlift:configuration:jar:${trino.airlift.version}</include>
+ <include>javax.validation:validation-api:jar:${trino.validation-api.version}</include>
+ <include>javax.inject:javax.inject:jar:${javax-inject.version}</include>
+ <include>org.apache.bval:bval-jsr:jar:${trino.bval-jsr.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.slf4j:slf4j-simple:jar:${slf4j.version}</include>
+ <include>javax.annotation:javax.annotation-api:jar:${javax.annotation-api}</include>
+ <include>com.fasterxml.jackson.core:jackson-core:jar:${fasterxml.jackson.version}</include>
+ </includes>
+ </binaries>
+ </moduleSet>
+
+ <moduleSet>
+ <useAllReactorProjects>true</useAllReactorProjects>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-audit</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:ranger-plugins-common</include>
+ <include>org.apache.ranger:ranger-trino-plugin</include>
+ </includes>
+ <binaries>
+ <outputDirectory>lib/ranger-trino-plugin-impl</outputDirectory>
+ <includeDependencies>true</includeDependencies>
+ <unpack>false</unpack>
+ <directoryMode>755</directoryMode>
+ <fileMode>644</fileMode>
+ <includes>
+ <include>com.google.code.gson:gson*</include>
+ <include>org.eclipse.jetty:jetty-client:jar:${jetty-client.version}</include>
+ <include>org.apache.httpcomponents:httpmime:jar:${httpcomponents.httpmime.version}</include>
+ <include>org.apache.httpcomponents:httpclient:jar:${httpcomponents.httpclient.version}</include>
+ <include>org.apache.httpcomponents:httpcore:jar:${httpcomponents.httpcore.version}</include>
+ <include>org.noggit:noggit:jar:${noggit.version}</include>
+ <include>org.apache.solr:solr-solrj:jar:${solr.version}</include>
+ <include>com.sun.jersey:jersey-core</include>
+ <include>com.sun.jersey:jersey-server</include>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>org.apache.commons:commons-configuration2:jar:${commons.configuration.version}</include>
+ <include>commons-codec:commons-codec</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang:jar:${commons.lang.version}</include>
+ <include>org.apache.commons:commons-lang3:jar:${commons.lang3.version}</include>
+ <include>org.apache.htrace:htrace-core4:jar:${htrace-core.version}</include>
+ <include>org.apache.commons:commons-compress:jar:${commons.compress.version}</include>
+ <include>org.slf4j:jcl-over-slf4j:jar:${slf4j.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>ch.qos.logback:logback-classic:jar:${logback.version}</include>
+ <include>ch.qos.logback:logback-core:jar:${logback.version}</include>
+ <include>com.google.guava:guava:jar:${google.guava.version}</include>
+ <include>com.google.protobuf:protobuf-java:jar:${protobuf-java.version}</include>
+ <include>com.google.re2j:re2j:jar:${trino.re2j.version}</include>
+ <include>org.apache.commons:commons-configuration2:jar:${commons.configuration.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-common-plus:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-hdfs:jar:${hadoop.version}</include>
+ <include>org.apache.ranger:ranger-plugins-cred</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ <include>org.codehaus.woodstox:stax2-api</include>
+ <include>com.fasterxml.woodstox:woodstox-core</include>
+ <include>org.apache.htrace:htrace-core4</include>
+ <include>com.sun.jersey:jersey-bundle</include>
+ <include>com.sun.jersey:jersey-json</include>
+ <include>org.codehaus.jackson:jackson-core-asl</include>
+ <include>org.codehaus.jackson:jackson-jaxrs</include>
+ <include>org.codehaus.jackson:jackson-mapper-asl</include>
+ <include>org.codehaus.jackson:jackson-xc</include>
+ <include>org.apache.zookeeper:zookeeper:jar:${zookeeper.version}</include>
+ <include>net.java.dev.jna:jna</include>
+ <include>net.java.dev.jna:jna-platform</include>
+ <include>com.kstruct:gethostname4j</include>
+ <include>org.elasticsearch:elasticsearch</include>
+ <include>org.elasticsearch:elasticsearch-core</include>
+ <include>org.elasticsearch:elasticsearch-x-content</include>
+ <include>org.elasticsearch.client:elasticsearch-rest-client</include>
+ <include>org.elasticsearch.client:elasticsearch-rest-high-level-client</include>
+ <include>org.elasticsearch.plugin:rank-eval-client</include>
+ <include>org.elasticsearch.plugin:lang-mustache-client</include>
+ <include>org.apache.httpcomponents:httpcore-nio:jar:${httpcomponents.httpcore.version}</include>
+ <include>org.apache.httpcomponents:httpasyncclient:jar:${httpcomponents.httpasyncclient.version}</include>
+ <include>org.apache.lucene:lucene-core</include>
+ <include>joda-time:joda-time</include>
+ <include>com.carrotsearch:hppc</include>
+ </includes>
+ </binaries>
+ </moduleSet>
+
+ <moduleSet>
+ <useAllReactorProjects>true</useAllReactorProjects>
+ <includes>
+ <include>org.apache.ranger:ranger-plugins-installer</include>
+ <include>org.apache.ranger:credentialbuilder</include>
+ </includes>
+ <binaries>
+ <outputDirectory>install/lib</outputDirectory>
+ <includeDependencies>true</includeDependencies>
+ <unpack>false</unpack>
+ <includes>
+ <include>commons-cli:commons-cli</include>
+ <include>commons-collections:commons-collections</include>
+ <include>com.google.guava:guava:jar:${trino.guava.version}</include>
+ <include>org.apache.commons:commons-configuration2:jar:${commons.configuration.version}</include>
+ <include>commons-io:commons-io:jar:${commons.io.version}</include>
+ <include>commons-lang:commons-lang</include>
+ <include>org.apache.commons:commons-lang3:jar:${commons.lang3.version}</include>
+ <include>org.apache.htrace:htrace-core4:jar:${htrace-core.version}</include>
+ <include>org.apache.commons:commons-compress:jar:${commons.compress.version}</include>
+ <include>commons-logging:commons-logging:jar:${commons.logging.version}</include>
+ <include>com.google.guava:guava:jar:${google.guava.version}</include>
+ <include>org.slf4j:slf4j-api:jar:${slf4j-api.version}</include>
+ <include>org.apache.hadoop:hadoop-common:jar:${hadoop.version}</include>
+ <include>org.apache.hadoop:hadoop-auth:jar:${hadoop.version}</include>
+ <include>org.codehaus.woodstox:stax2-api</include>
+ <include>com.fasterxml.woodstox:woodstox-core</include>
+ <include>org.apache.htrace:htrace-core4</include>
+ </includes>
+ </binaries>
+ </moduleSet>
+ </moduleSets>
+
+ <fileSets>
+ <!-- conf.templates for enable -->
+ <fileSet>
+ <outputDirectory>install/conf.templates/enable</outputDirectory>
+ <directory>../plugin-trino/conf</directory>
+ <excludes>
+ <exclude>*.sh</exclude>
+ </excludes>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>install/conf.templates/disable</outputDirectory>
+ <directory>../plugin-trino/disable-conf</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <fileSet>
+ <outputDirectory>install/conf.templates/default</outputDirectory>
+ <directory>../plugin-trino/template</directory>
+ <fileMode>700</fileMode>
+ </fileSet>
+ <!-- version file -->
+ <fileSet>
+ <outputDirectory></outputDirectory>
+ <directory>${project.build.outputDirectory}</directory>
+ <includes>
+ <include>version</include>
+ </includes>
+ <fileMode>444</fileMode>
+ </fileSet>
+ </fileSets>
+
+ <!-- enable/disable script for Plugin -->
+ <files>
+ <file>
+ <source>${project.parent.basedir}/agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory></outputDirectory>
+ <destName>enable-trino-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>${project.parent.basedir}/agents-common/scripts/enable-agent.sh</source>
+ <outputDirectory></outputDirectory>
+ <destName>disable-trino-plugin.sh</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>${project.parent.basedir}/plugin-trino/scripts/install.properties</source>
+ <outputDirectory></outputDirectory>
+ <destName>install.properties</destName>
+ <fileMode>755</fileMode>
+ </file>
+ <file>
+ <source>${project.parent.basedir}/security-admin/scripts/ranger_credential_helper.py</source>
+ <outputDirectory></outputDirectory>
+ <fileMode>755</fileMode>
+ </file>
+ </files>
+</assembly>
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java b/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
index 87d35af41..ee536ed32 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
+++ b/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
@@ -23,6 +23,7 @@ import org.apache.commons.lang.StringEscapeUtils;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopConfigHolder;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.util.PasswordUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -79,6 +80,17 @@ public class PrestoClient extends BaseClient implements Closeable {
String url = prop.getProperty("jdbc.url");
Properties prestoProperties = new Properties();
+ String decryptedPwd = null;
+ try {
+ decryptedPwd=PasswordUtils.decryptPassword(getConfigHolder().getPassword());
+ } catch (Exception ex) {
+ LOG.info("Password decryption failed");
+ decryptedPwd = null;
+ } finally {
+ if (decryptedPwd == null) {
+ decryptedPwd = prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD);
+ }
+ }
prestoProperties.put(PRESTO_USER_NAME_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP));
if (prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD) != null) {
prestoProperties.put(PRESTO_PASSWORD_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD));
diff --git a/plugin-trino/.gitignore b/plugin-trino/.gitignore
new file mode 100644
index 000000000..b83d22266
--- /dev/null
+++ b/plugin-trino/.gitignore
@@ -0,0 +1 @@
+/target/
diff --git a/plugin-trino/conf/ranger-policymgr-ssl-changes.cfg b/plugin-trino/conf/ranger-policymgr-ssl-changes.cfg
new file mode 100644
index 000000000..ae347e845
--- /dev/null
+++ b/plugin-trino/conf/ranger-policymgr-ssl-changes.cfg
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SSL Params
+#
+xasecure.policymgr.clientssl.keystore %SSL_KEYSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.keystore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore %SSL_TRUSTSTORE_FILE_PATH% mod create-if-not-exists
+xasecure.policymgr.clientssl.truststore.credential.file jceks://file%CREDENTIAL_PROVIDER_FILE% mod create-if-not-exists
diff --git a/plugin-trino/conf/ranger-policymgr-ssl.xml b/plugin-trino/conf/ranger-policymgr-ssl.xml
new file mode 100644
index 000000000..21cea432a
--- /dev/null
+++ b/plugin-trino/conf/ranger-policymgr-ssl.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <!-- The following properties are used for 2-way SSL client server validation -->
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore</name>
+ <value>trinoservice-clientcert.jks</value>
+ <description>
+ Java Keystore files
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore</name>
+ <value>cacerts-xasecure.jks</value>
+ <description>
+ java truststore file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.keystore.credential.file</name>
+ <value>jceks://file/tmp/keystore-trinoservice-ssl.jceks</value>
+ <description>
+ java keystore credential file
+ </description>
+ </property>
+ <property>
+ <name>xasecure.policymgr.clientssl.truststore.credential.file</name>
+ <value>jceks://file/tmp/truststore-trinoservice-ssl.jceks</value>
+ <description>
+ java truststore credential file
+ </description>
+ </property>
+</configuration>
diff --git a/plugin-trino/conf/ranger-trino-audit-changes.cfg b/plugin-trino/conf/ranger-trino-audit-changes.cfg
new file mode 100644
index 000000000..94c2d24ca
--- /dev/null
+++ b/plugin-trino/conf/ranger-trino-audit-changes.cfg
@@ -0,0 +1,74 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+xasecure.audit.hdfs.is.enabled %XAAUDIT.HDFS.IS_ENABLED% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.directory %XAAUDIT.HDFS.DESTINATION_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.file %XAAUDIT.HDFS.DESTINTATION_FILE% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.flush.interval.seconds %XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.rollover.interval.seconds %XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.destination.open.retry.interval.seconds %XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.directory %XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.file %XAAUDIT.HDFS.LOCAL_BUFFER_FILE% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds %XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.directory %XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY% mod create-if-not-exists
+xasecure.audit.hdfs.config.local.archive.max.file.count %XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT% mod create-if-not-exists
+
+xasecure.audit.solr.is.enabled %XAAUDIT.SOLR.IS_ENABLED% mod create-if-not-exists
+xasecure.audit.solr.solr_url %XAAUDIT.SOLR.SOLR_URL% mod create-if-not-exists
+
+#V3 configuration
+xasecure.audit.provider.summary.enabled %XAAUDIT.SUMMARY.ENABLE% mod create-if-not-exists
+
+xasecure.audit.destination.solr %XAAUDIT.SOLR.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.solr.urls %XAAUDIT.SOLR.URL% mod create-if-not-exists
+xasecure.audit.destination.solr.user %XAAUDIT.SOLR.USER% mod create-if-not-exists
+xasecure.audit.destination.solr.password %XAAUDIT.SOLR.PASSWORD% mod create-if-not-exists
+xasecure.audit.destination.solr.zookeepers %XAAUDIT.SOLR.ZOOKEEPER% mod create-if-not-exists
+xasecure.audit.destination.solr.batch.filespool.dir %XAAUDIT.SOLR.FILE_SPOOL_DIR% mod create-if-not-exists
+
+xasecure.audit.destination.elasticsearch %XAAUDIT.ELASTICSEARCH.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.urls %XAAUDIT.ELASTICSEARCH.URL% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.user %XAAUDIT.ELASTICSEARCH.USER% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.password %XAAUDIT.ELASTICSEARCH.PASSWORD% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.index %XAAUDIT.ELASTICSEARCH.INDEX% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.port %XAAUDIT.ELASTICSEARCH.PORT% mod create-if-not-exists
+xasecure.audit.destination.elasticsearch.protocol %XAAUDIT.ELASTICSEARCH.PROTOCOL% mod create-if-not-exists
+
+xasecure.audit.destination.amazon_cloudwatch %XAAUDIT.AMAZON_CLOUDWATCH.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.amazon_cloudwatch.log_group %XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP% mod create-if-not-exists
+xasecure.audit.destination.amazon_cloudwatch.log_stream_prefix %XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX% mod create-if-not-exists
+xasecure.audit.destination.amazon_cloudwatch.batch.filespool.dir %XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR% mod create-if-not-exists
+xasecure.audit.destination.amazon_cloudwatch.region %XAAUDIT.AMAZON_CLOUDWATCH.REGION% mod create-if-not-exists
+
+xasecure.audit.destination.hdfs %XAAUDIT.HDFS.ENABLE% mod create-if-not-exists
+xasecure.audit.destination.hdfs.batch.filespool.dir %XAAUDIT.HDFS.FILE_SPOOL_DIR% mod create-if-not-exists
+xasecure.audit.destination.hdfs.dir %XAAUDIT.HDFS.HDFS_DIR% mod create-if-not-exists
+
+AZURE.ACCOUNTNAME %XAAUDIT.HDFS.AZURE_ACCOUNTNAME% var
+xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script %XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.key.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY% mod create-if-not-exists
+xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.%AZURE.ACCOUNTNAME%.blob.core.windows.net %XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER% mod create-if-not-exists
+
+#xasecure.audit.destination.file %XAAUDIT.FILE.ENABLE% mod create-if-not-exists
+#xasecure.audit.destination.file.dir %XAAUDIT.FILE.DIR% mod create-if-not-exists
+
+#log4j configuration
+xasecure.audit.log4j.is.enabled %XAAUDIT.LOG4J.ENABLE% mod create-if-not-exists
+xasecure.audit.log4j.is.async %XAAUDIT.LOG4J.IS_ASYNC% mod create-if-not-exists
+xasecure.audit.log4j.async.max.queue.size %XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE% mod create-if-not-exists
+xasecure.audit.log4j.async.max.flush.interval.ms %XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS% mod create-if-not-exists
+xasecure.audit.destination.log4j %XAAUDIT.LOG4J.DESTINATION.LOG4J% mod create-if-not-exists
+xasecure.audit.destination.log4j.logger %XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER% mod create-if-not-exists
diff --git a/plugin-trino/conf/ranger-trino-audit.xml b/plugin-trino/conf/ranger-trino-audit.xml
new file mode 100644
index 000000000..cd5711851
--- /dev/null
+++ b/plugin-trino/conf/ranger-trino-audit.xml
@@ -0,0 +1,216 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>xasecure.audit.is.enabled</name>
+ <value>true</value>
+ </property>
+
+ <!-- HDFS audit provider configuration -->
+ <property>
+ <name>xasecure.audit.hdfs.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.is.async</name>
+ <value>true</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.async.max.queue.size</name>
+ <value>1048576</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.async.max.flush.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.encoding</name>
+ <value></value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.directory</name>
+ <value>hdfs://NAMENODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.file</name>
+ <value>%hostname%-audit.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.flush.interval.seconds</name>
+ <value>900</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.rollover.interval.seconds</name>
+ <value>86400</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.destination.open.retry.interval.seconds</name>
+ <value>60</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.directory</name>
+ <value>/var/log/trino/audit</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.file</name>
+ <value>%time:yyyyMMdd-HHmm.ss%.log</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.file.buffer.size.bytes</name>
+ <value>8192</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.flush.interval.seconds</name>
+ <value>60</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.buffer.rollover.interval.seconds</name>
+ <value>600</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.archive.directory</name>
+ <value>/var/log/trino/audit/archive</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.hdfs.config.local.archive.max.file.count</name>
+ <value>10</value>
+ </property>
+
+ <!-- Audit to HDFS on Azure Datastore (WASB) requires v3 style settings. Comment the above and uncomment only the
+ following to audit to Azure Blob Datastore via hdfs' WASB schema.
+
+ NOTE: If you specify one audit destination in v3 style then other destinations, if any, must also be specified in v3 style
+ ====
+
+ <property>
+ <name>xasecure.audit.destination.hdfs</name>
+ <value>enabled</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.dir</name>
+ <value>wasb://ranger-audit1@youraccount.blob.core.windows.net</value>
+ </property>
+
+ the following 3 correspond to the properties with similar name in core-site.xml, i.e.
+ - fs.azure.account.key.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net and
+ - fs.azure.account.keyprovider.youraccount.blob.core.windows.net => xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net,
+ - fs.azure.shellkeyprovider.script => xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script,
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.key.youraccount.blob.core.windows.net</name>
+ <value>YOUR ENCRYPTED ACCESS KEY</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.account.keyprovider.youraccount.blob.core.windows.net</name>
+ <value>org.apache.hadoop.fs.azure.ShellDecryptionKeyProvider</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.destination.hdfs.config.fs.azure.shellkeyprovider.script</name>
+ <value>/usr/lib/python2.7/dist-packages/hdinsight_common/decrypt.sh</value>
+ </property>
+ -->
+
+ <!-- Log4j audit provider configuration -->
+ <property>
+ <name>xasecure.audit.log4j.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.is.async</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.async.max.queue.size</name>
+ <value>10240</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.log4j.async.max.flush.interval.ms</name>
+ <value>30000</value>
+ </property>
+
+
+ <!-- trino audit provider configuration -->
+ <property>
+ <name>xasecure.audit.trino.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.trino.async.max.queue.size</name>
+ <value>1</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.trino.async.max.flush.interval.ms</name>
+ <value>1000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.trino.broker_list</name>
+ <value>localhost:9092</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.trino.topic_name</name>
+ <value>ranger_audits</value>
+ </property>
+
+ <!-- Ranger audit provider configuration -->
+ <property>
+ <name>xasecure.audit.solr.is.enabled</name>
+ <value>false</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.async.max.queue.size</name>
+ <value>1</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.async.max.flush.interval.ms</name>
+ <value>1000</value>
+ </property>
+
+ <property>
+ <name>xasecure.audit.solr.solr_url</name>
+ <value>http://localhost:6083/solr/ranger_audits</value>
+ </property>
+</configuration>
diff --git a/plugin-trino/conf/ranger-trino-security-changes.cfg b/plugin-trino/conf/ranger-trino-security-changes.cfg
new file mode 100644
index 000000000..07e8faab3
--- /dev/null
+++ b/plugin-trino/conf/ranger-trino-security-changes.cfg
@@ -0,0 +1,28 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Change the original policy parameter to work with policy manager based.
+#
+#
+ranger.plugin.trino.service.name %REPOSITORY_NAME% mod create-if-not-exists
+
+ranger.plugin.trino.policy.source.impl org.apache.ranger.admin.client.RangerAdminRESTClient mod create-if-not-exists
+
+ranger.plugin.trino.policy.rest.url %POLICY_MGR_URL% mod create-if-not-exists
+ranger.plugin.trino.policy.rest.ssl.config.file %COMPONENT_INSTALL_DIR_NAME%/etc/ranger-policymgr-ssl.xml mod create-if-not-exists
+ranger.plugin.trino.policy.pollIntervalMs 30000 mod create-if-not-exists
+ranger.plugin.trino.policy.cache.dir %POLICY_CACHE_FILE_PATH% mod create-if-not-exists
+ranger.plugin.trino.policy.rest.client.connection.timeoutMs 120000 mod create-if-not-exists
+ranger.plugin.trino.policy.rest.client.read.timeoutMs 30000 mod create-if-not-exists
diff --git a/plugin-trino/conf/ranger-trino-security.xml b/plugin-trino/conf/ranger-trino-security.xml
new file mode 100644
index 000000000..1b2995a99
--- /dev/null
+++ b/plugin-trino/conf/ranger-trino-security.xml
@@ -0,0 +1,74 @@
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<configuration>
+ <property>
+ <name>ranger.plugin.trino.service.name</name>
+ <value>trinoservice</value>
+ <description>
+ Name of the Ranger service containing policies for this Trino instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.source.impl</name>
+ <value>org.apache.ranger.admin.client.RangerAdminRESTClient</value>
+ <description>
+ Class to retrieve policies from the source
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.rest.url</name>
+ <value>http://localhost:6080</value>
+ <description>
+ URL to Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.rest.ssl.config.file</name>
+ <value>/etc/hadoop/conf/ranger-policymgr-ssl.xml</value>
+ <description>
+ Path to the file containing SSL details to contact Ranger Admin
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.rest.client.connection.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ S3 Plugin RangerRestClient Connection Timeout in Milli Seconds
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.rest.client.read.timeoutMs</name>
+ <value>30000</value>
+ <description>
+ S3 Plugin RangerRestClient read Timeout in Milli Seconds
+ </description>
+ </property>
+</configuration>
diff --git a/plugin-trino/pom.xml b/plugin-trino/pom.xml
new file mode 100644
index 000000000..741ef337e
--- /dev/null
+++ b/plugin-trino/pom.xml
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-trino-plugin</artifactId>
+ <name>Trino Security Plugin</name>
+ <description>Trino Security Plugin</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>2.3.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>io.trino</groupId>
+ <artifactId>trino-spi</artifactId>
+ <version>${trino.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.trino</groupId>
+ <artifactId>trino-jdbc</artifactId>
+ <version>${trino.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ <version>${httpcomponents.httpcore.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ <version>${zookeeper.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>log4j-over-slf4j</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-audit</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ <version>${commons.lang3.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-compress</artifactId>
+ <version>${commons.compress.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.htrace</groupId>
+ <artifactId>htrace-core4</artifactId>
+ <version>${htrace-core.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>jcl-over-slf4j</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>${logback.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-core</artifactId>
+ <version>${logback.version}</version>
+ </dependency>
+ </dependencies>
+ <build>
+ <testResources>
+ <testResource>
+ <directory>src/test/resources</directory>
+ <includes>
+ <include>**/*</include>
+ </includes>
+ <filtering>true</filtering>
+ </testResource>
+ </testResources>
+ </build>
+</project>
diff --git a/plugin-trino/scripts/install.properties b/plugin-trino/scripts/install.properties
new file mode 100644
index 000000000..3685ed6b4
--- /dev/null
+++ b/plugin-trino/scripts/install.properties
@@ -0,0 +1,177 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# Location of Policy Manager URL
+#
+# Example:
+# POLICY_MGR_URL=http://policymanager.xasecure.net:6080
+#
+POLICY_MGR_URL=
+
+#
+# This is the repository name created within policy manager
+#
+# Example:
+# REPOSITORY_NAME=trinodev
+#
+REPOSITORY_NAME=
+
+#
+# Name of the directory where the component's lib and conf directory exist.
+# This location should be relative to the parent of the directory containing
+# the plugin installation files.
+#
+COMPONENT_INSTALL_DIR_NAME=../trino
+
+# Enable audit logs to Solr
+#Example
+#XAAUDIT.SOLR.ENABLE=true
+#XAAUDIT.SOLR.URL=http://localhost:6083/solr/ranger_audits
+#XAAUDIT.SOLR.ZOOKEEPER=
+#XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool
+
+XAAUDIT.SOLR.ENABLE=false
+XAAUDIT.SOLR.URL=NONE
+XAAUDIT.SOLR.USER=NONE
+XAAUDIT.SOLR.PASSWORD=NONE
+XAAUDIT.SOLR.ZOOKEEPER=NONE
+XAAUDIT.SOLR.FILE_SPOOL_DIR=/var/log/trino/audit/solr/spool
+
+# Enable audit logs to ElasticSearch
+#Example
+#XAAUDIT.ELASTICSEARCH.ENABLE=true
+#XAAUDIT.ELASTICSEARCH.URL=localhost
+#XAAUDIT.ELASTICSEARCH.INDEX=audit
+
+XAAUDIT.ELASTICSEARCH.ENABLE=false
+XAAUDIT.ELASTICSEARCH.URL=NONE
+XAAUDIT.ELASTICSEARCH.USER=NONE
+XAAUDIT.ELASTICSEARCH.PASSWORD=NONE
+XAAUDIT.ELASTICSEARCH.INDEX=NONE
+XAAUDIT.ELASTICSEARCH.PORT=NONE
+XAAUDIT.ELASTICSEARCH.PROTOCOL=NONE
+
+# Enable audit logs to HDFS
+#Example
+#XAAUDIT.HDFS.ENABLE=true
+#XAAUDIT.HDFS.HDFS_DIR=hdfs://node-1.example.com:8020/ranger/audit
+# If using Azure Blob Storage
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+#XAAUDIT.HDFS.HDFS_DIR=wasb://ranger_audit_container@my-azure-account.blob.core.windows.net/ranger/audit
+#XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool
+
+XAAUDIT.HDFS.ENABLE=false
+XAAUDIT.HDFS.HDFS_DIR=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit
+XAAUDIT.HDFS.FILE_SPOOL_DIR=/var/log/trino/audit/hdfs/spool
+
+# Following additional propertis are needed When auditing to Azure Blob Storage via HDFS
+# Get these values from your /etc/hadoop/conf/core-site.xml
+#XAAUDIT.HDFS.HDFS_DIR=wasb[s]://<containername>@<accountname>.blob.core.windows.net/<path>
+XAAUDIT.HDFS.AZURE_ACCOUNTNAME=__REPLACE_AZURE_ACCOUNT_NAME
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY=__REPLACE_AZURE_ACCOUNT_KEY
+XAAUDIT.HDFS.AZURE_SHELL_KEY_PROVIDER=__REPLACE_AZURE_SHELL_KEY_PROVIDER
+XAAUDIT.HDFS.AZURE_ACCOUNTKEY_PROVIDER=__REPLACE_AZURE_ACCOUNT_KEY_PROVIDER
+
+#Log4j Audit Provider
+XAAUDIT.LOG4J.ENABLE=false
+XAAUDIT.LOG4J.IS_ASYNC=false
+XAAUDIT.LOG4J.ASYNC.MAX.QUEUE.SIZE=10240
+XAAUDIT.LOG4J.ASYNC.MAX.FLUSH.INTERVAL.MS=30000
+XAAUDIT.LOG4J.DESTINATION.LOG4J=true
+XAAUDIT.LOG4J.DESTINATION.LOG4J.LOGGER=xaaudit
+
+# Enable audit logs to Amazon CloudWatch Logs
+#Example
+#XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=true
+#XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=ranger_audits
+#XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM={instance_id}
+#XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=/var/log/hive/audit/amazon_cloudwatch/spool
+
+XAAUDIT.AMAZON_CLOUDWATCH.ENABLE=false
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_GROUP=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.LOG_STREAM_PREFIX=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.FILE_SPOOL_DIR=NONE
+XAAUDIT.AMAZON_CLOUDWATCH.REGION=NONE
+
+# End of V3 properties
+
+
+#
+# Audit to HDFS Configuration
+#
+# If XAAUDIT.HDFS.IS_ENABLED is set to true, please replace tokens
+# that start with __REPLACE__ with appropriate values
+# XAAUDIT.HDFS.IS_ENABLED=true
+# XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit
+# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive
+#
+# Example:
+# XAAUDIT.HDFS.IS_ENABLED=true
+# XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://namenode.example.com:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+# XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=/var/log/trino/audit
+# XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=/var/log/trino/audit/archive
+#
+XAAUDIT.HDFS.IS_ENABLED=false
+XAAUDIT.HDFS.DESTINATION_DIRECTORY=hdfs://__REPLACE__NAME_NODE_HOST:8020/ranger/audit/%app-type%/%time:yyyyMMdd%
+XAAUDIT.HDFS.LOCAL_BUFFER_DIRECTORY=__REPLACE__LOG_DIR/trino/audit
+XAAUDIT.HDFS.LOCAL_ARCHIVE_DIRECTORY=__REPLACE__LOG_DIR/trino/audit/archive
+
+XAAUDIT.HDFS.DESTINTATION_FILE=%hostname%-audit.log
+XAAUDIT.HDFS.DESTINTATION_FLUSH_INTERVAL_SECONDS=900
+XAAUDIT.HDFS.DESTINTATION_ROLLOVER_INTERVAL_SECONDS=86400
+XAAUDIT.HDFS.DESTINTATION_OPEN_RETRY_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_FILE=%time:yyyyMMdd-HHmm.ss%.log
+XAAUDIT.HDFS.LOCAL_BUFFER_FLUSH_INTERVAL_SECONDS=60
+XAAUDIT.HDFS.LOCAL_BUFFER_ROLLOVER_INTERVAL_SECONDS=600
+XAAUDIT.HDFS.LOCAL_ARCHIVE_MAX_FILE_COUNT=10
+
+#Solr Audit Provider
+XAAUDIT.SOLR.IS_ENABLED=false
+XAAUDIT.SOLR.MAX_QUEUE_SIZE=1
+XAAUDIT.SOLR.MAX_FLUSH_INTERVAL_MS=1000
+XAAUDIT.SOLR.SOLR_URL=http://localhost:6083/solr/ranger_audits
+
+# End of V2 properties
+
+#
+# SSL Client Certificate Information
+#
+# Example:
+# SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
+# SSL_KEYSTORE_PASSWORD=none
+# SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
+# SSL_TRUSTSTORE_PASSWORD=none
+#
+# You do not need use SSL between agent and security admin tool, please leave these sample value as it is.
+#
+SSL_KEYSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-keystore.jks
+SSL_KEYSTORE_PASSWORD=myKeyFilePassword
+SSL_TRUSTSTORE_FILE_PATH=/etc/hadoop/conf/ranger-plugin-truststore.jks
+SSL_TRUSTSTORE_PASSWORD=changeit
+
+#
+# Custom component user
+# CUSTOM_COMPONENT_USER=<custom-user>
+# keep blank if component user is default
+CUSTOM_USER=trino
+
+
+#
+# Custom component group
+# CUSTOM_COMPONENT_GROUP=<custom-group>
+# keep blank if component group is default
+CUSTOM_GROUP=hadoop
diff --git a/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
new file mode 100644
index 000000000..cc06187f4
--- /dev/null
+++ b/plugin-trino/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -0,0 +1,902 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authorization.trino.authorizer;
+
+import io.trino.spi.connector.CatalogSchemaName;
+import io.trino.spi.connector.CatalogSchemaRoutineName;
+import io.trino.spi.connector.CatalogSchemaTableName;
+import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.security.AccessDeniedException;
+import io.trino.spi.security.TrinoPrincipal;
+import io.trino.spi.security.Privilege;
+import io.trino.spi.security.SystemAccessControl;
+import io.trino.spi.security.SystemSecurityContext;
+import io.trino.spi.security.ViewExpression;
+import io.trino.spi.type.Type;
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerServiceDef;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResult;
+import org.apache.ranger.plugin.service.RangerBasePlugin;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URL;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+import static java.util.Locale.ENGLISH;
+
+public class RangerSystemAccessControl
+ implements SystemAccessControl {
+ private static Logger LOG = LoggerFactory.getLogger(RangerSystemAccessControl.class);
+
+ final public static String RANGER_CONFIG_KEYTAB = "ranger.keytab";
+ final public static String RANGER_CONFIG_PRINCIPAL = "ranger.principal";
+ final public static String RANGER_CONFIG_USE_UGI = "ranger.use_ugi";
+ final public static String RANGER_CONFIG_HADOOP_CONFIG = "ranger.hadoop_config";
+ final public static String RANGER_TRINO_DEFAULT_HADOOP_CONF = "trino-ranger-site.xml";
+ final public static String RANGER_TRINO_SERVICETYPE = "trino";
+ final public static String RANGER_TRINO_APPID = "trino";
+
+ final private RangerBasePlugin rangerPlugin;
+
+ private boolean useUgi = false;
+
+ public RangerSystemAccessControl(Map<String, String> config) {
+ super();
+
+ Configuration hadoopConf = new Configuration();
+ if (config.get(RANGER_CONFIG_HADOOP_CONFIG) != null) {
+ URL url = hadoopConf.getResource(config.get(RANGER_CONFIG_HADOOP_CONFIG));
+ if (url == null) {
+ LOG.warn("Hadoop config " + config.get(RANGER_CONFIG_HADOOP_CONFIG) + " not found");
+ } else {
+ hadoopConf.addResource(url);
+ }
+ } else {
+ URL url = hadoopConf.getResource(RANGER_TRINO_DEFAULT_HADOOP_CONF);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Trying to load Hadoop config from " + url + " (can be null)");
+ }
+ if (url != null) {
+ hadoopConf.addResource(url);
+ }
+ }
+ UserGroupInformation.setConfiguration(hadoopConf);
+
+ if (config.get(RANGER_CONFIG_KEYTAB) != null && config.get(RANGER_CONFIG_PRINCIPAL) != null) {
+ String keytab = config.get(RANGER_CONFIG_KEYTAB);
+ String principal = config.get(RANGER_CONFIG_PRINCIPAL);
+
+ LOG.info("Performing kerberos login with principal " + principal + " and keytab " + keytab);
+
+ try {
+ UserGroupInformation.loginUserFromKeytab(principal, keytab);
+ } catch (IOException ioe) {
+ LOG.error("Kerberos login failed", ioe);
+ throw new RuntimeException(ioe);
+ }
+ }
+
+ if (config.getOrDefault(RANGER_CONFIG_USE_UGI, "false").equalsIgnoreCase("true")) {
+ useUgi = true;
+ }
+
+ rangerPlugin = new RangerBasePlugin(RANGER_TRINO_SERVICETYPE, RANGER_TRINO_APPID);
+ rangerPlugin.init();
+ rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
+ }
+
+
+ /** FILTERING AND DATA MASKING **/
+
+ private RangerAccessResult getDataMaskResult(RangerTrinoAccessRequest request) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> getDataMaskResult(request=" + request + ")");
+ }
+
+ RangerAccessResult ret = rangerPlugin.evalDataMaskPolicies(request, null);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret);
+ }
+
+ return ret;
+ }
+
+ private RangerAccessResult getRowFilterResult(RangerTrinoAccessRequest request) {
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> getRowFilterResult(request=" + request + ")");
+ }
+
+ RangerAccessResult ret = rangerPlugin.evalRowFilterPolicies(request, null);
+
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret);
+ }
+
+ return ret;
+ }
+
+ private boolean isDataMaskEnabled(RangerAccessResult result) {
+ return result != null && result.isMaskEnabled();
+ }
+
+ private boolean isRowFilterEnabled(RangerAccessResult result) {
+ return result != null && result.isRowFilterEnabled();
+ }
+
+ @Override
+ public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
+ RangerTrinoAccessRequest request = createAccessRequest(createResource(tableName), context, TrinoAccessType.SELECT);
+ RangerAccessResult result = getRowFilterResult(request);
+
+ ViewExpression viewExpression = null;
+ if (isRowFilterEnabled(result)) {
+ String filter = result.getFilterExpr();
+ viewExpression = new ViewExpression(
+ context.getIdentity().getUser(),
+ Optional.of(tableName.getCatalogName()),
+ Optional.of(tableName.getSchemaTableName().getSchemaName()),
+ filter
+ );
+ }
+ return Optional.ofNullable(viewExpression);
+ }
+
+ @Override
+ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
+ RangerTrinoAccessRequest request = createAccessRequest(
+ createResource(tableName.getCatalogName(), tableName.getSchemaTableName().getSchemaName(),
+ tableName.getSchemaTableName().getTableName(), Optional.of(columnName)),
+ context, TrinoAccessType.SELECT);
+ RangerAccessResult result = getDataMaskResult(request);
+
+ ViewExpression viewExpression = null;
+ if (isDataMaskEnabled(result)) {
+ String maskType = result.getMaskType();
+ RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
+ String transformer = null;
+
+ if (maskTypeDef != null) {
+ transformer = maskTypeDef.getTransformer();
+ }
+
+ if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
+ transformer = "NULL";
+ } else if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
+ String maskedValue = result.getMaskedValue();
+
+ if(maskedValue == null) {
+ transformer = "NULL";
+ } else {
+ transformer = maskedValue;
+ }
+ }
+
+ if(StringUtils.isNotEmpty(transformer)) {
+ transformer = transformer.replace("{col}", columnName).replace("{type}", type.getDisplayName());
+ }
+
+ viewExpression = new ViewExpression(
+ context.getIdentity().getUser(),
+ Optional.of(tableName.getCatalogName()),
+ Optional.of(tableName.getSchemaTableName().getSchemaName()),
+ transformer
+ );
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("getColumnMask: user: %s, catalog: %s, schema: %s, transformer: %s");
+ }
+
+ }
+
+ return Optional.ofNullable(viewExpression);
+ }
+
+ @Override
+ public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) {
+ LOG.debug("==> RangerSystemAccessControl.filterCatalogs("+ catalogs + ")");
+ Set<String> filteredCatalogs = new HashSet<>(catalogs.size());
+ for (String catalog: catalogs) {
+ if (hasPermission(createResource(catalog), context, TrinoAccessType.SELECT)) {
+ filteredCatalogs.add(catalog);
+ }
+ }
+ return filteredCatalogs;
+ }
+
+ @Override
+ public Set<String> filterSchemas(SystemSecurityContext context, String catalogName, Set<String> schemaNames) {
+ LOG.debug("==> RangerSystemAccessControl.filterSchemas(" + catalogName + ")");
+ Set<String> filteredSchemaNames = new HashSet<>(schemaNames.size());
+ for (String schemaName: schemaNames) {
+ if (hasPermission(createResource(catalogName, schemaName), context, TrinoAccessType.SELECT)) {
+ filteredSchemaNames.add(schemaName);
+ }
+ }
+ return filteredSchemaNames;
+ }
+
+ @Override
+ public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames) {
+ LOG.debug("==> RangerSystemAccessControl.filterTables(" + catalogName + ")");
+ Set<SchemaTableName> filteredTableNames = new HashSet<>(tableNames.size());
+ for (SchemaTableName tableName : tableNames) {
+ RangerTrinoResource res = createResource(catalogName, tableName.getSchemaName(), tableName.getTableName());
+ if (hasPermission(res, context, TrinoAccessType.SELECT)) {
+ filteredTableNames.add(tableName);
+ }
+ }
+ return filteredTableNames;
+ }
+
+ /** PERMISSION CHECKS ORDERED BY SYSTEM, CATALOG, SCHEMA, TABLE, VIEW, COLUMN, QUERY, FUNCTIONS, PROCEDURES **/
+
+ /** SYSTEM **/
+
+ @Override
+ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+ if (!hasPermission(createSystemPropertyResource(propertyName), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty denied");
+ AccessDeniedException.denySetSystemSessionProperty(propertyName);
+ }
+ }
+
+ @Override
+ public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+ if (!hasPermission(createUserResource(userName), context, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanImpersonateUser(" + userName + ") denied");
+ AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), userName);
+ }
+ }
+
+ @Override
+ public void checkCanSetUser(Optional<Principal> principal, String userName) {
+ // pass as it is deprecated
+ }
+
+ /** CATALOG **/
+ @Override
+ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
+ if (!hasPermission(createCatalogSessionResource(catalogName, propertyName), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetSystemSessionProperty(" + catalogName + ") denied");
+ AccessDeniedException.denySetCatalogSessionProperty(catalogName, propertyName);
+ }
+ }
+
+ @Override
+ public void checkCanShowRoles(SystemSecurityContext context) {
+ //allow
+ }
+
+ @Override
+ public void checkCanShowCurrentRoles(SystemSecurityContext context) {
+ //allow
+ }
+
+ @Override
+ public void checkCanShowRoleGrants(SystemSecurityContext context) {
+ //allow
+ }
+
+ @Override
+ public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
+ if (!hasPermission(createResource(catalogName), context, TrinoAccessType.USE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanAccessCatalog(" + catalogName + ") denied");
+ AccessDeniedException.denyCatalogAccess(catalogName);
+ }
+ }
+
+ @Override
+ public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
+ if (!hasPermission(createResource(catalogName), context, TrinoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowSchemas(" + catalogName + ") denied");
+ AccessDeniedException.denyShowSchemas(catalogName);
+ }
+ }
+
+ /** SCHEMA **/
+
+ @Override
+ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) {
+ if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.GRANT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetSchemaAuthorization(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denySetSchemaAuthorization(schema.getSchemaName(), principal);
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowCreateSchema(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denyShowCreateSchema(schema.getSchemaName());
+ }
+ }
+
+ /**
+ * Create schema is evaluated on the level of the Catalog. This means that it is assumed you have permission
+ * to create a schema when you have create rights on the catalog level
+ */
+ @Override
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ if (!hasPermission(createResource(schema.getCatalogName()), context, TrinoAccessType.CREATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanCreateSchema(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denyCreateSchema(schema.getSchemaName());
+ }
+ }
+
+ /**
+ * This is evaluated against the schema name as ownership information is not available
+ */
+ @Override
+ public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ if (!hasPermission(createResource(schema.getCatalogName(), schema.getSchemaName()), context, TrinoAccessType.DROP)) {
+ LOG.debug("RangerSystemAccessControl.checkCanDropSchema(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denyDropSchema(schema.getSchemaName());
+ }
+ }
+
+ /**
+ * This is evaluated against the schema name as ownership information is not available
+ */
+ @Override
+ public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) {
+ RangerTrinoResource res = createResource(schema.getCatalogName(), schema.getSchemaName());
+ if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanRenameSchema(" + schema.getSchemaName() + ") denied");
+ AccessDeniedException.denyRenameSchema(schema.getSchemaName(), newSchemaName);
+ }
+ }
+
+ /** TABLE **/
+
+ @Override
+ public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) {
+ if (!hasPermission(createResource(schema), context, TrinoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + schema.toString() + ") denied");
+ AccessDeniedException.denyShowTables(schema.toString());
+ }
+ }
+
+
+ @Override
+ public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
+ AccessDeniedException.denyShowCreateTable(table.toString());
+ }
+ }
+
+ /**
+ * Create table is verified on schema level
+ */
+ @Override
+ public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map<String, Object> properties) {
+ if (!hasPermission(createResource(table.getCatalogName(), table.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanCreateTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCreateTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated against the table name as ownership information is not available
+ */
+ @Override
+ public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.DROP)) {
+ LOG.debug("RangerSystemAccessControl.checkCanDropTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyDropTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated against the table name as ownership information is not available
+ */
+ @Override
+ public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanRenameTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyRenameTable(table.getSchemaTableName().getTableName(), newTable.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.INSERT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanInsertIntoTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyInsertTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanDeleteFromTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyDeleteTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+@Override
+ public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.DELETE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanTruncateTable(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyTruncateTable(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean withGrantOption) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.GRANT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanGrantTablePrivilege(" + table + ") denied");
+ AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString());
+ }
+ }
+
+ @Override
+ public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOptionFor) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.REVOKE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanRevokeTablePrivilege(" + table + ") denied");
+ AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString());
+ }
+ }
+
+ @Override
+ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetTableComment(" + table.toString() + ") denied");
+ AccessDeniedException.denyCommentTable(table.toString());
+ }
+ }
+
+ @Override
+ public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetColumnComment(" + table.toString() + ") denied");
+ AccessDeniedException.denyCommentColumn(table.toString());
+ }
+ }
+
+ /**
+ * Create view is verified on schema level
+ */
+ @Override
+ public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
+ if (!hasPermission(createResource(view.getCatalogName(), view.getSchemaTableName().getSchemaName()), context, TrinoAccessType.CREATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanCreateView(" + view.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCreateView(view.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated against the table name as ownership information is not available
+ */
+ @Override
+ public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
+ if (!hasPermission(createResource(view), context, TrinoAccessType.DROP)) {
+ LOG.debug("RangerSystemAccessControl.checkCanDropView(" + view.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyDropView(view.getSchemaTableName().getTableName());
+ }
+ }
+
+ @Override
+ public void checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal){
+ if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSetViewAuthorization(" + view.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denySetViewAuthorization(view.toString(), principal);
+ }
+ }
+
+ /**
+ * This check equals the check for checkCanCreateView
+ */
+ @Override
+ public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ try {
+ checkCanCreateView(context, table);
+ } catch (AccessDeniedException ade) {
+ LOG.debug("RangerSystemAccessControl.checkCanCreateViewWithSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCreateViewWithSelect(table.getSchemaTableName().getTableName(), context.getIdentity());
+ }
+ }
+
+ /**
+ *
+ * check if materialized view can be created
+ */
+ @Override
+ public void checkCanCreateMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView, Map<String, Object> properties) {
+ if (!hasPermission(createResource(materializedView), context, TrinoAccessType.CREATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanCreateMaterializedView( " + materializedView.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCreateMaterializedView(materializedView.getSchemaTableName().getTableName());
+ }
+
+ }
+
+ @Override
+ public void checkCanDropMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView) {
+ if(!hasPermission(createResource(materializedView),context,TrinoAccessType.DROP)){
+ LOG.debug("RangerSystemAccessControl.checkCanDropMaterializedView(" + materializedView.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyCreateView(materializedView.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated against the table name as ownership information is not available
+ */
+ @Override
+ public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
+ if (!hasPermission(createResource(view), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanRenameView(" + view.toString() + ") denied");
+ AccessDeniedException.denyRenameView(view.toString(), newView.toString());
+ }
+ }
+
+ /** COLUMN **/
+
+ /**
+ * This is evaluated on table level
+ */
+ @Override
+ public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
+ AccessDeniedException.denyAddColumn(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated on table level
+ */
+ @Override
+ public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.DROP)) {
+ LOG.debug("RangerSystemAccessControl.checkCanDropColumn(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyDropColumn(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated on table level
+ */
+ @Override
+ public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ RangerTrinoResource res = createResource(table);
+ if (!hasPermission(res, context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanRenameColumn(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denyRenameColumn(table.getSchemaTableName().getTableName());
+ }
+ }
+
+ /**
+ * This is evaluated on table level
+ */
+ @Override
+ public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) {
+ if (!hasPermission(createResource(table), context, TrinoAccessType.SHOW)) {
+ LOG.debug("RangerSystemAccessControl.checkCanShowTables(" + table.toString() + ") denied");
+ AccessDeniedException.denyShowColumns(table.toString());
+ }
+ }
+
+ @Override
+ public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ for (RangerTrinoResource res : createResource(table, columns)) {
+ if (!hasPermission(res, context, TrinoAccessType.SELECT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanSelectFromColumns(" + table.getSchemaTableName().getTableName() + ") denied");
+ AccessDeniedException.denySelectColumns(table.getSchemaTableName().getTableName(), columns);
+ }
+ }
+ }
+
+ /**
+ * This is a NOOP, no filtering is applied
+ */
+ @Override
+ public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ return columns;
+ }
+
+ /** QUERY **/
+
+ /**
+ * This is a NOOP. Everyone can execute a query
+ * @param context
+ */
+ @Override
+ public void checkCanExecuteQuery(SystemSecurityContext context) {
+ }
+
+ @Override
+ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanViewQueryOwnedBy(" + queryOwner + ") denied");
+ AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ }
+ }
+
+ /**
+ * This is a NOOP, no filtering is applied
+ */
+ @Override
+ public Set<String> filterViewQueryOwnedBy(SystemSecurityContext context, Set<String> queryOwners) {
+ return queryOwners;
+ }
+
+ @Override
+ public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ if (!hasPermission(createUserResource(queryOwner), context, TrinoAccessType.IMPERSONATE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanKillQueryOwnedBy(" + queryOwner + ") denied");
+ AccessDeniedException.denyImpersonateUser(context.getIdentity().getUser(), queryOwner);
+ }
+ }
+
+ /** FUNCTIONS **/
+ @Override
+ public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String function, TrinoPrincipal grantee, boolean grantOption) {
+ if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.GRANT)) {
+ LOG.debug("RangerSystemAccessControl.checkCanGrantExecuteFunctionPrivilege(" + function + ") denied");
+ AccessDeniedException.denyGrantExecuteFunctionPrivilege(function, context.getIdentity(), grantee.getName());
+ }
+ }
+
+ @Override
+ public void checkCanExecuteFunction(SystemSecurityContext context, String function) {
+ if (!hasPermission(createFunctionResource(function), context, TrinoAccessType.EXECUTE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + function + ") denied");
+ AccessDeniedException.denyExecuteFunction(function);
+ }
+ }
+
+ /** PROCEDURES **/
+ @Override
+ public void checkCanExecuteProcedure(SystemSecurityContext context, CatalogSchemaRoutineName procedure) {
+ if (!hasPermission(createProcedureResource(procedure), context, TrinoAccessType.EXECUTE)) {
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure.getSchemaRoutineName().getRoutineName() + ") denied");
+ AccessDeniedException.denyExecuteProcedure(procedure.getSchemaRoutineName().getRoutineName());
+ }
+ }
+
+ @Override
+ public void checkCanExecuteTableProcedure(SystemSecurityContext context, CatalogSchemaTableName catalogSchemaTableName, String procedure)
+ {
+ if (!hasPermission(createResource(catalogSchemaTableName), context, TrinoAccessType.ALTER)) {
+ LOG.debug("RangerSystemAccessControl.checkCanExecuteFunction(" + procedure + ") denied");
+ AccessDeniedException.denyExecuteTableProcedure(catalogSchemaTableName.toString(),procedure);
+ }
+ }
+
+ /** HELPER FUNCTIONS **/
+
+ private RangerTrinoAccessRequest createAccessRequest(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
+ Set<String> userGroups = null;
+
+ if (useUgi) {
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(context.getIdentity().getUser());
+
+ String[] groups = ugi != null ? ugi.getGroupNames() : null;
+
+ if (groups != null && groups.length > 0) {
+ userGroups = new HashSet<>(Arrays.asList(groups));
+ }
+ } else {
+ userGroups = context.getIdentity().getGroups();
+ }
+
+ RangerTrinoAccessRequest request = new RangerTrinoAccessRequest(
+ resource,
+ context.getIdentity().getUser(),
+ userGroups,
+ accessType
+ );
+
+ return request;
+ }
+
+ private boolean hasPermission(RangerTrinoResource resource, SystemSecurityContext context, TrinoAccessType accessType) {
+ boolean ret = false;
+
+ RangerTrinoAccessRequest request = createAccessRequest(resource, context, accessType);
+
+ RangerAccessResult result = rangerPlugin.isAccessAllowed(request);
+ if (result != null && result.getIsAllowed()) {
+ ret = true;
+ }
+
+ return ret;
+ }
+
+ private static RangerTrinoResource createUserResource(String userName) {
+ RangerTrinoResource res = new RangerTrinoResource();
+ res.setValue(RangerTrinoResource.KEY_USER, userName);
+
+ return res;
+ }
+
+ private static RangerTrinoResource createFunctionResource(String function) {
+ RangerTrinoResource res = new RangerTrinoResource();
+ res.setValue(RangerTrinoResource.KEY_FUNCTION, function);
+
+ return res;
+ }
+
+ private static RangerTrinoResource createProcedureResource(CatalogSchemaRoutineName procedure) {
+ RangerTrinoResource res = new RangerTrinoResource();
+ res.setValue(RangerTrinoResource.KEY_CATALOG, procedure.getCatalogName());
+ res.setValue(RangerTrinoResource.KEY_SCHEMA, procedure.getSchemaRoutineName().getSchemaName());
+ res.setValue(RangerTrinoResource.KEY_PROCEDURE, procedure.getSchemaRoutineName().getRoutineName());
+
+ return res;
+ }
+
+ private static RangerTrinoResource createCatalogSessionResource(String catalogName, String propertyName) {
+ RangerTrinoResource res = new RangerTrinoResource();
+ res.setValue(RangerTrinoResource.KEY_CATALOG, catalogName);
+ res.setValue(RangerTrinoResource.KEY_SESSION_PROPERTY, propertyName);
+
+ return res;
+ }
+
+ private static RangerTrinoResource createSystemPropertyResource(String property) {
+ RangerTrinoResource res = new RangerTrinoResource();
+ res.setValue(RangerTrinoResource.KEY_SYSTEM_PROPERTY, property);
+
+ return res;
+ }
+
+ private static RangerTrinoResource createResource(CatalogSchemaName catalogSchemaName) {
+ return createResource(catalogSchemaName.getCatalogName(), catalogSchemaName.getSchemaName());
+ }
+
+ private static RangerTrinoResource createResource(CatalogSchemaTableName catalogSchemaTableName) {
+ return createResource(catalogSchemaTableName.getCatalogName(),
+ catalogSchemaTableName.getSchemaTableName().getSchemaName(),
+ catalogSchemaTableName.getSchemaTableName().getTableName());
+ }
+
+ private static RangerTrinoResource createResource(String catalogName) {
+ return new RangerTrinoResource(catalogName, Optional.empty(), Optional.empty());
+ }
+
+ private static RangerTrinoResource createResource(String catalogName, String schemaName) {
+ return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.empty());
+ }
+
+ private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName) {
+ return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName));
+ }
+
+ private static RangerTrinoResource createResource(String catalogName, String schemaName, final String tableName, final Optional<String> column) {
+ return new RangerTrinoResource(catalogName, Optional.of(schemaName), Optional.of(tableName), column);
+ }
+
+ private static List<RangerTrinoResource> createResource(CatalogSchemaTableName table, Set<String> columns) {
+ List<RangerTrinoResource> colRequests = new ArrayList<>();
+
+ if (columns.size() > 0) {
+ for (String column : columns) {
+ RangerTrinoResource rangerTrinoResource = createResource(table.getCatalogName(),
+ table.getSchemaTableName().getSchemaName(),
+ table.getSchemaTableName().getTableName(), Optional.of(column));
+ colRequests.add(rangerTrinoResource);
+ }
+ } else {
+ colRequests.add(createResource(table.getCatalogName(),
+ table.getSchemaTableName().getSchemaName(),
+ table.getSchemaTableName().getTableName(), Optional.empty()));
+ }
+ return colRequests;
+ }
+}
+
+class RangerTrinoResource
+ extends RangerAccessResourceImpl {
+
+
+ public static final String KEY_CATALOG = "catalog";
+ public static final String KEY_SCHEMA = "schema";
+ public static final String KEY_TABLE = "table";
+ public static final String KEY_COLUMN = "column";
+ public static final String KEY_USER = "trinouser";
+ public static final String KEY_FUNCTION = "function";
+ public static final String KEY_PROCEDURE = "procedure";
+ public static final String KEY_SYSTEM_PROPERTY = "systemproperty";
+ public static final String KEY_SESSION_PROPERTY = "sessionproperty";
+
+ public RangerTrinoResource() {
+ }
+
+ public RangerTrinoResource(String catalogName, Optional<String> schema, Optional<String> table) {
+ setValue(KEY_CATALOG, catalogName);
+ if (schema.isPresent()) {
+ setValue(KEY_SCHEMA, schema.get());
+ }
+ if (table.isPresent()) {
+ setValue(KEY_TABLE, table.get());
+ }
+ }
+
+ public RangerTrinoResource(String catalogName, Optional<String> schema, Optional<String> table, Optional<String> column) {
+ setValue(KEY_CATALOG, catalogName);
+ if (schema.isPresent()) {
+ setValue(KEY_SCHEMA, schema.get());
+ }
+ if (table.isPresent()) {
+ setValue(KEY_TABLE, table.get());
+ }
+ if (column.isPresent()) {
+ setValue(KEY_COLUMN, column.get());
+ }
+ }
+
+ public String getCatalogName() {
+ return (String) getValue(KEY_CATALOG);
+ }
+
+ public String getTable() {
+ return (String) getValue(KEY_TABLE);
+ }
+
+ public String getCatalog() {
+ return (String) getValue(KEY_CATALOG);
+ }
+
+ public String getSchema() {
+ return (String) getValue(KEY_SCHEMA);
+ }
+
+ public Optional<SchemaTableName> getSchemaTable() {
+ final String schema = getSchema();
+ if (StringUtils.isNotEmpty(schema)) {
+ return Optional.of(new SchemaTableName(schema, Optional.ofNullable(getTable()).orElse("*")));
+ }
+ return Optional.empty();
+ }
+}
+
+class RangerTrinoAccessRequest
+ extends RangerAccessRequestImpl {
+ public RangerTrinoAccessRequest(RangerTrinoResource resource,
+ String user,
+ Set<String> userGroups,
+ TrinoAccessType trinoAccessType) {
+ super(resource, trinoAccessType.name().toLowerCase(ENGLISH), user, userGroups, null);
+ setAccessTime(new Date());
+ }
+}
+
+enum TrinoAccessType {
+ CREATE, DROP, SELECT, INSERT, DELETE, USE, ALTER, ALL, GRANT, REVOKE, SHOW, IMPERSONATE, EXECUTE;
+}
diff --git a/plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java
new file mode 100644
index 000000000..936fb7ac8
--- /dev/null
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/RangerServiceTrino.java
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.services.trino;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.ranger.plugin.client.HadoopConfigHolder;
+import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.model.RangerPolicy;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItem;
+import org.apache.ranger.plugin.model.RangerPolicy.RangerPolicyItemAccess;
+import org.apache.ranger.plugin.service.RangerBaseService;
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+import org.apache.ranger.services.trino.client.TrinoResourceManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+public class RangerServiceTrino extends RangerBaseService {
+ private static final Logger LOG = LoggerFactory.getLogger(RangerServiceTrino.class);
+
+ public static final String ACCESS_TYPE_SELECT = "select";
+
+ @Override
+ public List<RangerPolicy> getDefaultRangerPolicies() throws Exception {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceTrino.getDefaultRangerPolicies()");
+ }
+
+ List<RangerPolicy> ret = super.getDefaultRangerPolicies();
+ for (RangerPolicy defaultPolicy : ret) {
+ if (defaultPolicy.getName().contains("all") && StringUtils.isNotBlank(lookUpUser)) {
+ List<RangerPolicyItemAccess> accessListForLookupUser = new ArrayList<RangerPolicyItemAccess>();
+ accessListForLookupUser.add(new RangerPolicyItemAccess(ACCESS_TYPE_SELECT));
+ RangerPolicyItem policyItemForLookupUser = new RangerPolicyItem();
+ policyItemForLookupUser.setUsers(Collections.singletonList(lookUpUser));
+ policyItemForLookupUser.setAccesses(accessListForLookupUser);
+ policyItemForLookupUser.setDelegateAdmin(false);
+ defaultPolicy.getPolicyItems().add(policyItemForLookupUser);
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceTrino.getDefaultRangerPolicies()");
+ }
+ return ret;
+ }
+
+ @Override
+ public Map<String, Object> validateConfig() throws Exception {
+ Map<String, Object> ret = new HashMap<String, Object>();
+ String serviceName = getServiceName();
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerServiceTrino.validateConfig(): Service: " +
+ serviceName);
+ }
+
+ if (configs != null) {
+ try {
+ if (!configs.containsKey(HadoopConfigHolder.RANGER_LOGIN_PASSWORD)) {
+ configs.put(HadoopConfigHolder.RANGER_LOGIN_PASSWORD, null);
+ }
+ ret = TrinoResourceManager.connectionTest(serviceName, configs);
+ } catch (HadoopException he) {
+ LOG.error("<== RangerServiceTrino.validateConfig() Error:" + he);
+ throw he;
+ }
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("RangerServiceTrino.validateConfig(): Response: " +
+ ret);
+ }
+ return ret;
+ }
+
+ @Override
+ public List<String> lookupResource(ResourceLookupContext context) throws Exception {
+
+ List<String> ret = new ArrayList<String>();
+ String serviceName = getServiceName();
+ String serviceType = getServiceType();
+ Map<String,String> configs = getConfigs();
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("==> RangerServiceTrino.lookupResource() Context: (" + context + ")");
+ }
+ if (context != null) {
+ try {
+ if (!configs.containsKey(HadoopConfigHolder.RANGER_LOGIN_PASSWORD)) {
+ configs.put(HadoopConfigHolder.RANGER_LOGIN_PASSWORD, null);
+ }
+ ret = TrinoResourceManager.getTrinoResources(serviceName, serviceType, configs,context);
+ } catch (Exception e) {
+ LOG.error( "<==RangerServiceTrino.lookupResource() Error : " + e);
+ throw e;
+ }
+ }
+ if(LOG.isDebugEnabled()) {
+ LOG.debug("<== RangerServiceTrino.lookupResource() Response: (" + ret + ")");
+ }
+ return ret;
+ }
+
+}
diff --git a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java
similarity index 87%
copy from plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
copy to plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java
index 87d35af41..1567b2d1d 100644
--- a/plugin-presto/src/main/java/org/apache/ranger/services/presto/client/PrestoClient.java
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoClient.java
@@ -16,13 +16,14 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.ranger.services.presto.client;
+package org.apache.ranger.services.trino.client;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringEscapeUtils;
import org.apache.ranger.plugin.client.BaseClient;
import org.apache.ranger.plugin.client.HadoopConfigHolder;
import org.apache.ranger.plugin.client.HadoopException;
+import org.apache.ranger.plugin.util.PasswordUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -42,11 +43,11 @@ import java.util.List;
import java.util.Map;
import java.util.Properties;
-public class PrestoClient extends BaseClient implements Closeable {
- public static final String PRESTO_USER_NAME_PROP = "user";
- public static final String PRESTO_PASSWORD_PROP = "password";
+public class TrinoClient extends BaseClient implements Closeable {
+ public static final String TRINO_USER_NAME_PROP = "user";
+ public static final String TRINO_PASSWORD_PROP = "password";
- private static final Logger LOG = LoggerFactory.getLogger(PrestoClient.class);
+ private static final Logger LOG = LoggerFactory.getLogger(TrinoClient.class);
private static final String ERR_MSG = "You can still save the repository and start creating "
+ "policies, but you would not be able to use autocomplete for "
@@ -54,12 +55,12 @@ public class PrestoClient extends BaseClient implements Closeable {
private Connection con;
- public PrestoClient(String serviceName) throws Exception {
+ public TrinoClient(String serviceName) throws Exception {
super(serviceName, null);
init();
}
- public PrestoClient(String serviceName, Map<String, String> properties) throws Exception {
+ public TrinoClient(String serviceName, Map<String, String> properties) throws Exception {
super(serviceName, properties);
init();
}
@@ -78,10 +79,21 @@ public class PrestoClient extends BaseClient implements Closeable {
String driverClassName = prop.getProperty("jdbc.driverClassName");
String url = prop.getProperty("jdbc.url");
- Properties prestoProperties = new Properties();
- prestoProperties.put(PRESTO_USER_NAME_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP));
+ Properties trinoProperties = new Properties();
+ String decryptedPwd = null;
+ try {
+ decryptedPwd=PasswordUtils.decryptPassword(getConfigHolder().getPassword());
+ } catch (Exception ex) {
+ LOG.info("Password decryption failed");
+ decryptedPwd = null;
+ } finally {
+ if (decryptedPwd == null) {
+ decryptedPwd = prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD);
+ }
+ }
+ trinoProperties.put(TRINO_USER_NAME_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_USER_NAME_PROP));
if (prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD) != null) {
- prestoProperties.put(PRESTO_PASSWORD_PROP, prop.getProperty(HadoopConfigHolder.RANGER_LOGIN_PASSWORD));
+ trinoProperties.put(TRINO_PASSWORD_PROP, decryptedPwd);
}
if (driverClassName != null) {
@@ -90,7 +102,7 @@ public class PrestoClient extends BaseClient implements Closeable {
DriverManager.registerDriver(driver);
} catch (SQLException e) {
String msgDesc = "initConnection: Caught SQLException while registering"
- + " the Presto driver.";
+ + " the Trino driver.";
HadoopException hdpException = new HadoopException(msgDesc, e);
hdpException.generateResponseDataMap(false, getMessage(e),
msgDesc + ERR_MSG, null, null);
@@ -117,7 +129,7 @@ public class PrestoClient extends BaseClient implements Closeable {
msgDesc + ERR_MSG, null, null);
throw hdpException;
} catch (SecurityException se) {
- String msgDesc = "initConnection: unable to initiate connection to Presto instance,"
+ String msgDesc = "initConnection: unable to initiate connection to Trino instance,"
+ " The caller's class loader is not the same as or an ancestor "
+ "of the class loader for the current class and invocation of "
+ "s.checkPackageAccess() denies access to the package of this class.";
@@ -126,7 +138,7 @@ public class PrestoClient extends BaseClient implements Closeable {
msgDesc + ERR_MSG, null, null);
throw hdpException;
} catch (Throwable t) {
- String msgDesc = "initConnection: Unable to connect to Presto instance, "
+ String msgDesc = "initConnection: Unable to connect to Trino instance, "
+ "please provide valid value of field : {jdbc.driverClassName}.";
HadoopException hdpException = new HadoopException(msgDesc, t);
hdpException.generateResponseDataMap(false, getMessage(t),
@@ -136,21 +148,21 @@ public class PrestoClient extends BaseClient implements Closeable {
}
try {
- con = DriverManager.getConnection(url, prestoProperties);
+ con = DriverManager.getConnection(url, trinoProperties);
} catch (SQLException e) {
- String msgDesc = "Unable to connect to Presto instance.";
+ String msgDesc = "Unable to connect to Trino instance.";
HadoopException hdpException = new HadoopException(msgDesc, e);
hdpException.generateResponseDataMap(false, getMessage(e),
msgDesc + ERR_MSG, null, null);
throw hdpException;
} catch (SecurityException se) {
- String msgDesc = "Unable to connect to Presto instance.";
+ String msgDesc = "Unable to connect to Trino instance.";
HadoopException hdpException = new HadoopException(msgDesc, se);
hdpException.generateResponseDataMap(false, getMessage(se),
msgDesc + ERR_MSG, null, null);
throw hdpException;
} catch (Throwable t) {
- String msgDesc = "initConnection: Unable to connect to Presto instance, ";
+ String msgDesc = "initConnection: Unable to connect to Trino instance, ";
HadoopException hdpException = new HadoopException(msgDesc, t);
hdpException.generateResponseDataMap(false, getMessage(t),
msgDesc + ERR_MSG, null, null);
@@ -168,7 +180,7 @@ public class PrestoClient extends BaseClient implements Closeable {
try {
if (needle != null && !needle.isEmpty() && !needle.equals("*")) {
- // Cannot use a prepared statement for this as presto does not support that
+ // Cannot use a prepared statement for this as trino does not support that
sql += " LIKE '" + StringEscapeUtils.escapeSql(needle) + "%'";
}
stat = con.createStatement();
@@ -212,7 +224,7 @@ public class PrestoClient extends BaseClient implements Closeable {
try {
ret = getCatalogs(ndl, catList);
} catch (HadoopException he) {
- LOG.error("<== PrestoClient.getCatalogList() :Unable to get the Database List", he);
+ LOG.error("<== TrinoClient.getCatalogList() :Unable to get the Database List", he);
throw he;
}
return ret;
@@ -263,7 +275,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqlt),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getSchemas() Error : ", sqlt);
+ LOG.debug("<== TrinoClient.getSchemas() Error : ", sqlt);
}
throw hdpException;
} catch (SQLException sqle) {
@@ -273,7 +285,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqle),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getSchemas() Error : ", sqle);
+ LOG.debug("<== TrinoClient.getSchemas() Error : ", sqle);
}
throw hdpException;
}
@@ -294,7 +306,7 @@ public class PrestoClient extends BaseClient implements Closeable {
try {
ret = getSchemas(ndl, cats, shms);
} catch (HadoopException he) {
- LOG.error("<== PrestoClient.getSchemaList() :Unable to get the Schema List", he);
+ LOG.error("<== TrinoClient.getSchemaList() :Unable to get the Schema List", he);
}
return ret;
}
@@ -345,7 +357,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqlt),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getTables() Error : ", sqlt);
+ LOG.debug("<== TrinoClient.getTables() Error : ", sqlt);
}
throw hdpException;
} catch (SQLException sqle) {
@@ -355,7 +367,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqle),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getTables() Error : ", sqle);
+ LOG.debug("<== TrinoClient.getTables() Error : ", sqle);
}
throw hdpException;
}
@@ -377,7 +389,7 @@ public class PrestoClient extends BaseClient implements Closeable {
try {
ret = getTables(ndl, cats, shms, tbls);
} catch (HadoopException he) {
- LOG.error("<== PrestoClient.getTableList() :Unable to get the Column List", he);
+ LOG.error("<== TrinoClient.getTableList() :Unable to get the Column List", he);
throw he;
}
return ret;
@@ -441,7 +453,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqlt),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getColumns() Error : ", sqlt);
+ LOG.debug("<== TrinoClient.getColumns() Error : ", sqlt);
}
throw hdpException;
} catch (SQLException sqle) {
@@ -451,7 +463,7 @@ public class PrestoClient extends BaseClient implements Closeable {
hdpException.generateResponseDataMap(false, getMessage(sqle),
msgDesc + ERR_MSG, null, null);
if (LOG.isDebugEnabled()) {
- LOG.debug("<== PrestoClient.getColumns() Error : ", sqle);
+ LOG.debug("<== TrinoClient.getColumns() Error : ", sqle);
}
throw hdpException;
}
@@ -474,7 +486,7 @@ public class PrestoClient extends BaseClient implements Closeable {
try {
ret = getColumns(ndl, cats, shms, tbls, cols);
} catch (HadoopException he) {
- LOG.error("<== PrestoClient.getColumnList() :Unable to get the Column List", he);
+ LOG.error("<== TrinoClient.getColumnList() :Unable to get the Column List", he);
throw he;
}
return ret;
@@ -486,7 +498,7 @@ public class PrestoClient extends BaseClient implements Closeable {
public static Map<String, Object> connectionTest(String serviceName,
Map<String, String> connectionProperties)
throws Exception {
- PrestoClient client = null;
+ TrinoClient client = null;
Map<String, Object> resp = new HashMap<String, Object>();
boolean status = false;
@@ -494,7 +506,7 @@ public class PrestoClient extends BaseClient implements Closeable {
List<String> testResult = null;
try {
- client = new PrestoClient(serviceName, connectionProperties);
+ client = new TrinoClient(serviceName, connectionProperties);
if (client != null) {
testResult = client.getCatalogList("*", null);
if (testResult != null && testResult.size() != 0) {
@@ -532,7 +544,7 @@ public class PrestoClient extends BaseClient implements Closeable {
con.close();
}
} catch (SQLException e) {
- LOG.error("Unable to close Presto SQL connection", e);
+ LOG.error("Unable to close Trino SQL connection", e);
}
}
diff --git a/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java
new file mode 100644
index 000000000..6afd8f417
--- /dev/null
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoConnectionManager.java
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.services.trino.client;
+
+import org.apache.ranger.plugin.util.TimedEventUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Map;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.TimeUnit;
+
+public class TrinoConnectionManager {
+ private static final Logger LOG = LoggerFactory.getLogger(TrinoConnectionManager.class);
+
+ protected ConcurrentMap<String, TrinoClient> trinoConnectionCache;
+ protected ConcurrentMap<String, Boolean> repoConnectStatusMap;
+
+ public TrinoConnectionManager() {
+ trinoConnectionCache = new ConcurrentHashMap<>();
+ repoConnectStatusMap = new ConcurrentHashMap<>();
+ }
+
+ public TrinoClient getTrinoConnection(final String serviceName, final String serviceType, final Map<String, String> configs) {
+ TrinoClient trinoClient = null;
+
+ if (serviceType != null) {
+ trinoClient = trinoConnectionCache.get(serviceName);
+ if (trinoClient == null) {
+ if (configs != null) {
+ final Callable<TrinoClient> connectTrino = new Callable<TrinoClient>() {
+ @Override
+ public TrinoClient call() throws Exception {
+ return new TrinoClient(serviceName, configs);
+ }
+ };
+ try {
+ trinoClient = TimedEventUtil.timedTask(connectTrino, 5, TimeUnit.SECONDS);
+ } catch (Exception e) {
+ LOG.error("Error connecting to Trino repository: " +
+ serviceName + " using config: " + configs, e);
+ }
+
+ TrinoClient oldClient = null;
+ if (trinoClient != null) {
+ oldClient = trinoConnectionCache.putIfAbsent(serviceName, trinoClient);
+ } else {
+ oldClient = trinoConnectionCache.get(serviceName);
+ }
+
+ if (oldClient != null) {
+ if (trinoClient != null) {
+ trinoClient.close();
+ }
+ trinoClient = oldClient;
+ }
+ repoConnectStatusMap.put(serviceName, true);
+ } else {
+ LOG.error("Connection Config not defined for asset :"
+ + serviceName, new Throwable());
+ }
+ } else {
+ try {
+ trinoClient.getCatalogList("*", null);
+ } catch (Exception e) {
+ trinoConnectionCache.remove(serviceName);
+ trinoClient.close();
+ trinoClient = getTrinoConnection(serviceName, serviceType, configs);
+ }
+ }
+ } else {
+ LOG.error("Asset not found with name " + serviceName, new Throwable());
+ }
+ return trinoClient;
+ }
+}
diff --git a/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java
new file mode 100644
index 000000000..2d32068a6
--- /dev/null
+++ b/plugin-trino/src/main/java/org/apache/ranger/services/trino/client/TrinoResourceManager.java
@@ -0,0 +1,178 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.services.trino.client;
+
+import org.apache.ranger.plugin.service.ResourceLookupContext;
+import org.apache.ranger.plugin.util.TimedEventUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.Callable;
+import java.util.concurrent.TimeUnit;
+
+public class TrinoResourceManager {
+ private static final Logger LOG = LoggerFactory.getLogger(TrinoResourceManager.class);
+
+ private static final String CATALOG = "catalog";
+ private static final String SCHEMA = "schema";
+ private static final String TABLE = "table";
+ private static final String COLUMN = "column";
+
+
+ public static Map<String, Object> connectionTest(String serviceName, Map<String, String> configs) throws Exception {
+ Map<String, Object> ret = null;
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> TrinoResourceManager.connectionTest() ServiceName: " + serviceName + " Configs: " + configs);
+ }
+
+ try {
+ ret = TrinoClient.connectionTest(serviceName, configs);
+ } catch (Exception e) {
+ LOG.error("<== TrinoResourceManager.connectionTest() Error: " + e);
+ throw e;
+ }
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== TrinoResourceManager.connectionTest() Result : " + ret);
+ }
+
+ return ret;
+ }
+
+ public static List<String> getTrinoResources(String serviceName, String serviceType, Map<String, String> configs, ResourceLookupContext context) throws Exception {
+
+ String userInput = context.getUserInput();
+ String resource = context.getResourceName();
+ Map<String, List<String>> resourceMap = context.getResources();
+ List<String> resultList = null;
+ List<String> catalogList = null;
+ List<String> schemaList = null;
+ List<String> tableList = null;
+ List<String> columnList = null;
+ String catalogName = null;
+ String schemaName = null;
+ String tableName = null;
+ String columnName = null;
+
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("<== TrinoResourceMgr.getTrinoResources() UserInput: \"" + userInput + "\" resource : " + resource + " resourceMap: " + resourceMap);
+ }
+
+ if (userInput != null && resource != null) {
+ if (resourceMap != null && !resourceMap.isEmpty()) {
+ catalogList = resourceMap.get(CATALOG);
+ schemaList = resourceMap.get(SCHEMA);
+ tableList = resourceMap.get(TABLE);
+ columnList = resourceMap.get(COLUMN);
+ }
+ switch (resource.trim().toLowerCase()) {
+ case CATALOG:
+ catalogName = userInput;
+ break;
+ case SCHEMA:
+ schemaName = userInput;
+ case TABLE:
+ tableName = userInput;
+ break;
+ case COLUMN:
+ columnName = userInput;
+ break;
+ default:
+ break;
+ }
+ }
+
+ if (serviceName != null && userInput != null) {
+ try {
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("==> TrinoResourceManager.getTrinoResources() UserInput: \"" + userInput + "\" configs: " + configs + " catalogList: " + catalogList + " tableList: "
+ + tableList + " columnList: " + columnList);
+ }
+
+ final TrinoClient trinoClient = new TrinoConnectionManager().getTrinoConnection(serviceName, serviceType, configs);
+
+ Callable<List<String>> callableObj = null;
+
+ final String finalCatalogName;
+ final String finalSchemaName;
+ final String finalTableName;
+ final String finalColumnName;
+
+ final List<String> finalCatalogList = catalogList;
+ final List<String> finalSchemaList = schemaList;
+ final List<String> finalTableList = tableList;
+ final List<String> finalColumnList = columnList;
+
+ if (trinoClient != null) {
+ if (catalogName != null && !catalogName.isEmpty()) {
+ finalCatalogName = catalogName;
+ callableObj = new Callable<List<String>>() {
+ @Override
+ public List<String> call() throws Exception {
+ return trinoClient.getCatalogList(finalCatalogName, finalCatalogList);
+ }
+ };
+ } else if (schemaName != null && !schemaName.isEmpty()) {
+ finalSchemaName = schemaName;
+ callableObj = new Callable<List<String>>() {
+ @Override
+ public List<String> call() throws Exception {
+ return trinoClient.getSchemaList(finalSchemaName, finalCatalogList, finalSchemaList);
+ }
+ };
+ } else if (tableName != null && !tableName.isEmpty()) {
+ finalTableName = tableName;
+ callableObj = new Callable<List<String>>() {
+ @Override
+ public List<String> call() throws Exception {
+ return trinoClient.getTableList(finalTableName, finalCatalogList, finalSchemaList, finalTableList);
+ }
+ };
+ } else if (columnName != null && !columnName.isEmpty()) {
+ // Column names are matched by the wildcardmatcher
+ columnName += "*";
+ finalColumnName = columnName;
+ callableObj = new Callable<List<String>>() {
+ @Override
+ public List<String> call() throws Exception {
+ return trinoClient.getColumnList(finalColumnName, finalCatalogList, finalSchemaList, finalTableList, finalColumnList);
+ }
+ };
+ }
+ if (callableObj != null) {
+ synchronized (trinoClient) {
+ resultList = TimedEventUtil.timedTask(callableObj, 5, TimeUnit.SECONDS);
+ }
+ } else {
+ LOG.error("Could not initiate a TrinoClient timedTask");
+ }
+ }
+ } catch (Exception e) {
+ LOG.error("Unable to get Trino resource", e);
+ throw e;
+ }
+ }
+ return resultList;
+ }
+}
diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java
new file mode 100644
index 000000000..af74fc642
--- /dev/null
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerAdminClientImpl.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.trino.authorizer;
+
+import org.apache.ranger.admin.client.AbstractRangerAdminClient;
+import org.apache.ranger.plugin.util.ServicePolicies;
+
+import java.io.File;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+
+public class RangerAdminClientImpl extends AbstractRangerAdminClient {
+ private final static String cacheFilename = "trino-policies.json";
+
+ public ServicePolicies getServicePoliciesIfUpdated(long lastKnownVersion, long lastActivationTimeInMillis) throws Exception {
+
+ String basedir = System.getProperty("basedir");
+ if (basedir == null) {
+ basedir = new File(".").getCanonicalPath();
+ }
+
+ java.nio.file.Path cachePath = FileSystems.getDefault().getPath(basedir, "/src/test/resources/" + cacheFilename);
+ byte[] cacheBytes = Files.readAllBytes(cachePath);
+
+ return gson.fromJson(new String(cacheBytes), ServicePolicies.class);
+ }
+
+}
\ No newline at end of file
diff --git a/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
new file mode 100644
index 000000000..d6c637e5a
--- /dev/null
+++ b/plugin-trino/src/test/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlTest.java
@@ -0,0 +1,195 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ranger.authorization.trino.authorizer;
+
+import com.google.common.collect.ImmutableSet;
+import io.trino.spi.connector.CatalogSchemaName;
+import io.trino.spi.connector.CatalogSchemaRoutineName;
+import io.trino.spi.connector.CatalogSchemaTableName;
+import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.security.AccessDeniedException;
+import io.trino.spi.security.Identity;
+import io.trino.spi.security.TrinoPrincipal;
+import io.trino.spi.security.SystemSecurityContext;
+
+import static io.trino.spi.security.PrincipalType.USER;
+import static io.trino.spi.security.Privilege.SELECT;
+import static org.junit.Assert.*;
+
+import io.trino.spi.security.ViewExpression;
+import io.trino.spi.type.VarcharType;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import javax.security.auth.kerberos.KerberosPrincipal;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+public class RangerSystemAccessControlTest {
+ static RangerSystemAccessControl accessControlManager = null;
+
+ private static final Identity alice = Identity.ofUser("alice");
+ private static final Identity admin = Identity.ofUser("admin");
+ //private static final Identity aliceWithGroups = Identity.from(alice).withGroups(new HashSet(Arrays.asList("users", "friends"))).build();
+ //private static final Identity kerberosValidAlice = Identity.from(alice).withPrincipal(new KerberosPrincipal("alice/example.com@EXAMPLE.COM")).build();
+ //private static final Identity kerberosValidNonAsciiUser = Identity.forUser("\u0194\u0194\u0194").withPrincipal(new KerberosPrincipal("\u0194\u0194\u0194/example.com@EXAMPLE.COM")).build();
+ private static final Identity kerberosInvalidAlice = Identity.from(alice).withPrincipal(new KerberosPrincipal("mallory/example.com@EXAMPLE.COM")).build();
+ private static final Identity bob = Identity.ofUser("bob");
+ //private static final Identity nonAsciiUser = Identity.ofUser("\u0194\u0194\u0194");
+
+ private static final Set<String> allCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "alice-catalog");
+ private static final Set<String> queryOwners = ImmutableSet.of("bob", "alice", "frank");
+ private static final String aliceCatalog = "alice-catalog";
+ private static final CatalogSchemaName aliceSchema = new CatalogSchemaName("alice-catalog", "schema");
+ private static final CatalogSchemaTableName aliceTable = new CatalogSchemaTableName("alice-catalog", "schema","table");
+ private static final CatalogSchemaTableName aliceView = new CatalogSchemaTableName("alice-catalog", "schema","view");
+
+ private static final CatalogSchemaRoutineName aliceProcedure = new CatalogSchemaRoutineName("alice-catalog", "schema", "procedure");
+ private static final String functionName = new String("function");
+
+ @BeforeClass
+ public static void setUpBeforeClass() throws Exception {
+ Map<String, String> config = new HashMap<>();
+ accessControlManager = new RangerSystemAccessControl(config);
+ }
+
+ @Test
+ @SuppressWarnings("PMD")
+ public void testCanSetUserOperations() {
+ try {
+ accessControlManager.checkCanImpersonateUser(context(alice), bob.getUser());
+ throw new AssertionError("expected AccessDeniedExeption");
+ }
+ catch (AccessDeniedException expected) {
+ }
+
+ accessControlManager.checkCanImpersonateUser(context(admin), bob.getUser());
+
+ try {
+ accessControlManager.checkCanImpersonateUser(context(kerberosInvalidAlice), bob.getUser());
+ throw new AssertionError("expected AccessDeniedExeption");
+ }
+ catch (AccessDeniedException expected) {
+ }
+
+ }
+
+ @Test
+ public void testCatalogOperations()
+ {
+ assertEquals(accessControlManager.filterCatalogs(context(alice), allCatalogs), allCatalogs);
+ Set<String> bobCatalogs = ImmutableSet.of("open-to-all", "all-allowed");
+ assertEquals(accessControlManager.filterCatalogs(context(bob), allCatalogs), bobCatalogs);
+ //Set<String> nonAsciiUserCatalogs = ImmutableSet.of("open-to-all", "all-allowed", "\u0200\u0200\u0200");
+ //assertEquals(accessControlManager.filterCatalogs(context(nonAsciiUser), allCatalogs), nonAsciiUserCatalogs);
+ }
+
+ @Test
+ @SuppressWarnings("PMD")
+ public void testSchemaOperations()
+ {
+
+ Set<String> aliceSchemas = ImmutableSet.of("schema");
+ assertEquals(accessControlManager.filterSchemas(context(alice), aliceCatalog, aliceSchemas), aliceSchemas);
+ assertEquals(accessControlManager.filterSchemas(context(bob), "alice-catalog", aliceSchemas), ImmutableSet.of());
+
+ accessControlManager.checkCanCreateSchema(context(alice), aliceSchema);
+ accessControlManager.checkCanDropSchema(context(alice), aliceSchema);
+ accessControlManager.checkCanRenameSchema(context(alice), aliceSchema, "new-schema");
+ accessControlManager.checkCanShowSchemas(context(alice), aliceCatalog);
+
+ try {
+ accessControlManager.checkCanCreateSchema(context(bob), aliceSchema);
+ } catch (AccessDeniedException expected) {
+ }
+
+ accessControlManager.checkCanSetSchemaAuthorization(context(alice), aliceSchema, new TrinoPrincipal(USER, "principal"));
+ accessControlManager.checkCanShowCreateSchema(context(alice), aliceSchema);
+ }
+
+ @Test
+ @SuppressWarnings("PMD")
+ public void testTableOperations()
+ {
+ Set<SchemaTableName> aliceTables = ImmutableSet.of(new SchemaTableName("schema", "table"));
+ assertEquals(accessControlManager.filterTables(context(alice), aliceCatalog, aliceTables), aliceTables);
+ assertEquals(accessControlManager.filterTables(context(bob), "alice-catalog", aliceTables), ImmutableSet.of());
+
+ accessControlManager.checkCanCreateTable(context(alice), aliceTable,Map.of());
+ accessControlManager.checkCanDropTable(context(alice), aliceTable);
+ accessControlManager.checkCanSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
+ accessControlManager.checkCanInsertIntoTable(context(alice), aliceTable);
+ accessControlManager.checkCanDeleteFromTable(context(alice), aliceTable);
+ accessControlManager.checkCanRenameColumn(context(alice), aliceTable);
+
+
+ try {
+ accessControlManager.checkCanCreateTable(context(bob), aliceTable,Map.of());
+ } catch (AccessDeniedException expected) {
+ }
+ }
+
+ @Test
+ @SuppressWarnings("PMD")
+ public void testViewOperations()
+ {
+ accessControlManager.checkCanCreateView(context(alice), aliceView);
+ accessControlManager.checkCanDropView(context(alice), aliceView);
+ accessControlManager.checkCanSelectFromColumns(context(alice), aliceView, ImmutableSet.of());
+ accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceTable, ImmutableSet.of());
+ accessControlManager.checkCanCreateViewWithSelectFromColumns(context(alice), aliceView, ImmutableSet.of());
+ accessControlManager.checkCanSetCatalogSessionProperty(context(alice), aliceCatalog, "property");
+ accessControlManager.checkCanGrantTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "grantee"), true);
+ accessControlManager.checkCanRevokeTablePrivilege(context(alice), SELECT, aliceTable, new TrinoPrincipal(USER, "revokee"), true);
+
+ try {
+ accessControlManager.checkCanCreateView(context(bob), aliceView);
+ } catch (AccessDeniedException expected) {
+ }
+ }
+
+ @Test
+ @SuppressWarnings("PMD")
+ public void testMisc()
+ {
+ assertEquals(accessControlManager.filterViewQueryOwnedBy(context(alice), queryOwners), queryOwners);
+
+ // check {type} / {col} replacement
+ final VarcharType varcharType = VarcharType.createVarcharType(20);
+
+ Optional<ViewExpression> ret = accessControlManager.getColumnMask(context(alice), aliceTable, "cast_me", varcharType);
+ assertNotNull(ret.get());
+ assertEquals(ret.get().getExpression(), "cast cast_me as varchar(20)");
+
+ ret = accessControlManager.getColumnMask(context(alice), aliceTable,"do-not-cast-me", varcharType);
+ assertFalse(ret.isPresent());
+
+ ret = accessControlManager.getRowFilter(context(alice), aliceTable);
+ assertFalse(ret.isPresent());
+
+ accessControlManager.checkCanExecuteFunction(context(alice), functionName);
+ accessControlManager.checkCanGrantExecuteFunctionPrivilege(context(alice), functionName, new TrinoPrincipal(USER, "grantee"), true);
+ accessControlManager.checkCanExecuteProcedure(context(alice), aliceProcedure);
+ }
+
+ private SystemSecurityContext context(Identity id) {
+ return new SystemSecurityContext(id, Optional.empty());
+ }
+}
\ No newline at end of file
diff --git a/plugin-trino/src/test/resources/logback.xml b/plugin-trino/src/test/resources/logback.xml
new file mode 100644
index 000000000..4e991c3f2
--- /dev/null
+++ b/plugin-trino/src/test/resources/logback.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<configuration>
+ <appender name="console" class="ch.qos.logback.core.ConsoleAppender">
+ <Target>System.out</Target>
+ <encoder>
+ <pattern>%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p - %m%n</pattern>
+ </encoder>
+ <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
+ <level>INFO</level>
+ </filter>
+ </appender>
+ <root level="INFO">
+ <appender-ref ref="console"/>
+ </root>
+</configuration>
diff --git a/plugin-trino/src/test/resources/ranger-trino-security.xml b/plugin-trino/src/test/resources/ranger-trino-security.xml
new file mode 100644
index 000000000..ecc467b32
--- /dev/null
+++ b/plugin-trino/src/test/resources/ranger-trino-security.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
+<configuration xmlns:xi="http://www.w3.org/2001/XInclude">
+ <property>
+ <name>ranger.plugin.trino.service.name</name>
+ <value>cl1_trino</value>
+ <description>
+ Name of the Ranger service containing policies for this SampleApp instance
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.source.impl</name>
+ <value>org.apache.ranger.authorization.trino.authorizer.RangerAdminClientImpl</value>
+ <description>
+ Policy source.
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.pollIntervalMs</name>
+ <value>30000</value>
+ <description>
+ How often to poll for changes in policies?
+ </description>
+ </property>
+
+ <property>
+ <name>ranger.plugin.trino.policy.cache.dir</name>
+ <value>${project.build.directory}</value>
+ <description>
+ Directory where Ranger policies are cached after successful retrieval from the source
+ </description>
+ </property>
+
+</configuration>
diff --git a/plugin-trino/src/test/resources/trino-policies.json b/plugin-trino/src/test/resources/trino-policies.json
new file mode 100644
index 000000000..14f16887d
--- /dev/null
+++ b/plugin-trino/src/test/resources/trino-policies.json
@@ -0,0 +1,1214 @@
+{
+ "serviceName": "cl1_trino",
+ "serviceId": 203,
+ "policyUpdateTime": "20180304-09:49:38.000-+0000",
+ "policies": [
+ {
+ "service": "cl1_trino",
+ "name": "checkCanImpersonateUser",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "trinouser": {
+ "values": [
+ "bob"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "impersonate",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "admin"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 51,
+ "guid": "7ab96b62-6fd3-4193-bf49-af462c25784d",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "checkFunction",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "function": {
+ "values": [
+ "function"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "execute",
+ "isAllowed": true
+ },
+ {
+ "type": "grant",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 51,
+ "guid": "7ab96b62-6fd3-4193-bf49-af462c25784d",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-schema",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "insert",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "show",
+ "isAllowed": true
+ },
+ {
+ "type": "grant",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 52,
+ "guid": "11b10138-34c3-4e11-8beb-56a10334a375",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-catalog",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "insert",
+ "isAllowed": true
+ },
+ {
+ "type": "create",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "use",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "show",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 53,
+ "guid": "60207d91-7fd7-424e-8e6f-88d803297b6a",
+ "isEnabled": true,
+ "version": 2
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-table",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "table",
+ "alice"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "insert",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ },
+ {
+ "type": "delete",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ },
+ {
+ "type": "grant",
+ "isAllowed": true
+ },
+ {
+ "type": "revoke",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 55,
+ "guid": "b47e1c19-a05f-41f8-94ef-f86c14076ad9",
+ "isEnabled": true,
+ "version": 2
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-procedure",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "procedure": {
+ "values": [
+ "procedure"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "execute",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 55,
+ "guid": "b47e1c19-a05f-41f8-94ef-f86c14076ad9",
+ "isEnabled": true,
+ "version": 2
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-view",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "view"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ },
+ {
+ "type": "drop",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 56,
+ "guid": "91335d40-0bcf-4515-89ed-74531df970c7",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "alice-session-property",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "sessionproperty": {
+ "values": [
+ "property"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "show",
+ "isAllowed": true
+ },
+ {
+ "type": "alter",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "alice"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 57,
+ "guid": "b5a30229-89b2-456a-83d4-7d64e8b8b6bf",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "open-to-all",
+ "policyType": 0,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "catalog": {
+ "values": [
+ "open-to-all",
+ "all-allowed"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [
+ {
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "{USER}"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 67,
+ "guid": "370d3e54-0428-4fcb-b0b5-ad1f5dfdd7db",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "test-mask",
+ "policyType": 1,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "only_first_4"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "table"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [
+ {
+ "dataMaskInfo": {
+ "dataMaskType": "MASK_SHOW_FIRST_4"
+ },
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "{USER}"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 68,
+ "guid": "6ec12d33-4d5d-46f0-9a05-b31d78281b02",
+ "isEnabled": true,
+ "version": 1
+ },
+ {
+ "service": "cl1_trino",
+ "name": "test-mask-cast",
+ "policyType": 1,
+ "policyPriority": 0,
+ "description": "",
+ "isAuditEnabled": true,
+ "resources": {
+ "schema": {
+ "values": [
+ "schema"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "catalog": {
+ "values": [
+ "alice-catalog"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "column": {
+ "values": [
+ "cast_me"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ },
+ "table": {
+ "values": [
+ "table"
+ ],
+ "isExcludes": false,
+ "isRecursive": false
+ }
+ },
+ "policyItems": [],
+ "denyPolicyItems": [],
+ "allowExceptions": [],
+ "denyExceptions": [],
+ "dataMaskPolicyItems": [
+ {
+ "dataMaskInfo": {
+ "dataMaskType": "CUSTOM",
+ "valueExpr": "cast {col} as {type}"
+ },
+ "accesses": [
+ {
+ "type": "select",
+ "isAllowed": true
+ }
+ ],
+ "users": [
+ "{USER}"
+ ],
+ "groups": [],
+ "roles": [],
+ "conditions": [],
+ "delegateAdmin": false
+ }
+ ],
+ "rowFilterPolicyItems": [],
+ "serviceType": "trino",
+ "options": {},
+ "validitySchedules": [],
+ "policyLabels": [],
+ "zoneName": "",
+ "isDenyAllElse": false,
+ "id": 69,
+ "guid": "50e855fb-8dc2-42cd-99d3-16e8df8de774",
+ "isEnabled": true,
+ "version": 1
+ }
+ ],
+ "startIndex": 0,
+ "pageSize": 0,
+ "totalCount": 0,
+ "resultSize": 0,
+ "queryTimeMS": 1585212824007,
+ "serviceDef": {
+ "id": 17,
+ "name": "trino",
+ "displayName": "trino",
+ "implClass": "org.apache.ranger.services.trino.RangerServiceTrino",
+ "label": "Trino",
+ "description": "Trino",
+ "guid": "379a9fe5-1b6e-4091-a584-4890e245e6c1",
+ "resources": [
+ {
+ "itemId": 1,
+ "name": "catalog",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Catalog",
+ "description": "Trino Catalog"
+ },
+ {
+ "itemId": 2,
+ "name": "schema",
+ "type": "string",
+ "level": 20,
+ "parent": "catalog",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Schema",
+ "description": "Trino Schema"
+ },
+ {
+ "itemId": 3,
+ "name": "table",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "isValidLeaf": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Table",
+ "description": "Trino Table"
+ },
+ {
+ "itemId": 4,
+ "name": "column",
+ "type": "string",
+ "level": 40,
+ "parent": "table",
+ "mandatory": true,
+ "lookupSupported": true,
+ "recursiveSupported": false,
+ "excludesSupported": true,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Column",
+ "description": "Trino Column"
+ },
+ {
+ "itemId": 5,
+ "name": "trinouser",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino User",
+ "description": "Trino User",
+ "accessTypeRestrictions": ["impersonate"]
+ },
+ {
+ "itemId": 6,
+ "name": "systemproperty",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "System Property",
+ "description": "Trino System Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 7,
+ "name": "sessionproperty",
+ "type": "string",
+ "level": 20,
+ "parent": "catalog",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Catalog Session Property",
+ "description": "Trino Catalog Session Property",
+ "accessTypeRestrictions": ["alter"]
+ },
+ {
+ "itemId": 8,
+ "name": "function",
+ "type": "string",
+ "level": 10,
+ "parent": "",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Trino Function",
+ "description": "Trino Function",
+ "accessTypeRestrictions": ["execute", "grant"]
+ },
+ {
+ "itemId": 9,
+ "name": "procedure",
+ "type": "string",
+ "level": 30,
+ "parent": "schema",
+ "mandatory": true,
+ "lookupSupported": false,
+ "recursiveSupported": false,
+ "excludesSupported": false,
+ "matcher": "org.apache.ranger.plugin.resourcematcher.RangerDefaultResourceMatcher",
+ "matcherOptions": {
+ "wildCard": true,
+ "ignoreCase": true
+ },
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Schema Procedure",
+ "description": "Schema Procedure",
+ "accessTypeRestrictions": ["execute", "grant"]
+ }
+ ],
+ "accessTypes": [
+ {
+ "itemId": 1,
+ "name": "select",
+ "label": "Select"
+ },
+ {
+ "itemId": 2,
+ "name": "insert",
+ "label": "Insert"
+ },
+ {
+ "itemId": 3,
+ "name": "create",
+ "label": "Create"
+ },
+ {
+ "itemId": 4,
+ "name": "drop",
+ "label": "Drop"
+ },
+ {
+ "itemId": 5,
+ "name": "delete",
+ "label": "Delete"
+ },
+ {
+ "itemId": 6,
+ "name": "use",
+ "label": "Use"
+ },
+ {
+ "itemId": 7,
+ "name": "alter",
+ "label": "Alter"
+ },
+ {
+ "itemId": 8,
+ "name": "grant",
+ "label": "Grant"
+ },
+ {
+ "itemId": 9,
+ "name": "revoke",
+ "label": "Revoke"
+ },
+ {
+ "itemId": 10,
+ "name": "show",
+ "label": "Show"
+ },
+ {
+ "itemId": 11,
+ "name": "impersonate",
+ "label": "Impersonate"
+ },
+ {
+ "itemId": 12,
+ "name": "execute",
+ "label": "execute"
+ },
+ {
+ "itemId": 13,
+ "name": "all",
+ "label": "All",
+ "impliedGrants": [
+ "select",
+ "insert",
+ "create",
+ "delete",
+ "drop",
+ "use",
+ "alter",
+ "grant",
+ "revoke",
+ "show",
+ "impersonate",
+ "execute"
+ ]
+ }
+ ],
+ "configs": [
+ {
+ "itemId": 1,
+ "name": "username",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Username"
+ },
+ {
+ "itemId": 2,
+ "name": "password",
+ "type": "password",
+ "mandatory": false,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "label": "Password"
+ },
+ {
+ "itemId": 3,
+ "name": "jdbc.driverClassName",
+ "type": "string",
+ "mandatory": true,
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": "",
+ "defaultValue": "io.trino.jdbc.TrinoDriver"
+ },
+ {
+ "itemId": 4,
+ "name": "jdbc.url",
+ "type": "string",
+ "mandatory": true,
+ "defaultValue": "",
+ "validationRegEx": "",
+ "validationMessage": "",
+ "uiHint": ""
+ }
+ ],
+ "enums": [
+ ],
+ "contextEnrichers": [
+ ],
+ "policyConditions":
+ [
+ ],
+ "dataMaskDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "name": "catalog",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "schema",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "table",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ },
+ {
+ "name": "column",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "uiHint":"{ \"singleValue\":true }"
+ }
+ ],
+ "maskTypes": [
+ {
+ "itemId": 1,
+ "name": "MASK",
+ "label": "Redact",
+ "description": "Replace lowercase with 'x', uppercase with 'X', digits with '0'",
+ "transformer": "cast(regexp_replace(regexp_replace(regexp_replace({col},'([A-Z])', 'X'),'([a-z])','x'),'([0-9])','0') as {type})",
+ "dataMaskOptions": {
+ }
+ },
+ {
+ "itemId": 2,
+ "name": "MASK_SHOW_LAST_4",
+ "label": "Partial mask: show last 4",
+ "description": "Show last 4 characters; replace rest with 'X'",
+ "transformer": "cast(regexp_replace({col}, '(.*)(.{4}$)', x -> regexp_replace(x[1], '.', 'X') || x[2]) as {type})"
+ },
+ {
+ "itemId": 3,
+ "name": "MASK_SHOW_FIRST_4",
+ "label": "Partial mask: show first 4",
+ "description": "Show first 4 characters; replace rest with 'x'",
+ "transformer": "cast(regexp_replace({col}, '(^.{4})(.*)', x -> x[1] || regexp_replace(x[2], '.', 'X')) as {type})"
+ },
+ {
+ "itemId": 4,
+ "name": "MASK_HASH",
+ "label": "Hash",
+ "description": "Hash the value of a varchar with sha256",
+ "transformer": "cast(to_hex(sha256(to_utf8({col}))) as {type})"
+ },
+ {
+ "itemId": 5,
+ "name": "MASK_NULL",
+ "label": "Nullify",
+ "description": "Replace with NULL"
+ },
+ {
+ "itemId": 6,
+ "name": "MASK_NONE",
+ "label": "Unmasked (retain original value)",
+ "description": "No masking"
+ },
+ {
+ "itemId": 12,
+ "name": "MASK_DATE_SHOW_YEAR",
+ "label": "Date: show only year",
+ "description": "Date: show only year",
+ "transformer": "date_trunc('year', {col})"
+ },
+ {
+ "itemId": 13,
+ "name": "CUSTOM",
+ "label": "Custom",
+ "description": "Custom"
+ }
+ ]
+ },
+ "rowFilterDef": {
+ "accessTypes": [
+ {
+ "name": "select"
+ }
+ ],
+ "resources": [
+ {
+ "name": "catalog",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ },
+ {
+ "name": "schema",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ },
+ {
+ "name": "table",
+ "matcherOptions": {
+ "wildCard": "true"
+ },
+ "lookupSupported": true,
+ "mandatory": true,
+ "uiHint": "{ \"singleValue\":true }"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index dfca1b455..cc62a6fa4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -177,6 +177,7 @@
<owasp-java-html-sanitizer.version>r239</owasp-java-html-sanitizer.version>
<paranamer.version>2.3</paranamer.version>
<presto.version>333</presto.version>
+ <trino.version>377</trino.version>
<poi.version>5.2.2</poi.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<protobuf-java.version>3.19.3</protobuf-java.version>
@@ -215,6 +216,14 @@
<presto.validation-api.version>2.0.1.Final</presto.validation-api.version>
<presto.re2j.version>1.1</presto.re2j.version>
+ <!-- trino plugin deps -->
+ <trino.airlift.version>0.192</trino.airlift.version>
+ <trino.bval-jsr.version>2.0.0</trino.bval-jsr.version>
+ <trino.guice.version>4.2.2</trino.guice.version>
+ <trino.guava.version>26.0-jre</trino.guava.version>
+ <trino.validation-api.version>2.0.1.Final</trino.validation-api.version>
+ <trino.re2j.version>1.1</trino.re2j.version>
+
<!-- Azure Key Vault dependencies -->
<com.microsoft.azure.version>1.22.0</com.microsoft.azure.version>
<com.microsoft.azure.azure-keyvault.version>1.2.1</com.microsoft.azure.azure-keyvault.version>
@@ -274,6 +283,7 @@
<module>plugin-nifi</module>
<module>plugin-nifi-registry</module>
<module>plugin-presto</module>
+ <module>plugin-trino</module>
<module>plugin-kudu</module>
<module>ugsync-util</module>
<module>ugsync</module>
@@ -296,6 +306,7 @@
<module>ranger-atlas-plugin-shim</module>
<module>ranger-kms-plugin-shim</module>
<module>ranger-presto-plugin-shim</module>
+ <module>ranger-trino-plugin-shim</module>
<module>ranger-examples</module>
<module>ranger-tools</module>
<module>plugin-atlas</module>
@@ -540,6 +551,20 @@
<module>ranger-presto-plugin-shim</module>
</modules>
</profile>
+ <profile>
+ <id>ranger-trino-plugin</id>
+ <modules>
+ <module>agents-audit</module>
+ <module>agents-common</module>
+ <module>agents-cred</module>
+ <module>agents-installer</module>
+ <module>credentialbuilder</module>
+ <module>ranger-plugin-classloader</module>
+ <module>ranger-util</module>
+ <module>plugin-trino</module>
+ <module>ranger-trino-plugin-shim</module>
+ </modules>
+ </profile>
<profile>
<id>linux</id>
<activation>
@@ -601,6 +626,8 @@
<module>ranger-kylin-plugin-shim</module>
<module>plugin-presto</module>
<module>ranger-presto-plugin-shim</module>
+ <module>plugin-trino</module>
+ <module>ranger-trino-plugin-shim</module>
<module>plugin-elasticsearch</module>
<module>ranger-elasticsearch-plugin-shim</module>
<!--
@@ -655,6 +682,7 @@
<module>plugin-nifi</module>
<module>plugin-nifi-registry</module>
<module>plugin-presto</module>
+ <module>plugin-trino</module>
<module>ugsync-util</module>
<module>ugsync</module>
<module>ugsync/ldapconfigchecktool/ldapconfigcheck</module>
@@ -676,6 +704,7 @@
<module>ranger-atlas-plugin-shim</module>
<module>ranger-kms-plugin-shim</module>
<module>ranger-presto-plugin-shim</module>
+ <module>ranger-trino-plugin-shim</module>
<module>ranger-examples</module>
<module>ranger-tools</module>
<module>plugin-atlas</module>
diff --git a/ranger-trino-plugin-shim/.gitignore b/ranger-trino-plugin-shim/.gitignore
new file mode 100644
index 000000000..b83d22266
--- /dev/null
+++ b/ranger-trino-plugin-shim/.gitignore
@@ -0,0 +1 @@
+/target/
diff --git a/ranger-trino-plugin-shim/pom.xml b/ranger-trino-plugin-shim/pom.xml
new file mode 100644
index 000000000..1689ff5a2
--- /dev/null
+++ b/ranger-trino-plugin-shim/pom.xml
@@ -0,0 +1,198 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>ranger-trino-plugin-shim</artifactId>
+ <name>Trino Security Plugin Shim</name>
+ <description>Trino Security Plugin Shim</description>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+ <parent>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger</artifactId>
+ <version>2.3.0-SNAPSHOT</version>
+ <relativePath>..</relativePath>
+ </parent>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugins-common</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.trino</groupId>
+ <artifactId>trino-spi</artifactId>
+ <version>${trino.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.ranger</groupId>
+ <artifactId>ranger-plugin-classloader</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>io.airlift</groupId>
+ <artifactId>bootstrap</artifactId>
+ <version>${trino.airlift.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>io.airlift</groupId>
+ <artifactId>log</artifactId>
+ <version>${trino.airlift.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>io.airlift</groupId>
+ <artifactId>configuration</artifactId>
+ <version>${trino.airlift.version}</version>
+ </dependency>
+
+ <!-- for the assembly -->
+ <dependency>
+ <groupId>com.google.guava</groupId>
+ <artifactId>guava</artifactId>
+ <version>${trino.guava.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>com.google.inject</groupId>
+ <artifactId>guice</artifactId>
+ <version>${trino.guice.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.validation</groupId>
+ <artifactId>validation-api</artifactId>
+ <version>${trino.validation-api.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.bval</groupId>
+ <artifactId>bval-jsr</artifactId>
+ <version>${trino.bval-jsr.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.hadoop</groupId>
+ <artifactId>hadoop-hdfs</artifactId>
+ <version>${hadoop.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty-all</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.httpcomponents</groupId>
+ <artifactId>httpcore</artifactId>
+ <version>${httpcomponents.httpcore.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ <version>${zookeeper.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>io.netty</groupId>
+ <artifactId>netty</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>log4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>*</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+
+ <dependency>
+ <groupId>net.java.dev.jna</groupId>
+ <artifactId>jna</artifactId>
+ <version>${jna.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>net.java.dev.jna</groupId>
+ <artifactId>jna-platform</artifactId>
+ <version>${jna-platform.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ <version>${commons.codec.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>com.kstruct</groupId>
+ <artifactId>gethostname4j</artifactId>
+ <version>${kstruct.gethostname4j.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>com.google.protobuf</groupId>
+ <artifactId>protobuf-java</artifactId>
+ <version>${protobuf-java.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.annotation</groupId>
+ <artifactId>javax.annotation-api</artifactId>
+ <version>${javax.annotation-api}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>log4j-over-slf4j</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <version>${slf4j.version}</version>
+ </dependency>
+
+ <dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-core</artifactId>
+ <version>${fasterxml.jackson.version}</version>
+ </dependency>
+
+ </dependencies>
+</project>
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
new file mode 100644
index 000000000..8fc6d5c1b
--- /dev/null
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerConfig.java
@@ -0,0 +1,69 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.ranger.authorization.trino.authorizer;
+
+import io.airlift.configuration.Config;
+import io.airlift.configuration.ConfigDescription;
+
+public class RangerConfig {
+ private String keytab;
+ private String principal;
+ private boolean useUgi = false;
+ private String hadoopConfigPath;
+
+ public String getKeytab() { return keytab; }
+
+ @Config("ranger.keytab")
+ @ConfigDescription("Keytab for authentication against Ranger")
+ @SuppressWarnings("unused")
+ public RangerConfig setKeytab(String keytab) {
+ this.keytab = keytab;
+ return this;
+ }
+
+ public String getPrincipal() { return principal; }
+
+ @Config("ranger.principal")
+ @ConfigDescription("Principal for authentication against Ranger with keytab")
+ @SuppressWarnings("unused")
+ public RangerConfig setPrincipal(String principal) {
+ this.principal = principal;
+ return this;
+ }
+
+ public boolean isUseUgi() { return useUgi; }
+
+ @Config("ranger.use_ugi")
+ @ConfigDescription("Use Hadoop User Group Information instead of Trino groups")
+ @SuppressWarnings("unused")
+ public RangerConfig setUseUgi(boolean useUgi) {
+ this.useUgi = useUgi;
+ return this;
+ }
+
+ @Config("ranger.hadoop_config")
+ @ConfigDescription("Path to hadoop configuration. Defaults to trino-ranger-site.xml in classpath")
+ @SuppressWarnings("unused")
+ public RangerConfig setHadoopConfigPath(String hadoopConfigPath) {
+ this.hadoopConfigPath = hadoopConfigPath;
+ return this;
+ }
+
+ public String getHadoopConfigPath() { return hadoopConfigPath; }
+}
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
new file mode 100644
index 000000000..c6b234dc2
--- /dev/null
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControl.java
@@ -0,0 +1,625 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.authorization.trino.authorizer;
+
+import io.trino.spi.connector.CatalogSchemaName;
+import io.trino.spi.connector.CatalogSchemaRoutineName;
+import io.trino.spi.connector.CatalogSchemaTableName;
+import io.trino.spi.connector.SchemaTableName;
+import io.trino.spi.security.TrinoPrincipal;
+import io.trino.spi.security.Privilege;
+import io.trino.spi.security.SystemAccessControl;
+import io.trino.spi.security.SystemSecurityContext;
+import io.trino.spi.security.ViewExpression;
+import io.trino.spi.type.Type;
+import org.apache.ranger.plugin.classloader.RangerPluginClassLoader;
+
+import javax.inject.Inject;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Set;
+
+public class RangerSystemAccessControl
+ implements SystemAccessControl {
+ private static final String RANGER_PLUGIN_TYPE = "trino";
+ private static final String RANGER_TRINO_AUTHORIZER_IMPL_CLASSNAME = "org.apache.ranger.authorization.trino.authorizer.RangerSystemAccessControl";
+
+ final private RangerPluginClassLoader rangerPluginClassLoader;
+ final private SystemAccessControl systemAccessControlImpl;
+
+ @Inject
+ public RangerSystemAccessControl(RangerConfig config) {
+ try {
+ rangerPluginClassLoader = RangerPluginClassLoader.getInstance(RANGER_PLUGIN_TYPE, this.getClass());
+
+ @SuppressWarnings("unchecked")
+ Class<SystemAccessControl> cls = (Class<SystemAccessControl>) Class.forName(RANGER_TRINO_AUTHORIZER_IMPL_CLASSNAME, true, rangerPluginClassLoader);
+
+ activatePluginClassLoader();
+
+ Map<String, String> configMap = new HashMap<>();
+ if (config.getKeytab() != null && config.getPrincipal() != null) {
+ configMap.put("ranger.keytab", config.getKeytab());
+ configMap.put("ranger.principal", config.getPrincipal());
+ }
+
+ configMap.put("ranger.use_ugi", Boolean.toString(config.isUseUgi()));
+
+ if (config.getHadoopConfigPath() != null) {
+ configMap.put("ranger.hadoop_config", config.getHadoopConfigPath());
+ }
+
+ systemAccessControlImpl = cls.getDeclaredConstructor(Map.class).newInstance(configMap);
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetSystemSessionProperty(SystemSecurityContext context, String propertyName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetSystemSessionProperty(context, propertyName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanAccessCatalog(SystemSecurityContext context, String catalogName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanAccessCatalog(context, catalogName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Set<String> filterCatalogs(SystemSecurityContext context, Set<String> catalogs) {
+ Set<String> filteredCatalogs;
+ try {
+ activatePluginClassLoader();
+ filteredCatalogs = systemAccessControlImpl.filterCatalogs(context, catalogs);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return filteredCatalogs;
+ }
+
+ @Override
+ public void checkCanCreateSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateSchema(context, schema);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDropSchema(SystemSecurityContext context, CatalogSchemaName schema) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropSchema(context, schema);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanRenameSchema(SystemSecurityContext context, CatalogSchemaName schema, String newSchemaName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRenameSchema(context, schema, newSchemaName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowSchemas(SystemSecurityContext context, String catalogName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowSchemas(context, catalogName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Set<String> filterSchemas(SystemSecurityContext context, String catalogName, Set<String> schemaNames) {
+ Set<String> filteredSchemas;
+ try {
+ activatePluginClassLoader();
+ filteredSchemas = systemAccessControlImpl.filterSchemas(context, catalogName, schemaNames);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return filteredSchemas;
+ }
+
+ @Override
+ public void checkCanCreateTable(SystemSecurityContext context, CatalogSchemaTableName table, Map<String, Object> properties) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateTable(context, table, properties);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDropTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanRenameTable(SystemSecurityContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRenameTable(context, table, newTable);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Set<SchemaTableName> filterTables(SystemSecurityContext context, String catalogName, Set<SchemaTableName> tableNames) {
+ Set<SchemaTableName> filteredTableNames;
+ try {
+ activatePluginClassLoader();
+ filteredTableNames = systemAccessControlImpl.filterTables(context, catalogName, tableNames);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return filteredTableNames;
+ }
+
+ @Override
+ public void checkCanAddColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanAddColumn(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDropColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropColumn(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanRenameColumn(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRenameColumn(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSelectFromColumns(context, table, columns);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanInsertIntoTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanInsertIntoTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDeleteFromTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDeleteFromTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+@Override
+ public void checkCanTruncateTable(SystemSecurityContext context, CatalogSchemaTableName table)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanTruncateTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanCreateView(SystemSecurityContext context, CatalogSchemaTableName view) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateView(context, view);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanCreateMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView, Map<String, Object> properties) {
+ try{
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateMaterializedView(context,materializedView,properties);
+ }
+ finally {
+ deactivatePluginClassLoader();
+ }
+
+ }
+
+ @Override
+ public void checkCanDropMaterializedView(SystemSecurityContext context, CatalogSchemaTableName materializedView) {
+ try{
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropMaterializedView(context,materializedView);
+ }
+ finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanDropView(SystemSecurityContext context, CatalogSchemaTableName view) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanDropView(context, view);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetViewAuthorization(SystemSecurityContext context, CatalogSchemaTableName view, TrinoPrincipal principal)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetViewAuthorization(context, view, principal);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanCreateViewWithSelectFromColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanCreateViewWithSelectFromColumns(context, table, columns);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetCatalogSessionProperty(SystemSecurityContext context, String catalogName, String propertyName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetCatalogSessionProperty(context, catalogName, propertyName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanImpersonateUser(SystemSecurityContext context, String userName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanImpersonateUser(context, userName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteQuery(SystemSecurityContext context) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteQuery(context);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanViewQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanViewQueryOwnedBy(context, queryOwner);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Set<String> filterViewQueryOwnedBy(SystemSecurityContext context, Set<String> queryOwners) {
+ Set<String> filteredQueryOwners;
+ try {
+ activatePluginClassLoader();
+ filteredQueryOwners = systemAccessControlImpl.filterViewQueryOwnedBy(context, queryOwners);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return filteredQueryOwners;
+ }
+
+ @Override
+ public void checkCanKillQueryOwnedBy(SystemSecurityContext context, String queryOwner) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanKillQueryOwnedBy(context, queryOwner);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateTable(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowCreateTable(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetTableComment(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetTableComment(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetColumnComment(SystemSecurityContext context, CatalogSchemaTableName table)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetColumnComment(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowTables(SystemSecurityContext context, CatalogSchemaName schema) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowTables(context, schema);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowColumns(SystemSecurityContext context, CatalogSchemaTableName table) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowColumns(context, table);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Set<String> filterColumns(SystemSecurityContext context, CatalogSchemaTableName table, Set<String> columns) {
+ Set<String> filteredColumns;
+ try {
+ activatePluginClassLoader();
+ filteredColumns = systemAccessControlImpl.filterColumns(context, table, columns);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return filteredColumns;
+ }
+
+ @Override
+ public void checkCanRenameView(SystemSecurityContext context, CatalogSchemaTableName view, CatalogSchemaTableName newView) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRenameView(context, view, newView);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanGrantTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal grantee, boolean withGrantOption) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanGrantTablePrivilege(context, privilege, table, grantee, withGrantOption);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanRevokeTablePrivilege(SystemSecurityContext context, Privilege privilege, CatalogSchemaTableName table, TrinoPrincipal revokee, boolean grantOptionFor) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanRevokeTablePrivilege(context, privilege, table, revokee, grantOptionFor);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowRoles(SystemSecurityContext context) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowRoles(context);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowCurrentRoles(SystemSecurityContext context) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowCurrentRoles(context);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowRoleGrants(SystemSecurityContext context) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowRoleGrants(context);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public Optional<ViewExpression> getRowFilter(SystemSecurityContext context, CatalogSchemaTableName tableName) {
+ Optional<ViewExpression> viewExpression;
+ try {
+ activatePluginClassLoader();
+ viewExpression = systemAccessControlImpl.getRowFilter(context, tableName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return viewExpression;
+ }
+
+ @Override
+ public Optional<ViewExpression> getColumnMask(SystemSecurityContext context, CatalogSchemaTableName tableName, String columnName, Type type) {
+ Optional<ViewExpression> viewExpression;
+ try {
+ activatePluginClassLoader();
+ viewExpression = systemAccessControlImpl.getColumnMask(context, tableName, columnName, type);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ return viewExpression;
+ }
+
+ @Override
+ public void checkCanSetUser(Optional<Principal> principal, String userName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetUser(principal, userName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanGrantExecuteFunctionPrivilege(SystemSecurityContext context, String functionName, TrinoPrincipal grantee, boolean grantOption) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanGrantExecuteFunctionPrivilege(context, functionName, grantee, grantOption);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanSetSchemaAuthorization(SystemSecurityContext context, CatalogSchemaName schema, TrinoPrincipal principal) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanSetSchemaAuthorization(context, schema, principal);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanShowCreateSchema(SystemSecurityContext context, CatalogSchemaName schemaName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanShowCreateSchema(context, schemaName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaRoutineName procedure) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteProcedure(systemSecurityContext, procedure);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteTableProcedure(SystemSecurityContext systemSecurityContext, CatalogSchemaTableName catalogSchemaTableName, String procedure)
+ {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteTableProcedure(systemSecurityContext, catalogSchemaTableName, procedure);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ @Override
+ public void checkCanExecuteFunction(SystemSecurityContext systemSecurityContext, String functionName) {
+ try {
+ activatePluginClassLoader();
+ systemAccessControlImpl.checkCanExecuteFunction(systemSecurityContext, functionName);
+ } finally {
+ deactivatePluginClassLoader();
+ }
+ }
+
+ private void activatePluginClassLoader() {
+ if (rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.activate();
+ }
+ }
+
+ private void deactivatePluginClassLoader() {
+ if (rangerPluginClassLoader != null) {
+ rangerPluginClassLoader.deactivate();
+ }
+ }
+}
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java
new file mode 100644
index 000000000..2d694ac17
--- /dev/null
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/RangerSystemAccessControlFactory.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.authorization.trino.authorizer;
+
+import com.google.inject.Injector;
+import com.google.inject.Scopes;
+import io.airlift.bootstrap.Bootstrap;
+import io.trino.spi.security.SystemAccessControl;
+import io.trino.spi.security.SystemAccessControlFactory;
+
+import java.util.Map;
+
+import static com.google.common.base.Throwables.throwIfUnchecked;
+import static io.airlift.configuration.ConfigBinder.configBinder;
+import static java.util.Objects.requireNonNull;
+
+public class RangerSystemAccessControlFactory
+ implements SystemAccessControlFactory {
+ private static final String NAME = "ranger";
+
+ @Override
+ public String getName() {
+ return NAME;
+ }
+
+ @Override
+ public SystemAccessControl create(Map<String, String> config) {
+ requireNonNull(config, "config is null");
+
+ try {
+ Bootstrap app = new Bootstrap(
+ binder -> {
+ configBinder(binder).bindConfig(RangerConfig.class);
+ binder.bind(RangerSystemAccessControl.class).in(Scopes.SINGLETON);
+ }
+ );
+
+ Injector injector = app
+ .strictConfig()
+ .doNotInitializeLogging()
+ .setRequiredConfigurationProperties(config)
+ .initialize();
+
+ return injector.getInstance(RangerSystemAccessControl.class);
+ } catch (Exception e) {
+ throwIfUnchecked(e);
+ throw new RuntimeException(e);
+ }
+ }
+}
diff --git a/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java
new file mode 100644
index 000000000..aa6ce8620
--- /dev/null
+++ b/ranger-trino-plugin-shim/src/main/java/org/apache/ranger/authorization/trino/authorizer/TrinoRangerPlugin.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.ranger.authorization.trino.authorizer;
+
+import io.trino.spi.Plugin;
+import io.trino.spi.security.SystemAccessControlFactory;
+
+import java.util.ArrayList;
+
+public class TrinoRangerPlugin
+ implements Plugin
+{
+ @Override
+ public Iterable<SystemAccessControlFactory> getSystemAccessControlFactories()
+ {
+ ArrayList<SystemAccessControlFactory> list = new ArrayList<>();
+ SystemAccessControlFactory factory = new RangerSystemAccessControlFactory();
+ list.add(factory);
+ return list;
+ }
+}
diff --git a/ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin b/ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin
new file mode 100644
index 000000000..c5ebc146a
--- /dev/null
+++ b/ranger-trino-plugin-shim/src/main/resources/META-INF/services/io.trino.spi.Plugin
@@ -0,0 +1,15 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+org.apache.ranger.authorization.trino.authorizer.TrinoRangerPlugin