Address review comments

trinodb · Oct 23, 2024 · cda0fe6 · cda0fe6
1 parent caddf66
commit cda0fe6
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 55 deletions.
diff --git a/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java b/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java
@@ -22,14 +22,10 @@
 public class RangerConfig
 {
     public static final String RANGER_TRINO_DEFAULT_SERVICE_NAME = "dev_trino";
-    public static final String RANGER_TRINO_DEFAULT_SECURITY_CONF = "ranger-trino-security.xml";
-    public static final String RANGER_TRINO_DEFAULT_AUDIT_CONF = "ranger-trino-audit.xml";
-    public static final String RANGER_TRINO_DEFAULT_POLICYMGR_SSL_CONF = "ranger-policymgr-ssl.xml";
-    public static final String RANGER_TRINO_DEFAULT_HADOOP_CONF = "trino-ranger-site.xml";
 
     private String serviceName = RANGER_TRINO_DEFAULT_SERVICE_NAME;
-    private List<String> pluginConfigResource = ImmutableList.of(RANGER_TRINO_DEFAULT_SECURITY_CONF, RANGER_TRINO_DEFAULT_AUDIT_CONF, RANGER_TRINO_DEFAULT_POLICYMGR_SSL_CONF);
-    private List<String> hadoopConfigResource = ImmutableList.of(RANGER_TRINO_DEFAULT_HADOOP_CONF);
+    private List<String> pluginConfigResource = ImmutableList.of();
+    private List<String> hadoopConfigResource = ImmutableList.of();
 
     public String getServiceName()
     {

diff --git a/...n/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java b/...n/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java
@@ -151,6 +151,7 @@ public class RangerSystemAccessControl
 
     @Inject
     public RangerSystemAccessControl(RangerConfig config)
+            throws Exception
     {
         Configuration hadoopConf = new Configuration();
 
@@ -160,11 +161,10 @@ public RangerSystemAccessControl(RangerConfig config)
             LOG.info("Loading Hadoop config %s from url %s", configPath, url);
 
             if (url == null) {
-                LOG.warn("Hadoop config %s not found", configPath);
-            }
-            else {
-                hadoopConf.addResource(url);
+                throw new Exception("Hadoop config " + configPath + " not found");
             }
+
+            hadoopConf.addResource(url);
         }
 
         UserGroupInformation.setConfiguration(hadoopConf);

diff --git a/...er/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml b/...er/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml
@@ -25,6 +25,12 @@
         </description>
     </property>
 
+    <property>
+        <name>ranger.plugin.trino.super.users</name>
+        <value>trino,hive</value>
+        <description>List of users with superuser privileges</description>
+    </property>
+
     <property>
         <name>ranger.plugin.trino.policy.rest.url</name>
         <value>http://host.docker.internal:6080</value>

diff --git a/...s/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json b/...s/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json
@@ -184,40 +184,6 @@
       "policyItems": [
         { "accesses": [ { "type": "execute" } ], "users": [ "{USER}" ] }
       ]
-    },
-    {
-      "id":             12,
-      "service":        "dev_trino",
-      "serviceType":    "trino",
-      "name":           "memory.default.*.*",
-      "policyType":     0,
-      "policyPriority": 0,
-      "resources": {
-        "catalog": { "values": [ "memory" ] },
-        "schema":  { "values": [ "default" ] },
-        "table":   { "values": [ "*" ] },
-        "column":  { "values": [ "*" ] }
-      },
-      "policyItems": [
-        { "accesses": [ { "type": "select" }, { "type": "insert" }, { "type": "create" }, { "type": "drop" }, { "type": "delete" }, { "type": "alter" }, { "type": "grant" }, { "type": "revoke" }, { "type":  "show" } ], "groups": [ "public" ] }
-      ]
-    },
-    {
-      "id":             13,
-      "service":        "dev_trino",
-      "serviceType":    "trino",
-      "name":           "tpch.tiny.*.*",
-      "policyType":     0,
-      "policyPriority": 0,
-      "resources": {
-        "catalog": { "values": [ "tpch" ] },
-        "schema":  { "values": [ "tiny" ] },
-        "table":   { "values": [ "*" ] },
-        "column":  { "values": [ "*" ] }
-      },
-      "policyItems": [
-        { "accesses": [ { "type": "select" }, { "type": "insert" }, { "type": "create" }, { "type": "drop" }, { "type": "delete" }, { "type": "alter" }, { "type": "grant" }, { "type": "revoke" }, { "type":  "show" } ], "groups": [ "public" ] }
-      ]
     }
   ]
 }
diff --git a/...ing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java b/...ing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java
@@ -14,38 +14,48 @@
 package io.trino.tests.product.ranger;
 
 import io.trino.tempto.ProductTest;
+import io.trino.tempto.query.QueryExecutionException;
 import io.trino.tempto.query.QueryExecutor;
 import org.testng.annotations.Test;
 
 import static io.trino.tempto.assertions.QueryAssert.Row.row;
 import static io.trino.testing.TestingNames.randomNameSuffix;
 import static io.trino.tests.product.TestGroups.APACHE_RANGER;
 import static io.trino.tests.product.TestGroups.PROFILE_SPECIFIC_TESTS;
-import static io.trino.tests.product.utils.QueryExecutors.onTrino;
+import static io.trino.tests.product.utils.QueryExecutors.connectToTrino;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 public class TestApacheRanger
         extends ProductTest
 {
     @Test(groups = {APACHE_RANGER, PROFILE_SPECIFIC_TESTS})
     public void testCreateTableAsSelect()
     {
-        String tableName = "memory.default.nation_" + randomNameSuffix();
+        final String tableName = "memory.default.nation_" + randomNameSuffix();
 
-        try (QueryExecutor trino = onTrino()) {
+        // config 'presto' is mapped to user hive. Ranger plugin is configured with hive as a superuser, so all queries from hive should succeed.
+        try (QueryExecutor userPresto = connectToTrino("presto")) {
             try {
-                trino.executeQuery("DROP TABLE IF EXISTS " + tableName);
-                assertThat(trino.executeQuery("CREATE TABLE " + tableName + " AS SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25);
-                assertThat(trino.executeQuery("SELECT COUNT(*) FROM " + tableName)).containsOnly(row(25));
-                assertThat(trino.executeQuery("TRUNCATE TABLE " + tableName)).updatedRowsCountIsEqualTo(0);
-                assertThat(trino.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25);
+                userPresto.executeQuery("DROP TABLE IF EXISTS " + tableName);
+                assertThat(userPresto.executeQuery("CREATE TABLE " + tableName + " AS SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25);
+                assertThat(userPresto.executeQuery("SELECT COUNT(*) FROM " + tableName)).containsOnly(row(25));
+                assertThat(userPresto.executeQuery("TRUNCATE TABLE " + tableName)).updatedRowsCountIsEqualTo(0);
+                assertThat(userPresto.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25);
                 /* memory catalog does not support UPDATE and DELETE
-                assertThat(trino.executeQuery("UPDATE " + tableName + " SET comment = name")).updatedRowsCountIsEqualTo(25);
-                assertThat(trino.executeQuery("DELETE FROM " + tableName)).updatedRowsCountIsEqualTo(25);
+                assertThat(userPresto.executeQuery("UPDATE " + tableName + " SET comment = name")).updatedRowsCountIsEqualTo(25);
+                assertThat(userPresto.executeQuery("DELETE FROM " + tableName)).updatedRowsCountIsEqualTo(25);
                 */
+
+                // config 'alice@presto' is mapped to user alice. This user doesn't have any permissions in Ranger, so all queries should fail.
+                try (QueryExecutor userAlice = connectToTrino("alice@presto")) {
+                    assertThatThrownBy(() -> userAlice.executeQuery("SELECT COUNT(*) FROM " + tableName)).isInstanceOf(QueryExecutionException.class);
+                    assertThatThrownBy(() -> userAlice.executeQuery("TRUNCATE TABLE " + tableName)).isInstanceOf(QueryExecutionException.class);
+                    assertThatThrownBy(() -> userAlice.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).isInstanceOf(QueryExecutionException.class);
+                }
             }
             finally {
-                trino.executeQuery("DROP TABLE " + tableName);
+                userPresto.executeQuery("DROP TABLE IF EXISTS " + tableName);
             }
         }
     }