From cda0fe6d8df79bd4c0c03682b6f436f2e0da33f1 Mon Sep 17 00:00:00 2001 From: Madhan Neethiraj Date: Tue, 22 Oct 2024 18:22:13 -0700 Subject: [PATCH] Address review comments --- .../io/trino/plugin/ranger/RangerConfig.java | 8 ++--- .../ranger/RangerSystemAccessControl.java | 8 ++--- .../ranger-trino-security.xml | 6 ++++ .../trino-policies.json | 34 ------------------- .../product/ranger/TestApacheRanger.java | 32 +++++++++++------ 5 files changed, 33 insertions(+), 55 deletions(-) diff --git a/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java b/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java index 39c45dd159caf..f1ed11960cb23 100644 --- a/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java +++ b/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerConfig.java @@ -22,14 +22,10 @@ public class RangerConfig { public static final String RANGER_TRINO_DEFAULT_SERVICE_NAME = "dev_trino"; - public static final String RANGER_TRINO_DEFAULT_SECURITY_CONF = "ranger-trino-security.xml"; - public static final String RANGER_TRINO_DEFAULT_AUDIT_CONF = "ranger-trino-audit.xml"; - public static final String RANGER_TRINO_DEFAULT_POLICYMGR_SSL_CONF = "ranger-policymgr-ssl.xml"; - public static final String RANGER_TRINO_DEFAULT_HADOOP_CONF = "trino-ranger-site.xml"; private String serviceName = RANGER_TRINO_DEFAULT_SERVICE_NAME; - private List pluginConfigResource = ImmutableList.of(RANGER_TRINO_DEFAULT_SECURITY_CONF, RANGER_TRINO_DEFAULT_AUDIT_CONF, RANGER_TRINO_DEFAULT_POLICYMGR_SSL_CONF); - private List hadoopConfigResource = ImmutableList.of(RANGER_TRINO_DEFAULT_HADOOP_CONF); + private List pluginConfigResource = ImmutableList.of(); + private List hadoopConfigResource = ImmutableList.of(); public String getServiceName() { 
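Review bot: With `pluginConfigResource` and `hadoopConfigResource` now defaulting to `ImmutableList.of()`, nothing on these fields tells a reader that the Ranger security, audit and policy-manager SSL resources are no longer picked up implicitly and must be listed in the access-control configuration. A short comment above the two fields would record that, e.g. `// No built-in defaults: plugin and Hadoop config resources must be configured explicitly`. How an empty plugin resource list is handled is outside this hunk. If starting the plugin without any security config is not a supported setup, a validation constraint on the getter or a check where the list is consumed would make that fail at startup, in line with the fail-fast change for missing Hadoop configs in RangerSystemAccessControl. The class body continues outside the hunk.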
diff --git a/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java b/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java index d3f2448b836c6..9ca1da80ca0ec 100644 --- a/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java +++ b/plugin/trino-apache-ranger/src/main/java/io/trino/plugin/ranger/RangerSystemAccessControl.java @@ -151,6 +151,7 @@ public class RangerSystemAccessControl @Inject public RangerSystemAccessControl(RangerConfig config) + throws Exception { Configuration hadoopConf = new Configuration(); @@ -160,11 +161,10 @@ public RangerSystemAccessControl(RangerConfig config) LOG.info("Loading Hadoop config %s from url %s", configPath, url); if (url == null) { - LOG.warn("Hadoop config %s not found", configPath); - } - else { - hadoopConf.addResource(url); + throw new Exception("Hadoop config " + configPath + " not found"); } + + hadoopConf.addResource(url); } UserGroupInformation.setConfiguration(hadoopConf); diff --git a/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml b/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml index a0606632c3870..2e47cb035136b 100644 --- a/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml +++ b/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/ranger-trino-security.xml @@ -25,6 +25,12 @@ + + ranger.plugin.trino.super.users + trino,hive + List of users with superuser privileges + + ranger.plugin.trino.policy.rest.url http://host.docker.internal:6080 
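Review bot: The new `throw new Exception("Hadoop config " + configPath + " not found")` forces `throws Exception` onto the injected constructor, which hides which failures a caller should expect. Failing closed on a missing config is the right behaviour for an access-control plugin, but an unchecked, specific type keeps the signature narrow: `throw new IllegalArgumentException("Hadoop config " + configPath + " not found");`, with the `throws Exception` clause dropped unless code outside this hunk needs it. The `LOG.info` call just above still runs before the null check and prints `url null` in the failing case, so the check could move ahead of it. The constructor body continues outside the hunk.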
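Review bot: `ranger.plugin.trino.super.users` lists `trino` as well as `hive`, but the only use visible in this commit is the test comment in TestApacheRanger.java, which relies on `hive` alone being a superuser. As that comment implies, superusers are allowed regardless of the loaded policies, so every extra name widens what this environment lets through unchecked. If `trino` is not required, the value could be just `hive`. If it is required, the description could say why, e.g. `Users that bypass Ranger policy checks in this test environment (hive: user behind the 'presto' test connection)`.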
diff --git a/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json b/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json index 62f6c9d8d1ffb..134e4af5b324f 100644 --- a/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json +++ b/testing/trino-product-tests-launcher/src/main/resources/docker/trino-product-tests/conf/environment/multinode-apache-ranger/trino-policies.json @@ -184,40 +184,6 @@ "policyItems": [ { "accesses": [ { "type": "execute" } ], "users": [ "{USER}" ] } ] - }, - { - "id": 12, - "service": "dev_trino", - "serviceType": "trino", - "name": "memory.default.*.*", - "policyType": 0, - "policyPriority": 0, - "resources": { - "catalog": { "values": [ "memory" ] }, - "schema": { "values": [ "default" ] }, - "table": { "values": [ "*" ] }, - "column": { "values": [ "*" ] } - }, - "policyItems": [ - { "accesses": [ { "type": "select" }, { "type": "insert" }, { "type": "create" }, { "type": "drop" }, { "type": "delete" }, { "type": "alter" }, { "type": "grant" }, { "type": "revoke" }, { "type": "show" } ], "groups": [ "public" ] } - ] - }, - { - "id": 13, - "service": "dev_trino", - "serviceType": "trino", - "name": "tpch.tiny.*.*", - "policyType": 0, - "policyPriority": 0, - "resources": { - "catalog": { "values": [ "tpch" ] }, - "schema": { "values": [ "tiny" ] }, - "table": { "values": [ "*" ] }, - "column": { "values": [ "*" ] } - }, - "policyItems": [ - { "accesses": [ { "type": "select" }, { "type": "insert" }, { "type": "create" }, { "type": "drop" }, { "type": "delete" }, { "type": "alter" }, { "type": "grant" }, { "type": "revoke" }, { "type": "show" } ], "groups": [ "public" ] } - ] } ] } 
diff --git a/testing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java b/testing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java index 259353f7fb38c..9f867e09706ee 100644 --- a/testing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java +++ b/testing/trino-product-tests/src/main/java/io/trino/tests/product/ranger/TestApacheRanger.java @@ -14,6 +14,7 @@ package io.trino.tests.product.ranger; import io.trino.tempto.ProductTest; +import io.trino.tempto.query.QueryExecutionException; import io.trino.tempto.query.QueryExecutor; import org.testng.annotations.Test; @@ -21,8 +22,9 @@ import static io.trino.testing.TestingNames.randomNameSuffix; import static io.trino.tests.product.TestGroups.APACHE_RANGER; import static io.trino.tests.product.TestGroups.PROFILE_SPECIFIC_TESTS; -import static io.trino.tests.product.utils.QueryExecutors.onTrino; +import static io.trino.tests.product.utils.QueryExecutors.connectToTrino; import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatThrownBy; public class TestApacheRanger extends ProductTest 
@@ -30,22 +32,30 @@ public class TestApacheRanger @Test(groups = {APACHE_RANGER, PROFILE_SPECIFIC_TESTS}) public void testCreateTableAsSelect() { - String tableName = "memory.default.nation_" + randomNameSuffix(); + final String tableName = "memory.default.nation_" + randomNameSuffix(); - try (QueryExecutor trino = onTrino()) { + // config 'presto' is mapped to user hive. Ranger plugin is configured with hive as a superuser, so all queries from hive should succeed. + try (QueryExecutor userPresto = connectToTrino("presto")) { try { - trino.executeQuery("DROP TABLE IF EXISTS " + tableName); - assertThat(trino.executeQuery("CREATE TABLE " + tableName + " AS SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25); - assertThat(trino.executeQuery("SELECT COUNT(*) FROM " + tableName)).containsOnly(row(25)); - assertThat(trino.executeQuery("TRUNCATE TABLE " + tableName)).updatedRowsCountIsEqualTo(0); - assertThat(trino.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25); + userPresto.executeQuery("DROP TABLE IF EXISTS " + tableName); + assertThat(userPresto.executeQuery("CREATE TABLE " + tableName + " AS SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25); + assertThat(userPresto.executeQuery("SELECT COUNT(*) FROM " + tableName)).containsOnly(row(25)); + assertThat(userPresto.executeQuery("TRUNCATE TABLE " + tableName)).updatedRowsCountIsEqualTo(0); + assertThat(userPresto.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).updatedRowsCountIsEqualTo(25); /* memory catalog does not support UPDATE and DELETE - assertThat(trino.executeQuery("UPDATE " + tableName + " SET comment = name")).updatedRowsCountIsEqualTo(25); - assertThat(trino.executeQuery("DELETE FROM " + tableName)).updatedRowsCountIsEqualTo(25); + assertThat(userPresto.executeQuery("UPDATE " + tableName + " SET comment = name")).updatedRowsCountIsEqualTo(25); + assertThat(userPresto.executeQuery("DELETE FROM " 
+ tableName)).updatedRowsCountIsEqualTo(25); */ + + // config 'alice@presto' is mapped to user alice. This user doesn't have any permissions in Ranger, so all queries should fail. + try (QueryExecutor userAlice = connectToTrino("alice@presto")) { + assertThatThrownBy(() -> userAlice.executeQuery("SELECT COUNT(*) FROM " + tableName)).isInstanceOf(QueryExecutionException.class); + assertThatThrownBy(() -> userAlice.executeQuery("TRUNCATE TABLE " + tableName)).isInstanceOf(QueryExecutionException.class); + assertThatThrownBy(() -> userAlice.executeQuery("INSERT INTO " + tableName + " SELECT * FROM tpch.tiny.nation")).isInstanceOf(QueryExecutionException.class); + } } finally { - trino.executeQuery("DROP TABLE " + tableName); + userPresto.executeQuery("DROP TABLE IF EXISTS " + tableName); } } }
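Review bot: The three `assertThatThrownBy` checks for alice accept any `QueryExecutionException`, so they would also pass if the query failed for a reason unrelated to authorization, such as a missing table or a connection or catalog problem. Pinning the denial makes the negative path meaningful, e.g. `.isInstanceOf(QueryExecutionException.class).hasMessageContaining("Access Denied")`, after confirming the exact text the plugin returns. Separately, the positive path now runs as a superuser and the `memory` and `tpch` allow policies are removed in this same commit. As a result, nothing visible here exercises a policy that grants access to a non-superuser, and a case with one explicitly allowed user would cover that.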