@@ -77,8 +77,8 @@ public abstract class RangerAuthorizationPlugin
77
77
78
78
protected String metalake ;
79
79
protected final String rangerServiceName ;
80
- protected final RangerClientExtension rangerClient ;
81
- protected final RangerHelper rangerHelper ;
80
+ protected RangerClientExtension rangerClient ;
81
+ protected RangerHelper rangerHelper ;
82
82
@ VisibleForTesting public final String rangerAdminName ;
83
83
84
84
protected RangerAuthorizationPlugin (String metalake , Map <String , String > config ) {
@@ -108,6 +108,26 @@ public String getMetalake() {
108
108
return metalake ;
109
109
}
110
110
111
+ @ VisibleForTesting
112
+ public RangerHelper getRangerHelper () {
113
+ return rangerHelper ;
114
+ }
115
+
116
+ @ VisibleForTesting
117
+ public void setRangerHelper (RangerHelper rangerHelper ) {
118
+ this .rangerHelper = rangerHelper ;
119
+ }
120
+
121
+ @ VisibleForTesting
122
+ public RangerClientExtension getRangerClient () {
123
+ return rangerClient ;
124
+ }
125
+
126
+ @ VisibleForTesting
127
+ public void setRangerClient (RangerClientExtension rangerClient ) {
128
+ this .rangerClient = rangerClient ;
129
+ }
130
+
111
131
/**
112
132
* Set the Ranger policy resource defines rule.
113
133
*
@@ -273,8 +293,13 @@ public Boolean onRoleDeleted(Role role) throws AuthorizationPluginException {
273
293
rangerClient .deleteRole (
274
294
rangerHelper .generateGravitinoRoleName (role .name ()), rangerAdminName , rangerServiceName );
275
295
} catch (RangerServiceException e ) {
276
- // Ignore exception to support idempotent operation
277
- LOG .warn ("Ranger delete role: {} failed!" , role , e );
296
+ if (rangerHelper .getRangerRole (role .name ()) == null ) {
297
+ // Ignore exception to support idempotent operation
298
+ LOG .info ("Ranger delete role: {} failed!" , role , e );
299
+ } else {
300
+ throw new AuthorizationPluginException (
301
+ "Fail to delete role %s exception: %s" , role , e .getMessage ());
302
+ }
278
303
}
279
304
return Boolean .TRUE ;
280
305
}
@@ -292,14 +317,13 @@ public Boolean onRoleUpdated(Role role, RoleChange... changes)
292
317
293
318
List <AuthorizationSecurableObject > authzSecurableObjects =
294
319
translatePrivilege (securableObject );
295
- authzSecurableObjects .stream ()
296
- .forEach (
297
- authzSecurableObject -> {
298
- if (!doAddSecurableObject (role .name (), authzSecurableObject )) {
299
- throw new AuthorizationPluginException (
300
- "Failed to add the securable object to the Ranger policy!" );
301
- }
302
- });
320
+ authzSecurableObjects .forEach (
321
+ authzSecurableObject -> {
322
+ if (!doAddSecurableObject (role .name (), authzSecurableObject )) {
323
+ throw new AuthorizationPluginException (
324
+ "Failed to add the securable object to the Ranger policy!" );
325
+ }
326
+ });
303
327
} else if (change instanceof RoleChange .RemoveSecurableObject ) {
304
328
SecurableObject securableObject =
305
329
((RoleChange .RemoveSecurableObject ) change ).getSecurableObject ();
@@ -337,16 +361,14 @@ public Boolean onRoleUpdated(Role role, RoleChange... changes)
337
361
translatePrivilege (oldSecurableObject );
338
362
List <AuthorizationSecurableObject > rangerNewSecurableObjects =
339
363
translatePrivilege (newSecurableObject );
340
- rangerOldSecurableObjects .stream ()
341
- .forEach (
342
- AuthorizationSecurableObject -> {
343
- removeSecurableObject (role .name (), AuthorizationSecurableObject );
344
- });
345
- rangerNewSecurableObjects .stream ()
346
- .forEach (
347
- AuthorizationSecurableObject -> {
348
- doAddSecurableObject (role .name (), AuthorizationSecurableObject );
349
- });
364
+ rangerOldSecurableObjects .forEach (
365
+ AuthorizationSecurableObject -> {
366
+ removeSecurableObject (role .name (), AuthorizationSecurableObject );
367
+ });
368
+ rangerNewSecurableObjects .forEach (
369
+ AuthorizationSecurableObject -> {
370
+ doAddSecurableObject (role .name (), AuthorizationSecurableObject );
371
+ });
350
372
} else {
351
373
throw new IllegalArgumentException (
352
374
"Unsupported role change type: "
@@ -499,23 +521,21 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n
499
521
LOG .warn ("Grant owner role: {} failed!" , ownerRoleName , e );
500
522
}
501
523
502
- rangerSecurableObjects .stream ()
503
- .forEach (
504
- rangerSecurableObject -> {
505
- RangerPolicy policy = findManagedPolicy (rangerSecurableObject );
506
- try {
507
- if (policy == null ) {
508
- policy = addOwnerRoleToNewPolicy (rangerSecurableObject , ownerRoleName );
509
- rangerClient .createPolicy (policy );
510
- } else {
511
- rangerHelper .updatePolicyOwnerRole (policy , ownerRoleName );
512
- rangerClient .updatePolicy (policy .getId (), policy );
513
- }
514
- } catch (RangerServiceException e ) {
515
- throw new AuthorizationPluginException (
516
- e , "Failed to add the owner to the Ranger!" );
517
- }
518
- });
524
+ rangerSecurableObjects .forEach (
525
+ rangerSecurableObject -> {
526
+ RangerPolicy policy = findManagedPolicy (rangerSecurableObject );
527
+ try {
528
+ if (policy == null ) {
529
+ policy = addOwnerRoleToNewPolicy (rangerSecurableObject , ownerRoleName );
530
+ rangerClient .createPolicy (policy );
531
+ } else {
532
+ rangerHelper .updatePolicyOwnerRole (policy , ownerRoleName );
533
+ rangerClient .updatePolicy (policy .getId (), policy );
534
+ }
535
+ } catch (RangerServiceException e ) {
536
+ throw new AuthorizationPluginException (e , "Failed to add the owner to the Ranger!" );
537
+ }
538
+ });
519
539
break ;
520
540
case SCHEMA :
521
541
case TABLE :
@@ -576,8 +596,9 @@ public Boolean onGrantedRolesToUser(List<Role> roles, User user)
576
596
try {
577
597
rangerClient .grantRole (rangerServiceName , grantRevokeRoleRequest );
578
598
} catch (RangerServiceException e ) {
579
- // Ignore exception, support idempotent operation
580
- LOG .warn ("Grant role: {} to user: {} failed!" , role , user , e );
599
+ throw new AuthorizationPluginException (
600
+ "Fail to grant role %s to user %s, exception: %s" ,
601
+ role .name (), user .name (), e .getMessage ());
581
602
}
582
603
});
583
604
@@ -611,8 +632,9 @@ public Boolean onRevokedRolesFromUser(List<Role> roles, User user)
611
632
try {
612
633
rangerClient .revokeRole (rangerServiceName , grantRevokeRoleRequest );
613
634
} catch (RangerServiceException e ) {
614
- // Ignore exception to support idempotent operation
615
- LOG .warn ("Revoke role: {} from user: {} failed!" , role , user , e );
635
+ throw new AuthorizationPluginException (
636
+ "Fail to revoke role %s from user %s, exception: %s" ,
637
+ role .name (), user .name (), e .getMessage ());
616
638
}
617
639
});
618
640
@@ -646,8 +668,9 @@ public Boolean onGrantedRolesToGroup(List<Role> roles, Group group)
646
668
try {
647
669
rangerClient .grantRole (rangerServiceName , grantRevokeRoleRequest );
648
670
} catch (RangerServiceException e ) {
649
- // Ignore exception to support idempotent operation
650
- LOG .warn ("Grant role: {} to group: {} failed!" , role , group , e );
671
+ throw new AuthorizationPluginException (
672
+ "Fail to grant role: %s to group %s, exception: %s." ,
673
+ role , group , e .getMessage ());
651
674
}
652
675
});
653
676
return Boolean .TRUE ;
@@ -678,8 +701,9 @@ public Boolean onRevokedRolesFromGroup(List<Role> roles, Group group)
678
701
try {
679
702
rangerClient .revokeRole (rangerServiceName , grantRevokeRoleRequest );
680
703
} catch (RangerServiceException e ) {
681
- // Ignore exception to support idempotent operation
682
- LOG .warn ("Revoke role: {} from group: {} failed!" , role , group , e );
704
+ throw new AuthorizationPluginException (
705
+ "Fail to revoke role %s from group %s, exception: %s" ,
706
+ role .name (), group .name (), e .getMessage ());
683
707
}
684
708
});
685
709
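Review bot: The new `throw` in `onRevokedRolesFromGroup` drops the `RangerServiceException` as a cause and keeps only `e.getMessage()`, so the stack trace and any Ranger-side detail needed to investigate a revoke that left access in place no longer reach the caller or the logs (the removed branch at least passed `e` to `LOG.warn`). A cause-preserving constructor is already used in `onOwnerSet` in this same file (`new AuthorizationPluginException(e, "Failed to add the owner to the Ranger!")`), so this can become `throw new AuthorizationPluginException(e, "Fail to revoke role %s from group %s", role.name(), group.name());` — assuming that overload also accepts format arguments; otherwise pre-format the message before passing it. The same applies to the three sibling grant/revoke hunks above, and `onGrantedRolesToGroup` additionally formats the `role` and `group` objects rather than their names, unlike the other three. Failing closed on a revoke is the right direction, since the old code returned TRUE after swallowing the failure and Gravitino could believe access was removed while Ranger still granted it; the enclosing method starts before and continues past this hunk.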