[Feature] Support Apache Ranger as StarRocks RBAC Authorizer (StarRoc…

…ks#29154)

Support Apache Ranger as StarRocks RBAC Authorizer

Signed-off-by: HangyuanLiu <[email protected]>

fe/fe-core/pom.xml

@@ -808,6 +808,13 @@ under the License.
             <scope>test</scope>
         </dependency>
 
+        <!-- https://mvnrepository.com/artifact/org.apache.ranger/ranger-plugins-common -->
+        <dependency>
+            <groupId>org.apache.ranger</groupId>
+            <artifactId>ranger-plugins-common</artifactId>
+            <version>2.4.0</version>
+        </dependency>
+
     </dependencies>
 
     <build>

fe/fe-core/src/main/java/com/starrocks/common/Config.java

@@ -2468,4 +2468,7 @@ public class Config extends ConfigBase {
      */
     @ConfField(mutable = true)
     public static int primary_key_disk_schedule_time = 3600; // 1h
+
+    @ConfField(mutable = true)
+    public static String access_control = "native";
 }

fe/fe-core/src/main/java/com/starrocks/privilege/AccessControl.java

@@ -14,9 +14,12 @@
 
 package com.starrocks.privilege;
 
+import com.starrocks.analysis.Expr;
 import com.starrocks.analysis.TableName;
 import com.starrocks.catalog.Database;
 import com.starrocks.catalog.Function;
+import com.starrocks.catalog.Type;
+import com.starrocks.qe.ConnectContext;
 import com.starrocks.sql.ast.UserIdentity;
 
 import java.util.Set;
@@ -130,4 +133,12 @@ default void checkStorageVolumeAction(UserIdentity currentUser, Set<Long> roleId
     default void checkAnyActionOnStorageVolume(UserIdentity currentUser, Set<Long> roleIds, String storageVolume) {
         AccessDeniedException.reportAccessDenied("ANY", ObjectType.STORAGE_VOLUME, storageVolume);
     }
+
+    default Expr getColumnMaskingPolicy(ConnectContext currentUser, TableName tableName, String columnName, Type type) {
+        return null;
+    }
+
+    default Expr getRowAccessPolicy(ConnectContext currentUser, TableName tableName) {
+        return null;
+    }
 }

fe/fe-core/src/main/java/com/starrocks/privilege/AccessControlProvider.java

@@ -14,22 +14,45 @@
 
 package com.starrocks.privilege;
 
+import com.starrocks.catalog.InternalCatalog;
 import com.starrocks.sql.analyzer.AuthorizerStmtVisitor;
 
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
 public class AccessControlProvider {
     protected final AuthorizerStmtVisitor privilegeCheckerVisitor;
-    protected final AccessControl accessControl;
+    public final Map<String, AccessControl> catalogToAccessControl;
 
     public AccessControlProvider(AuthorizerStmtVisitor privilegeCheckerVisitor, AccessControl accessControl) {
         this.privilegeCheckerVisitor = privilegeCheckerVisitor;
-        this.accessControl = accessControl;
+
+        this.catalogToAccessControl = new ConcurrentHashMap<>();
+        this.catalogToAccessControl.put(InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME, accessControl);
     }
 
     public AuthorizerStmtVisitor getPrivilegeCheckerVisitor() {
         return privilegeCheckerVisitor;
     }
 
     public AccessControl getAccessControlOrDefault(String catalogName) {
-        return this.accessControl;
+        if (catalogName == null) {
+            return catalogToAccessControl.get(InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME);
+        }
+
+        AccessControl catalogAccessController = catalogToAccessControl.get(catalogName);
+        if (catalogAccessController != null) {
+            return catalogAccessController;
+        } else {
+            return catalogToAccessControl.get(InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME);
+        }
+    }
+
+    public void setAccessControl(String catalog, AccessControl accessControl) {
+        catalogToAccessControl.put(catalog, accessControl);
+    }
+
+    public void removeAccessControl(String catalog) {
+        catalogToAccessControl.remove(catalog);
     }
 }

fe/fe-core/src/main/java/com/starrocks/privilege/PrivilegeType.java

@@ -43,6 +43,9 @@ public String name() {
         }
     }
 
+    // ANY is not in VALID_PRIVILEGE_TYPE, ANY is not a Privilege Type that users can use directly
+    public static final PrivilegeType ANY = new PrivilegeType(0, "ANY");
+
     public static final PrivilegeType GRANT = new PrivilegeType(1, "GRANT");
     public static final PrivilegeType NODE = new PrivilegeType(2, "NODE");
     public static final PrivilegeType OPERATE = new PrivilegeType(3, "OPERATE");

fe/fe-core/src/main/java/com/starrocks/privilege/ranger/RangerStarRocksAccessRequest.java

@@ -0,0 +1,58 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.privilege.ranger;
+
+import com.starrocks.catalog.MaterializedView;
+import com.starrocks.sql.ast.UserIdentity;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
+import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
+
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
+
+public class RangerStarRocksAccessRequest extends RangerAccessRequestImpl {
+    private static final Logger LOG = LogManager.getLogger(MaterializedView.class);
+
+    private RangerStarRocksAccessRequest() {
+    }
+
+    public static RangerStarRocksAccessRequest createAccessRequest(RangerAccessResourceImpl resource, UserIdentity user,
+                                                                   String accessType) {
+        UserGroupInformation ugi = UserGroupInformation.createRemoteUser(user.getQualifiedUser());
+        String[] groups = ugi.getGroupNames();
+        Set<String> userGroups = null;
+        if (groups != null && groups.length > 0) {
+            userGroups = new HashSet<>(Arrays.asList(groups));
+        }
+        RangerStarRocksAccessRequest request = new RangerStarRocksAccessRequest();
+        request.setUser(user.getQualifiedUser());
+        request.setUserGroups(userGroups);
+        request.setAccessType(accessType);
+        request.setResource(resource);
+        request.setClientIPAddress(user.getHost());
+        request.setClientType("starrocks");
+        request.setClusterName("starrocks");
+        request.setAccessTime(new Date());
+
+        LOG.debug("RangerStarRocksAccessRequest | " + request.toString());
+
+        return request;
+    }
+}

fe/fe-core/src/main/java/com/starrocks/privilege/ranger/SecurityPolicyRewriteRule.java

@@ -0,0 +1,94 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.privilege.ranger;
+
+import com.starrocks.analysis.Expr;
+import com.starrocks.analysis.SlotRef;
+import com.starrocks.analysis.TableName;
+import com.starrocks.catalog.Column;
+import com.starrocks.catalog.InternalCatalog;
+import com.starrocks.common.Config;
+import com.starrocks.qe.ConnectContext;
+import com.starrocks.sql.analyzer.Authorizer;
+import com.starrocks.sql.ast.QueryStatement;
+import com.starrocks.sql.ast.Relation;
+import com.starrocks.sql.ast.SelectList;
+import com.starrocks.sql.ast.SelectListItem;
+import com.starrocks.sql.ast.SelectRelation;
+import com.starrocks.sql.ast.TableRelation;
+import com.starrocks.sql.ast.ViewRelation;
+import com.starrocks.sql.parser.NodePosition;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+public class SecurityPolicyRewriteRule {
+    public static QueryStatement buildView(ConnectContext context, Relation relation, TableName tableName) {
+        if (!Config.access_control.equals("ranger") &&
+                (tableName.getCatalog() == null
+                        || tableName.getCatalog().equals(InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME))) {
+            return null;
+        }
+
+        if (relation instanceof TableRelation && ((TableRelation) relation).isSyncMVQuery()) {
+            return null;
+        }
+
+        List<Column> columns;
+        if (relation instanceof ViewRelation) {
+            ViewRelation viewRelation = (ViewRelation) relation;
+            columns = viewRelation.getView().getBaseSchema();
+        } else if (relation instanceof TableRelation) {
+            TableRelation tableRelation = (TableRelation) relation;
+            columns = tableRelation.getTable().getBaseSchema();
+        } else {
+            return null;
+        }
+
+        boolean hasPolicy = false;
+        List<SelectListItem> selectListItemList = new ArrayList<>();
+        for (Column column : columns) {
+            Expr maskingExpr = Authorizer.getColumnMaskingPolicy(
+                    context, tableName, column.getName(), column.getType());
+
+            if (maskingExpr != null) {
+                hasPolicy = true;
+                selectListItemList.add(new SelectListItem(maskingExpr, column.getName(), NodePosition.ZERO));
+            } else {
+                selectListItemList.add(new SelectListItem(new SlotRef(tableName, column.getName()), column.getName(),
+                        NodePosition.ZERO));
+            }
+        }
+
+        Expr rowAccessExpr = Authorizer.getRowAccessPolicy(context, tableName);
+        if (rowAccessExpr != null) {
+            hasPolicy = true;
+        }
+
+        if (!hasPolicy) {
+            return null;
+        }
+
+        SelectRelation selectRelation = new SelectRelation(
+                new SelectList(selectListItemList, false),
+                relation,
+                rowAccessExpr,
+                null,
+                null);
+        selectRelation.setOrderBy(Collections.emptyList());
+        return new QueryStatement(selectRelation);
+    }
+}

fe/fe-core/src/main/java/com/starrocks/privilege/ranger/hive/HiveAccessType.java

@@ -0,0 +1,19 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.privilege.ranger.hive;
+
+public enum HiveAccessType {
+    NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, READ, WRITE, ALL, SERVICEADMIN, TEMPUDFADMIN;
+}