Presto access control

2022-07-11  后知不觉1

1、Presto plugins

Because a custom authorization module is itself a plugin, the plugin mechanism is introduced first.

1.1、Adding the Presto plugin dependency

Presto exposes every plugin through a single interface class using the SPI mechanism, which gives all plugins one uniform entry point.

    <dependency>
        <groupId>com.facebook.presto</groupId>
        <artifactId>presto-spi</artifactId>
        <version>0.245</version>
        <scope>provided</scope>
    </dependency>

1.2、SPI configuration file

Create the META-INF/services directory and a file in it:
File name: com.facebook.presto.spi.Plugin
Content: the fully qualified class name of the custom plugin implementation
Example: com.presto.plugin.PrivilegePlugin


2、Writing the access-control plugin

2.1、Entry class

The SPI defines the entry class of an access-control plugin: it must implement getSystemAccessControlFactories. Taking com.presto.plugin.PrivilegePlugin as an example:

  import com.facebook.presto.spi.Plugin;
  import com.facebook.presto.spi.security.SystemAccessControlFactory;
  import com.google.common.collect.ImmutableList;

  public class PrivilegePlugin implements Plugin
  {
      // Presto discovers the access-control factories through this method.
      @Override
      public Iterable<SystemAccessControlFactory> getSystemAccessControlFactories()
      {
          return ImmutableList.<SystemAccessControlFactory>builder()
                  .add(new ReadOnlyRangerSystemAccessControl.Factory())
                  .build();
      }
  }

2.2、SystemAccessControlFactory implementation

  public interface SystemAccessControlFactory {
      // Returns the custom name used in the configuration file to select this
      // authorization implementation; the name must be unique.
      String getName();

      // Must return an instance of the SystemAccessControl implementation.
      SystemAccessControl create(Map<String, String> config);
  }

2.3、Implementing SystemAccessControl

Override the following methods in the implementation class. A method that returns without throwing means the caller has permission; any denial is signalled by throwing. The authorization decision itself can be delegated to a RESTful service or to a Ranger service.

  public interface SystemAccessControl {
   void checkCanSetUser(AccessControlContext context, Optional<Principal> principal, String userName);

   void checkQueryIntegrity(Identity identity, AccessControlContext context, String query);

   void checkCanSetSystemSessionProperty(Identity identity, AccessControlContext context, String propertyName);

   default void checkCanAccessCatalog(Identity identity, AccessControlContext context, String catalogName) {
       AccessDeniedException.denyCatalogAccess(catalogName);
   }

   default Set<String> filterCatalogs(Identity identity, AccessControlContext context, Set<String> catalogs) {
       return Collections.emptySet();
   }

   default void checkCanCreateSchema(Identity identity, AccessControlContext context, CatalogSchemaName schema) {
       AccessDeniedException.denyCreateSchema(schema.toString());
   }

   default void checkCanDropSchema(Identity identity, AccessControlContext context, CatalogSchemaName schema) {
       AccessDeniedException.denyDropSchema(schema.toString());
   }

   default void checkCanRenameSchema(Identity identity, AccessControlContext context, CatalogSchemaName schema, String newSchemaName) {
       AccessDeniedException.denyRenameSchema(schema.toString(), newSchemaName);
   }

   default void checkCanShowSchemas(Identity identity, AccessControlContext context, String catalogName) {
       AccessDeniedException.denyShowSchemas();
   }

   default Set<String> filterSchemas(Identity identity, AccessControlContext context, String catalogName, Set<String> schemaNames) {
       return Collections.emptySet();
   }

   default void checkCanCreateTable(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyCreateTable(table.toString());
   }

   default void checkCanDropTable(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyDropTable(table.toString());
   }

   default void checkCanRenameTable(Identity identity, AccessControlContext context, CatalogSchemaTableName table, CatalogSchemaTableName newTable) {
       AccessDeniedException.denyRenameTable(table.toString(), newTable.toString());
   }

   default void checkCanShowTablesMetadata(Identity identity, AccessControlContext context, CatalogSchemaName schema) {
       AccessDeniedException.denyShowTablesMetadata(schema.toString());
   }

   default Set<SchemaTableName> filterTables(Identity identity, AccessControlContext context, String catalogName, Set<SchemaTableName> tableNames) {
       return Collections.emptySet();
   }

   default void checkCanAddColumn(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyAddColumn(table.toString());
   }

   default void checkCanDropColumn(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyDropColumn(table.toString());
   }

   default void checkCanRenameColumn(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyRenameColumn(table.toString());
   }

   default void checkCanSelectFromColumns(Identity identity, AccessControlContext context, CatalogSchemaTableName table, Set<String> columns) {
       AccessDeniedException.denySelectColumns(table.toString(), columns);
   }

   default void checkCanInsertIntoTable(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyInsertTable(table.toString());
   }

   default void checkCanDeleteFromTable(Identity identity, AccessControlContext context, CatalogSchemaTableName table) {
       AccessDeniedException.denyDeleteTable(table.toString());
   }

   default void checkCanCreateView(Identity identity, AccessControlContext context, CatalogSchemaTableName view) {
       AccessDeniedException.denyCreateView(view.toString());
   }

   default void checkCanDropView(Identity identity, AccessControlContext context, CatalogSchemaTableName view) {
       AccessDeniedException.denyDropView(view.toString());
   }

   default void checkCanCreateViewWithSelectFromColumns(Identity identity, AccessControlContext context, CatalogSchemaTableName table, Set<String> columns) {
       AccessDeniedException.denyCreateViewWithSelect(table.toString(), identity);
   }

   default void checkCanSetCatalogSessionProperty(Identity identity, AccessControlContext context, String catalogName, String propertyName) {
       AccessDeniedException.denySetCatalogSessionProperty(propertyName);
   }

   default void checkCanGrantTablePrivilege(Identity identity, AccessControlContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal grantee, boolean withGrantOption) {
       AccessDeniedException.denyGrantTablePrivilege(privilege.toString(), table.toString());
   }

   default void checkCanRevokeTablePrivilege(Identity identity, AccessControlContext context, Privilege privilege, CatalogSchemaTableName table, PrestoPrincipal revokee, boolean grantOptionFor) {
       AccessDeniedException.denyRevokeTablePrivilege(privilege.toString(), table.toString());
   }
  }

3、Installation

3.1、Configuration file

Create access-control.properties in the $PRESTO_HOME/etc/ directory.
Content: access-control.name=tianzehao

Note: this name is the value returned by the SystemAccessControlFactory implementation's getName(); it is user-defined.

3.2、Package and upload the plugin

The default plugin location is $PRESTO_HOME/plugins; it can be customized with catalog.config-dir. Then restart Presto.
