[core] Introduce privilege system for catalog based on FileSystem #2789
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Please finish documentation in this PR. |
JingsongLi
reviewed
Jan 26, 2024
| import java.util.List; | ||
|
|
||
| /** {@link FileStore} with privilege checks. */ | ||
| public class PrivilegedFileStore<T> implements FileStore<T> { |
There was a problem hiding this comment.
We should not wrap FileStore, all things should be finished in Table interface.
| @@ -54,32 +61,43 @@ | |||
| import static org.apache.paimon.utils.Preconditions.checkArgument; | |||
|
|
|||
| /** Common implementation of {@link Catalog}. */ | |||
| public abstract class AbstractCatalog implements Catalog { | |||
| public abstract class AbstractCatalog implements Catalog, PrivilegedCatalog { | |||
There was a problem hiding this comment.
Maybe we should wrap a catalog just like PrevilegedFileStoreTable.
There was a problem hiding this comment.
Some catalogs may not use FileSystem based Previlege system.
For example, RestCatalog will register users in server not filesystem.
JingsongLi
reviewed
Jan 26, 2024
JingsongLi
changed the title
|
hi, @tsreaper , will there be plan to integrate with apache ranger in the future? like this: https://doris.apache.org/docs/dev/admin-manual/privilege-ldap/ranger/ |
tsreaper
force-pushed
the
priv2
branch
3 times, most recently
from
fcd60bc to
85ee0ec
Compare
JingsongLi
reviewed
Apr 23, 2024
| ## Enable Privileges | ||
|
|
||
| Paimon currently only supports file-based privilege system. | ||
| Only catalogs with `'metastore' = 'filesystem'` (the default value) support such privilege system. |
There was a problem hiding this comment.
Can we support filesystem privilege for hive catalog too?
sunxiaojian
pushed a commit
to sunxiaojian/paimon
that referenced
this pull request
May 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
This PR introduces an identity-based privilege system for catalogs. Catalogs can now be updated into a privileged catalogs, where privileged users can be created and granted privileges to tables, databases or the whole catalog.
Tests
PrivilegeManagerTestPrivilegeProcedureITCaseAPI and Format
Yes. This PR introduces two new system tables: user and privilege.
User table is the table which stores all user information. The schema of user table is:
Privilege table is the table storing what privileges each user have. Its schema is:
PrivilegeTypeDocumentation
Yes. Document is also added.