First implementation of sync policies #47
services: | ||
postgres: | ||
image: postgres:16 | ||
image: postgres:16.1 |
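Review bot: pinning `image: postgres:16.1` fixes the compose service to one patch release, which addresses the log-volume problem described in the comment, but it also means this compose file will no longer pick up later 16.x security fixes on its own; add a short comment next to the line saying why the pin exists, and if reproducibility rather than log volume is the real goal, pin by digest instead of by tag.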
Something changed in Postgres 16, and now when you start docker compose on Mac it sends too many logs to the console.
internal/pkg/heimdall/heimdall.go
Outdated
|
||
rbacsByName := map[string]rbac.RBAC{} | ||
for rbacName, r := range h.RBACs { | ||
if err := r.Init(context.Background()); err != nil { |
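Review bot: `r.Init(context.Background())` inside the `for rbacName, r := range h.RBACs` loop runs every provider's full policy sync serially with no deadline, so a slow or unreachable Ranger blocks Heimdall startup indefinitely rather than for the "up to 1 min" mentioned in the comment; pass a context with a timeout (`context.WithTimeout`) and decide explicitly whether a failed `Init` should abort startup or just leave that provider out of `rbacsByName` with a logged warning.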
This line adds additional latency (up to 1 min), because RBAC does a full sync before starting Heimdall. Let me know if you have concerns about it.
jobCtx.Query = normalizeTrinoQuery(jobCtx.Query) | ||
|
||
if !canQueryBeExecuted(jobCtx.Query, j.User, c) { | ||
log.Printf("user %s is not allowed to run the query", j.User) |
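Review bot: when `canQueryBeExecuted` returns false the handler only logs `user %s is not allowed to run the query` and carries on, which is the intended shadow mode, but the log line contains neither the normalized `jobCtx.Query` nor the cluster or RBAC provider that made the decision, so it cannot be turned into an audit trail or an alert; log the query (or a hash of it) and the cluster name, and gate the log-only behaviour behind an explicit enforce/shadow setting so that switching to blocking later is a config change rather than a code change.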
RBAC shouldn't block queries for the next few weeks.
Can we return an error here but just leave the rbacs config out of our own cluster config? Wouldn't that produce the same result? @hladush
The goal here is to enable RBAC for Trino in shadow mode: we want to have logs etc., but want to block any flow.
pkg/rbac/ranger/client.go
Outdated
GetPolicies(serviceName string) ([]*Policy, error) | ||
} | ||
|
||
type ClientWrapper struct { |
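Review bot: `GetPolicies(serviceName string) ([]*Policy, error)` takes no `context.Context`, so callers such as the startup sync cannot bound or cancel the HTTP call to Ranger; add `ctx context.Context` as the first parameter. The exported `ClientWrapper` type also has no doc comment stating that it exists only to support YAML unmarshaling of the client configuration.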
We need an interface for mocks, and the wrapper is needed for unmarshaling from YAML.
func (p *Policy) doesControlTableAccess(a *parser.TableAccess) bool { | ||
for _, v := range p.AllResources { | ||
match := v.Catalog.regexp.MatchString(a.Catalog) | ||
if match == v.Catalog.IsExcludes { |
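Review bot: `v.Catalog.regexp.MatchString(a.Catalog)` matches substrings unless the compiled pattern is anchored, so a Ranger resource `prod` would also match a catalog named `prod_archive`; make sure the wildcard-to-regexp translation wraps the pattern in `^...$` before `regexp.Compile`. The `match == v.Catalog.IsExcludes` test is correct but dense: a one-line comment stating the rule (include: skip when there is no match; exclude: skip when there is a match) would save the next reader a trip to the Ranger docs.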
Ranger allows include/exclude for catalog/schema/table. If Ranger excludes a catalog and the regexp matches the catalog, we should skip checking that resource, or the opposite.
return false, nil | ||
} | ||
} | ||
foundAllowPolicy := false |
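Review bot: `return false, nil` in the earlier branch together with `foundAllowPolicy := false` as the starting state gives default-deny, which is the right behaviour for Ranger, and returning a nil error is correct since a denial is a decision rather than a failure; consider surfacing the reason (no policy matched vs. an explicit deny matched) in the result or the shadow-mode log so the two cases can be told apart when policies are being tuned.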
By default everything is disabled in Ranger.
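The include/exclude rule from the `doesControlTableAccess` comment and the default-deny evaluation from this comment, as an added stand-alone example; this is not the PR's code, and `Matcher`, `Policy`, `CanAccess` and the wildcard-to-regexp translation are hypothetical simplifications of Ranger's resource matching, with users and table names constructed for illustration.

```go
package main

import (
	"regexp"
	"strings"
)

// TableAccess stands in for the PR's parser.TableAccess: one qualified table a query touches.
type TableAccess struct{ Catalog, Schema, Table string }

// Matcher is a hypothetical Ranger-style resource matcher: the policy's wildcard pattern compiled to an anchored regexp, plus its isExcludes flag.
type Matcher struct {
	re         *regexp.Regexp
	IsExcludes bool
}

// NewMatcher turns a Ranger wildcard ('*' = any run of characters) into an anchored regexp, so "prod" cannot match "prod_archive" by substring.
func NewMatcher(pattern string, isExcludes bool) Matcher {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return Matcher{re: regexp.MustCompile(re), IsExcludes: isExcludes}
}

// Covers applies the page's `match == IsExcludes` rule: an include matcher covers
// values that match, an exclude matcher covers values that do not.
func (m Matcher) Covers(value string) bool { return m.re.MatchString(value) != m.IsExcludes }

// Policy is a constructed minimal Ranger policy: one matcher per resource level, the users it names, and allow or deny.
type Policy struct {
	Catalog, Schema, Table Matcher
	Users                  map[string]bool
	Allow                  bool
}

// CanAccess is Ranger's default-deny evaluation: a matching deny policy blocks
// outright; otherwise access needs at least one matching allow policy.
func CanAccess(policies []Policy, a TableAccess, user string) bool {
	foundAllowPolicy := false
	for _, p := range policies {
		if !p.Users[user] || !p.Catalog.Covers(a.Catalog) ||
			!p.Schema.Covers(a.Schema) || !p.Table.Covers(a.Table) {
			continue // this policy does not control this table for this user
		}
		if !p.Allow {
			return false // an explicit deny wins over any allow
		}
		foundAllowPolicy = true
	}
	return foundAllowPolicy
}
```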
Pull Request Overview
This PR implements the first version of sync policies for Apache Ranger integration, adding comprehensive RBAC (Role-Based Access Control) functionality to Heimdall. The implementation includes SQL query authorization, policy synchronization, and support for fine-grained access control over database resources.
Key changes:
- Adds Apache Ranger RBAC integration with policy sync capabilities
- Implements SQL parser for Trino with action extraction and access control validation
- Integrates RBAC checks into the Trino command handler for query authorization
Reviewed Changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 11 comments.
File | Description |
---|---|
pkg/sql/parser/sql.go | Adds SQL action types, Access interface with QualifiedName method, and TableAccess implementation |
pkg/sql/parser/factory/factory.go | Creates parser factory for instantiating different SQL parser types |
pkg/rbac/rbac.go | Defines core RBAC interfaces and YAML unmarshaling logic for Apache Ranger configuration |
pkg/rbac/ranger/ranger.go | Implements Apache Ranger RBAC provider with policy synchronization and access checking |
pkg/rbac/ranger/policy.go | Contains policy evaluation logic, resource matching, and permission management |
pkg/rbac/ranger/client.go | HTTP client implementation for communicating with Apache Ranger APIs |
pkg/object/cluster/cluster.go | Extends cluster configuration to support RBAC provider references |
internal/pkg/object/command/trino/trino.go | Integrates RBAC access checks into Trino query execution workflow |
internal/pkg/heimdall/heimdall.go | Adds RBAC initialization and cluster-to-RBAC mapping during startup |
Heimdall should have the ability to introduce RBAC for any service that is used.
This PR adds RBAC infrastructure inside the service and the first use case: Trino + Ranger RBAC for tables only.
RBAC policy checking is covered by unit tests. Integration testing was done on a local machine.