[feat](catalog)Support Pre-Execution Authentication for HMS Type Iceb…

…erg Catalog Operations Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types.
CalvinKirs · Nov 8, 2024 · d90b608 · d90b608
1 parent 6f41a90
commit d90b608
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 6 deletions.
diff --git a/.../main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java b/.../main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java
@@ -37,6 +37,10 @@ public class PreExecutionAuthenticator {
      * Default constructor for PreExecutionAuthenticator.
      * This allows setting the HadoopAuthenticator at a later point if needed.
      */
+    public PreExecutionAuthenticator(HadoopAuthenticator authenticator) {
+        this.hadoopAuthenticator = authenticator;
+    }
+
     public PreExecutionAuthenticator() {
     }
 

diff --git a/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java b/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java
@@ -28,7 +28,6 @@
 import org.apache.doris.common.ErrorCode;
 import org.apache.doris.common.ErrorReport;
 import org.apache.doris.common.UserException;
-import org.apache.doris.common.security.authentication.PreExecutionAuthenticator;
 import org.apache.doris.datasource.DorisTypeVisitor;
 import org.apache.doris.datasource.ExternalCatalog;
 import org.apache.doris.datasource.ExternalDatabase;
@@ -115,8 +114,7 @@ public void createDb(CreateDbStmt stmt) throws DdlException {
 
             });
         } catch (Exception e) {
-            throw new DdlException("Failed to create database: "
-                    + stmt.getFullDbName() + " ,error message is: " + e.getMessage());
+            throw new DdlException("Failed to create database: " + stmt.getFullDbName(), e);
         }
     }
 
@@ -149,7 +147,7 @@ public void dropDb(DropDbStmt stmt) throws DdlException {
                 return null;
             });
         } catch (Exception e) {
-            throw new DdlException("Failed to drop database: " + stmt.getDbName() + " ,error message is: ", e);
+            throw new DdlException("Failed to drop database: " + stmt.getDbName(), e);
         }
     }
 
@@ -173,7 +171,7 @@ public boolean createTable(CreateTableStmt stmt) throws UserException {
         try {
             preExecutionAuthenticator.execute(() -> performCreateTable(stmt));
         } catch (Exception e) {
-            throw new DdlException("Failed to create table: " + stmt.getTableName() + " ,error message is:", e);
+            throw new DdlException("Failed to create table: " + stmt.getTableName(), e);
         }
         return false;
     }
@@ -217,7 +215,7 @@ public void dropTable(DropTableStmt stmt) throws DdlException {
                 return null;
             });
         } catch (Exception e) {
-            throw new DdlException("Failed to drop table: " + stmt.getTableName() + " ,error message is:", e);
+            throw new DdlException("Failed to drop table: " + stmt.getTableName(), e);
         }
     }