From d90b6087ed528d70517e8195fca84ccc7ba5b598 Mon Sep 17 00:00:00 2001 From: Calvin Kirs Date: Thu, 7 Nov 2024 14:36:54 +0800 Subject: [PATCH] [feat](catalog)Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Support Pre-Execution Authentication for HMS Type Iceberg Catalog Operations Summary This PR introduces a new utility class, PreExecutionAuthenticator, which is designed to ensure pre-execution authentication for HMS (Hive Metastore) type operations on Iceberg catalogs. This is especially useful in environments where secure access is required, such as Kerberos-based Hadoop ecosystems. By integrating PreExecutionAuthenticator, each relevant operation will undergo an authentication step prior to execution, maintaining security compliance. Motivation In environments utilizing an Iceberg catalog with an HMS backend, many operations may require authentication to access secure data or perform privileged tasks. Given that operations on HMS-type catalogs typically run within a Hadoop environment secured by Kerberos, ensuring each operation is executed within an authenticated context is essential. Previously, there was no standardized mechanism to enforce pre-execution authentication, which led to potential security gaps. This PR aims to address this issue by introducing an extensible authentication utility. Key Changes Addition of PreExecutionAuthenticator Utility Class Provides a standard way to perform pre-execution authentication for tasks. Leverages HadoopAuthenticator (when available) to execute tasks within a privileged context using doAs. Supports execution with or without authentication, enabling flexibility for both secure and non-secure environments. Integration with Iceberg Catalog Operations All relevant HMS-type catalog operations will now use PreExecutionAuthenticator to perform pre-execution authentication. Ensures that operations like createDb, dropDb, and other privileged tasks are executed only after authentication. Extensible Design PreExecutionAuthenticator is adaptable to other future authentication methods, if needed, beyond Hadoop and Kerberos. CallableToPrivilegedExceptionActionAdapter class allows any Callable task to be executed within a PrivilegedExceptionAction, making it versatile for various task types. --- .../authentication/PreExecutionAuthenticator.java | 4 ++++ .../doris/datasource/iceberg/IcebergMetadataOps.java | 10 ++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java b/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java index 6260833b7db558..cfdb90ec45d941 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/security/authentication/PreExecutionAuthenticator.java @@ -37,6 +37,10 @@ public class PreExecutionAuthenticator { * Default constructor for PreExecutionAuthenticator. * This allows setting the HadoopAuthenticator at a later point if needed. */ + public PreExecutionAuthenticator(HadoopAuthenticator authenticator) { + this.hadoopAuthenticator = authenticator; + } + public PreExecutionAuthenticator() { } diff --git a/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java b/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java index c1fbaee7fee7f8..295f6e2ab582b2 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java +++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/iceberg/IcebergMetadataOps.java @@ -28,7 +28,6 @@ import org.apache.doris.common.ErrorCode; import org.apache.doris.common.ErrorReport; import org.apache.doris.common.UserException; -import org.apache.doris.common.security.authentication.PreExecutionAuthenticator; import org.apache.doris.datasource.DorisTypeVisitor; import org.apache.doris.datasource.ExternalCatalog; import org.apache.doris.datasource.ExternalDatabase; @@ -115,8 +114,7 @@ public void createDb(CreateDbStmt stmt) throws DdlException { }); } catch (Exception e) { - throw new DdlException("Failed to create database: " - + stmt.getFullDbName() + " ,error message is: " + e.getMessage()); + throw new DdlException("Failed to create database: " + stmt.getFullDbName(), e); } } @@ -149,7 +147,7 @@ public void dropDb(DropDbStmt stmt) throws DdlException { return null; }); } catch (Exception e) { - throw new DdlException("Failed to drop database: " + stmt.getDbName() + " ,error message is: ", e); + throw new DdlException("Failed to drop database: " + stmt.getDbName(), e); } } @@ -173,7 +171,7 @@ public boolean createTable(CreateTableStmt stmt) throws UserException { try { preExecutionAuthenticator.execute(() -> performCreateTable(stmt)); } catch (Exception e) { - throw new DdlException("Failed to create table: " + stmt.getTableName() + " ,error message is:", e); + throw new DdlException("Failed to create table: " + stmt.getTableName(), e); } return false; } @@ -217,7 +215,7 @@ public void dropTable(DropTableStmt stmt) throws DdlException { return null; }); } catch (Exception e) { - throw new DdlException("Failed to drop table: " + stmt.getTableName() + " ,error message is:", e); + throw new DdlException("Failed to drop table: " + stmt.getTableName(), e); } }