Apache Ranger plugin

[dprophet]

Description

Trino native plugin for Apache Ranger. Its a refactoring and rewrite of the Presto It allows full access controls to be applied to catalogs, schemas, tables, columns, and rows.

Strong data access control technologies are one of the required Trino features to make it Enterprise ready.

Is this change a fix, improvement, new feature, refactoring, or other?
New "Trino" feature. There was originally a PrestoSQL based plugin in Apache Ranger but it got orphaned long ago. This brings back these critical enterprise features into open source Trino.

Trino is a rapidly moving open source project. Apache Ranger moves very slow. Its impossible to maintain a Trino plugin outside of Trino itself. The Trino SystemAccessControl spi interfaces change constantly thus breaking any externally maintained plugin.

Is this a change to the core query engine, a connector, client library, or the SPI interfaces? (be specific)
Its a plugin that implements io.trino.spi.security.SystemAccessControl. It allows you to write an SQL access control policy in the Apache Ranger UI yet manage the policies by ActiveDirectory/LDAP systems found in typical corporations.

How would you describe this change to a non-technical end user or system administrator?

If you run Trino, as a Data Mesh, ie datalakes connected to datalakes, the first problem you will run into is not all users should be entitled to the entire content of the Data Mesh. This new feature allows you to secure the contents across a vast ocean Data Mesh. If you look at the Data Mesh as a tree, Ranger allows you to protect anything from the roots to the leaves and everything in between.

Related issues, pull requests, and links

• Apache Ranger

Documentation

(X) Sufficient documentation is included in this PR.

You will find documentation under plugin/trino-ranger. This will be moved to the standard documentation section later.

Release notes

(X) No release notes entries required.
( ) Release notes entries required with the following suggested text:

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Erik Anderson.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email email@example.com
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[kokosing]

Skimmed the code. Initial set of comments.

I think we should have product tests that would prove that KRB authentication is working.

[kokosing]

It is not a connector but system access control

[bitsondatadev]

I agree, this should likely live under /docs/src/main/sphinx/security in a file called ranger-access-control.rst.

[kokosing]

How do we verify that?

[bitsondatadev]

@dprophet we should add some tests for this. @kokosing recommends something like TestSqlStandardAccessControlChecks and we need some environemnt with additional services, so we could follow EnvMultinodeKafka.

[kokosing]

How these files are used?

[bitsondatadev]

@dprophet ^^ I assume these files are default confs? If so, we should likely make a tutorial on these. I can also help with this. cc: @mosabua

[dprophet]

These files are pure example files. I didnt know what/where to put them.

[bitsondatadev]

Yeah, perhaps we could add these for use with a test and later consider making a tutorial with them.

[kokosing]

Are you sure that things are still working after exclusions? It looks risky. I think we we should shade libraries instead otherwise we may get runtime errors that class is not present.

[bitsondatadev]

@dprophet ^^ This is also something that we will validate with product tests.

[dprophet]

Yes. This works after exclusions. If you do a mvn dependency:tree you will see a deep tree where same dependencies (with different) versions exists.

bitsondatadev is correct. This can be ironed out with automated product tests.

[kokosing]

Can you please remove these excludes and fix them instead?

[bitsondatadev]

@dprophet ^^

[kokosing]

What is this for? Should you use Plugin thread safe entities, like io.trino.plugin.base.classloader.ClassLoaderSafeConnectorAccessControl?

[bitsondatadev]

@dprophet

[dprophet]

This is for Ranger plugins, not Trino plugins. All ranger plugins use this same setup. I kept it there because I will allow switching access control systems based on catalogs. In some cases I need a simple REGEX matching based on LDAP/AD not configured in Ranger.

[mosiac1]

I'm not an expert on Ranger, but I've worked on connecting another service to Ranger in this style (having the implementation be part of the service code rather than part of Ranger). So this is my understanding of Ranger class loading and other intricacies:

Ranger has its own class loader which is related to the way it handles injecting code into Trino (or other services). To clarify, am I talking about the cases when a plugin is built in Ranger and then added to the classpath of another service - the way it's done in this PR is different.

In short, Ranger provides a shim class with no logic in it that implements TrinoAuthorizer and calls out to another implementation class. The implementation class should be only loaded by RangerClassLoader so it can bring in its own dependencies. There is a disconnect between service-specific work (in this case, reading configuration for example) and authorization work.

All that activatePluginClassLoader does is:

   public void activate() {
        preActivateClassLoader.set(Thread.currentThread().getContextClassLoader());

        Thread.currentThread().setContextClassLoader(this);
    }

In this case, it might work to remove RangerClassLoader completely and unite the current shim/implementation architecture since Trino has its own system for handling plugin dependencies.

[kokosing]

use io.trino.plugin.base.util.LoggingInvocationHandler instead of this logging.

[bitsondatadev]

@dprophet

[dprophet]

Do you have an example of the LoggingInvocationHandler? There is no usage nor examples in Trino code base. The standard in all the code is io.airlift.log.Logger.

[kokosing]

why current user? That means if you have recursive masks or filters then you may end up that you see filtered or masked data in subsequent expression.

[bitsondatadev]

@dprophet

[dprophet]

In the FileBasedSystemAccessControl.java getRowFilters

They also context.getIdentity().getUser() in the same way I do recall.

DISCLAIMER (off topic): Nesting/recursive row level filters is not a good idea for performance reasons

[kokosing]

How do you tests this?

[bitsondatadev]

@dprophet

[dprophet]

I have significant changes not pushed for this PR around this permissioning. I am happy to push but @bitsondatadev recommended I push on the next round. That said, there is a lot I havent pushed but are very necessary to this functionality

---

In the non-pushed changes:

In Ranger there is a checkbox, impersonate. If that checked, TrinoAccessType.IMPERSONATE is set, you can login to the Trino UI, click on a running query, and kill another users query. Also if you are a superuser you can impersonate any user and kill the running queries.

[kokosing]

rename to TestRangerSystemAccessControl

It looks like most of the access control methods are not covered.

[bitsondatadev]

@dprophet

[dprophet]

It looks like most of the access control methods are not covered.
I know.

[bitsondatadev]

Hey @dprophet, I made a few suggestions around the documentation and highlighted a few comments that @kokosing made that need to be addressed before we loop him back in.

I am happy to work on the devex side of this PR while you address the build and testing issues.

[bitsondatadev]

Suggested change

	Apache Ranger is a framework to enable comprehensive data security across many platforms. Trino is one of these platforms.
	Apache Ranger is a framework to enable comprehensive data security across many platforms, including Trino.

[bitsondatadev]

Suggested change

	This plugin is designed to be build and run inside Trino.
	It works with vanilla Apache Ranger, version 2.2.1 and up. You dont need to customize Ranger at all.
	Here are the setup steps.
	Apache Ranger is a framework to enable comprehensive data security across many platforms, including Trino. Rather than maintain the plugin with the Apache Ranger project, this plugin is designed to be built and run inside Trino.
	It works with vanilla Apache Ranger, version 2.2.1 and up. You don't need to customize Ranger at all.

[cbaenziger]

Apache Ranger is trademarked by the ASF, so saying vanilla Apache Ranger seems a bit redundant?

[dprophet]

@cbaenziger vanilla Ranger means ZERO changes in Ranger. Works out of the box. Happy to change the wording.

[bitsondatadev]

I would like to break this up a bit and avoid the "quick and dirty" terminology. Quick may indicate that it should be simple and make someone feel dumb if they get stuck. Dirty may indicate that it's not ready for production.

Happy to help you break this up. We'll also likely want to make some video enablement around this. That will give me a chance to actually run through and validate these steps and any potential hiccups users might encounter.

[dprophet]

We'll also likely want to make some video enablement around this.

Ya, I was thinking the same thing. IMO, ASF Ranger community has some poor job of documentation. Worse I have seen.

[bitsondatadev]

We should likely have a separate section for LDAP that we reference here. That would make this section shorter and also leave it up to the reader if they want to just play around they can do as they please. I think the recommendation is sound but not everyone is ready to immediately jump into an LDAP setup.

[dprophet]

We should likely have a separate section for LDAP

Agreed. This should be 2 separate setups. LDAP or stand-alone.

[bitsondatadev]

We should document the full ranger setup somewhere in Trino land though and point to it.

[dprophet]

Where?

[bitsondatadev]

@dprophet

[bitsondatadev]

@dprophet

[bitsondatadev]

@dprophet

[bitsondatadev]

I agree, this should likely live under /docs/src/main/sphinx/security in a file called ranger-access-control.rst.

[bitsondatadev]

This would move here.

cc: @mosabua

[bitsondatadev]

We should use the latest Ranger logo. We all love the elephant but anything I see with it now I associate with "outdated and slow".

[osscm]

Hey @dprophet
Wondering, is there any update or decision on this PR (adding Ranger plugin to the Trino itself)

I see now its available at Apache Ranger as well (https://github.com/apache/ranger/tree/master/plugin-trino)

[mosabua]

In my opinion it would still be great to get a plugin into the Trino codebase. This would ensure that it works against the SPI of the current Trino release. The plugin in the Ranger codebase is using Trino 377 at this stage. This is hopelessly out of date and imposes a lot of work on anyone who wants to use this with Trino since they would have to individually update to their version of Trino.

From what I understand @dprophet is still hoping to pick this up again and continue the work.

[lozbrown]

@dprophet any hope on ranger plugin now OPA is merged?

[ebyhr]

@dprophet Are you still working on this PR? @mneethiraj sent a new PR #22675

[sopel39]

why is the server needed for ranger client?

[github-actions]

This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua

[mosabua]

I think the new PR is a replacement. #22675

Closing this one.