Support for configurable external authorizer

fe/fe-core/src/main/java/com/starrocks/common/Config.java

@@ -1784,6 +1784,12 @@ public class Config extends ConfigBase {
     @ConfField(mutable = true)
     public static boolean authorization_enable_column_level_privilege = false;
 
+    /**
+     *  Implementation of ExternalAuthorizer class to be used for external access control 
+     */
+    @ConfField(mutable = false)
+    public static String external_authorization_class_name = "";
+
     /**
      * The authentication_chain configuration specifies the sequence of security integrations
      * that will be used to authenticate a user. Each security integration in the chain will be
@@ -3042,7 +3048,7 @@ public class Config extends ConfigBase {
     @ConfField(mutable = true)
     public static int primary_key_disk_schedule_time = 3600; // 1h
 
-    @ConfField(mutable = true)
+    @ConfField(mutable = false)
     public static String access_control = "native";
 
     /**

fe/fe-core/src/main/java/com/starrocks/privilege/ColumnPrivilege.java

@@ -85,11 +85,15 @@ public static void check(ConnectContext context, QueryStatement stmt, List<Table
         }
 
         Set<TableName> tableUsedExternalAccessController = new HashSet<>();
+        Map<TableName, Boolean> tableSupportsColumnLevelPrivileges = new HashMap<>();
         for (TableName tableName : tableNameTableObj.keySet()) {
             String catalog = tableName.getCatalog() == null ?
                     InternalCatalog.DEFAULT_INTERNAL_CATALOG_NAME : tableName.getCatalog();
-            if (Authorizer.getInstance().getAccessControlOrDefault(catalog) instanceof ExternalAccessController) {
+            AccessController accessController = Authorizer.getInstance().getAccessControlOrDefault(catalog);
+            if (accessController instanceof ExternalAccessController) { 
+                ExternalAccessController externalAccessController = (ExternalAccessController) accessController;
                 tableUsedExternalAccessController.add(tableName);
+                tableSupportsColumnLevelPrivileges.put(tableName, externalAccessController.supportsColumnLevelPrivileges());
             }
         }
 
@@ -124,7 +128,7 @@ public static void check(ConnectContext context, QueryStatement stmt, List<Table
                 continue;
             }
 
-            if (tableUsedExternalAccessController.contains(tableName)) {
+            if (tableUsedExternalAccessController.contains(tableName) && tableSupportsColumnLevelPrivileges.get(tableName)) {
                 Set<String> columns = scanColumns.getOrDefault(tableName, new HashSet<>());
                 for (String column : columns) {
                     try {

fe/fe-core/src/main/java/com/starrocks/privilege/ExternalAccessController.java

@@ -14,4 +14,13 @@
 package com.starrocks.privilege;
 
 public abstract class ExternalAccessController implements AccessController {
+    private final boolean supportsColumnLevelPrivileges;  
+
+    public ExternalAccessController(boolean supportsColumnLevelPrivileges) {  
+        this.supportsColumnLevelPrivileges = supportsColumnLevelPrivileges;  
+    }  
+
+    public boolean supportsColumnLevelPrivileges() {  
+        return supportsColumnLevelPrivileges;  
+    }
 }

fe/fe-core/src/main/java/com/starrocks/privilege/external/AccessTypeConverter.java

@@ -0,0 +1,20 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package com.starrocks.privilege.external;
+
+import com.starrocks.privilege.PrivilegeType;
+
+public interface AccessTypeConverter {
+    String convertToAccessType(PrivilegeType privilegeType);
+}

fe/fe-core/src/main/java/com/starrocks/privilege/external/ConfigurableExternalAccessController.java

@@ -0,0 +1,62 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package com.starrocks.privilege.external;
+
+import com.starrocks.common.Config;
+import com.starrocks.privilege.AccessDeniedException;
+import com.starrocks.privilege.ExternalAccessController;
+import com.starrocks.privilege.PrivilegeType;
+import com.starrocks.privilege.external.ExternalAccessResourceImpl;
+import com.starrocks.privilege.external.ExternalStarRocksAccessRequest;
+import com.starrocks.sql.ast.UserIdentity;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public abstract class ConfigurableExternalAccessController extends ExternalAccessController implements AccessTypeConverter {
+    private static final Logger LOG = LoggerFactory.getLogger(ConfigurableExternalAccessController.class);
+    protected ExternalAuthorizer authorizer;
+
+    public ConfigurableExternalAccessController() {
+        super(false);
+        authorizer = initExternalAuthorizer();
+    }
+
+    private ExternalAuthorizer initExternalAuthorizer() {
+        String externalAuthorizationClassName = Config.external_authorization_class_name;
+        try {
+            ExternalAuthorizer authorizer = Class.forName(externalAuthorizationClassName)
+                            .asSubclass(ExternalAuthorizer.class).newInstance();
+            authorizer.init();
+            return authorizer;
+        } catch (Exception e) {
+            LOG.error("Failed to create external authorizer", e);
+        }
+        return null;
+    }
+
+    protected void hasPermission(ExternalAccessResourceImpl resource, UserIdentity user, PrivilegeType privilegeType)
+        throws AccessDeniedException {
+
+        if (authorizer == null) {
+            throw new AccessDeniedException("External authorizer is not initialized");
+        }
+
+        String accessType = convertToAccessType(privilegeType);
+        ExternalStarRocksAccessRequest request = new ExternalStarRocksAccessRequest(resource, user, accessType);
+
+        if (!authorizer.authorize(request)) {
+            throw new AccessDeniedException("Access denied for user " + user + " on " + resource + " with " + privilegeType);
+        }
+    }
+}

fe/fe-core/src/main/java/com/starrocks/privilege/external/ExternalAccessResourceBuilder.java

@@ -0,0 +1,99 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package com.starrocks.privilege.external;
+
+import com.starrocks.privilege.ObjectType;
+import com.starrocks.privilege.external.ExternalAccessResourceImpl;
+
+public abstract class ExternalAccessResourceBuilder implements ObjectTypeConverter {
+    ExternalAccessResourceImpl externalAccessResource;
+
+    public ExternalAccessResourceImpl build() {
+        return externalAccessResource;
+    }
+
+    protected ExternalAccessResourceBuilder(ExternalAccessResourceImpl externalAccessResource) {
+        this.externalAccessResource = externalAccessResource;
+    }
+
+    public ExternalAccessResourceBuilder setSystem() {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.SYSTEM), "*");
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setUser(String user) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.USER), user);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setCatalog(String catalog) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.CATALOG), catalog);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setDatabase(String database) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.DATABASE), database);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setTable(String table) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.TABLE), table);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setColumn(String column) {
+        externalAccessResource.setValue("column", column);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setView(String view) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.VIEW), view);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setMaterializedView(String materializedView) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.MATERIALIZED_VIEW), materializedView);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setFunction(String function) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.FUNCTION), function);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setGlobalFunction(String globalFunction) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.GLOBAL_FUNCTION), globalFunction);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setResource(String resource) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.RESOURCE), resource);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setResourceGroup(String resourceGroup) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.RESOURCE_GROUP), resourceGroup);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setStorageVolume(String storageVolume) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.STORAGE_VOLUME), storageVolume);
+        return this;
+    }
+
+    public ExternalAccessResourceBuilder setPipe(String pipe) {
+        externalAccessResource.setValue(convertToExternalObjectType(ObjectType.PIPE), pipe);
+        return this;
+    }
+}

fe/fe-core/src/main/java/com/starrocks/privilege/external/ExternalAccessResourceImpl.java

@@ -0,0 +1,58 @@
+// Copyright 2021-present StarRocks, Inc. All rights reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.starrocks.privilege.external;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+public class ExternalAccessResourceImpl {
+    private final Map<String, String> resourceMap;
+
+    public ExternalAccessResourceImpl() {
+        this.resourceMap = new HashMap<>();
+    }
+
+    public ExternalAccessResourceImpl(Map<String, String> resourceMap) {
+        this.resourceMap = new HashMap<>(resourceMap);
+    }
+
+    public Map<String, String> getResourceMap() {
+        return Collections.unmodifiableMap(resourceMap);
+    }
+
+    public void setValue(String key, String value) {
+        resourceMap.put(key, value);
+    }
+
+    public String getValue(String key) {
+        return resourceMap.get(key);
+    }
+
+    public Set<String> getKeys() {
+        return resourceMap.keySet();
+    }
+
+    public boolean containsKey(String key) {
+        return resourceMap.containsKey(key);
+    }
+
+    public String toString() {
+        return "ExternalAccessResourceImpl{" +
+                "resourceMap=" + resourceMap +
+                '}';
+    }
+}

fe/fe-core/src/main/java/com/starrocks/privilege/external/ExternalAuthorizer.java

@@ -0,0 +1,26 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package com.starrocks.privilege.external;
+
+import com.starrocks.privilege.external.ExternalStarRocksAccessRequest;
+
+public interface ExternalAuthorizer {
+    public void init() throws Exception;
+
+    public boolean authorize(ExternalStarRocksAccessRequest request);
+}