

[#5054] improvement(api,server): Add the check of privileges (#5053)
### What changes were proposed in this pull request?

Add the check of privileges

### Why are the changes needed?

Fix: #5054

### Does this PR introduce _any_ user-facing change?
No

### How was this patch tested?
Add some UTs

---------

Co-authored-by: Jerry Shao <[email protected]>
jerqi and jerryshao authored Sep 30, 2024
1 parent 2e5bdbf commit f600041
Showing 8 changed files with 547 additions and 95 deletions.
Expand Up @@ -18,6 +18,7 @@
*/
package org.apache.gravitino.authorization;

import org.apache.gravitino.MetadataObject;
import org.apache.gravitino.annotation.Unstable;

/**
Expand All @@ -39,6 +40,15 @@ public interface Privilege {
*/
Condition condition();

/**
* If the privilege can bind to a securable object, then this method will return true, otherwise
* false.
*
* @param type The securable object type.
* @return It will return true if the privilege can bind to a securable object, otherwise false.
*/
boolean canBindTo(MetadataObject.Type type);

/** The name of this privilege. */
enum Name {
/** The privilege to create a catalog. */
111 changes: 111 additions & 0 deletions api/src/main/java/org/apache/gravitino/authorization/Privileges.java
Expand Up @@ -18,11 +18,37 @@
*/
package org.apache.gravitino.authorization;

import com.google.common.collect.Sets;
import java.util.Objects;
import java.util.Set;
import org.apache.gravitino.MetadataObject;

/** The helper class for {@link Privilege}. */
public class Privileges {

private static final Set<MetadataObject.Type> TABLE_SUPPORTED_TYPES =
Sets.immutableEnumSet(
MetadataObject.Type.METALAKE,
MetadataObject.Type.CATALOG,
MetadataObject.Type.SCHEMA,
MetadataObject.Type.TABLE);
private static final Set<MetadataObject.Type> TOPIC_SUPPORTED_TYPES =
Sets.immutableEnumSet(
MetadataObject.Type.METALAKE,
MetadataObject.Type.CATALOG,
MetadataObject.Type.SCHEMA,
MetadataObject.Type.TOPIC);
private static final Set<MetadataObject.Type> SCHEMA_SUPPORTED_TYPES =
Sets.immutableEnumSet(
MetadataObject.Type.METALAKE, MetadataObject.Type.CATALOG, MetadataObject.Type.SCHEMA);

private static final Set<MetadataObject.Type> FILESET_SUPPORTED_TYPES =
Sets.immutableEnumSet(
MetadataObject.Type.METALAKE,
MetadataObject.Type.CATALOG,
MetadataObject.Type.SCHEMA,
MetadataObject.Type.FILESET);

/**
* Returns the Privilege with allow condition from the string representation.
*
Expand Down Expand Up @@ -241,6 +267,11 @@ public static CreateCatalog allow() {
public static CreateCatalog deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE;
}
}

/** The privilege to use a catalog. */
Expand All @@ -263,6 +294,11 @@ public static UseCatalog allow() {
public static UseCatalog deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
}
}

/** The privilege to use a schema. */
Expand All @@ -283,6 +319,11 @@ public static UseSchema allow() {
public static UseSchema deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return SCHEMA_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to create a schema. */
Expand All @@ -305,6 +346,11 @@ public static CreateSchema allow() {
public static CreateSchema deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
}
}

/** The privilege to create a table. */
Expand All @@ -327,6 +373,11 @@ public static CreateTable allow() {
public static CreateTable deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return SCHEMA_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to select data from a table. */
Expand All @@ -349,6 +400,11 @@ public static SelectTable allow() {
public static SelectTable deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return TABLE_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE` for a table. */
Expand All @@ -371,6 +427,11 @@ public static ModifyTable allow() {
public static ModifyTable deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return TABLE_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to create a fileset. */
Expand All @@ -393,6 +454,11 @@ public static CreateFileset allow() {
public static CreateFileset deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return SCHEMA_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to read a fileset. */
Expand All @@ -415,6 +481,11 @@ public static ReadFileset allow() {
public static ReadFileset deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return FILESET_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to write a fileset. */
Expand All @@ -437,6 +508,11 @@ public static WriteFileset allow() {
public static WriteFileset deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return FILESET_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to create a topic. */
Expand All @@ -459,6 +535,11 @@ public static CreateTopic allow() {
public static CreateTopic deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return SCHEMA_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to consume from a topic. */
Expand All @@ -481,6 +562,11 @@ public static ConsumeTopic allow() {
public static ConsumeTopic deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return TOPIC_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to produce to a topic. */
Expand All @@ -503,6 +589,11 @@ public static ProduceTopic allow() {
public static ProduceTopic deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return TOPIC_SUPPORTED_TYPES.contains(type);
}
}

/** The privilege to manage users. */
Expand All @@ -525,6 +616,11 @@ public static ManageUsers allow() {
public static ManageUsers deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE;
}
}

/** The privilege to manage groups. */
Expand All @@ -547,6 +643,11 @@ public static ManageGroups allow() {
public static ManageGroups deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE;
}
}

/** The privilege to create a role. */
Expand All @@ -569,6 +670,11 @@ public static CreateRole allow() {
public static CreateRole deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE;
}
}

/** The privilege to grant or revoke a role for the user or the group. */
Expand All @@ -591,5 +697,10 @@ public static ManageGrants allow() {
public static ManageGrants deny() {
return DENY_INSTANCE;
}

@Override
public boolean canBindTo(MetadataObject.Type type) {
return type == MetadataObject.Type.METALAKE;
}
}
}
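Review bot: The new `canBindTo` overrides encode the same kind of rule in three different styles — `CreateCatalog`, `ManageUsers`, `ManageGroups`, `CreateRole` and `ManageGrants` test `type == MetadataObject.Type.METALAKE`, `UseCatalog` and `CreateSchema` chain two `==` comparisons, and the remaining privileges consult the `*_SUPPORTED_TYPES` sets declared in the first hunk of this file. Adding `private static final Set<MetadataObject.Type> METALAKE_SUPPORTED_TYPES = Sets.immutableEnumSet(MetadataObject.Type.METALAKE);` and `private static final Set<MetadataObject.Type> CATALOG_SUPPORTED_TYPES = Sets.immutableEnumSet(MetadataObject.Type.METALAKE, MetadataObject.Type.CATALOG);` next to the existing constants and having every override return `X_SUPPORTED_TYPES.contains(type)` keeps the permitted binding scope of each privilege in one reviewable table, which matters because this method is what prevents a privilege from being attached to a securable object type it was never meant for. The four set constants also carry no Javadoc; a comment on each along the lines of `/** Securable object types a table-level privilege may be bound to; binding above TABLE presumably covers every table beneath — confirm against the authorization checks. */` would record the intended semantics, hedged because the containment rule is not visible on this page. Each `canBindTo` hunk sits inside a nested privilege class whose declaration starts outside the hunk, and the server-side code that is expected to call `canBindTo` when a role or grant is created is in files not shown here.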
