[#5054] improvement(api,server): Add the check of privileges

api/src/main/java/org/apache/gravitino/authorization/Privilege.java

@@ -18,6 +18,7 @@
  */
 package org.apache.gravitino.authorization;
 
+import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.annotation.Unstable;
 
 /**
@@ -39,6 +40,15 @@ public interface Privilege {
    */
   Condition condition();
 
+  /**
+   * If the privilege can bind to a securable object, then this method will return true, otherwise
+   * false.
+   *
+   * @param type The securable object type.
+   * @return It will return true if the privilege can bind to a securable object, otherwise false.
+   */
+  boolean canBindTo(MetadataObject.Type type);
+
   /** The name of this privilege. */
   enum Name {
     /** The privilege to create a catalog. */

api/src/main/java/org/apache/gravitino/authorization/Privileges.java

@@ -18,11 +18,37 @@
  */
 package org.apache.gravitino.authorization;
 
+import com.google.common.collect.Sets;
 import java.util.Objects;
+import java.util.Set;
+import org.apache.gravitino.MetadataObject;
 
 /** The helper class for {@link Privilege}. */
 public class Privileges {
 
+  private static final Set<MetadataObject.Type> TABLE_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.TABLE);
+  private static final Set<MetadataObject.Type> TOPIC_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.TOPIC);
+  private static final Set<MetadataObject.Type> SCHEMA_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE, MetadataObject.Type.CATALOG, MetadataObject.Type.SCHEMA);
+
+  private static final Set<MetadataObject.Type> FILESET_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.FILESET);
+
   /**
    * Returns the Privilege with allow condition from the string representation.
    *
@@ -241,6 +267,11 @@ public static CreateCatalog allow() {
     public static CreateCatalog deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to use a catalog. */
@@ -263,6 +294,11 @@ public static UseCatalog allow() {
     public static UseCatalog deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
+    }
   }
 
   /** The privilege to use a schema. */
@@ -283,6 +319,11 @@ public static UseSchema allow() {
     public static UseSchema deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a schema. */
@@ -305,6 +346,11 @@ public static CreateSchema allow() {
     public static CreateSchema deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
+    }
   }
 
   /** The privilege to create a table. */
@@ -327,6 +373,11 @@ public static CreateTable allow() {
     public static CreateTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to select data from a table. */
@@ -349,6 +400,11 @@ public static SelectTable allow() {
     public static SelectTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TABLE_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE` for a table. */
@@ -371,6 +427,11 @@ public static ModifyTable allow() {
     public static ModifyTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TABLE_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a fileset. */
@@ -393,6 +454,11 @@ public static CreateFileset allow() {
     public static CreateFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to read a fileset. */
@@ -415,6 +481,11 @@ public static ReadFileset allow() {
     public static ReadFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return FILESET_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to write a fileset. */
@@ -437,6 +508,11 @@ public static WriteFileset allow() {
     public static WriteFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return FILESET_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a topic. */
@@ -459,6 +535,11 @@ public static CreateTopic allow() {
     public static CreateTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to consume from a topic. */
@@ -481,6 +562,11 @@ public static ConsumeTopic allow() {
     public static ConsumeTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TOPIC_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to produce to a topic. */
@@ -503,6 +589,11 @@ public static ProduceTopic allow() {
     public static ProduceTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TOPIC_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to manage users. */
@@ -525,6 +616,11 @@ public static ManageUsers allow() {
     public static ManageUsers deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to manage groups. */
@@ -547,6 +643,11 @@ public static ManageGroups allow() {
     public static ManageGroups deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to create a role. */
@@ -569,6 +670,11 @@ public static CreateRole allow() {
     public static CreateRole deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to grant or revoke a role for the user or the group. */
@@ -591,5 +697,10 @@ public static ManageGrants allow() {
     public static ManageGrants deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 }