This is an automated email from the ASF dual-hosted git repository.
jshao pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new cf3293523 [#4143] improvment(core): Optimize the privileges of access
control (#4214)
cf3293523 is described below
commit cf329352398d19fd1c1645522d9bfd909b9ccffc
Author: roryqi <[email protected]>
AuthorDate: Tue Jul 23 14:40:09 2024 +0800
[#4143] improvment(core): Optimize the privileges of access control (#4214)
### What changes were proposed in this pull request?
Optimize the privileges of access control
### Why are the changes needed?
Fix: #4143
### Does this PR introduce _any_ user-facing change?
No need.
### How was this patch tested?
Existing tests.
---
.../apache/gravitino/authorization/Privilege.java | 28 +--
.../apache/gravitino/authorization/Privileges.java | 249 ++++-----------------
2 files changed, 46 insertions(+), 231 deletions(-)
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
index 3527ead1b..8ec9bb6a2 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -67,28 +67,14 @@ public interface Privilege {
PRODUCE_TOPIC(0L, 1L << 12),
/** The privilege to consume from a topic. */
CONSUME_TOPIC(0L, 1L << 13),
- /** The privilege to add a user */
- ADD_USER(0L, 1L << 14),
- /** The privilege to remove a user */
- REMOVE_USER(0L, 1L << 15),
- /** The privilege to get a user */
- GET_USER(0L, 1L << 16),
- /** The privilege to add a group */
- ADD_GROUP(0L, 1L << 17),
- /** The privilege to remove a group */
- REMOVE_GROUP(0L, 1L << 18),
- /** The privilege to get a group */
- GET_GROUP(0L, 1L << 19),
+ /** The privilege to create a user */
+ CREATE_USER(0L, 1L << 14),
+ /** The privilege to create a group */
+ CREATE_GROUP(0L, 1L << 15),
/** The privilege to create a role */
- CREATE_ROLE(0L, 1L << 20),
- /** The privilege to delete a role */
- DELETE_ROLE(0L, 1L << 21),
- /** The privilege to grant a role to the user or the group. */
- GRANT_ROLE(0L, 1L << 22),
- /** The privilege to revoke a role from the user or the group. */
- REVOKE_ROLE(0L, 1L << 23),
- /** The privilege to get a role */
- GET_ROLE(0L, 1L << 24);
+ CREATE_ROLE(0L, 1L << 16),
+ /** The privilege to grant or revoke a role for the user or the group. */
+ MANAGE_GRANTS(0L, 1L << 17);
private final long highBits;
private final long lowBits;
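Review bot: The bit values of the surviving constants are renumbered here — `CREATE_ROLE` moves from `1L << 20` to `1L << 16`, and bits 14 and 15, previously `ADD_USER` and `REMOVE_USER`, now denote `CREATE_USER` and `CREATE_GROUP`. If `highBits`/`lowBits` are persisted or exchanged with older clients anywhere (not visible from this hunk), a stored `ADD_USER` grant would be read back as `CREATE_USER` and a stored `CREATE_ROLE` would no longer match, which makes this a privilege-mapping change rather than a rename; a comment on the enum stating whether bit positions are stable across versions, or a compatibility mapping, would make the intent explicit. Since `Privilege.Name` lives under `api/`, removing public constants and renumbering is also a user-visible API change, which the description's "No need." does not reflect. The enum declaration and the fields that follow continue outside the hunk.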
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
index 07a745760..6947ced25 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -79,32 +79,18 @@ public class Privileges {
return ConsumeTopic.allow();
// User
- case ADD_USER:
- return AddUser.allow();
- case REMOVE_USER:
- return RemoveUser.allow();
- case GET_USER:
- return GetUser.allow();
+ case CREATE_USER:
+ return CreateUser.allow();
// Group
- case ADD_GROUP:
- return AddGroup.allow();
- case REMOVE_GROUP:
- return RemoveGroup.allow();
- case GET_GROUP:
- return GetGroup.allow();
+ case CREATE_GROUP:
+ return CreateGroup.allow();
// Role
case CREATE_ROLE:
return CreateRole.allow();
- case DELETE_ROLE:
- return DeleteRole.allow();
- case GRANT_ROLE:
- return GrantRole.allow();
- case REVOKE_ROLE:
- return RevokeRole.allow();
- case GET_ROLE:
- return GetRole.allow();
+ case MANAGE_GRANTS:
+ return ManageGrants.allow();
default:
throw new IllegalArgumentException("Doesn't support the privilege: " +
name);
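Review bot: The `allow()` switch here and the matching `deny()` switch in the next hunk (`@@ -167,32 +153,18 @@`) repeat the same `Name`-to-privilege-class mapping by hand, so every privilege added or removed must be edited in two switches plus its class; the `GetGroup` deleted in a later hunk was wired to `Name.CREATE_CATALOG`, which shows how hand-copied tables drift. A single mapping, for example an `EnumMap<Name, ...>` holding each class's allow/deny pair and consumed by both methods, would keep the two in step. Both enclosing methods start outside their hunks, so only the tail of each switch is visible here.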
@@ -167,32 +153,18 @@ public class Privileges {
return ConsumeTopic.deny();
// User
- case ADD_USER:
- return AddUser.deny();
- case REMOVE_USER:
- return RemoveUser.deny();
- case GET_USER:
- return GetUser.deny();
+ case CREATE_USER:
+ return CreateUser.deny();
// Group
- case ADD_GROUP:
- return AddGroup.deny();
- case REMOVE_GROUP:
- return RemoveGroup.deny();
- case GET_GROUP:
- return GetGroup.deny();
+ case CREATE_GROUP:
+ return CreateGroup.deny();
// Role
case CREATE_ROLE:
return CreateRole.deny();
- case DELETE_ROLE:
- return DeleteRole.deny();
- case GRANT_ROLE:
- return GrantRole.deny();
- case REVOKE_ROLE:
- return RevokeRole.deny();
- case GET_ROLE:
- return GetRole.deny();
+ case MANAGE_GRANTS:
+ return ManageGrants.deny();
default:
throw new IllegalArgumentException("Doesn't support the privilege: " +
name);
@@ -533,127 +505,46 @@ public class Privileges {
}
}
- /** The privilege to get a user. */
- public static class GetUser extends GenericPrivilege<GetUser> {
- private static final GetUser ALLOW_INSTANCE = new GetUser(Condition.ALLOW,
Name.GET_USER);
- private static final GetUser DENY_INSTANCE = new GetUser(Condition.DENY,
Name.GET_USER);
+ /** The privilege to create a user. */
+ public static class CreateUser extends GenericPrivilege<CreateUser> {
+ private static final CreateUser ALLOW_INSTANCE =
+ new CreateUser(Condition.ALLOW, Name.CREATE_USER);
+ private static final CreateUser DENY_INSTANCE =
+ new CreateUser(Condition.DENY, Name.CREATE_USER);
- private GetUser(Condition condition, Name name) {
+ private CreateUser(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static GetUser allow() {
+ public static CreateUser allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static GetUser deny() {
+ public static CreateUser deny() {
return DENY_INSTANCE;
}
}
- /** The privilege to add a user. */
- public static class AddUser extends GenericPrivilege<AddUser> {
- private static final AddUser ALLOW_INSTANCE = new AddUser(Condition.ALLOW,
Name.ADD_USER);
- private static final AddUser DENY_INSTANCE = new AddUser(Condition.DENY,
Name.ADD_USER);
+ /** The privilege to create a group. */
+ public static class CreateGroup extends GenericPrivilege<CreateGroup> {
+ private static final CreateGroup ALLOW_INSTANCE =
+ new CreateGroup(Condition.ALLOW, Name.CREATE_GROUP);
+ private static final CreateGroup DENY_INSTANCE =
+ new CreateGroup(Condition.DENY, Name.CREATE_GROUP);
- private AddUser(Condition condition, Name name) {
+ private CreateGroup(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static AddUser allow() {
+ public static CreateGroup allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static AddUser deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to remove a user. */
- public static class RemoveUser extends GenericPrivilege<RemoveUser> {
- private static final RemoveUser ALLOW_INSTANCE =
- new RemoveUser(Condition.ALLOW, Name.REMOVE_USER);
- private static final RemoveUser DENY_INSTANCE =
- new RemoveUser(Condition.DENY, Name.REMOVE_USER);
-
- private RemoveUser(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static RemoveUser allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static RemoveUser deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to add a group. */
- public static class AddGroup extends GenericPrivilege<AddGroup> {
- private static final AddGroup ALLOW_INSTANCE = new
AddGroup(Condition.ALLOW, Name.ADD_GROUP);
- private static final AddGroup DENY_INSTANCE = new AddGroup(Condition.DENY,
Name.ADD_GROUP);
-
- private AddGroup(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static AddGroup allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static AddGroup deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to remove a group. */
- public static class RemoveGroup extends GenericPrivilege<RemoveGroup> {
- private static final RemoveGroup ALLOW_INSTANCE =
- new RemoveGroup(Condition.ALLOW, Name.REMOVE_GROUP);
- private static final RemoveGroup DENY_INSTANCE =
- new RemoveGroup(Condition.DENY, Name.REMOVE_GROUP);
-
- private RemoveGroup(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static RemoveGroup allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static RemoveGroup deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to get a group. */
- public static class GetGroup extends GenericPrivilege<GetGroup> {
- private static final GetGroup ALLOW_INSTANCE =
- new GetGroup(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final GetGroup DENY_INSTANCE = new GetGroup(Condition.DENY,
Name.CREATE_CATALOG);
-
- private GetGroup(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static GetGroup allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static GetGroup deny() {
+ public static CreateGroup deny() {
return DENY_INSTANCE;
}
}
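Review bot: `CreateUser` and `CreateGroup` are copy-paste instantiations of the `GenericPrivilege` template in which the only behaviourally relevant token is the `Name` passed to the two static instances; the `GetGroup` class deleted in this same hunk shows the failure mode, since its instances were built with `Name.CREATE_CATALOG` instead of `Name.GET_GROUP`. A unit test that iterates every `Privilege.Name`, resolves it through `Privileges.allow(...)` and `Privileges.deny(...)`, and checks that the returned privilege reports the same name (assuming `GenericPrivilege` exposes the name it was constructed with) would catch that class of mismatch without touching production code; the commit description cites only existing tests. The enclosing `Privileges` class continues outside the hunk.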
@@ -680,86 +571,24 @@ public class Privileges {
}
}
- /** The privilege to get a role. */
- public static class GetRole extends GenericPrivilege<GetRole> {
- private static final GetRole ALLOW_INSTANCE = new GetRole(Condition.ALLOW,
Name.GET_ROLE);
- private static final GetRole DENY_INSTANCE = new GetRole(Condition.DENY,
Name.GET_ROLE);
-
- private GetRole(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static GetRole allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static GetRole deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to delete a role. */
- public static class DeleteRole extends GenericPrivilege<DeleteRole> {
- private static final DeleteRole ALLOW_INSTANCE =
- new DeleteRole(Condition.ALLOW, Name.DELETE_ROLE);
- private static final DeleteRole DENY_INSTANCE =
- new DeleteRole(Condition.DENY, Name.DELETE_ROLE);
-
- private DeleteRole(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static DeleteRole allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static DeleteRole deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to grant a role to the user or the group. */
- public static class GrantRole extends GenericPrivilege<GrantRole> {
- private static final GrantRole ALLOW_INSTANCE = new
GrantRole(Condition.ALLOW, Name.GRANT_ROLE);
- private static final GrantRole DENY_INSTANCE = new
GrantRole(Condition.DENY, Name.GRANT_ROLE);
-
- private GrantRole(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static GrantRole allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static GrantRole deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to revoke a role from the user or the group. */
- public static class RevokeRole extends GenericPrivilege<RevokeRole> {
- private static final RevokeRole ALLOW_INSTANCE =
- new RevokeRole(Condition.ALLOW, Name.REVOKE_ROLE);
- private static final RevokeRole DENY_INSTANCE =
- new RevokeRole(Condition.DENY, Name.REVOKE_ROLE);
+ /** The privilege to grant or revoke a role for the user or the group. */
+ public static class ManageGrants extends GenericPrivilege<ManageGrants> {
+ private static final ManageGrants ALLOW_INSTANCE =
+ new ManageGrants(Condition.ALLOW, Name.MANAGE_GRANTS);
+ private static final ManageGrants DENY_INSTANCE =
+ new ManageGrants(Condition.DENY, Name.MANAGE_GRANTS);
- private RevokeRole(Condition condition, Name name) {
+ private ManageGrants(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static RevokeRole allow() {
+ public static ManageGrants allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static RevokeRole deny() {
+ public static ManageGrants deny() {
return DENY_INSTANCE;
}
}
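Review bot: The Javadoc on `ManageGrants` states only what the privilege permits and not that it replaces the `GrantRole` and `RevokeRole` classes this hunk deletes, so a reader of the class alone cannot tell that one privilege now covers both directions of a role assignment. I would extend it to `/** The privilege to grant or revoke a role for the user or the group; supersedes the former GRANT_ROLE and REVOKE_ROLE privileges. */`. The removed `GetRole` and `DeleteRole` have no replacement in this hunk, so which privilege now governs those operations is not visible here. The enclosing class continues outside the hunk.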