yuqi1129 commented on code in PR #5021:
URL: https://github.com/apache/gravitino/pull/5021#discussion_r1778371861
##########
core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java:
##########
@@ -373,11 +376,174 @@ User revokeRolesFromUser(String metalake, List<String>
roles, String user) {
}
}
- private List<String> toRoleNames(List<RoleEntity> roleEntities) {
- return
roleEntities.stream().map(RoleEntity::name).collect(Collectors.toList());
+ Role grantPrivilegeToRole(
+ String metalake, String role, MetadataObject object, List<Privilege>
privileges) {
+ try {
+ return store.update(
+ AuthorizationUtils.ofRole(metalake, role),
+ RoleEntity.class,
+ Entity.EntityType.ROLE,
+ roleEntity -> {
+ List<SecurableObject> securableObjects =
roleEntity.securableObjects();
+
+ boolean objectExist = false;
+
+ List<SecurableObject> updateSecurableObjects =
Lists.newArrayList();
+ // Only update the first matched securable object privilege
+ for (SecurableObject securableObject : securableObjects) {
Review Comment:
Is it possible that there are many securable objects that equals to the
`object` in the List?
##########
core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java:
##########
@@ -373,11 +376,174 @@ User revokeRolesFromUser(String metalake, List<String>
roles, String user) {
}
}
- private List<String> toRoleNames(List<RoleEntity> roleEntities) {
- return
roleEntities.stream().map(RoleEntity::name).collect(Collectors.toList());
+ Role grantPrivilegeToRole(
+ String metalake, String role, MetadataObject object, List<Privilege>
privileges) {
+ try {
+ return store.update(
+ AuthorizationUtils.ofRole(metalake, role),
+ RoleEntity.class,
+ Entity.EntityType.ROLE,
+ roleEntity -> {
+ List<SecurableObject> securableObjects =
roleEntity.securableObjects();
+
+ boolean objectExist = false;
+
+ List<SecurableObject> updateSecurableObjects =
Lists.newArrayList();
+ // Only update the first matched securable object privilege
+ for (SecurableObject securableObject : securableObjects) {
+ if (!objectExist
+ && securableObject.type() == object.type()
+ && securableObject.fullName().equals(object.fullName())) {
+ objectExist = true;
+ Set<Privilege> updatePrivileges = Sets.newHashSet();
+ updatePrivileges.addAll(securableObject.privileges());
+ // If privileges has granted, we won't generate the new
securable object.
+ if (updatePrivileges.containsAll(privileges)) {
+ updateSecurableObjects.add(securableObject);
+ } else {
+ updatePrivileges.addAll(privileges);
+ SecurableObject newSecurableObject =
+ SecurableObjects.parse(
+ securableObject.fullName(),
+ securableObject.type(),
+ Lists.newArrayList(updatePrivileges));
+
+ updateSecurableObjects.add(newSecurableObject);
+ AuthorizationUtils.callAuthorizationPluginForMetadataObject(
+ metalake,
+ object,
+ authorizationPlugin -> {
+ authorizationPlugin.onRoleUpdated(
+ roleEntity,
+ RoleChange.updateSecurableObject(
+ role, securableObject, newSecurableObject));
+ });
+ }
+
+ } else {
+ updateSecurableObjects.add(securableObject);
+ }
+ }
+
+ // If the role doesn't contain the securable object, the role
appends a new securable
+ // object.
+ if (!objectExist) {
+ SecurableObject securableObject =
+ SecurableObjects.parse(
Review Comment:
```suggestion
List<SecurableObject> updateSecurableObjects =
Lists.newArrayList(securableObjects);
SecurableObject se =
securableObjects.stream().filter(securableObject ->
securableObject.type() == object.type()
&& securableObject.fullName().equals(object.fullName()))
.findFirst().orElse(null);
if (se == null) {
SecurableObject securableObject =
SecurableObjects.parse(
object.fullName(), object.type(),
Lists.newArrayList(privileges));
AuthorizationUtils.callAuthorizationPluginForMetadataObject(
metalake,
object,
authorizationPlugin -> {
authorizationPlugin.onRoleUpdated(
roleEntity, RoleChange.addSecurableObject(role,
securableObject));
});
updateSecurableObjects.add(securableObject);
} else {
Set<Privilege> updatePrivileges = Sets.newHashSet();
updatePrivileges.addAll(se.privileges());
if (!updatePrivileges.containsAll(privileges)) {
updatePrivileges.addAll(privileges);
SecurableObject newSecurableObject =
SecurableObjects.parse(
se.fullName(),
se.type(),
Lists.newArrayList(updatePrivileges));
// Remove the old one and add the new one
updateSecurableObjects.remove(se);
updateSecurableObjects.add(newSecurableObject);
// Update the new newSecurableObject in the authorization
plugin
AuthorizationUtils.callAuthorizationPluginForMetadataObject(
metalake,
object,
authorizationPlugin -> {
authorizationPlugin.onRoleUpdated(
roleEntity,
RoleChange.updateSecurableObject(
role, se, newSecurableObject));
});
}
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
