liuxun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new d04a17c4c [#5364] feat(auth-ranger): Throw
AuthorizationPluginException in authorization plugin (#5365)
d04a17c4c is described below
commit d04a17c4cb8db9a756e1bb81f806213eadeac7e7
Author: Xun <[email protected]>
AuthorDate: Thu Oct 31 09:09:44 2024 +0800
[#5364] feat(auth-ranger): Throw AuthorizationPluginException in
authorization plugin (#5365)
### What changes were proposed in this pull request?
Currently, the Authorization plugin throws RuntimePluginException. We
need to change it to AuthorizationPluginException.
### Why are the changes needed?
Fix: #5364
### Does this PR introduce _any_ user-facing change?
N/A
### How was this patch tested?
Added ITs.
---
.../exceptions/AuthorizationPluginException.java | 12 +++--
.../ranger/RangerAuthorizationPlugin.java | 49 ++++++++++++--------
.../authorization/ranger/RangerHelper.java | 8 ++--
.../ranger/integration/test/RangerHiveIT.java | 54 +++++++++++++++++-----
.../ranger/integration/test/RangerITEnv.java | 13 ++++--
.../authorization/RoleAuthorizationPlugin.java | 36 ++++++++-------
.../UserGroupAuthorizationPlugin.java | 33 ++++++-------
7 files changed, 130 insertions(+), 75 deletions(-)
diff --git
a/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java
b/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java
index a57944c94..2ac47f1b8 100644
---
a/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java
+++
b/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java
@@ -22,7 +22,7 @@ import com.google.errorprone.annotations.FormatMethod;
import com.google.errorprone.annotations.FormatString;
/** An exception thrown when an authorization plugin operation failed. */
-public class AuthorizationPluginException extends IllegalArgumentException {
+public class AuthorizationPluginException extends GravitinoRuntimeException {
/**
* Constructs a new exception with the specified detail message.
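Review bot: Re-parenting the class from `IllegalArgumentException` to `GravitinoRuntimeException` means any existing `catch (IllegalArgumentException e)` around plugin calls no longer matches this exception. The call sites are not visible in this diff, so this is a point to confirm rather than a proven break: check the handlers that translate authorization failures into API responses, so a failed operation against the access control system is neither swallowed by a broader handler nor reported with the wrong status. The class Javadoc could say so explicitly, e.g. `/** Unchecked exception thrown when an operation against the underlying authorization system fails; it is not an IllegalArgumentException. */`. The class body continues outside the hunk.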
@@ -36,11 +36,15 @@ public class AuthorizationPluginException extends
IllegalArgumentException {
}
/**
- * Constructs a new exception with the specified cause.
+ * Constructs a new exception with the specified detail message and cause.
*
* @param cause the cause.
+ * @param message the detail message.
+ * @param args the arguments to the message.
*/
- public AuthorizationPluginException(Throwable cause) {
- super(cause);
+ @FormatMethod
+ public AuthorizationPluginException(
+ Throwable cause, @FormatString String message, Object... args) {
+ super(cause, message, args);
}
}
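Review bot: The public `AuthorizationPluginException(Throwable cause)` constructor is deleted outright, which breaks source and binary compatibility for any authorization plugin built against the `api` module outside this repository. If out-of-tree plugins are supported, keeping a deprecated overload that delegates to the new constructor avoids that, e.g. `@Deprecated public AuthorizationPluginException(Throwable cause) { this(cause, "%s", cause.getMessage()); }`. The new Javadoc also lists `@param cause` first, which matches the signature, but the summary sentence names the message before the cause; aligning the two makes the argument order harder to get wrong.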
diff --git
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
index ff26d1ca6..b0e46d5c1 100644
---
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
+++
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java
@@ -113,7 +113,7 @@ public abstract class RangerAuthorizationPlugin
* 2. Save role name in the Policy items. <br>
*/
@Override
- public Boolean onRoleCreated(Role role) throws RuntimeException {
+ public Boolean onRoleCreated(Role role) throws AuthorizationPluginException {
if (!validAuthorizationOperation(role.securableObjects())) {
return false;
}
@@ -127,7 +127,7 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onRoleAcquired(Role role) throws RuntimeException {
+ public Boolean onRoleAcquired(Role role) throws AuthorizationPluginException
{
if (!validAuthorizationOperation(role.securableObjects())) {
return false;
}
@@ -136,7 +136,7 @@ public abstract class RangerAuthorizationPlugin
/** Remove the role name from the Ranger policy item, and delete this Role
in the Ranger. <br> */
@Override
- public Boolean onRoleDeleted(Role role) throws RuntimeException {
+ public Boolean onRoleDeleted(Role role) throws AuthorizationPluginException {
if (!validAuthorizationOperation(role.securableObjects())) {
return false;
}
@@ -157,7 +157,8 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onRoleUpdated(Role role, RoleChange... changes) throws
RuntimeException {
+ public Boolean onRoleUpdated(Role role, RoleChange... changes)
+ throws AuthorizationPluginException {
for (RoleChange change : changes) {
if (change instanceof RoleChange.AddSecurableObject) {
SecurableObject securableObject =
@@ -171,7 +172,7 @@ public abstract class RangerAuthorizationPlugin
.forEach(
rangerSecurableObject -> {
if (!doAddSecurableObject(role.name(),
rangerSecurableObject)) {
- throw new RuntimeException(
+ throw new AuthorizationPluginException(
"Failed to add the securable object to the Ranger
policy!");
}
});
@@ -187,7 +188,7 @@ public abstract class RangerAuthorizationPlugin
.forEach(
rangerSecurableObject -> {
if (!doRemoveSecurableObject(role.name(),
rangerSecurableObject)) {
- throw new RuntimeException(
+ throw new AuthorizationPluginException(
"Failed to add the securable object to the Ranger
policy!");
}
});
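Review bot: The exception raised when `doRemoveSecurableObject` returns false still carries the message "Failed to add the securable object to the Ranger policy!", copied from the add branch in the previous hunk. Since this exception is now the typed signal operators and callers will see for a failed privilege removal, the text should name the operation that failed: `"Failed to remove the securable object from the Ranger policy!"`. A wrong verb here is misleading when investigating why a revoked privilege is still effective in Ranger. The enclosing `onRoleUpdated` body starts and ends outside the hunk.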
@@ -276,7 +277,7 @@ public abstract class RangerAuthorizationPlugin
*/
@Override
public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner,
Owner newOwner)
- throws RuntimeException {
+ throws AuthorizationPluginException {
Preconditions.checkArgument(newOwner != null, "The newOwner must be not
null");
// Add the user or group to the Ranger
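Review bot: The narrowed `throws AuthorizationPluginException` clause does not cover the `Preconditions.checkArgument(newOwner != null, ...)` on the next line, which throws `IllegalArgumentException`. Before this commit the two were related by inheritance; after the superclass change in `AuthorizationPluginException.java` they are unrelated types, so a caller that catches only `AuthorizationPluginException` will let the null-owner case escape. Either document it in the method Javadoc with `@throws IllegalArgumentException if newOwner is null`, or raise `AuthorizationPluginException` for the null check as well. The method body continues outside the hunk.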
@@ -365,7 +366,8 @@ public abstract class RangerAuthorizationPlugin
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
- throw new RuntimeException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to add the owner to the Ranger!");
}
});
break;
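Review bot: The new message "Failed to add the owner to the Ranger!" identifies neither the owner nor the metadata object, and the identical text is used in the second catch block in the next hunk, so the two failure sites cannot be told apart from the exception alone. For an ownership change that silently failed to reach the access control system, that is the detail an operator needs. Assuming `newOwner` and `metadataObject` are usable inside the lambda, something like `e, "Failed to set the owner(%s) on %s in the Ranger!", newOwner.name(), metadataObject.fullName()` would do, with a distinct wording for the second branch. The surrounding switch and lambda start outside the hunk.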
@@ -385,7 +387,8 @@ public abstract class RangerAuthorizationPlugin
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
- throw new RuntimeException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to add the owner to the Ranger!");
}
});
break;
@@ -408,7 +411,8 @@ public abstract class RangerAuthorizationPlugin
* @param user The user to grant the roles.
*/
@Override
- public Boolean onGrantedRolesToUser(List<Role> roles, User user) throws
RuntimeException {
+ public Boolean onGrantedRolesToUser(List<Role> roles, User user)
+ throws AuthorizationPluginException {
if (roles.stream().anyMatch(role ->
!validAuthorizationOperation(role.securableObjects()))) {
return false;
}
@@ -443,7 +447,8 @@ public abstract class RangerAuthorizationPlugin
* @param user The user to revoke the roles.
*/
@Override
- public Boolean onRevokedRolesFromUser(List<Role> roles, User user) throws
RuntimeException {
+ public Boolean onRevokedRolesFromUser(List<Role> roles, User user)
+ throws AuthorizationPluginException {
if (roles.stream().anyMatch(role ->
!validAuthorizationOperation(role.securableObjects()))) {
return false;
}
@@ -477,7 +482,8 @@ public abstract class RangerAuthorizationPlugin
* @param group The group to grant the roles.
*/
@Override
- public Boolean onGrantedRolesToGroup(List<Role> roles, Group group) throws
RuntimeException {
+ public Boolean onGrantedRolesToGroup(List<Role> roles, Group group)
+ throws AuthorizationPluginException {
if (roles.stream().anyMatch(role ->
!validAuthorizationOperation(role.securableObjects()))) {
return false;
}
@@ -510,7 +516,8 @@ public abstract class RangerAuthorizationPlugin
* @param group The group to revoke the roles.
*/
@Override
- public Boolean onRevokedRolesFromGroup(List<Role> roles, Group group) throws
RuntimeException {
+ public Boolean onRevokedRolesFromGroup(List<Role> roles, Group group)
+ throws AuthorizationPluginException {
if (roles.stream().anyMatch(role ->
!validAuthorizationOperation(role.securableObjects()))) {
return false;
}
@@ -533,7 +540,7 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onUserAdded(User user) throws RuntimeException {
+ public Boolean onUserAdded(User user) throws AuthorizationPluginException {
VXUserList list = rangerClient.searchUser(ImmutableMap.of("name",
user.name()));
if (list.getListSize() > 0) {
LOG.warn("The user({}) already exists in the Ranger!", user.name());
@@ -545,7 +552,7 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onUserRemoved(User user) throws RuntimeException {
+ public Boolean onUserRemoved(User user) throws AuthorizationPluginException {
VXUserList list = rangerClient.searchUser(ImmutableMap.of("name",
user.name()));
if (list.getListSize() == 0) {
LOG.warn("The user({}) doesn't exist in the Ranger!", user);
@@ -556,7 +563,7 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onUserAcquired(User user) throws RuntimeException {
+ public Boolean onUserAcquired(User user) throws AuthorizationPluginException
{
VXUserList list = rangerClient.searchUser(ImmutableMap.of("name",
user.name()));
if (list.getListSize() == 0) {
LOG.warn("The user({}) doesn't exist in the Ranger!", user);
@@ -566,13 +573,13 @@ public abstract class RangerAuthorizationPlugin
}
@Override
- public Boolean onGroupAdded(Group group) throws RuntimeException {
+ public Boolean onGroupAdded(Group group) throws AuthorizationPluginException
{
return rangerClient.createGroup(
VXGroup.builder().withName(group.name()).withDescription(group.name()).build());
}
@Override
- public Boolean onGroupRemoved(Group group) throws RuntimeException {
+ public Boolean onGroupRemoved(Group group) throws
AuthorizationPluginException {
VXGroupList list = rangerClient.searchGroup(ImmutableMap.of("name",
group.name()));
if (list.getListSize() == 0) {
LOG.warn("The group({}) doesn't exist in the Ranger!", group);
@@ -650,7 +657,8 @@ public abstract class RangerAuthorizationPlugin
rangerClient.updatePolicy(policy.getId(), policy);
}
} catch (RangerServiceException e) {
- throw new RuntimeException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to add the securable object to the Ranger!");
}
return true;
@@ -720,7 +728,8 @@ public abstract class RangerAuthorizationPlugin
}
} catch (RangerServiceException e) {
LOG.error("Failed to remove the policy item from the Ranger policy {}!",
policy);
- throw new RuntimeException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to remove the securable object from Ranger!");
}
return true;
}
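Review bot: The `LOG.error(...)` kept above the new throw logs the policy but not the exception, and the failure is then thrown again with the cause attached, so the same event is reported twice with the stack trace present in only one of them. Either pass the exception to the logger, `LOG.error("Failed to remove the policy item from the Ranger policy {}!", policy, e);`, or drop the log line and put the policy name in the exception message. The same applies to the message added in the previous hunk, "Failed to add the securable object to the Ranger!", which names neither the role nor the policy. The method body starts outside the hunk.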
diff --git
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
index 86ed2ee88..b8c9868f6 100644
---
a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
+++
b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java
@@ -182,7 +182,7 @@ public class RangerHelper {
List<RangerPolicy> policies = rangerClient.findPolicies(searchFilters);
return policies;
} catch (RangerServiceException e) {
- throw new AuthorizationPluginException(e);
+ throw new AuthorizationPluginException(e, "Failed to find the policies
in the Ranger");
}
}
@@ -246,7 +246,8 @@ public class RangerHelper {
try {
rangerClient.getRole(roleName, rangerAdminName, rangerServiceName);
} catch (RangerServiceException e) {
- throw new AuthorizationPluginException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to check the role(%s) in the Ranger", roleName);
}
return true;
}
@@ -302,7 +303,8 @@ public class RangerHelper {
rangerClient.createRole(rangerServiceName, rangerRole);
}
} catch (RangerServiceException e) {
- throw new RuntimeException(e);
+ throw new AuthorizationPluginException(
+ e, "Failed to create the role(%s) in the Ranger", roleName);
}
return rangerRole;
}
diff --git
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
index 00a231e80..a72503c2f 100644
---
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
+++
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java
@@ -22,6 +22,7 @@ import static
org.apache.gravitino.authorization.ranger.integration.test.RangerI
import static
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.rangerClient;
import static
org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger;
+import com.google.common.base.Joiner;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
@@ -49,6 +50,7 @@ import
org.apache.gravitino.authorization.ranger.RangerMetadataObject;
import org.apache.gravitino.authorization.ranger.RangerPrivileges;
import org.apache.gravitino.authorization.ranger.RangerSecurableObject;
import org.apache.gravitino.authorization.ranger.reference.RangerDefines;
+import org.apache.gravitino.exceptions.AuthorizationPluginException;
import org.apache.gravitino.integration.test.util.GravitinoITUtils;
import org.apache.gravitino.meta.AuditInfo;
import org.apache.gravitino.meta.GroupEntity;
@@ -325,16 +327,20 @@ public class RangerHiveIT {
String dbName = currentFunName();
createHivePolicy(
Lists.newArrayList(String.format("%s*", dbName), "*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s*", dbName), "tab*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s3", dbName), "*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s3", dbName), "tab*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
// findManagedPolicy function use precise search, so return null
RangerSecurableObject rangerSecurableObject =
rangerAuthHivePlugin.generateRangerSecurableObject(
@@ -348,12 +354,33 @@ public class RangerHiveIT {
// Add a policy for `db3.tab1`
createHivePolicy(
Lists.newArrayList(String.format("%s3", dbName), "tab1"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
// findManagedPolicy function use precise search, so return not null
Assertions.assertNotNull(rangerHelper.findManagedPolicy(rangerSecurableObject));
}
- static void createHivePolicy(List<String> metaObjects, String roleName) {
+ @Test
+ public void testManagedByGravitinoLabel() {
+ RoleEntity role = mock3TableRole(currentFunName());
+ role.securableObjects().stream()
+ .forEach(
+ securableObject -> {
+ Joiner DOT_JOINER = Joiner.on('.');
+ List<String> names =
+ Lists.newArrayList(
+
SecurableObjects.DOT_SPLITTER.splitToList(securableObject.fullName()));
+ names.remove(0); // remove catalog node
+ // Manual create the Ranger Policy
+ createHivePolicy(Lists.newArrayList(names),
DOT_JOINER.join(names), false);
+ });
+ // Use role to create Ranger Policy
+ Assertions.assertThrows(
+ AuthorizationPluginException.class, () ->
rangerAuthHivePlugin.onRoleCreated(role));
+ }
+
+ static void createHivePolicy(
+ List<String> metaObjects, String roleName, boolean
labelManagedByGravitino) {
Assertions.assertTrue(metaObjects.size() < 4);
Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap = new
HashMap<>();
for (int i = 0; i < metaObjects.size(); i++) {
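Review bot: `testManagedByGravitinoLabel` asserts only the exception type, so it also passes if `onRoleCreated` fails for an unrelated reason such as a Ranger call error, now that every Ranger failure is wrapped in `AuthorizationPluginException`. The property worth pinning is that a policy without the managed-by-Gravitino label is refused and left untouched; capture the result with `AuthorizationPluginException ex = Assertions.assertThrows(...)` and assert on something specific to the label check, and ideally re-read the manually created policies to confirm they were not modified. As a style point, `Joiner DOT_JOINER` is a local inside the lambda but is named like a constant and re-created per element; hoist it to `private static final Joiner DOT_JOINER = Joiner.on('.');`, and `role.securableObjects().forEach(...)` does not need the `.stream()`. `createHivePolicy` continues outside the hunk.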
@@ -377,7 +404,8 @@ public class RangerHiveIT {
RangerITEnv.RANGER_HIVE_REPO_NAME,
roleName,
policyResourceMap,
- Collections.singletonList(policyItem));
+ Collections.singletonList(policyItem),
+ labelManagedByGravitino);
}
static boolean deleteHivePolicy(RangerSecurableObject rangerSecurableObject)
{
@@ -780,16 +808,20 @@ public class RangerHiveIT {
throws RangerServiceException {
createHivePolicy(
Lists.newArrayList(String.format("%s*", funcName), "*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s*", funcName), "tab*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s3", funcName), "*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
createHivePolicy(
Lists.newArrayList(String.format("%s3", funcName), "tab*"),
- GravitinoITUtils.genRandomName(currentFunName()));
+ GravitinoITUtils.genRandomName(currentFunName()),
+ true);
Assertions.assertEquals(
4,
rangerClient.getPoliciesInService(RangerITEnv.RANGER_HIVE_REPO_NAME).size());
diff --git
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
index be653bd3d..fdc2d8fab 100644
---
a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
+++
b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java
@@ -180,7 +180,8 @@ public class RangerITEnv {
RANGER_HDFS_REPO_NAME,
policyName,
policyResourceMap,
- Collections.singletonList(policyItem));
+ Collections.singletonList(policyItem),
+ false);
}
/**
@@ -217,7 +218,8 @@ public class RangerITEnv {
RANGER_HIVE_REPO_NAME,
policyName,
policyResourceMap,
- Collections.singletonList(policyItem));
+ Collections.singletonList(policyItem),
+ false);
}
public void createRangerTrinoRepository(String trinoIp) {
@@ -513,7 +515,8 @@ public class RangerITEnv {
String serviceName,
String policyName,
Map<String, RangerPolicy.RangerPolicyResource> policyResourceMap,
- List<RangerPolicy.RangerPolicyItem> policyItems) {
+ List<RangerPolicy.RangerPolicyItem> policyItems,
+ boolean labelManagedByGravitino) {
Map<String, String> resourceFilter = new HashMap<>(); // use to match the
precise policy
Map<String, String> policyFilter = new HashMap<>();
@@ -572,7 +575,9 @@ public class RangerITEnv {
policy.setServiceType(type);
policy.setService(serviceName);
policy.setName(policyName);
-
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
+ if (labelManagedByGravitino) {
+
policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO));
+ }
policy.setResources(policyResourceMap);
policy.setPolicyItems(policyItems);
rangerClient.createPolicy(policy);
diff --git
a/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java
b/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java
index 67dec8fff..2384bff22 100644
---
a/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java
+++
b/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java
@@ -23,6 +23,7 @@ import org.apache.gravitino.authorization.Group;
import org.apache.gravitino.authorization.Role;
import org.apache.gravitino.authorization.RoleChange;
import org.apache.gravitino.authorization.User;
+import org.apache.gravitino.exceptions.AuthorizationPluginException;
/** Interface for authorization Role plugin operation of the underlying access
control system */
interface RoleAuthorizationPlugin {
@@ -32,9 +33,9 @@ interface RoleAuthorizationPlugin {
*
* @param role The entity of the Role.
* @return True if the create operation success; False if the create
operation failed.
- * @throws RuntimeException If creating the Role encounters storage issues.
+ * @throws AuthorizationPluginException If creating the Role encounters
storage issues.
*/
- Boolean onRoleCreated(Role role) throws RuntimeException;
+ Boolean onRoleCreated(Role role) throws AuthorizationPluginException;
/**
* After acquiring a role from Gravitino, this method is called to acquire
the role in the
@@ -45,10 +46,10 @@ interface RoleAuthorizationPlugin {
*
* @param role The entity of the Role.
* @return IF exist return true, else return false.
- * @throws RuntimeException If getting the Role encounters underlying access
control system
- * issues.
+ * @throws AuthorizationPluginException If getting the Role encounters
underlying access control
+ * system issues.
*/
- Boolean onRoleAcquired(Role role) throws RuntimeException;
+ Boolean onRoleAcquired(Role role) throws AuthorizationPluginException;
/**
* After deleting a role from Gravitino, this method is called to delete the
role in the
@@ -56,9 +57,9 @@ interface RoleAuthorizationPlugin {
*
* @param role The entity of the Role.
* @return True if the Role was successfully deleted, false only when
there's no such role
- * @throws RuntimeException If deleting the Role encounters storage issues.
+ * @throws AuthorizationPluginException If deleting the Role encounters
storage issues.
*/
- Boolean onRoleDeleted(Role role) throws RuntimeException;
+ Boolean onRoleDeleted(Role role) throws AuthorizationPluginException;
/**
* After updating a role in Gravitino, this method is called to update the
role in the underlying
@@ -67,9 +68,9 @@ interface RoleAuthorizationPlugin {
* @param role The entity of the Role.
* @param changes role changes apply to the role.
* @return True if the update operation is successful; False if the update
operation fails.
- * @throws RuntimeException If update role encounters storage issues.
+ * @throws AuthorizationPluginException If update role encounters storage
issues.
*/
- Boolean onRoleUpdated(Role role, RoleChange... changes) throws
RuntimeException;
+ Boolean onRoleUpdated(Role role, RoleChange... changes) throws
AuthorizationPluginException;
/**
* After granting roles to a user from Gravitino, this method is called to
grant roles to the user
@@ -78,9 +79,9 @@ interface RoleAuthorizationPlugin {
* @param user The entity of the User.
* @param roles The entities of the Roles.
* @return True if the Grant was successful, false if the Grant was failed.
- * @throws RuntimeException If granting roles to a user encounters storage
issues.
+ * @throws AuthorizationPluginException If granting roles to a user
encounters storage issues.
*/
- Boolean onGrantedRolesToUser(List<Role> roles, User user) throws
RuntimeException;
+ Boolean onGrantedRolesToUser(List<Role> roles, User user) throws
AuthorizationPluginException;
/**
* After revoking roles from a user from Gravitino, this method is called to
revoke roles from the
@@ -89,9 +90,9 @@ interface RoleAuthorizationPlugin {
* @param user The entity of the User.
* @param roles The entities of the Roles.
* @return True if the revoke was successfully removed, false if the revoke
failed.
- * @throws RuntimeException If revoking roles from a user encounters storage
issues.
+ * @throws AuthorizationPluginException If revoking roles from a user
encounters storage issues.
*/
- Boolean onRevokedRolesFromUser(List<Role> roles, User user) throws
RuntimeException;
+ Boolean onRevokedRolesFromUser(List<Role> roles, User user) throws
AuthorizationPluginException;
/**
* After granting roles to a group from Gravitino, this method is called to
grant roles to the
@@ -100,9 +101,9 @@ interface RoleAuthorizationPlugin {
* @param group The entity of the Group.
* @param roles The entities of the Roles.
* @return True if the revoke was successfully removed, False if the revoke
failed.
- * @throws RuntimeException If granting roles to a group encounters storage
issues.
+ * @throws AuthorizationPluginException If granting roles to a group
encounters storage issues.
*/
- Boolean onGrantedRolesToGroup(List<Role> roles, Group group) throws
RuntimeException;
+ Boolean onGrantedRolesToGroup(List<Role> roles, Group group) throws
AuthorizationPluginException;
/**
* After revoking roles from a group from Gravitino, this method is called
to revoke roles from
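Review bot: The Javadoc for `onGrantedRolesToGroup` still says `@return True if the revoke was successfully removed, False if the revoke failed`, which describes the revoke method, not the grant. Since this commit already rewrites the `@throws` line of the same comment, it is a good moment to correct it: `@return True if the roles were granted successfully, false if the grant failed.` The `@throws` text throughout this interface also keeps "encounters storage issues", while the implementation in `RangerAuthorizationPlugin` raises the exception for failures in the underlying access control system; `@throws AuthorizationPluginException If granting roles to a group fails in the underlying access control system.` would match what is actually thrown.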
@@ -111,7 +112,8 @@ interface RoleAuthorizationPlugin {
* @param group The entity of the Group.
* @param roles The entities of the Roles.
* @return True if the revoke was successfully removed, False if the revoke
failed.
- * @throws RuntimeException If revoking roles from a group encounters
storage issues.
+ * @throws AuthorizationPluginException If revoking roles from a group
encounters storage issues.
*/
- Boolean onRevokedRolesFromGroup(List<Role> roles, Group group) throws
RuntimeException;
+ Boolean onRevokedRolesFromGroup(List<Role> roles, Group group)
+ throws AuthorizationPluginException;
}
diff --git
a/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java
b/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java
index 973b7a815..819afecf2 100644
---
a/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java
+++
b/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java
@@ -22,6 +22,7 @@ import org.apache.gravitino.MetadataObject;
import org.apache.gravitino.authorization.Group;
import org.apache.gravitino.authorization.Owner;
import org.apache.gravitino.authorization.User;
+import org.apache.gravitino.exceptions.AuthorizationPluginException;
/**
* Interface for authorization User and Group plugin operation of the
underlying access control
@@ -34,9 +35,9 @@ interface UserGroupAuthorizationPlugin {
*
* @param user The user entity.
* @return True if the add User was successfully added, false if the add
User failed.
- * @throws RuntimeException If adding the User encounters storage issues.
+ * @throws AuthorizationPluginException If adding the User encounters
storage issues.
*/
- Boolean onUserAdded(User user) throws RuntimeException;
+ Boolean onUserAdded(User user) throws AuthorizationPluginException;
/**
* After removing a User from Gravitino, this method is called to remove the
User from the
@@ -44,9 +45,9 @@ interface UserGroupAuthorizationPlugin {
*
* @param user The user entity.
* @return True if the User was successfully removed, false if the remove
User failed.
- * @throws RuntimeException If removing the User encounters storage issues.
+ * @throws AuthorizationPluginException If removing the User encounters
storage issues.
*/
- Boolean onUserRemoved(User user) throws RuntimeException;
+ Boolean onUserRemoved(User user) throws AuthorizationPluginException;
/**
* After acquiring a User from Gravitino, this method is called to acquire
the User in the
@@ -57,10 +58,10 @@ interface UserGroupAuthorizationPlugin {
*
* @param user The user entity.
* @return IF exist return true, else return false.
- * @throws RuntimeException If getting the User encounters underlying access
control system
- * issues.
+ * @throws AuthorizationPluginException If getting the User encounters
underlying access control
+ * system issues.
*/
- Boolean onUserAcquired(User user) throws RuntimeException;
+ Boolean onUserAcquired(User user) throws AuthorizationPluginException;
/**
* After adding a Group to Gravitino, this method is called to add the Group
to the underlying
@@ -68,9 +69,9 @@ interface UserGroupAuthorizationPlugin {
*
* @param group The group entity.
* @return True if the add Group was successfully added, false if the add
Group failed.
- * @throws RuntimeException If adding the Group encounters storage issues.
+ * @throws AuthorizationPluginException If adding the Group encounters
storage issues.
*/
- Boolean onGroupAdded(Group group) throws RuntimeException;
+ Boolean onGroupAdded(Group group) throws AuthorizationPluginException;
/**
* After removing a Group from Gravitino, this method is called to remove
the Group from the
@@ -79,9 +80,9 @@ interface UserGroupAuthorizationPlugin {
* @param group The group entity.
* @return True if the remove Group was successfully removed, false if the
remove Group was
* failed.
- * @throws RuntimeException If removing the Group encounters storage issues.
+ * @throws AuthorizationPluginException If removing the Group encounters
storage issues.
*/
- Boolean onGroupRemoved(Group group) throws RuntimeException;
+ Boolean onGroupRemoved(Group group) throws AuthorizationPluginException;
/**
* After acquiring a Group from Gravitino, this method is called to acquire
the Group in the
@@ -92,10 +93,10 @@ interface UserGroupAuthorizationPlugin {
*
* @param group The group entity.
* @return If exist return true, else return false.
- * @throws RuntimeException If getting the Group encounters underlying
access control system
- * issues.
+ * @throws AuthorizationPluginException If getting the Group encounters
underlying access control
+ * system issues.
*/
- Boolean onGroupAcquired(Group group) throws RuntimeException;
+ Boolean onGroupAcquired(Group group) throws AuthorizationPluginException;
/**
* After set a Owner to Gravitino, this method is called to set the Owner to
the underlying
@@ -105,8 +106,8 @@ interface UserGroupAuthorizationPlugin {
* @param preOwner The previous owner.
* @param newOwner The new owner.
* @return True if the set Owner was successfully set, false if the set
Owner failed.
- * @throws RuntimeException If adding the Group encounters storage issues.
+ * @throws AuthorizationPluginException If adding the Group encounters
storage issues.
*/
Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner
newOwner)
- throws RuntimeException;
+ throws AuthorizationPluginException;
}
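Review bot: The rewritten `@throws` line for `onOwnerSet` keeps the copied wording "If adding the Group encounters storage issues", which describes a different method. Suggested replacement: `@throws AuthorizationPluginException If setting the owner fails in the underlying access control system.` The Ranger implementation also rejects a null `newOwner` through `Preconditions.checkArgument`, so the interface contract would be clearer with an added `@throws IllegalArgumentException If newOwner is null.`, assuming that precondition is meant to hold for every plugin.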