Re: [PR] [#6054] feat(core): add more permission to support fileset operations [gravitino]

Wed, 08 Jan 2025 00:30:35 -0800 


yuqi1129 commented on code in PR #6141:
URL: https://github.com/apache/gravitino/pull/6141#discussion_r1906718286


##########
bundles/gcp/src/main/java/org/apache/gravitino/gcs/credential/GCSTokenProvider.java:
##########
@@ -99,6 +101,57 @@ private AccessToken getToken(Set<String> readLocations, 
Set<String> writeLocatio
     return downscopedCredentials.refreshAccessToken();
   }
 
+  private List<String> getReadExpressions(String bucketName, String 
resourcePath) {
+    List<String> readExpressions = new ArrayList<>();
+    readExpressions.add(
+        String.format(
+            "resource.name.startsWith('projects/_/buckets/%s/objects/%s')",
+            bucketName, resourcePath));
+    getAllResources(resourcePath)

Review Comment:
   Why do we only need to handle `readExpressions`, what about 
`writeExpressions`?



##########
bundles/gcp/src/main/java/org/apache/gravitino/gcs/credential/GCSTokenProvider.java:
##########
@@ -99,6 +101,57 @@ private AccessToken getToken(Set<String> readLocations, 
Set<String> writeLocatio
     return downscopedCredentials.refreshAccessToken();
   }
 
+  private List<String> getReadExpressions(String bucketName, String 
resourcePath) {
+    List<String> readExpressions = new ArrayList<>();
+    readExpressions.add(
+        String.format(
+            "resource.name.startsWith('projects/_/buckets/%s/objects/%s')",
+            bucketName, resourcePath));
+    getAllResources(resourcePath)
+        .forEach(
+            parentResourcePath ->
+                readExpressions.add(
+                    String.format(
+                        "resource.name == 'projects/_/buckets/%s/objects/%s'",
+                        bucketName, parentResourcePath)));
+    return readExpressions;
+  }
+
+  @VisibleForTesting
+  // "a/b/c" will get ["a", "a/", "a/b", "a/b/", "a/b/c"]
+  static List<String> getAllResources(String resourcePath) {

Review Comment:
   What's the real cause of this issue? I recall that you used the prefix match 
mode to control permission. Why can't it work?
   
   When I worked on GCS IAM authorization, I tested if using the prefix 
condition on a role, I worked, so I wonder if there is any difference in 
credentials. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to