This is an automated email from the ASF dual-hosted git repository.
roryqi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new c54b9bd8eb [#6682] fix(authz): Remove `privilege_names` and
`privilege_conditions` check when delete securable objects of a role. (#6690)
c54b9bd8eb is described below
commit c54b9bd8eba2b34781b66aa87b669fc82fc432f4
Author: luoxin <[email protected]>
AuthorDate: Wed Mar 19 15:08:57 2025 +0800
[#6682] fix(authz): Remove `privilege_names` and `privilege_conditions`
check when delete securable objects of a role. (#6690)
### What changes were proposed in this pull request?
remove privilege_names and privilege_conditions check when delete
secruable objects of a role.
### Why are the changes needed?
Fix: #6682
### Does this PR introduce _any_ user-facing change?
no
### How was this patch tested?
add a integration test case.
---------
Co-authored-by: luoxin5 <[email protected]>
---
.../test/authorization/AccessControlIT.java | 43 ++++++++++++++++++++++
.../base/SecurableObjectBaseSQLProvider.java | 4 +-
2 files changed, 44 insertions(+), 3 deletions(-)
diff --git
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
index 07232e8a8d..1b24bb9083 100644
---
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
+++
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
@@ -578,4 +578,47 @@ public class AccessControlIT extends BaseIT {
}
}
}
+
+ @Test
+ void testRevokeRolePermissions() {
+ String roleName = "role#124";
+ Map<String, String> properties = Maps.newHashMap();
+ properties.put("k1", "v1");
+ metalake.createRole(roleName, properties, Lists.newArrayList());
+
+ MetadataObject metadataObject =
+ MetadataObjects.of("fileset_catalog", "fileset_schema",
MetadataObject.Type.SCHEMA);
+
+ // Multiple privileges (CreateFileset、ReadFileset、WriteFileset) are granted
+ // to the role here to better find errors, see (#6682).
+ Role role =
+ metalake.grantPrivilegesToRole(
+ roleName,
+ metadataObject,
+ Sets.newHashSet(
+ Privileges.CreateFileset.allow(),
+ Privileges.ReadFileset.allow(),
+ Privileges.WriteFileset.allow()));
+ Assertions.assertEquals(1, role.securableObjects().size());
+
+ // Then revoke
+ Role revokedRole =
+ metalake.revokePrivilegesFromRole(
+ roleName,
+ metadataObject,
+ Sets.newHashSet(
+ Privileges.CreateFileset.allow(),
+ Privileges.ReadFileset.allow(),
+ Privileges.WriteFileset.allow()));
+
+ // Confirm the return data has no securable objects.
+ Assertions.assertEquals(0, revokedRole.securableObjects().size());
+
+ // Confirm the role securable objects in memory has been actually soft
deleted.
+ Role newRole = metalake.getRole(roleName);
+ Assertions.assertEquals(0, newRole.securableObjects().size());
+
+ // Cleanup.
+ metalake.deleteRole(roleName);
+ }
}
diff --git
a/core/src/main/java/org/apache/gravitino/storage/relational/mapper/provider/base/SecurableObjectBaseSQLProvider.java
b/core/src/main/java/org/apache/gravitino/storage/relational/mapper/provider/base/SecurableObjectBaseSQLProvider.java
index 1c47741e05..42e9026193 100644
---
a/core/src/main/java/org/apache/gravitino/storage/relational/mapper/provider/base/SecurableObjectBaseSQLProvider.java
+++
b/core/src/main/java/org/apache/gravitino/storage/relational/mapper/provider/base/SecurableObjectBaseSQLProvider.java
@@ -63,9 +63,7 @@ public class SecurableObjectBaseSQLProvider {
+ " WHERE FALSE "
+ "<foreach collection='securableObjects' item='item' separator=' '>"
+ " OR (metadata_object_id = #{item.metadataObjectId} AND"
- + " role_id = #{item.roleId} AND deleted_at = 0 AND"
- + " privilege_names = #{item.privilegeNames} AND"
- + " privilege_conditions = #{item.privilegeConditions})"
+ + " role_id = #{item.roleId} AND deleted_at = 0 )"
+ "</foreach>"
+ "</script>";
}
