This is an automated email from the ASF dual-hosted git repository.
jshao pushed a commit to branch branch-metadata-authz
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-metadata-authz by this
push:
new 97be1985ed [#6774] feat(authz): Support initialize GravitinoAuthorizer
(#7062)
97be1985ed is described below
commit 97be1985ed4e05fbf45dbcc7ebbdf9888c834e20
Author: yangyang zhong <[email protected]>
AuthorDate: Tue Apr 29 10:05:50 2025 +0800
[#6774] feat(authz): Support initialize GravitinoAuthorizer (#7062)
### What changes were proposed in this pull request?
Support initializing GravitinoAuthorizer
### Why are the changes needed?
Fix: #6774
### Does this PR introduce _any_ user-facing change?
None
### How was this patch tested?
1、org.apache.gravitino.server.authorization.TestGravitinoAuthorizerProvider
2、org.apache.gravitino.server.authorization.TestAllowAuthorizer
---
.../authorization/GravitinoAuthorizerProvider.java | 19 ++++++++--
...uthorizeApi.java => PassThroughAuthorizer.java} | 34 ++++++++++++------
.../annotations/MetadataAuthorizeApi.java | 24 -------------
.../TestGravitinoAuthorizerProvider.java | 40 ++++++++++++++++++++++
.../authorization/TestPassThroughAuthorizer.java} | 24 ++++++++-----
.../authorization/annotations/TestAnnotations.java | 2 +-
.../apache/gravitino/server/GravitinoServer.java | 9 ++++-
.../gravitino/server/TestGravitinoServer.java | 2 +-
8 files changed, 106 insertions(+), 48 deletions(-)
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
index ad48590feb..49390cf27f 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
@@ -17,6 +17,7 @@
package org.apache.gravitino.server.authorization;
+import org.apache.gravitino.Configs;
import org.apache.gravitino.server.ServerConfig;
/**
@@ -31,7 +32,7 @@ public class GravitinoAuthorizerProvider {
private GravitinoAuthorizerProvider() {}
- private GravitinoAuthorizer gravitinoAuthorizer;
+ private volatile GravitinoAuthorizer gravitinoAuthorizer;
/**
* Instantiate the {@link GravitinoAuthorizer}, and then execute the
initialize method in the
@@ -40,7 +41,21 @@ public class GravitinoAuthorizerProvider {
* @param serverConfig Gravitino server config
*/
public void initialize(ServerConfig serverConfig) {
- // TODO
+ if (gravitinoAuthorizer == null) {
+ synchronized (this) {
+ if (gravitinoAuthorizer == null) {
+ boolean enableAuthorization =
serverConfig.get(Configs.ENABLE_AUTHORIZATION);
+ if (enableAuthorization) {
+ // TODO
+ } else {
+ gravitinoAuthorizer = new PassThroughAuthorizer();
+ }
+ if (gravitinoAuthorizer != null) {
+ gravitinoAuthorizer.initialize();
+ }
+ }
+ }
+ }
}
public static GravitinoAuthorizerProvider getInstance() {
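Review bot: With `Configs.ENABLE_AUTHORIZATION` set to true, the `// TODO` branch of `initialize` leaves `gravitinoAuthorizer` null and the method returns normally, so a deployment that asks for authorization comes up with no authorizer at all. How callers of `getGravitinoAuthorizer()` treat null is not visible in this hunk, but the safer contract is to fail closed until the real implementation lands. Separately, the instance is stored in the volatile field before `initialize()` runs, so a second thread that passes the outer null check can pick up an authorizer that is not yet initialized; build and initialize a local first and publish it last. The Javadoc of `initialize` starts outside the hunk.

```java
public void initialize(ServerConfig serverConfig) {
  // … unchanged: double-checked null test and read of Configs.ENABLE_AUTHORIZATION …
        if (enableAuthorization) {
          // Fail closed: never report "authorization enabled" without an enforcing authorizer.
          throw new UnsupportedOperationException(
              "Metadata authorization is enabled but no GravitinoAuthorizer implementation is available");
        }
        GravitinoAuthorizer authorizer = new PassThroughAuthorizer();
        authorizer.initialize();
        // Publish only after initialize() has completed.
        gravitinoAuthorizer = authorizer;
  // … unchanged: closing braces …
```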
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
similarity index 54%
rename from
server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java
rename to
server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
index b45cf7707a..645b946b6b 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
@@ -15,17 +15,31 @@
* under the License.
*/
-package org.apache.gravitino.server.authorization.annotations;
+package org.apache.gravitino.server.authorization;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
+import java.io.IOException;
+import java.security.Principal;
+import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.authorization.Privilege;
/**
- * This annotation is used to implement unified authentication in AOP. Use
Expressions to define the
- * required privileges for an API.
+ * The default implementation of GravitinoAuthorizer, indicating that metadata
permission control is
+ * not enabled.
*/
-@Target({ElementType.METHOD})
-@Retention(RetentionPolicy.RUNTIME)
-public @interface ExpressionsAuthorizeApi {}
+public class PassThroughAuthorizer implements GravitinoAuthorizer {
+
+ @Override
+ public void initialize() {}
+
+ @Override
+ public boolean authorize(
+ Principal principal,
+ String metalake,
+ MetadataObject metadataObject,
+ Privilege.Name privilege) {
+ return true;
+ }
+
+ @Override
+ public void close() throws IOException {}
+}
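Review bot: `authorize` returns true for every principal, metalake, object and privilege, and nothing in the class makes that visible to an operator at runtime. The class Javadoc should say so outright, for example `Permits every request without evaluating the principal or the privilege; install only when metadata authorization is disabled.` The empty `initialize()` is a natural place for a single WARN line through the project's logger, so the server log records that authorization checks are not being enforced.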
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java
deleted file mode 100644
index 2fae8439fb..0000000000
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.gravitino.server.authorization.annotations;
-
-/**
- * Defines the annotation for authorizing access to an API. Use the
resourceType and privileges
- * fields to define the required privileges and resource type for the API.
- */
-public @interface MetadataAuthorizeApi {}
diff --git
a/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java
b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java
new file mode 100644
index 0000000000..888080ced3
--- /dev/null
+++
b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.server.authorization;
+
+import org.apache.gravitino.Configs;
+import org.apache.gravitino.server.ServerConfig;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+/** Test of {@link GravitinoAuthorizerProvider} */
+public class TestGravitinoAuthorizerProvider {
+
+ @Test
+ public void testInitializeAllowAuthorizer() {
+ ServerConfig serverConfig = new ServerConfig();
+ serverConfig.set(Configs.ENABLE_AUTHORIZATION, false);
+ GravitinoAuthorizerProvider.getInstance().initialize(serverConfig);
+ GravitinoAuthorizer gravitinoAuthorizer =
+ GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
+ Assertions.assertInstanceOf(
+ PassThroughAuthorizer.class,
+ gravitinoAuthorizer,
+ "Error initializing GravitinoAuthorizerProvider");
+ }
+}
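Review bot: `testInitializeAllowAuthorizer` covers only `ENABLE_AUTHORIZATION=false`, and `GravitinoAuthorizerProvider.getInstance()` is a shared singleton whose `initialize` does nothing once the field is set. The assertion therefore cannot tell "config honoured" from "already initialized by an earlier test in the same JVM". A companion case for `true` should pin the intended behaviour, namely that the provider does not hand back a `PassThroughAuthorizer` (or that `initialize` fails) when authorization is requested. The method name also appears to predate the rename; `testInitializePassThroughAuthorizer` would match the class it asserts on.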
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java
b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
similarity index 59%
rename from
server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java
rename to
server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
index 9fa04357ba..32e8510cce 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java
+++
b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
@@ -15,14 +15,20 @@
* under the License.
*/
-package org.apache.gravitino.server.authorization.annotations;
+package org.apache.gravitino.server.authorization;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
+import java.io.IOException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
-/** This annotation identify which parameters in the request are to be used
for authorization. */
-@Target({ElementType.PARAMETER, ElementType.FIELD})
-@Retention(RetentionPolicy.RUNTIME)
-public @interface AuthorizeMetadata {}
+/** Test of {@link PassThroughAuthorizer} */
+public class TestPassThroughAuthorizer {
+
+ @Test
+ public void testAuthorize() throws IOException {
+ try (PassThroughAuthorizer passThroughAuthorizer = new
PassThroughAuthorizer()) {
+ boolean result = passThroughAuthorizer.authorize(null, null, null, null);
+ Assertions.assertTrue(result, "Logic error in PassThroughAuthorizer");
+ }
+ }
+}
diff --git
a/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
b/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
index 9bad0c47d6..75a041eabb 100644
---
a/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
+++
b/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
@@ -45,7 +45,7 @@ public class TestAnnotations {
// This class is used to test the AuthorizeApi annotation.
// 1. ResourceAuthorizeApi
- // 2. ExpressionsAuthorizeApi
+ // 2. AuthorizationExpression
static class TestAuthorizeAnnotationClass {
@AuthorizationMetadataPrivileges(
privileges = {Privilege.Name.CREATE_CATALOG,
Privilege.Name.USE_CATALOG},
diff --git
a/server/src/main/java/org/apache/gravitino/server/GravitinoServer.java
b/server/src/main/java/org/apache/gravitino/server/GravitinoServer.java
index ab10bcf5dc..ebfc385a02 100644
--- a/server/src/main/java/org/apache/gravitino/server/GravitinoServer.java
+++ b/server/src/main/java/org/apache/gravitino/server/GravitinoServer.java
@@ -20,6 +20,7 @@ package org.apache.gravitino.server;
import com.google.common.collect.Lists;
import java.io.File;
+import java.io.IOException;
import java.util.List;
import java.util.Properties;
import javax.servlet.Servlet;
@@ -37,6 +38,7 @@ import org.apache.gravitino.metalake.MetalakeDispatcher;
import org.apache.gravitino.metrics.MetricsSystem;
import org.apache.gravitino.metrics.source.MetricsSource;
import org.apache.gravitino.server.authentication.ServerAuthenticator;
+import org.apache.gravitino.server.authorization.GravitinoAuthorizer;
import org.apache.gravitino.server.authorization.GravitinoAuthorizerProvider;
import org.apache.gravitino.server.web.ConfigServlet;
import org.apache.gravitino.server.web.HttpServerMetricsSource;
@@ -161,7 +163,12 @@ public class GravitinoServer extends ResourceConfig {
server.join();
}
- public void stop() {
+ public void stop() throws IOException {
+ GravitinoAuthorizer gravitinoAuthorizer =
+ GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
+ if (gravitinoAuthorizer != null) {
+ gravitinoAuthorizer.close();
+ }
server.stop();
gravitinoEnv.shutdown();
}
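Review bot: In `stop()` the authorizer is closed before `server.stop()`, so requests still in flight can reach an authorizer that has already been closed. An `IOException` from `close()` also skips both `server.stop()` and `gravitinoEnv.shutdown()`. Stop the server first and close the authorizer inside `try`/`finally` so the environment is always shut down. The added `throws IOException` changes the signature for every caller of `stop()`; catching and logging inside the method would avoid that if the wider signature is not wanted.

```java
public void stop() throws IOException {
  // Stop accepting requests before the authorizer goes away.
  server.stop();
  try {
    // … unchanged: look up the authorizer and close it if non-null …
  } finally {
    // Runs even when close() throws.
    gravitinoEnv.shutdown();
  }
}
```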
diff --git
a/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
b/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
index 428d642491..2155047c9e 100644
--- a/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
+++ b/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
@@ -81,7 +81,7 @@ public class TestGravitinoServer {
}
@AfterEach
- public void tearDown() {
+ public void tearDown() throws IOException {
if (gravitinoServer != null) {
gravitinoServer.stop();
}