hdygxsj commented on code in PR #7077: URL: https://github.com/apache/gravitino/pull/7077#discussion_r2077508649
########## server-common/src/test/java/org/apache/gravitino/server/authorization/expression/TestAuthorizationExpressionConverter.java: ########## @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.authorization.expression; + +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; + +/** Test for {@link AuthorizationExpressionConverter} */ +public class TestAuthorizationExpressionConverter { + + @Test + public void testConvertToOgnlWithoutOwnerExpression() { + String createTableAuthorizationExpression = "CATALOG::CREATE_TABLE || SCHEMA::CREATE_SCHEMA"; + String createTableOgnlExpression = + AuthorizationExpressionConverter.convertToOgnlExpression( + createTableAuthorizationExpression); + Assertions.assertEquals( + "authorizer.authorize(principal,METALAKE_NAME,CATALOG,@org.apache.gravitino.authorization.Privilege$Name@CREATE_TABLE) || authorizer.authorize(principal,METALAKE_NAME,SCHEMA,@org.apache.gravitino.authorization.Privilege$Name@CREATE_SCHEMA)", + createTableOgnlExpression); + String selectTableAuthorizationExpression = + "CATALOG::USE_CATALOG && SCHEMA::USE_SCHEMA && (TABLE::SELECT_TABLE || TABLE::MODIFY_TABLE)"; + String selectTableOgnlExpression = + AuthorizationExpressionConverter.convertToOgnlExpression( + selectTableAuthorizationExpression); + Assertions.assertEquals( + "authorizer.authorize(principal,METALAKE_NAME,CATALOG,@org.apache.gravitino.authorization.Privilege$Name@USE_CATALOG) && authorizer.authorize(principal,METALAKE_NAME,SCHEMA,@org.apache.gravitino.authorization.Privilege$Name@USE_SCHEMA) && (authorizer.authorize(principal,METALAKE_NAME,TABLE,@org.apache.gravitino.authorization.Privilege$Name@SELECT_TABLE) || authorizer.authorize(principal,METALAKE_NAME,TABLE,@org.apache.gravitino.authorization.Privilege$Name@MODIFY_TABLE))", + selectTableOgnlExpression); Review Comment: fixed ########## server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionEvaluator.java: ########## @@ -17,29 +17,62 @@ package org.apache.gravitino.server.authorization.expression; +import java.security.Principal; import java.util.Map; +import ognl.Ognl; +import ognl.OgnlContext; +import ognl.OgnlException; import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.MetadataObjects; +import org.apache.gravitino.NameIdentifier; import org.apache.gravitino.server.authorization.GravitinoAuthorizer; +import org.apache.gravitino.server.authorization.GravitinoAuthorizerProvider; +import org.apache.gravitino.utils.PrincipalUtils; -/** Evaluate the runtime result of the AuthorizationExpression.. */ +/** Evaluate the runtime result of the AuthorizationExpression. */ public class AuthorizationExpressionEvaluator { + private final String ognlAuthorizationExpression; + /** - * Use {@link AuthorizationConverter} to convert the authorization expression into an OGNL - * expression, and then call {@link GravitinoAuthorizer} to perform permission verification. + * Use {@link AuthorizationExpressionConverter} to convert the authorization expression into an + * OGNL expression, and then call {@link GravitinoAuthorizer} to perform permission verification. * * @param expression authorization expression */ - public AuthorizationExpressionEvaluator(String expression) {} + public AuthorizationExpressionEvaluator(String expression) { + this.ognlAuthorizationExpression = + AuthorizationExpressionConverter.convertToOgnlExpression(expression); + } /** * Use OGNL expressions to invoke GravitinoAuthorizer for authorizing multiple types of metadata * IDs. * - * @param metadataIds key-metadata type, value-metadata id + * @param metadataNames key-metadata type, value-metadata NameIdentifier * @return authorization result */ - public boolean evaluate(Map<MetadataObject.Type, Long> metadataIds) { - throw new UnsupportedOperationException(); + public boolean evaluate(Map<MetadataObject.Type, NameIdentifier> metadataNames) { + Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal(); + GravitinoAuthorizer gravitinoAuthorizer = + GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(); + OgnlContext ognlContext = Ognl.createDefaultContext(null); + ognlContext.put("principal", currentPrincipal); + ognlContext.put("authorizer", gravitinoAuthorizer); + metadataNames.forEach( + (metadataType, metadataName) -> { + MetadataObjects.MetadataObjectImpl metadataObject = + new MetadataObjects.MetadataObjectImpl( + metadataName.namespace().toString(), metadataName.name(), metadataType); Review Comment: fixed ########## server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConverter.java: ########## @@ -0,0 +1,79 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.authorization.expression; + +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.apache.gravitino.server.authorization.MetadataFilterHelper; + +/** + * Convert the authorization expression into an executable expression, such as OGNL expression, etc. + */ +public class AuthorizationExpressionConverter { + + /** Match authorization expressions */ + private static final Pattern PATTERN = Pattern.compile("([A-Z_]+)::([A-Z_]+)"); + + /** + * The EXPRESSION_CACHE caches the result of converting authorization expressions into an OGNL + * expression. + */ + private static final Map<String, String> EXPRESSION_CACHE = new ConcurrentHashMap<>(); + + private AuthorizationExpressionConverter() {} + + /** + * Convert the authorization expression to OGNL expression. <a + * href="https://github.com/orphan-oss/ognl";>OGNL</a> stands for Object-Graph Navigation Language; + * It is an expression language for getting and setting properties of Java objects, plus other + * extras such as list projection and selection and lambda expressions. You use the same + * expression for both getting and setting the value of a property. + * + * @param authorizationExpression authorization expression from {@link MetadataFilterHelper} + * @return an OGNL expression used to call GravitinoAuthorizer + */ + public static String convertToOgnlExpression(String authorizationExpression) { + return EXPRESSION_CACHE.computeIfAbsent( + authorizationExpression, + (expression) -> { + Matcher matcher = PATTERN.matcher(expression); + StringBuffer result = new StringBuffer(); + + while (matcher.find()) { + String metadataType = matcher.group(1); + String privilegeOrOwner = matcher.group(2); + if ("OWNER".equals(privilegeOrOwner)) { + String replacement = + String.format("authorizer.isOwner(principal,METALAKE_NAME,%s)", metadataType); + matcher.appendReplacement(result, replacement); + } else { + String replacement = + String.format( + "authorizer.authorize(principal,METALAKE_NAME,%s,@org.apache.gravitino.authorization.Privilege\\$Name@%s)", Review Comment: fixed ########## server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizer.java: ########## @@ -45,4 +45,14 @@ boolean authorize( String metalake, MetadataObject metadataObject, Privilege.Name privilege); + + /** + * Determine whether the user is the Owner of a certain metadataType. Review Comment: fixed -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
