jerqi commented on code in PR #7197: URL: https://github.com/apache/gravitino/pull/7197#discussion_r2102526716
########## server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java: ########## @@ -0,0 +1,159 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.authorization.jcasbin; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.base.Preconditions; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.security.Principal; +import java.util.List; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.io.IOUtils; +import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.auth.AuthConstants; +import org.apache.gravitino.authorization.Privilege; +import org.apache.gravitino.server.authorization.GravitinoAuthorizer; +import org.apache.gravitino.server.authorization.MetadataIdConverter; +import org.apache.gravitino.server.web.ObjectMapperProvider; +import org.apache.gravitino.storage.relational.po.RolePO; +import org.apache.gravitino.storage.relational.po.SecurableObjectPO; +import org.apache.gravitino.storage.relational.service.MetalakeMetaService; +import org.apache.gravitino.storage.relational.service.RoleMetaService; +import org.apache.gravitino.storage.relational.service.UserMetaService; +import org.casbin.jcasbin.main.Enforcer; +import org.casbin.jcasbin.model.Model; + +/** The Jcasbin implementation of GravitinoAuthorizer. */ +public class JcasbinAuthorizer implements GravitinoAuthorizer { + + /** Jcasbin enforcer is used for metadata authorization. */ + private Enforcer enforcer; + + /** + * loadedRoles is used to cache roles that have loaded permissions. When the permissions of a role + * are updated, they should be removed from it. + */ + private Set<Long> loadedRoles = ConcurrentHashMap.newKeySet(); + + @Override + public void initialize() { + try (InputStream modelStream = + JcasbinAuthorizer.class.getResourceAsStream("/jcasbin_model.conf")) { + Preconditions.checkNotNull(modelStream, "Jcasbin model file can not found."); + String modelData = IOUtils.toString(modelStream, StandardCharsets.UTF_8); + Model model = new Model(); + model.loadModelFromText(modelData); + enforcer = new Enforcer(model, new PassThroughAdapter()); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + @Override + public boolean authorize( + Principal principal, + String metalake, + MetadataObject metadataObject, + Privilege.Name privilege) { + return authorizeInternal(principal, metalake, metadataObject, privilege.name()); + } + + @Override + public boolean isOwner(Principal principal, String metalake, MetadataObject metadataObject) { + return authorizeInternal(principal, metalake, metadataObject, AuthConstants.OWNER); + } + + @Override + public void handleRolePrivilegeChange(Long roleId) { + loadedRoles.remove(roleId); + enforcer.deleteRole(String.valueOf(roleId)); + } + + @Override + public void close() throws IOException {} + + private boolean authorizeInternal( + Principal principal, String metalake, MetadataObject metadataObject, String privilege) { + String username = principal.getName(); + Long metalakeId = MetalakeMetaService.getInstance().getMetalakeIdByName(metalake); Review Comment: It's not good to use `MetalakeMetaServie` instead EntityStore interface. Because we want to use EntityStore interface to provide universial access . ########## server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/PassThroughAdapter.java: ########## @@ -0,0 +1,57 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.authorization.jcasbin; + +import java.util.List; +import org.casbin.jcasbin.model.Model; +import org.casbin.jcasbin.persist.Adapter; + +/** + * The {@link Adapter} in Jcasbin is used to load the policy from the Adpater when initializing the + * {@link org.casbin.jcasbin.main.Enforcer} , and to persist the policy when the method of executing + * the Enforcer changes the policy + * + * <p>GravitinoAdapter will not perform any actions because there is no need to persist Privilege. + * All Privileges will be temporarily loaded into the Jcasbin cache when a user requests them. + */ +public class PassThroughAdapter implements Adapter { Review Comment: Sorry to give a bad name. After reading the code, it may be not a good name `PassThroughAdapter`. It may be better to call JcasbinAdapter. I ever thought it's related to PassThoughAUthorizer. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
