hdygxsj commented on code in PR #7197: URL: https://github.com/apache/gravitino/pull/7197#discussion_r2102719555
########## server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java: ########## @@ -0,0 +1,159 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.authorization.jcasbin; + +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.base.Preconditions; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.security.Principal; +import java.util.List; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.io.IOUtils; +import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.auth.AuthConstants; +import org.apache.gravitino.authorization.Privilege; +import org.apache.gravitino.server.authorization.GravitinoAuthorizer; +import org.apache.gravitino.server.authorization.MetadataIdConverter; +import org.apache.gravitino.server.web.ObjectMapperProvider; +import org.apache.gravitino.storage.relational.po.RolePO; +import org.apache.gravitino.storage.relational.po.SecurableObjectPO; +import org.apache.gravitino.storage.relational.service.MetalakeMetaService; +import org.apache.gravitino.storage.relational.service.RoleMetaService; +import org.apache.gravitino.storage.relational.service.UserMetaService; +import org.casbin.jcasbin.main.Enforcer; +import org.casbin.jcasbin.model.Model; + +/** The Jcasbin implementation of GravitinoAuthorizer. */ +public class JcasbinAuthorizer implements GravitinoAuthorizer { + + /** Jcasbin enforcer is used for metadata authorization. */ + private Enforcer enforcer; + + /** + * loadedRoles is used to cache roles that have loaded permissions. When the permissions of a role + * are updated, they should be removed from it. + */ + private Set<Long> loadedRoles = ConcurrentHashMap.newKeySet(); + + @Override + public void initialize() { + try (InputStream modelStream = + JcasbinAuthorizer.class.getResourceAsStream("/jcasbin_model.conf")) { + Preconditions.checkNotNull(modelStream, "Jcasbin model file can not found."); + String modelData = IOUtils.toString(modelStream, StandardCharsets.UTF_8); + Model model = new Model(); + model.loadModelFromText(modelData); + enforcer = new Enforcer(model, new PassThroughAdapter()); + } catch (IOException e) { + throw new RuntimeException(e); + } + } + + @Override + public boolean authorize( + Principal principal, + String metalake, + MetadataObject metadataObject, + Privilege.Name privilege) { + return authorizeInternal(principal, metalake, metadataObject, privilege.name()); + } + + @Override + public boolean isOwner(Principal principal, String metalake, MetadataObject metadataObject) { + return authorizeInternal(principal, metalake, metadataObject, AuthConstants.OWNER); + } + + @Override + public void handleRolePrivilegeChange(Long roleId) { + loadedRoles.remove(roleId); + enforcer.deleteRole(String.valueOf(roleId)); + } + + @Override + public void close() throws IOException {} + + private boolean authorizeInternal( + Principal principal, String metalake, MetadataObject metadataObject, String privilege) { + String username = principal.getName(); + Long metalakeId = MetalakeMetaService.getInstance().getMetalakeIdByName(metalake); + Long userId = UserMetaService.getInstance().getUserIdByMetalakeIdAndName(metalakeId, username); + // When Jcasbin authentication fails, load the permissions from the db + return authorizeByJcasbin(userId, metadataObject, privilege) Review Comment: done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
