jerqi commented on code in PR #7167:
URL: https://github.com/apache/gravitino/pull/7167#discussion_r2111188262
##########
server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataFilterHelper.java:
##########
@@ -39,23 +46,86 @@ private MetadataFilterHelper() {}
* @param metadataList metadata list.
* @return metadata List that the user has permission to access.
*/
- @DoNotCall
- public static NameIdentifier[] filter(
- MetadataObject.Type metadataType, String privilege, NameIdentifier[]
metadataList) {
- throw new UnsupportedOperationException();
+ public static NameIdentifier[] filterByPrivilege(
+ String metalake,
+ MetadataObject.Type metadataType,
+ String privilege,
+ NameIdentifier[] metadataList) {
+ GravitinoAuthorizer gravitinoAuthorizer =
+ GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
+ Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
+ return Arrays.stream(metadataList)
+ .filter(
+ metaDataName ->
+ gravitinoAuthorizer.authorize(
+ currentPrincipal,
+ metalake,
+ MetadataObjects.of(metadataType, metaDataName),
+ Privilege.Name.valueOf(privilege)))
+ .toArray(NameIdentifier[]::new);
}
/**
* Call {@link AuthorizationExpressionEvaluator} to filter the metadata list
*
+ * @param metalake metalake
* @param expression authorization expression
* @param metadataType for example, CATALOG, SCHEMA,TABLE, etc.
* @param nameIdentifiers metaData list.
* @return metadata List that the user has permission to access.
*/
- @DoNotCall
public static NameIdentifier[] filterByExpression(
- String expression, MetadataObject.Type metadataType, NameIdentifier[]
nameIdentifiers) {
- throw new UnsupportedOperationException();
+ String metalake,
+ String expression,
+ MetadataObject.Type metadataType,
+ NameIdentifier[] nameIdentifiers) {
+ AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
+ new AuthorizationExpressionEvaluator(expression);
+ return Arrays.stream(nameIdentifiers)
+ .filter(
+ metaDataName -> {
+ Map<MetadataObject.Type, NameIdentifier> nameIdentifierMap =
+ spiltMetadataNames(metalake, metadataType, metaDataName);
+ return
authorizationExpressionEvaluator.evaluate(nameIdentifierMap);
+ })
+ .toArray(NameIdentifier[]::new);
+ }
+
+ /**
+ * Extract the parent metadata from NameIdentify, for example, extract
Schema and Catalog from
+ * Table.
+ *
+ * @param metalake metalake
+ * @param metadataType metadata type
+ * @param nameIdentifier metadata name
+ * @return metadata name
+ */
+ private static Map<MetadataObject.Type, NameIdentifier> spiltMetadataNames(
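Review bot: In `filterByPrivilege`, `Privilege.Name.valueOf(privilege)` is evaluated inside the filter lambda, so an unrecognised privilege string is rejected only when the first element is tested and passes silently when `metadataList` is empty (assuming `Privilege.Name` is an enum, as `valueOf` suggests). Resolve it once before the stream with `Privilege.Name privilegeName = Privilege.Name.valueOf(privilege);` and pass `privilegeName` to `authorize`, so a bad privilege name always fails the call and the lookup is not repeated per element. Because this method is an access-control filter, its Javadoc should also say what happens when there is no current principal or the authorizer throws; presumably the exception propagates and no list is returned, which is the fail-closed behaviour to keep. The Javadoc for this method opens above the quoted hunk, so whether `@param metalake` was added cannot be seen here, and the body of `spiltMetadataNames` continues outside the hunk.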
Review Comment:
Maybe you can reuse some methods of `NameIdentifierUtils`.