Re: [PR] [#7545] feat(authz): Support fileset authorization [gravitino]

Wed, 09 Jul 2025 19:40:56 -0700 


hdygxsj commented on code in PR #7581:
URL: https://github.com/apache/gravitino/pull/7581#discussion_r2196381167


##########
server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java:
##########
@@ -367,20 +375,20 @@ public Response dropFileset(
   @ResponseMetered(name = "get-file-location", absolute = true)
   @AuthorizationExpression(
       expression =
-          "METALAKE::READ_FILESET || CATALOG::READ_FILESET "
-              + "|| SCHEMA::READ_FILESET || FILESET::READ_FILESET "
-              + "|| METALAKE::WRITE_FILESET || CATALOG::WRITE_FILESET "
-              + "|| SCHEMA::WRITE_FILESET || FILESET::WRITE_FILESET "
-              + "|| METALAKE::OWNER || CATALOG::OWNER "
-              + "|| SCHEMA::OWNER || FILESET::OWNER",
+          "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) ||"

Review Comment:
   FILESET OWNER need USE_SCHEMA and USE_CATALOG
   
   SCHEMA OWNER need USE_CATALOG



##########
server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java:
##########
@@ -289,18 +297,17 @@ public Response listFiles(
   @ResponseMetered(name = "alter-fileset", absolute = true)
   @AuthorizationExpression(
       expression =
-          "METALAKE::WRITE_FILESET || CATALOG::WRITE_FILESET "
-              + "|| SCHEMA::WRITE_FILESET || FILESET::WRITE_FILESET "
-              + "|| METALAKE::OWNER || CATALOG::OWNER "
-              + "|| SCHEMA::OWNER || FILESET::OWNER",
+          "ANY(WRITE_FILESET, METALAKE, CATALOG, SCHEMA, FILESET) || "
+              + "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET)",

Review Comment:
   FILESET OWNER need USE_SCHEMA and USE_CATALOG
   
   SCHEMA OWNER need USE_CATALOG



##########
server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java:
##########
@@ -202,20 +200,30 @@ public Response createFileset(
   @ResponseMetered(name = "load-fileset", absolute = true)
   @AuthorizationExpression(
       expression =
-          "METALAKE::READ_FILESET || CATALOG::READ_FILESET "
-              + "|| SCHEMA::READ_FILESET || FILESET::READ_FILESET "
-              + "|| METALAKE::WRITE_FILESET || CATALOG::WRITE_FILESET "
-              + "|| SCHEMA::WRITE_FILESET || FILESET::WRITE_FILESET "
-              + "|| METALAKE::OWNER || CATALOG::OWNER "
-              + "|| SCHEMA::OWNER || FILESET::OWNER",
+          "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) ||"
+              + "("
+              + "   ANY(USE_CATALOG, METALAKE, CATALOG, SCHEMA) && "
+              + "   ( ANY(READ_FILESET, METALAKE, CATALOG, SCHEMA, FILESET) || 
ANY(WRITE_FILESET, METALAKE, CATALOG, SCHEMA, FILESET))"

Review Comment:
   please add a ANY_WRITE_FILESET in 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConverter
 such as ANY_USE_CATALOG



##########
server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java:
##########
@@ -330,15 +337,16 @@ public Response alterFileset(
   @Timed(name = "drop-fileset." + MetricNames.HTTP_PROCESS_DURATION, absolute 
= true)
   @ResponseMetered(name = "drop-fileset", absolute = true)
   @AuthorizationExpression(
-      expression = "METALAKE::OWNER || CATALOG::OWNER " + "|| SCHEMA::OWNER || 
FILESET::OWNER",
+      expression = "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET)",

Review Comment:
   FILESET OWNER need USE_SCHEMA and USE_CATALOG
   
   SCHEMA OWNER need USE_CATALOG



##########
server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java:
##########
@@ -110,14 +110,12 @@ public Response listFilesets(
             idents =
                 MetadataFilterHelper.filterByExpression(
                     metalake,
-                    "( (METALAKE::USE_CATALOG || CATALOG::USE_CATALOG) && "
-                        + "(METALAKE::USE_SCHEMA || CATALOG::USE_SCHEMA 
||SCHEMA::USE_SCHEMA) && "
-                        + " (METALAKE::READ_FILESET || CATALOG::READ_FILESET "
-                        + "|| SCHEMA::READ_FILESET || FILESET::READ_FILESET "
-                        + "|| METALAKE::WRITE_FILESET || 
CATALOG::WRITE_FILESET "
-                        + "|| SCHEMA::WRITE_FILESET || FILESET::WRITE_FILESET) 
"
-                        + "|| METALAKE::OWNER || CATALOG::OWNER "
-                        + "|| SCHEMA::OWNER || FILESET::OWNER)",
+                    "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) ||"
+                        + "("
+                        + "  ANY(USE_CATALOG, METALAKE, CATALOG) && "
+                        + "  ANY(USE_SCHEMA, METALAKE, CATALOG, SCHEMA) && "

Review Comment:
   ANY(USE_SCHEMA, METALAKE, CATALOG, SCHEMA) replace to ANY_USE_SCHEMA 
   ANY(USE_CATALOG, METALAKE, CATALOG) replace to ANY_USE_CATALOG



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to