This is an automated email from the ASF dual-hosted git repository.
liuxun pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 2e36a4d44c [#7875] fix(authz): List users API access control is
ineffective (#7882)
2e36a4d44c is described below
commit 2e36a4d44caa9aa538dbc02b78c1add379abc7a6
Author: yangyang zhong <[email protected]>
AuthorDate: Fri Aug 1 10:34:44 2025 +0800
[#7875] fix(authz): List users API access control is ineffective (#7882)
### What changes were proposed in this pull request?
Fix the list users API, where access control is ineffective
### Why are the changes needed?
Fix: 7875
### Does this PR introduce _any_ user-facing change?
None
### How was this patch tested?
org.apache.gravitino.client.integration.test.authorization.UserAuthorizationIT
---
.../test/authorization/UserAuthorizationIT.java | 9 +++++++++
.../gravitino/server/web/rest/UserOperations.java | 19 ++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
diff --git
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/UserAuthorizationIT.java
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/UserAuthorizationIT.java
index 225599fd3b..41b9725831 100644
---
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/UserAuthorizationIT.java
+++
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/UserAuthorizationIT.java
@@ -31,6 +31,7 @@ import org.apache.gravitino.authorization.Privileges;
import org.apache.gravitino.authorization.User;
import org.apache.gravitino.client.GravitinoAdminClient;
import org.apache.gravitino.client.GravitinoMetalake;
+import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.MethodOrderer;
import org.junit.jupiter.api.Order;
import org.junit.jupiter.api.Tag;
@@ -65,6 +66,14 @@ public class UserAuthorizationIT extends
BaseRestApiAuthorizationIT {
"user1",
},
usersLoadByUser1);
+ String[] usernames = client.loadMetalake(METALAKE).listUserNames();
+ Assertions.assertArrayEquals(new String[] {USER, NORMAL_USER, "user1",
"user2"}, usernames);
+ String[] usernamesLoadByUser1 =
getClientByUser("user1").loadMetalake(METALAKE).listUserNames();
+ Assertions.assertArrayEquals(
+ new String[] {
+ "user1",
+ },
+ usernamesLoadByUser1);
}
@Test
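Review bot: The added assertions cover only part of the list-names filter: `client` is expected to see every name (presumably as metalake owner) and `user1` only itself, but no case lists names as a non-owner that holds MANAGE_USERS on the metalake. Adding a third client granted that privilege, and asserting that it sees all four names, would catch a mistake in that clause of the authorization expression. `assertArrayEquals` also pins the order of the returned names, which holds only if `listUserNames` returns them in a stable order; that is not visible here. The test method starts outside the hunk.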
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/UserOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/UserOperations.java
index b25b91a704..a3ee30e0c4 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/UserOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/UserOperations.java
@@ -126,7 +126,24 @@ public class UserOperations {
.toArray(new User[0]);
return Utils.ok(new
UserListResponse(DTOConverters.toDTOs(users)));
} else {
- return Utils.ok(new
NameListResponse(accessControlManager.listUserNames(metalake)));
+ String[] users = accessControlManager.listUserNames(metalake);
+ users =
+ Arrays.stream(users)
+ .filter(
+ user -> {
+ NameIdentifier[] nameIdentifiers =
+ new NameIdentifier[]
{NameIdentifierUtil.ofUser(metalake, user)};
+ return MetadataFilterHelper.filterByExpression(
+ metalake,
+ "METALAKE::OWNER ||
MATALAKE::MANAGE_USERS || USER::SELF",
+ Entity.EntityType.USER,
+ nameIdentifiers)
+ .length
+ > 0;
+ })
+ .collect(Collectors.toList())
+ .toArray(new String[0]);
+ return Utils.ok(new NameListResponse(users));
}
});
} catch (Exception e) {
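Review bot: The authorization expression in the added filter spells its second clause `MATALAKE::MANAGE_USERS`, while the first clause uses `METALAKE::`, so this looks like a typo and the line should read `"METALAKE::OWNER || METALAKE::MANAGE_USERS || USER::SELF",`. How the evaluator treats an unknown type prefix is not visible here; presumably the clause either never matches, so a user holding MANAGE_USERS sees only their own name, or the expression fails to evaluate. Because this string is the whole access decision for the names listing, consider one shared constant if the details branch above the hunk uses the same expression, so the two cannot drift. Minor: `.collect(Collectors.toList()).toArray(new String[0])` can be `.toArray(String[]::new)`. The enclosing method starts and ends outside the hunk.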