danhuawang opened a new issue, #7964:
URL: https://github.com/apache/gravitino/issues/7964
### Version
main branch
### Describe what's wrong
A user has all privileges but he can't create a table in MySQL catalog if
the schema is loaded from external.
### Error message and/or stacktrace
```
2025-08-07 09:14:56.034 WARN [Gravitino-webserver-51]
[org.apache.gravitino.server.web.filter.GravitinoInterceptionService$MetadataAuthorizationMethodInterceptor.invoke(GravitinoInterceptionService.java:140)]
- Authorization failed - User: Tom, Operation: createTable, Metadata: null,
Expression: ANY(OWNER, METALAKE, CATALOG) || SCHEMA_OWNER_WITH_USE_CATALOG ||
ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_TABLE
2025-08-07 09:14:56.034 ERROR [Gravitino-webserver-51]
[org.apache.gravitino.server.web.filter.GravitinoInterceptionService$MetadataAuthorizationMethodInterceptor.invoke(GravitinoInterceptionService.java:155)]
- System internal error during authorization - User: Tom, Operation:
createTable
java.lang.NullPointerException: Cannot invoke
"org.apache.gravitino.NameIdentifier.name()" because "accessMetadataName" is
null
at
org.apache.gravitino.server.web.filter.GravitinoInterceptionService$MetadataAuthorizationMethodInterceptor.buildNoAuthResponse(GravitinoInterceptionService.java:181)
~[gravitino-server-1.0.0-SNAPSHOT.jar:?]
at
org.apache.gravitino.server.web.filter.GravitinoInterceptionService$MetadataAuthorizationMethodInterceptor.invoke(GravitinoInterceptionService.java:147)
~[gravitino-server-1.0.0-SNAPSHOT.jar:?]
at
org.jvnet.hk2.internal.MethodInterceptorHandler.invoke(MethodInterceptorHandler.java:97)
~[hk2-locator-2.6.1.jar:?]
at
org.apache.gravitino.server.web.rest.TableOperations_$$_jvstfdf_9.createTable(TableOperations_$$_jvstfdf_9.java)
~[gravitino-server-1.0.0-SNAPSHOT.jar:?]
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[?:?]
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
~[?:?]
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
~[?:?]
at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
at
org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:256)
~[jersey-server-2.41.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)
~[jersey-common-2.41.jar:?]
at org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)
~[jersey-common-2.41.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:292)
~[jersey-common-2.41.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:274)
~[jersey-common-2.41.jar:?]
at org.glassfish.jersey.internal.Errors.process(Errors.java:244)
~[jersey-common-2.41.jar:?]
at
org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)
~[jersey-common-2.41.jar:?]
at
org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)
~[jersey-server-2.41.jar:?]
at
org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)
~[jersey-container-servlet-core-2.41.jar:?]
at
org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)
~[jersey-container-servlet-core-2.41.jar:?]
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)
~[jersey-container-servlet-core-2.41.jar:?]
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)
~[jersey-container-servlet-core-2.41.jar:?]
at
org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)
~[jersey-container-servlet-core-2.41.jar:?]
at
org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.apache.gravitino.server.authentication.AuthenticationFilter.lambda$doFilter$0(AuthenticationFilter.java:89)
~[gravitino-server-common-1.0.0-SNAPSHOT.jar:?]
at
java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
~[?:?]
at java.base/javax.security.auth.Subject.doAs(Subject.java:439) ~[?:?]
at
org.apache.gravitino.utils.PrincipalUtils.doAs(PrincipalUtils.java:39)
~[gravitino-core-1.0.0-SNAPSHOT.jar:?]
at
org.apache.gravitino.server.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:86)
~[gravitino-server-common-1.0.0-SNAPSHOT.jar:?]
at
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.apache.gravitino.server.web.VersioningFilter.doFilter(VersioningFilter.java:111)
~[gravitino-server-1.0.0-SNAPSHOT.jar:?]
at
org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
~[jetty-security-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
~[jetty-servlet-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at org.eclipse.jetty.server.Server.handle(Server.java:516)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
~[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
[jetty-server-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
[jetty-io-9.4.51.v20230217.jar:9.4.51.v20230217]
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
[jetty-io-9.4.51.v20230217.jar:9.4.51.v20230217]
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
[jetty-io-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at
org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
[jetty-util-9.4.51.v20230217.jar:9.4.51.v20230217]
at java.base/java.lang.Thread.run(Thread.java:833) [?:?]
```
### How to reproduce
1. Steps:
Scenario: test NullPointerException
Given Load init data in MySQL
Given Grant RoleALLAllow role to user Tom in metalake
metalake_list_operations
Given Grant RoleALLAllow role to user Molly in metalake
metalake_list_operations
When Switch user to Molly
And create MySQL catalog mysql_catalog1 in metalake
metalake_list_operations
When Switch user to Tom
And User create mysql table tb01 in schema icedb1 catalog mysql_catalog1
metalake metalake_list_operations
2. The role `RoleALLAllow` is as following. the schema `icedb1` is not
created by Gravitino.
```
{
"code": 0,
"role": {
"name": "RoleALLAllow",
"audit": {
"creator": "anonymous",
"createTime": "2025-08-07T09:06:24.967153677Z"
},
"properties": {
"k1": "v1"
},
"securableObjects": [
{
"type": "metalake",
"privileges": [
{
"name": "use_catalog",
"condition": "allow"
},
{
"name": "manage_users",
"condition": "allow"
},
{
"name": "manage_groups",
"condition": "allow"
},
{
"name": "create_topic",
"condition": "allow"
},
{
"name": "create_model",
"condition": "allow"
},
{
"name": "manage_grants",
"condition": "allow"
},
{
"name": "create_table",
"condition": "allow"
},
{
"name": "create_schema",
"condition": "allow"
},
{
"name": "select_table",
"condition": "allow"
},
{
"name": "modify_table",
"condition": "allow"
},
{
"name": "read_fileset",
"condition": "allow"
},
{
"name": "use_model",
"condition": "allow"
},
{
"name": "create_role",
"condition": "allow"
},
{
"name": "produce_topic",
"condition": "allow"
},
{
"name": "consume_topic",
"condition": "allow"
},
{
"name": "create_fileset",
"condition": "allow"
},
{
"name": "write_fileset",
"condition": "allow"
},
{
"name": "use_schema",
"condition": "allow"
},
{
"name": "create_catalog",
"condition": "allow"
},
{
"name": "create_model_version",
"condition": "allow"
}
],
"fullName": "metalake_list_operations"
}
]
}
}
```
### Additional context
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@gravitino.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
