This is an automated email from the ASF dual-hosted git repository.
roryqi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 0b2a215bee [#7942] improvement(authz): Optimize authorization
expression by text blocks (#8901)
0b2a215bee is described below
commit 0b2a215bee9a2ca42f36165954975768737b8723
Author: yangyang zhong <[email protected]>
AuthorDate: Fri Oct 24 11:10:22 2025 +0800
[#7942] improvement(authz): Optimize authorization expression by text
blocks (#8901)
### What changes were proposed in this pull request?
Optimize authorization expression by text blocks
### Why are the changes needed?
Text blocks make these multi-line authorization expressions easier to read and maintain than concatenated string literals.
Fix: #7942
### Does this PR introduce _any_ user-facing change?
None
### How was this patch tested?
Existing test case
---
.../AuthorizationExpressionConstants.java | 62 +++++++++++++--------
.../server/web/rest/FilesetOperations.java | 24 +++++---
.../gravitino/server/web/rest/ModelOperations.java | 64 ++++++++++++++--------
.../gravitino/server/web/rest/TableOperations.java | 16 ++++--
.../gravitino/server/web/rest/TopicOperations.java | 24 +++++---
5 files changed, 119 insertions(+), 71 deletions(-)
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
index 486506ba6e..06bfaf9de4 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
@@ -21,28 +21,38 @@ public class AuthorizationExpressionConstants {
"ANY_USE_CATALOG || ANY(OWNER, METALAKE, CATALOG)";
public static final String loadSchemaAuthorizationExpression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "ANY_USE_CATALOG && (SCHEMA::OWNER || ANY_USE_SCHEMA) ";
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ ANY_USE_CATALOG && (SCHEMA::OWNER || ANY_USE_SCHEMA)
+ """;
public static final String loadModelAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG) ||"
- + " SCHEMA_OWNER_WITH_USE_CATALOG || "
- + " ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL)";
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL)
+ """;
public static final String loadTableAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG) ||"
- + "SCHEMA_OWNER_WITH_USE_CATALOG ||"
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER ||
ANY_SELECT_TABLE || ANY_MODIFY_TABLE)";
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER ||
ANY_SELECT_TABLE || ANY_MODIFY_TABLE)
+ """;
public static final String loadTopicsAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER ||
ANY_CONSUME_TOPIC || ANY_PRODUCE_TOPIC)";
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER ||
ANY_CONSUME_TOPIC || ANY_PRODUCE_TOPIC)
+ """;
public static final String loadFilesetAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER ||
ANY_READ_FILESET || ANY_WRITE_FILESET)";
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER ||
ANY_READ_FILESET || ANY_WRITE_FILESET)
+ """;
public static final String filterSchemaAuthorizationExpression =
"ANY(OWNER, METALAKE, CATALOG, SCHEMA) || ANY_USE_SCHEMA";
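Review bot: Every constant rewritten in this hunk now embeds literal newline characters (one after each `||` line and a trailing one, because the closing `"""` sits on its own line), whereas the old concatenated form only ever contained spaces, so the evaluator that parses these strings must treat `\n` as ordinary whitespace. That evaluator is outside this diff, so I cannot confirm it does; since these strings are access-control policies, a parse error must fail closed rather than grant access, and a test that parses every constant in this class would pin that. If the newlines are unwelcome, the text-block `\` line-continuation escape at the end of each line removes them while keeping the field a compile-time constant (which a `.strip()` call would not, breaking its use as an annotation value). Unrelated to the rewrite, `ANY(OWNER, METALAKE, CATALOG) || ANY_USE_CATALOG && (SCHEMA::OWNER || ANY_USE_SCHEMA)` relies on `&&` binding tighter than `||`; parenthesising the `&&` term would make the intended policy explicit.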
@@ -51,17 +61,23 @@ public class AuthorizationExpressionConstants {
"ANY(OWNER, METALAKE, CATALOG, SCHEMA, MODEL) || ANY_USE_MODEL";
public static final String filterTableAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG, SCHEMA, TABLE) || "
- + "ANY_SELECT_TABLE || "
- + "ANY_MODIFY_TABLE";
+ """
+ ANY(OWNER, METALAKE, CATALOG, SCHEMA, TABLE) ||
+ ANY_SELECT_TABLE ||
+ ANY_MODIFY_TABLE
+ """;
public static final String filterTopicsAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG, SCHEMA, TOPIC) || "
- + "ANY_CONSUME_TOPIC || "
- + "ANY_PRODUCE_TOPIC";
+ """
+ ANY(OWNER, METALAKE, CATALOG, SCHEMA, TOPIC) ||
+ ANY_CONSUME_TOPIC ||
+ ANY_PRODUCE_TOPIC
+ """;
public static final String filterFilesetAuthorizationExpression =
- "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) || "
- + "ANY_READ_FILESET || "
- + "ANY_WRITE_FILESET";
+ """
+ ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) ||
+ ANY_READ_FILESET ||
+ ANY_WRITE_FILESET
+ """;
}
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
index b476ad9c36..3a5a0c2e07 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
@@ -132,9 +132,11 @@ public class FilesetOperations {
@ResponseMetered(name = "create-fileset", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_FILESET",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_FILESET
+ """,
accessMetadataType = MetadataObject.Type.SCHEMA)
public Response createFileset(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -273,9 +275,11 @@ public class FilesetOperations {
@ResponseMetered(name = "alter-fileset", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER ||
ANY_WRITE_FILESET)",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER ||
ANY_WRITE_FILESET)
+ """,
accessMetadataType = MetadataObject.Type.FILESET)
public Response alterFileset(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -313,9 +317,11 @@ public class FilesetOperations {
@ResponseMetered(name = "drop-fileset", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && FILESET::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && FILESET::OWNER
+ """,
accessMetadataType = MetadataObject.Type.FILESET)
public Response dropFileset(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
index 5c2e1ea7e2..b94a7780cf 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
@@ -160,9 +160,11 @@ public class ModelOperations {
@ResponseMetered(name = "register-model", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_MODEL",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_MODEL
+ """,
accessMetadataType = MetadataObject.Type.SCHEMA)
public Response registerModel(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -205,9 +207,11 @@ public class ModelOperations {
@ResponseMetered(name = "delete-model", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response deleteModel(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
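Review bot: The expression `ANY(OWNER, METALAKE, CATALOG) || SCHEMA_OWNER_WITH_USE_CATALOG || ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER` on deleteModel is repeated verbatim, in the hunks below, on deleteModelVersion, deleteModelVersionByAlias, alterModelVersion, alterModelVersionByAlias and alterModel. Since the commit already touches all six, a single constant in AuthorizationExpressionConstants (for example `modelOwnerAuthorizationExpression`) referenced from each annotation would keep these owner-only policies from drifting apart when one is edited. A text block assigned to a `public static final String` is still a compile-time constant, so it remains legal as the annotation's `expression` value.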
@@ -401,9 +405,11 @@ public class ModelOperations {
@ResponseMetered(name = "link-model-version", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL && ANY_CREATE_MODEL_VERSION)",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL && ANY_CREATE_MODEL_VERSION)
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response linkModelVersion(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -449,9 +455,11 @@ public class ModelOperations {
@ResponseMetered(name = "delete-model-version", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response deleteModelVersion(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -496,9 +504,11 @@ public class ModelOperations {
@ResponseMetered(name = "delete-model-alias", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response deleteModelVersionByAlias(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -544,9 +554,11 @@ public class ModelOperations {
@ResponseMetered(name = "alter-model-version", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response alterModelVersion(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -597,9 +609,11 @@ public class ModelOperations {
@ResponseMetered(name = "alter-model-alias", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response alterModelVersionByAlias(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -649,9 +663,11 @@ public class ModelOperations {
@ResponseMetered(name = "alter-model", absolute = true)
@AuthorizationExpression(
expression =
- " ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && MODEL::OWNER
+ """,
accessMetadataType = MetadataObject.Type.MODEL)
public Response alterModel(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
index 8c79b6ee26..ec47cf8e64 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
@@ -199,9 +199,11 @@ public class TableOperations {
@ResponseMetered(name = "alter-table", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER ||
ANY_MODIFY_TABLE)",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER ||
ANY_MODIFY_TABLE)
+ """,
accessMetadataType = MetadataObject.Type.TABLE)
public Response alterTable(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -239,9 +241,11 @@ public class TableOperations {
@ResponseMetered(name = "drop-table", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER, METALAKE, CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && TABLE::OWNER ",
+ """
+ ANY(OWNER, METALAKE, CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && TABLE::OWNER
+ """,
accessMetadataType = MetadataObject.Type.TABLE)
public Response dropTable(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
index 6eb04d4c13..79f0b270f7 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
@@ -112,9 +112,11 @@ public class TopicOperations {
@ResponseMetered(name = "create-topic", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER,METALAKE,CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_TOPIC",
+ """
+ ANY(OWNER,METALAKE,CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_TOPIC
+ """,
accessMetadataType = MetadataObject.Type.SCHEMA)
public Response createTopic(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
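Review bot: `ANY(OWNER,METALAKE,CATALOG)` on the first line of this block, and in the two topic hunks below, omits the spaces after the commas that every other rewritten expression in this commit uses; since the commit is already normalising layout, `ANY(OWNER, METALAKE, CATALOG)` would make the topic policies grep-identical to the fileset, model and table ones. Whether the evaluator's tokeniser accepts both spellings is not visible in this diff, so this is a consistency point only.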
@@ -192,9 +194,11 @@ public class TopicOperations {
@ResponseMetered(name = "alter-topic", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER,METALAKE,CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER ||
ANY_PRODUCE_TOPIC)",
+ """
+ ANY(OWNER,METALAKE,CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER ||
ANY_PRODUCE_TOPIC)
+ """,
accessMetadataType = MetadataObject.Type.TOPIC)
public Response alterTopic(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
@@ -233,9 +237,11 @@ public class TopicOperations {
@ResponseMetered(name = "drop-topic", absolute = true)
@AuthorizationExpression(
expression =
- "ANY(OWNER,METALAKE,CATALOG) || "
- + "SCHEMA_OWNER_WITH_USE_CATALOG || "
- + "ANY_USE_CATALOG && ANY_USE_SCHEMA && TOPIC::OWNER",
+ """
+ ANY(OWNER,METALAKE,CATALOG) ||
+ SCHEMA_OWNER_WITH_USE_CATALOG ||
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && TOPIC::OWNER
+ """,
accessMetadataType = MetadataObject.Type.TOPIC)
public Response dropTopic(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)