jerqi commented on code in PR #9018:
URL: https://github.com/apache/gravitino/pull/9018#discussion_r2496817828


##########
docs/security/access-control.md:
##########
@@ -958,71 +964,80 @@ You can follow the steps to achieve the authorization of 
Gravitino.
 
 The following table lists the required privileges for each API.
 
-| API                               | Required Conditions(s)                   
                                                                                
                                                                                
                                     |
-|-----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| create metalake                   | The user must be the service admins, 
configured in the server configurations.                                        
                                                                                
                                         |
-| load metalake                     | The user is in the metalake              
                                                                                
                                                                                
                                     |
-| alter metalake                    | The owner of the metalake                
                                                                                
                                                                                
                                     |
-| drop metalake                     | The owner of the metalake                
                                                                                
                                                                                
                                     | 
-| create catalog                    | `CREATE_CATALOG` on the metalake or the 
owner of the metalake                                                           
                                                                                
                                      |
-| alter catalog                     | The owner of the catalog, metalake       
                                                                                
                                                                                
                                     |
-| drop catalog                      | The owner of the catalog, metalake       
                                                                                
                                                                                
                                     |
-| list catalog                      | The owner of the metalake can see all 
the catalogs, others can see the catalogs which they can load                   
                                                                                
                                        |
-| load catalog                      | The one of owners of the metalake, 
catalog or have `USE_CATALOG` on the metalake,catalog                           
                                                                                
                                           |
-| create schema                     | `CREATE_SCHEMA` and `USE_CATALOG` on the 
metalake, catalog or the owner of the metalake, catalog.                        
                                                                                
                                     |
-| alter schema                      | First, you should have the privilege to 
load the catalog. Then, you are one of the owners of the schema, catalog, 
metalake                                                                        
                                            |
-| drop schema                       | First, you should have the privilege to 
load the catalog. Then, you are one of the owners of the schema, catalog, 
metalake                                                                        
                                            |
-| list schema                       | First, you should have the privilege to 
load the catalog. Then, the owner of the metalake, catalog can see all the 
schemas, others can see the schemas which they can load.                        
                                           |
-| load schema                       | First, you should have the privilege to 
load the catalog. Then, you are the owner of the metalake, catalog, schema or 
have `USE_SCHEMA` on the metalake, catalog, schema.                             
                                        |
-| create table                      | First, you should have the privilege to 
load the catalog and the schema. `CREATE_TABLE` on the metalake, catalog, 
schema or the owner of the metalake, catalog, schema                            
                                            |
-| alter table                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake                                |
-| update table statistics           | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake                                |
-| drop table statistics             | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake                                |
-| update table partition statistics | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake                                |
-| drop table partition statistics   | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake                                |
-| drop table                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, catalog, metalake                                                       
                                       |
-| list table                        | First, you should have the privilege to 
load the catalog and the schema. Then, the owner of the schema, catalog, 
metalake can see all the tables, others can see the tables which they can load  
                                             |
-| load table                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake      |
-| list table statistics             | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake      |
-| list table partition statistics   | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake      |
-| create topic                      | First, you should have the privilege to 
load the catalog and the schema. Then, you have `CREATE_TOPIC` on the metalake, 
catalog, schema or are the owner of the metalake, catalog, schema               
                                      |
-| alter topic                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema,catalog, metalake or have `PRODUCE_TOPIC` on the topic, schema, catalog, 
metalake                               |
-| drop topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema, catalog, metalake                                                       
                                       |
-| list topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, the owner of the schema, catalog, 
metalake can see all the topics, others can see the topics which they can load  
                                             |
-| load topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema, metalake, catalog or  have either `CONSUME_TOPIC` or `PRODUCE_TOPIC` on 
the topic, schema, catalog, metalake   |
-| create fileset                    | First, you should have the privilege to 
load the catalog and the schema. Then, you have`CREATE_FILESET` on the 
metalake, catalog, schema or are the owner of the metalake, catalog, schema     
                                               |
-| alter fileset                     | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema,catalog, metalake or `WRITE_FILESET` on the fileset, schema, 
catalog, metalake                                |
-| drop fileset                      | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema, catalog, metalake                                              
                                              |
-| list fileset                      | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the schema, 
catalog, metalake can see all the filesets, others can see the filesets which 
they can load                           |
+| API                               | Required Conditions(s)                   
                    |
+| --------------------------------- | 
------------------------------------------------------------ |
+| create metalake                   | The user must be the service admins, 
configured in the server configurations. |
+| load metalake                     | The user is in the metalake              
                    |
+| alter metalake                    | The owner of the metalake                
                    |
+| drop metalake                     | The owner of the metalake                
                    |
+| create catalog                    | `CREATE_CATALOG` on the metalake or the 
owner of the metalake |
+| alter catalog                     | The owner of the catalog, metalake       
                    |
+| drop catalog                      | The owner of the catalog, metalake       
                    |
+| list catalog                      | The owner of the metalake can see all 
the catalogs, others can see the catalogs which they can load |
+| load catalog                      | The one of owners of the metalake, 
catalog or have `USE_CATALOG` on the metalake,catalog |
+| create schema                     | `CREATE_SCHEMA` and `USE_CATALOG` on the 
metalake, catalog or the owner of the metalake, catalog. |
+| alter schema                      | First, you should have the privilege to 
load the catalog. Then, you are one of the owners of the schema, catalog, 
metalake |
+| drop schema                       | First, you should have the privilege to 
load the catalog. Then, you are one of the owners of the schema, catalog, 
metalake |
+| list schema                       | First, you should have the privilege to 
load the catalog. Then, the owner of the metalake, catalog can see all the 
schemas, others can see the schemas which they can load. |
+| load schema                       | First, you should have the privilege to 
load the catalog. Then, you are the owner of the metalake, catalog, schema or 
have `USE_SCHEMA` on the metalake, catalog, schema. |
+| create table                      | First, you should have the privilege to 
load the catalog and the schema. `CREATE_TABLE` on the metalake, catalog, 
schema or the owner of the metalake, catalog, schema |
+| alter table                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake |
+| update table statistics           | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake |
+| drop table statistics             | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake |
+| update table partition statistics | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake |
+| drop table partition statistics   | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema,catalog, metalake or have `MODIFY_TABLE` on the table, schema, catalog, 
metalake |
+| drop table                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, catalog, metalake |
+| list table                        | First, you should have the privilege to 
load the catalog and the schema. Then, the owner of the schema, catalog, 
metalake can see all the tables, others can see the tables which they can load |
+| load table                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake |
+| list table statistics             | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake |
+| list table partition statistics   | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the table, 
schema, metalake, catalog or have either `SELECT_TABLE` or `MODIFY_TABLE` on 
the table, schema, catalog, metalake |
+| create topic                      | First, you should have the privilege to 
load the catalog and the schema. Then, you have `CREATE_TOPIC` on the metalake, 
catalog, schema or are the owner of the metalake, catalog, schema |
+| alter topic                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema,catalog, metalake or have `PRODUCE_TOPIC` on the topic, schema, catalog, 
metalake |
+| drop topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema, catalog, metalake |
+| list topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, the owner of the schema, catalog, 
metalake can see all the topics, others can see the topics which they can load |
+| load topic                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the topic, 
schema, metalake, catalog or  have either `CONSUME_TOPIC` or `PRODUCE_TOPIC` on 
the topic, schema, catalog, metalake |
+| create fileset                    | First, you should have the privilege to 
load the catalog and the schema. Then, you have`CREATE_FILESET` on the 
metalake, catalog, schema or are the owner of the metalake, catalog, schema |
+| alter fileset                     | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema,catalog, metalake or `WRITE_FILESET` on the fileset, schema, 
catalog, metalake |
+| drop fileset                      | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema, catalog, metalake |
+| list fileset                      | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the schema, 
catalog, metalake can see all the filesets, others can see the filesets which 
they can load |
 | load fileset                      | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema, metalake, catalog or have either `READ_FILESET` or 
`WRITE_FILESET` on the fileset, schema, catalog, metalake |
 | list file                         | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the 
fileset, schema, metalake, catalog or have either `READ_FILESET` or 
`WRITE_FILESET` on the fileset, schema, catalog, metalake |
-| register model                    | First, you should have the privilege to 
load the catalog and the schema. Then, you have `CREATE_MODEL` on the metalake, 
catalog, schema or are the owner of the metalake, catalog, schema               
                                      |
-| link model version                | First, you should have the privilege to 
load the catalog, the schema and the model. Then, you have 
`CREATE_MODEL_VERSION` on the metalake, catalog, schema, model or are the owner 
of the metalake, catalog, schema, model                    |
-| alter model                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake                                                       
                                       |
-| drop model                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake                                                       
                                       |
-| list model                        | First, you should have the privilege to 
load the catalog and the schema. Then the owner of the schema, catalog, 
metalake can see all the models, others can see the models which they can load  
                                              |
-| load model                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake                                   |
-| list model version                | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake or have `USE_MODEL on the model, schema, catalog, 
metalake                                   |
-| load model version                | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake                                   |
-| load model version by alias       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake                                   |
-| delete model version              | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog.                                                      
                                       |
-| alter model version               | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog.                                                      
                                       |
-| delete model version alias        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog.                                                      
                                       |
-| add user                          | `MANAGE_USERS` on the metalake  or the 
owner of the metalake                                                           
                                                                                
                                       |
-| delete user                       | `MANAGE_USERS` on the metalake  or the 
owner of the metalake                                                           
                                                                                
                                       |
-| get user                          | `MANAGE_USERS` on the metalake  or the 
owner of the metalake or himself                                                
                                                                                
                                       |
-| list users                        | `MANAGE_USERS` on the metalake  or the 
owner of the metalake can see all the users, others can see himself             
                                                                                
                                       |
-| add group                         | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake                                                           
                                                                                
                                       |
-| delete group                      | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake                                                           
                                                                                
                                       |
-| get group                         | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake or his groups                                             
                                                                                
                                       |
-| list groups                       | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake can see all the groups, others can see his group          
                                                                                
                                       |
-| create role                       | `CREATE_ROLE` on the metalake or the 
owner of the metalake                                                           
                                                                                
                                         |
-| delete role                       | The owner of the metalake or the role    
                                                                                
                                                                                
                                     |
-| get role                          | The owner of the metalake or the role. 
others can see his granted or owned roles.                                      
                                                                                
                                       |
-| list roles                        | The owner of the metalake can see all 
the roles. Others can see his granted roles or owned roles.                     
                                                                                
                                        |
-| grant role                        | `MANAGE_GRANTS` on the metalake          
                                                                                
                                                                                
                                     |
-| revoke role                       | `MANAGE_GRANTS` on the metalake          
                                                                                
                                                                                
                                     |
-| grant privilege                   | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
-| revoke privilege                  | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object                                                   
                                                                                
                                       |
-| set owner                         | The owner of the securable object        
                                                                                
                                                                                
                                     |
+| register model                    | First, you should have the privilege to 
load the catalog and the schema. Then, you have `CREATE_MODEL` on the metalake, 
catalog, schema or are the owner of the metalake, catalog, schema |
+| link model version                | First, you should have the privilege to 
load the catalog, the schema and the model. Then, you have 
`CREATE_MODEL_VERSION` on the metalake, catalog, schema, model or are the owner 
of the metalake, catalog, schema, model |
+| alter model                       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake |
+| drop model                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake |
+| list model                        | First, you should have the privilege to 
load the catalog and the schema. Then the owner of the schema, catalog, 
metalake can see all the models, others can see the models which they can load |
+| load model                        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake |
+| list model version                | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, catalog, metalake or have `USE_MODEL on the model, schema, catalog, 
metalake |
+| load model version                | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake |
+| load model version by alias       | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog or have `USE_MODEL on the model, schema, catalog, 
metalake |
+| delete model version              | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog. |
+| alter model version               | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog. |
+| delete model version alias        | First, you should have the privilege to 
load the catalog and the schema. Then, you are one of the owners of the model, 
schema, metalake, catalog. |
+| add user                          | `MANAGE_USERS` on the metalake  or the 
owner of the metalake |
+| delete user                       | `MANAGE_USERS` on the metalake  or the 
owner of the metalake |
+| get user                          | `MANAGE_USERS` on the metalake  or the 
owner of the metalake or himself |
+| list users                        | `MANAGE_USERS` on the metalake  or the 
owner of the metalake can see all the users, others can see himself |
+| add group                         | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake |
+| delete group                      | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake |
+| get group                         | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake or his groups |
+| list groups                       | `MANAGE_GROUPS` on the metalake or the 
owner of the metalake can see all the groups, others can see his group |
+| create role                       | `CREATE_ROLE` on the metalake or the 
owner of the metalake   |
+| delete role                       | The owner of the metalake or the role    
                    |
+| get role                          | The owner of the metalake or the role. 
others can see his granted or owned roles. |
+| list roles                        | The owner of the metalake can see all 
the roles. Others can see his granted roles or owned roles. |
+| grant role                        | `MANAGE_GRANTS` on the metalake          
                    |
+| revoke role                       | `MANAGE_GRANTS` on the metalake          
                    |
+| grant privilege                   | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object |
+| revoke privilege                  | `MANAGE_GRANTS` on the metalake or the 
owner of the securable object |
+| set owner                         | The owner of the securable object        
                    |
+| list tags                         | The owner of the metalake can see all 
the tags. Others can see his owned tags. |
+| create tag                        | `CREATE_TAG` on the metalake or the 
owner of the metalake    |
+| get tag                           | The owner of the metalake or the tag.    
                    |
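Review bot: the four rewritten model rows (load model, list model version, load model version, load model version by alias) still carry an unclosed backtick, `USE_MODEL on the model, schema, catalog, metalake`, so the privilege name renders as raw text instead of code; since these lines are being re-emitted anyway, close it as `USE_MODEL` in all four. Two smaller things in the same rewritten block: `have`CREATE_FILESET`` in the create fileset row needs a space before the opening backtick, and the header "Required Conditions(s)" should read "Required Condition(s)". On the three new tag rows, "get tag | The owner of the metalake or the tag." leaves it unstated whether anyone other than the owner can read a tag; the role rows spell this out ("others can see his granted or owned roles"), so either phrase get tag the same way or say explicitly that only the owner can.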

Review Comment:
   I have some concern about this. Maybe we can't use this.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
