jerqi commented on code in PR #9018:
URL: https://github.com/apache/gravitino/pull/9018#discussion_r2536213284
##########
server/src/main/java/org/apache/gravitino/server/web/rest/MetadataObjectTagOperations.java:
##########
@@ -219,21 +252,48 @@ public Response listTagsForMetadataObject(
@Produces("application/vnd.gravitino.v1+json")
@Timed(name = "associate-object-tags." + MetricNames.HTTP_PROCESS_DURATION,
absolute = true)
@ResponseMetered(name = "associate-object-tags", absolute = true)
+ @AuthorizationExpression(expression = CAN_ACCESS_METADATA)
public Response associateTagsForObject(
- @PathParam("metalake") String metalake,
- @PathParam("type") String type,
- @PathParam("fullName") String fullName,
+ @PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
+ String metalake,
+ @PathParam("type") @AuthorizationObjectType String type,
+ @PathParam("fullName") @AuthorizationFullName String fullName,
TagsAssociateRequest request) {
LOG.info(
"Received associate tags request for object type: {}, full name: {}
under metalake: {}",
type,
fullName,
metalake);
-
try {
return Utils.doAs(
httpRequest,
() -> {
+ String[] tagsToAdd = request.getTagsToAdd();
+ if (tagsToAdd != null && tagsToAdd.length > 0) {
+ Arrays.stream(tagsToAdd)
+ .forEach(
+ tag -> {
+ boolean result =
+ new AuthorizationExpressionEvaluator(
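Review bot: The per-tag check inside `Arrays.stream(tagsToAdd).forEach(...)` stores its outcome in a local `boolean result`, which a `forEach` body cannot return to the caller, so a denial only stops the request if that lambda throws. Evaluate every tag first and reject the whole request on the first failure (for example `allMatch` over `tagsToAdd`, then a single forbidden response) before any association is applied, so a request that mixes permitted and unpermitted tags is never partly executed. The lines shown check only `request.getTagsToAdd()`; any other tag list carried by `TagsAssociateRequest` needs the same check. If the expression is identical for every tag, build the `AuthorizationExpressionEvaluator` once outside the stream instead of once per tag.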
Review Comment:
If we have a tag for which we don't have the privilege, we should forbid the
behaviour.
You should move the logic to `GravitinoInterceptionService`.
We can add a new annotation for the request, like:
```
AuthorizationRequest authorizeRequest =
    parameter.getAnnotation(AuthorizationRequest.class);
```
then
```
preAuthzRequest(authorizeRequest);
```
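One way the interception approach proposed in the review comment could work, as an added example that is not Gravitino code and not the reviewer's: the `AuthorizationRequest` annotation, `preAuthzRequest`, the `TagsRequest` and `Handler` stand-ins, and the set-based privilege lookup are all hypothetical, modelled only on the names in the comment. It assumes Java 16 or later for `record`, and shows every tag being authorized before the handler is invoked, so one unprivileged tag rejects the whole request.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

public class PreAuthzDemo {
  // Hypothetical marker annotation, named after the one proposed in the review comment.
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.PARAMETER)
  @interface AuthorizationRequest {}
  // Hypothetical stand-in for the request body; only the add list is modelled.
  record TagsRequest(String[] tagsToAdd) {}
  static class Handler {
    final List<String> applied = new ArrayList<>();
    public void associate(String fullName, @AuthorizationRequest TagsRequest request) {
      applied.addAll(Arrays.asList(request.tagsToAdd()));
    }
  }
  // Fail closed: a single tag without privilege rejects the whole request.
  static void preAuthzRequest(TagsRequest request, Set<String> allowedTags) {
    String[] tags = request.tagsToAdd() == null ? new String[0] : request.tagsToAdd();
    for (String tag : tags) {
      if (!allowedTags.contains(tag)) {
        throw new SecurityException("no privilege on tag: " + tag);
      }
    }
  }
  // Interceptor step: authorize every annotated argument, then call the handler.
  static Object intercept(Object target, Method method, Object[] args, Set<String> allowed) throws Exception {
    Parameter[] params = method.getParameters();
    for (int i = 0; i < params.length; i++) {
      if (params[i].getAnnotation(AuthorizationRequest.class) != null) {
        preAuthzRequest((TagsRequest) args[i], allowed);
      }
    }
    return method.invoke(target, args);
  }

  public static void main(String[] unused) throws Exception {
    Handler handler = new Handler();
    Method m = Handler.class.getMethod("associate", String.class, TagsRequest.class);
    Set<String> allowed = Set.of("pii", "finance"); // constructed privilege set
    intercept(handler, m, new Object[] {"c.s.t1", new TagsRequest(new String[] {"pii"})}, allowed);
    try { // mixed request: "finance" is allowed, "secret" is not
      intercept(handler, m, new Object[] {"c.s.t1", new TagsRequest(new String[] {"finance", "secret"})}, allowed);
    } catch (SecurityException e) {
      System.out.println("rejected: " + e.getMessage());
    }
    System.out.println("applied = " + handler.applied);
  }
}
```

Because the check runs before `method.invoke`, the handler never sees the mixed request, so the permitted tag in it is not applied either.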