hdygxsj commented on code in PR #9018:
URL: https://github.com/apache/gravitino/pull/9018#discussion_r2536426994


##########
server/src/main/java/org/apache/gravitino/server/web/rest/MetadataObjectTagOperations.java:
##########
@@ -219,21 +252,48 @@ public Response listTagsForMetadataObject(
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "associate-object-tags." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "associate-object-tags", absolute = true)
+  @AuthorizationExpression(expression = CAN_ACCESS_METADATA)
   public Response associateTagsForObject(
-      @PathParam("metalake") String metalake,
-      @PathParam("type") String type,
-      @PathParam("fullName") String fullName,
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("type") @AuthorizationObjectType String type,
+      @PathParam("fullName") @AuthorizationFullName String fullName,
       TagsAssociateRequest request) {
     LOG.info(
         "Received associate tags request for object type: {}, full name: {} 
under metalake: {}",
         type,
         fullName,
         metalake);
-
     try {
       return Utils.doAs(
           httpRequest,
           () -> {
+            String[] tagsToAdd = request.getTagsToAdd();
+            if (tagsToAdd != null && tagsToAdd.length > 0) {
+              Arrays.stream(tagsToAdd)
+                  .forEach(
+                      tag -> {
+                        boolean result =
+                            new AuthorizationExpressionEvaluator(
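
Review bot: In the new block inside the `Utils.doAs` lambda, a fresh `AuthorizationExpressionEvaluator` is constructed for every element of `tagsToAdd` inside the `forEach`, and the outcome only lands in a local `boolean result`. If the expression is the same for every tag, build the evaluator once before the stream. Make sure a false result throws, so the whole request is rejected before any tag is associated rather than after part of the list has been processed; checking all tags up front (for example with `allMatch`) would make the all-or-nothing intent explicit. The visible lines only cover `tagsToAdd`, so please confirm that `tagsToRemove` gets the same per-tag check.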

Review Comment:
   AuthorizationExpressionEvaluator and authorization expressions are not 
suitable for authorizing lists/arrays—or even multiple metadata objects within 
multiple lists/arrays (tagsToAdd, tagsToRemove). Should we consider designing a 
new authorization mechanism specifically for this scenario?
   
   


