Re: [PR] [#9071] feat(authz): Add job and job template privileges interfaces and documents [gravitino]

Tue, 25 Nov 2025 01:48:48 -0800 


jerqi commented on code in PR #9177:
URL: https://github.com/apache/gravitino/pull/9177#discussion_r2559313707


##########
api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java:
##########
@@ -138,6 +138,40 @@ public static SecurableObject ofModel(
     return of(MetadataObject.Type.MODEL, names, privileges);
   }
 
+  /**
+   * Create the tag {@link SecurableObject} with the given tag name and 
privileges.
+   *
+   * @param tag The tag name
+   * @param privileges The privileges of the tag
+   * @return The created tag {@link SecurableObject}
+   */
+  public static SecurableObject ofTag(String tag, List<Privilege> privileges) {
+    return of(MetadataObject.Type.TAG, Lists.newArrayList(tag), privileges);
+  }
+
+  /**
+   * Create the policy {@link SecurableObject} with the given policy name and 
privileges.
+   *
+   * @param policy The policy name
+   * @param privileges The privileges of the policy
+   * @return The created policy {@link SecurableObject}
+   */
+  public static SecurableObject ofPolicy(String policy, List<Privilege> 
privileges) {
+    return of(MetadataObject.Type.POLICY, Lists.newArrayList(policy), 
privileges);
+  }
+
+  /**
+   * Create the job template {@link SecurableObject} with the given job 
template name and
+   * privileges.
+   *
+   * @param jobTemplate The job template name
+   * @param privileges The privileges of the job template
+   * @return The created job template {@link SecurableObject}
+   */
+  public static SecurableObject ofJobTemplate(String jobTemplate, 
List<Privilege> privileges) {
+    return of(MetadataObject.Type.JOB_TEMPLATE, 
Lists.newArrayList(jobTemplate), privileges);
+  }
+

Review Comment:
   The securable object `JOB` can't bind any privilege. So we don't add the 
helper method.



##########
docs/security/access-control.md:
##########
@@ -279,6 +281,19 @@ DENY `WRITE_FILESET` won‘t deny the `READ_FILESET` 
operation if the user has t
 | CREATE_POLICY | Metalake                  | Create a policy                  
         |
 | APPLY_POLICY  | Metalake, Policy          | Associate policies with metadata 
objects. |
 
+### Job template privileges
+
+| Name                | Supports Securable Object | Operation                  
              |
+|---------------------|---------------------------|------------------------------------------|
+| CREATE_JOB_TEMPLATE | Metalake                  | Create a job template      
              |
+| USE_JOB_TEMPLATE    | Metalake, JobTemplate     | Use a job template when 
creating the job |

Review Comment:
   Fixed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to