Copilot commented on code in PR #9252: URL: https://github.com/apache/gravitino/pull/9252#discussion_r2564631369
########## server/src/main/java/org/apache/gravitino/server/web/filter/authorization/AssociatePolicyAuthorizationExecutor.java: ########## @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.web.filter.authorization; + +import static org.apache.gravitino.server.web.filter.ParameterUtil.buildNameIdentifierForBatchAuthorization; +import static org.apache.gravitino.server.web.filter.ParameterUtil.extractFromParameters; + +import com.google.common.base.Preconditions; +import java.lang.reflect.Parameter; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import org.apache.gravitino.Entity; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.AuthorizationRequestContext; +import org.apache.gravitino.dto.requests.PoliciesAssociateRequest; +import org.apache.gravitino.server.authorization.expression.AuthorizationExpressionEvaluator; + +/** + * Metadata object authorization for {@link + * org.apache.gravitino.server.web.rest.MetadataObjectPolicyOperations#associatePoliciesForObject(String, + * String, String, PoliciesAssociateRequest)} + */ +public class AssociatePolicyAuthorizationExecutor extends CommonAuthorizerExecutor + implements AuthorizationExecutor { + + private final Parameter[] parameters; + private final Object[] args; + + public AssociatePolicyAuthorizationExecutor( + String expression, + Parameter[] parameters, + Object[] args, + Map<Entity.EntityType, NameIdentifier> metadataContext, + AuthorizationExpressionEvaluator authorizationExpressionEvaluator, + Map<String, Object> pathParams, + String entityType) { + super(expression, metadataContext, authorizationExpressionEvaluator, pathParams, entityType); + this.parameters = parameters; + this.args = args; + } + + @Override + public boolean execute() throws Exception { + Object request = extractFromParameters(parameters, args); + if (request == null) { + return false; + } + + AuthorizationRequestContext context = new AuthorizationRequestContext(); + context.setOriginalAuthorizationExpression(expression); + Entity.EntityType targetType = + Entity.EntityType.POLICY; // policies are the only supported batch target here + Preconditions.checkArgument( + request instanceof PoliciesAssociateRequest, + "Only tag can use AssociatePolicyAuthorizationExecutor, please contact the administrator."); Review Comment: The error message says 'Only tag can use AssociatePolicyAuthorizationExecutor' but should say 'Only policy can use AssociatePolicyAuthorizationExecutor'. The message incorrectly references tags instead of policies. ```suggestion "Only policy can use AssociatePolicyAuthorizationExecutor, please contact the administrator."); ``` ########## server/src/main/java/org/apache/gravitino/server/web/filter/authorization/AssociatePolicyAuthorizationExecutor.java: ########## @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.web.filter.authorization; + +import static org.apache.gravitino.server.web.filter.ParameterUtil.buildNameIdentifierForBatchAuthorization; +import static org.apache.gravitino.server.web.filter.ParameterUtil.extractFromParameters; + +import com.google.common.base.Preconditions; +import java.lang.reflect.Parameter; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import org.apache.gravitino.Entity; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.AuthorizationRequestContext; +import org.apache.gravitino.dto.requests.PoliciesAssociateRequest; +import org.apache.gravitino.server.authorization.expression.AuthorizationExpressionEvaluator; + +/** + * Metadata object authorization for {@link + * org.apache.gravitino.server.web.rest.MetadataObjectPolicyOperations#associatePoliciesForObject(String, + * String, String, PoliciesAssociateRequest)} + */ +public class AssociatePolicyAuthorizationExecutor extends CommonAuthorizerExecutor + implements AuthorizationExecutor { + + private final Parameter[] parameters; + private final Object[] args; + + public AssociatePolicyAuthorizationExecutor( + String expression, + Parameter[] parameters, + Object[] args, + Map<Entity.EntityType, NameIdentifier> metadataContext, + AuthorizationExpressionEvaluator authorizationExpressionEvaluator, + Map<String, Object> pathParams, + String entityType) { + super(expression, metadataContext, authorizationExpressionEvaluator, pathParams, entityType); + this.parameters = parameters; + this.args = args; + } + + @Override + public boolean execute() throws Exception { + Object request = extractFromParameters(parameters, args); + if (request == null) { + return false; + } + + AuthorizationRequestContext context = new AuthorizationRequestContext(); + context.setOriginalAuthorizationExpression(expression); + Entity.EntityType targetType = + Entity.EntityType.POLICY; // policies are the only supported batch target here + Preconditions.checkArgument( + request instanceof PoliciesAssociateRequest, + "Only tag can use AssociatePolicyAuthorizationExecutor, please contact the administrator."); + PoliciesAssociateRequest policiesAssociateRequest = (PoliciesAssociateRequest) request; + policiesAssociateRequest.validate(); + // Authorize both 'policiesToAdd' and 'policiesToRemove' fields. + return authorizePolicy(policiesAssociateRequest.getPoliciesToAdd(), context, targetType) + && authorizePolicy(policiesAssociateRequest.getPoliciesToRemove(), context, targetType); + } + + /** + * Performs batch authorization for a given field (e.g., "policiesToAdd" or "policiesToRemove") + * containing an array of tag names. Review Comment: The documentation says 'containing an array of tag names' but should say 'containing an array of policy names' since this is for policies, not tags. ```suggestion * containing an array of policy names. ``` ########## server/src/main/java/org/apache/gravitino/server/web/filter/authorization/AssociatePolicyAuthorizationExecutor.java: ########## @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.web.filter.authorization; + +import static org.apache.gravitino.server.web.filter.ParameterUtil.buildNameIdentifierForBatchAuthorization; +import static org.apache.gravitino.server.web.filter.ParameterUtil.extractFromParameters; + +import com.google.common.base.Preconditions; +import java.lang.reflect.Parameter; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import org.apache.gravitino.Entity; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.AuthorizationRequestContext; +import org.apache.gravitino.dto.requests.PoliciesAssociateRequest; +import org.apache.gravitino.server.authorization.expression.AuthorizationExpressionEvaluator; + +/** + * Metadata object authorization for {@link + * org.apache.gravitino.server.web.rest.MetadataObjectPolicyOperations#associatePoliciesForObject(String, + * String, String, PoliciesAssociateRequest)} + */ +public class AssociatePolicyAuthorizationExecutor extends CommonAuthorizerExecutor + implements AuthorizationExecutor { + + private final Parameter[] parameters; + private final Object[] args; + + public AssociatePolicyAuthorizationExecutor( + String expression, + Parameter[] parameters, + Object[] args, + Map<Entity.EntityType, NameIdentifier> metadataContext, + AuthorizationExpressionEvaluator authorizationExpressionEvaluator, + Map<String, Object> pathParams, + String entityType) { + super(expression, metadataContext, authorizationExpressionEvaluator, pathParams, entityType); + this.parameters = parameters; + this.args = args; + } + + @Override + public boolean execute() throws Exception { + Object request = extractFromParameters(parameters, args); + if (request == null) { + return false; + } + + AuthorizationRequestContext context = new AuthorizationRequestContext(); + context.setOriginalAuthorizationExpression(expression); + Entity.EntityType targetType = + Entity.EntityType.POLICY; // policies are the only supported batch target here + Preconditions.checkArgument( + request instanceof PoliciesAssociateRequest, + "Only tag can use AssociatePolicyAuthorizationExecutor, please contact the administrator."); + PoliciesAssociateRequest policiesAssociateRequest = (PoliciesAssociateRequest) request; + policiesAssociateRequest.validate(); + // Authorize both 'policiesToAdd' and 'policiesToRemove' fields. + return authorizePolicy(policiesAssociateRequest.getPoliciesToAdd(), context, targetType) + && authorizePolicy(policiesAssociateRequest.getPoliciesToRemove(), context, targetType); + } + + /** + * Performs batch authorization for a given field (e.g., "policiesToAdd" or "policiesToRemove") + * containing an array of tag names. + * + * @param policies policies + * @param context The shared authorization request context. + * @param targetType The entity type being authorized (expected to be TAG). + * @return {@code true} if all policies in the field pass authorization; {@code false} otherwise. + */ + private boolean authorizePolicy( + String[] policies, AuthorizationRequestContext context, Entity.EntityType targetType) { + + // Treat null or empty arrays as no-op (implicitly authorized) + if (policies == null) { + return true; + } + + for (String policy : policies) { + // Use a fresh context copy for each tag to avoid cross-contamination + Map<Entity.EntityType, NameIdentifier> currentContext = new HashMap<>(this.metadataContext); + buildNameIdentifierForBatchAuthorization(currentContext, policy, targetType); + + boolean authorized = + authorizationExpressionEvaluator.evaluate( + currentContext, pathParams, context, Optional.ofNullable(entityType)); + + if (!authorized) { + return false; // Fail fast on first unauthorized tag Review Comment: Comment says 'first unauthorized tag' but should say 'first unauthorized policy' since this is policy authorization code. ```suggestion return false; // Fail fast on first unauthorized policy ``` ########## core/src/main/java/org/apache/gravitino/utils/NameIdentifierUtil.java: ########## @@ -392,6 +392,15 @@ public static void checkTag(NameIdentifier ident) { namespace); } + public static void checkPolicy(NameIdentifier ident) { + NameIdentifier.check(ident != null, "Policy identifier must not be null"); + Namespace namespace = ident.namespace(); + Namespace.check( + namespace != null && !namespace.isEmpty() && namespace.length() == 3, + "Tag namespace must be 3 level, the input namespace is %s", Review Comment: The error message says 'Tag namespace must be 3 level' but this is in the `checkPolicy` method, so it should say 'Policy namespace must be 3 level'. ```suggestion "Policy namespace must be 3 level, the input namespace is %s", ``` ########## server/src/main/java/org/apache/gravitino/server/web/filter/authorization/AssociatePolicyAuthorizationExecutor.java: ########## @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.server.web.filter.authorization; + +import static org.apache.gravitino.server.web.filter.ParameterUtil.buildNameIdentifierForBatchAuthorization; +import static org.apache.gravitino.server.web.filter.ParameterUtil.extractFromParameters; + +import com.google.common.base.Preconditions; +import java.lang.reflect.Parameter; +import java.util.HashMap; +import java.util.Map; +import java.util.Optional; +import org.apache.gravitino.Entity; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.AuthorizationRequestContext; +import org.apache.gravitino.dto.requests.PoliciesAssociateRequest; +import org.apache.gravitino.server.authorization.expression.AuthorizationExpressionEvaluator; + +/** + * Metadata object authorization for {@link + * org.apache.gravitino.server.web.rest.MetadataObjectPolicyOperations#associatePoliciesForObject(String, + * String, String, PoliciesAssociateRequest)} + */ +public class AssociatePolicyAuthorizationExecutor extends CommonAuthorizerExecutor + implements AuthorizationExecutor { + + private final Parameter[] parameters; + private final Object[] args; + + public AssociatePolicyAuthorizationExecutor( + String expression, + Parameter[] parameters, + Object[] args, + Map<Entity.EntityType, NameIdentifier> metadataContext, + AuthorizationExpressionEvaluator authorizationExpressionEvaluator, + Map<String, Object> pathParams, + String entityType) { + super(expression, metadataContext, authorizationExpressionEvaluator, pathParams, entityType); + this.parameters = parameters; + this.args = args; + } + + @Override + public boolean execute() throws Exception { + Object request = extractFromParameters(parameters, args); + if (request == null) { + return false; + } + + AuthorizationRequestContext context = new AuthorizationRequestContext(); + context.setOriginalAuthorizationExpression(expression); + Entity.EntityType targetType = + Entity.EntityType.POLICY; // policies are the only supported batch target here + Preconditions.checkArgument( + request instanceof PoliciesAssociateRequest, + "Only tag can use AssociatePolicyAuthorizationExecutor, please contact the administrator."); + PoliciesAssociateRequest policiesAssociateRequest = (PoliciesAssociateRequest) request; + policiesAssociateRequest.validate(); + // Authorize both 'policiesToAdd' and 'policiesToRemove' fields. + return authorizePolicy(policiesAssociateRequest.getPoliciesToAdd(), context, targetType) + && authorizePolicy(policiesAssociateRequest.getPoliciesToRemove(), context, targetType); + } + + /** + * Performs batch authorization for a given field (e.g., "policiesToAdd" or "policiesToRemove") + * containing an array of tag names. + * + * @param policies policies + * @param context The shared authorization request context. + * @param targetType The entity type being authorized (expected to be TAG). + * @return {@code true} if all policies in the field pass authorization; {@code false} otherwise. + */ + private boolean authorizePolicy( + String[] policies, AuthorizationRequestContext context, Entity.EntityType targetType) { + + // Treat null or empty arrays as no-op (implicitly authorized) + if (policies == null) { + return true; + } + + for (String policy : policies) { + // Use a fresh context copy for each tag to avoid cross-contamination Review Comment: Comment says 'for each tag' but should say 'for each policy' since this code handles policies, not tags. ```suggestion // Use a fresh context copy for each policy to avoid cross-contamination ``` ########## clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/PolicyAuthorizationIT.java: ########## @@ -0,0 +1,386 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.client.integration.test.authorization; + +import static org.junit.Assert.assertThrows; +import static org.junit.jupiter.api.Assertions.assertEquals; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Maps; +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.apache.gravitino.Catalog; +import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.MetadataObjects; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.Privileges; +import org.apache.gravitino.authorization.SecurableObject; +import org.apache.gravitino.authorization.SecurableObjects; +import org.apache.gravitino.client.GravitinoMetalake; +import org.apache.gravitino.exceptions.ForbiddenException; +import org.apache.gravitino.integration.test.container.ContainerSuite; +import org.apache.gravitino.integration.test.container.HiveContainer; +import org.apache.gravitino.policy.PolicyChange; +import org.apache.gravitino.policy.PolicyContents; +import org.apache.gravitino.policy.SupportsPolicies; +import org.apache.gravitino.rel.Column; +import org.apache.gravitino.rel.TableCatalog; +import org.apache.gravitino.rel.types.Types; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.MethodOrderer; +import org.junit.jupiter.api.Order; +import org.junit.jupiter.api.Tag; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.TestMethodOrder; + +@Tag("gravitino-docker-test") +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +public class PolicyAuthorizationIT extends BaseRestApiAuthorizationIT { + + private static final String CATALOG = "catalog"; + private static final String SCHEMA = "schema"; + private static final ContainerSuite containerSuite = ContainerSuite.getInstance(); + private static String hmsUri; + private static String role = "role"; + + @BeforeAll + public void startIntegrationTest() throws Exception { + containerSuite.startHiveContainer(); + super.startIntegrationTest(); + hmsUri = + String.format( + "thrift://%s:%d", + containerSuite.getHiveContainer().getContainerIpAddress(), + HiveContainer.HIVE_METASTORE_PORT); + Map<String, String> properties = Maps.newHashMap(); + properties.put("metastore.uris", hmsUri); + client + .loadMetalake(METALAKE) + .createCatalog(CATALOG, Catalog.Type.RELATIONAL, "hive", "comment", properties) + .asSchemas() + .createSchema(SCHEMA, "test", new HashMap<>()); + // try to load the schema as normal user, expect failure + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + RuntimeException.class, + () -> { + normalUserClient + .loadMetalake(METALAKE) + .loadCatalog(CATALOG) + .asSchemas() + .loadSchema(SCHEMA); + }); + // grant tester privilege + List<SecurableObject> securableObjects = new ArrayList<>(); + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + SecurableObject catalogObject = + SecurableObjects.ofCatalog(CATALOG, ImmutableList.of(Privileges.UseCatalog.allow())); + securableObjects.add(catalogObject); + gravitinoMetalake.createRole(role, new HashMap<>(), securableObjects); + gravitinoMetalake.grantRolesToUser(ImmutableList.of(role), NORMAL_USER); + // normal user can load the catalog but not the schema + Catalog catalogLoadByNormalUser = normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG); + assertEquals(CATALOG, catalogLoadByNormalUser.name()); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + catalogLoadByNormalUser.asSchemas().loadSchema(SCHEMA); + }); + TableCatalog tableCatalog = client.loadMetalake(METALAKE).loadCatalog(CATALOG).asTableCatalog(); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table1"), createColumns(), "test", new HashMap<>()); + } + + private Column[] createColumns() { + return new Column[] {Column.of("col1", Types.StringType.get())}; + } + + @AfterAll + public void stopIntegrationTest() throws IOException, InterruptedException { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + gravitinoMetalake.loadCatalog(CATALOG).asSchemas().dropSchema(SCHEMA, true); + gravitinoMetalake.dropCatalog(CATALOG, true); + super.stopIntegrationTest(); + } + + @Test + @Order(1) + public void createPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + Set<MetadataObject.Type> supportedTypes = ImmutableSet.of(MetadataObject.Type.TABLE); + gravitinoMetalake.createPolicy( + "policy1", "custom", "policy1", true, PolicyContents.custom(null, supportedTypes, null)); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.createPolicy( + "policy2", + "custom", + "policy2", + true, + PolicyContents.custom(null, supportedTypes, null)); + }); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(METALAKE), MetadataObject.Type.METALAKE), + ImmutableSet.of(Privileges.CreatePolicy.allow())); + metalakeLoadByNormalUser.createPolicy( + "policy2", "custom", "policy2", true, PolicyContents.custom(null, supportedTypes, null)); + gravitinoMetalake.createPolicy( + "policy3", "custom", "policy3", true, PolicyContents.custom(null, supportedTypes, null)); + } + + @Test + @Order(2) + public void listPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + String[] policies = gravitinoMetalake.listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy1", "policy2", "policy3"}, policies); + policies = normalUserClient.loadMetalake(METALAKE).listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy2"}, policies); + } + + @Test + @Order(3) + public void testGetPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + gravitinoMetalake.getPolicy("policy1"); + gravitinoMetalake.getPolicy("policy2"); + gravitinoMetalake.getPolicy("policy3"); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.getPolicy("policy1"); + }); + metalakeLoadByNormalUser.getPolicy("policy2"); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.getPolicy("policy3"); + }); + + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of("policy3"), MetadataObject.Type.POLICY), + ImmutableSet.of(Privileges.ApplyPolicy.allow())); + metalakeLoadByNormalUser.getPolicy("policy3"); + String[] policies = metalakeLoadByNormalUser.listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy2", "policy3"}, policies); + } + + @Test + @Order(4) + public void testAlterPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + gravitinoMetalake.alterPolicy("policy1", PolicyChange.updateComment("222")); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.alterPolicy("policy3", PolicyChange.updateComment("222")); + }); + metalakeLoadByNormalUser.alterPolicy("policy2", PolicyChange.updateComment("222")); + } + + @Test + @Order(6) + public void testAssociatePolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + SupportsPolicies supportsPolicies = + gravitinoMetalake + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table1")) + .supportsPolicies(); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA), MetadataObject.Type.SCHEMA), + ImmutableList.of(Privileges.SelectTable.allow(), Privileges.UseSchema.allow())); + SupportsPolicies supportsPoliciesByNormalUser = + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table1")) + .supportsPolicies(); + supportsPolicies.associatePolicies(new String[] {"policy1"}, new String[] {}); + assertThrows( + "Can not access metadata.", + ForbiddenException.class, + () -> { + supportsPoliciesByNormalUser.associatePolicies(new String[] {"policy1"}, new String[] {}); + }); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(METALAKE), MetadataObject.Type.METALAKE), + ImmutableSet.of(Privileges.CreateTable.allow())); + TableCatalog tableCatalog = + normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG).asTableCatalog(); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table2"), createColumns(), "test", new HashMap<>()); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table3"), createColumns(), "test", new HashMap<>()); + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table2")) + .supportsPolicies() + .associatePolicies(new String[] {"policy2"}, new String[] {}); + ; + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table3")) + .supportsPolicies() + .associatePolicies(new String[] {"policy2"}, new String[] {}); + ; Review Comment: Remove unnecessary semicolon on this standalone line. This appears to be leftover from refactoring. ```suggestion metalakeLoadByNormalUser .loadCatalog(CATALOG) .asTableCatalog() .loadTable(NameIdentifier.of(SCHEMA, "table3")) .supportsPolicies() .associatePolicies(new String[] {"policy2"}, new String[] {}); ``` ########## clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/PolicyAuthorizationIT.java: ########## @@ -0,0 +1,386 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.gravitino.client.integration.test.authorization; + +import static org.junit.Assert.assertThrows; +import static org.junit.jupiter.api.Assertions.assertEquals; + +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Maps; +import java.io.IOException; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Set; +import org.apache.gravitino.Catalog; +import org.apache.gravitino.MetadataObject; +import org.apache.gravitino.MetadataObjects; +import org.apache.gravitino.NameIdentifier; +import org.apache.gravitino.authorization.Privileges; +import org.apache.gravitino.authorization.SecurableObject; +import org.apache.gravitino.authorization.SecurableObjects; +import org.apache.gravitino.client.GravitinoMetalake; +import org.apache.gravitino.exceptions.ForbiddenException; +import org.apache.gravitino.integration.test.container.ContainerSuite; +import org.apache.gravitino.integration.test.container.HiveContainer; +import org.apache.gravitino.policy.PolicyChange; +import org.apache.gravitino.policy.PolicyContents; +import org.apache.gravitino.policy.SupportsPolicies; +import org.apache.gravitino.rel.Column; +import org.apache.gravitino.rel.TableCatalog; +import org.apache.gravitino.rel.types.Types; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.MethodOrderer; +import org.junit.jupiter.api.Order; +import org.junit.jupiter.api.Tag; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.TestMethodOrder; + +@Tag("gravitino-docker-test") +@TestMethodOrder(MethodOrderer.OrderAnnotation.class) +public class PolicyAuthorizationIT extends BaseRestApiAuthorizationIT { + + private static final String CATALOG = "catalog"; + private static final String SCHEMA = "schema"; + private static final ContainerSuite containerSuite = ContainerSuite.getInstance(); + private static String hmsUri; + private static String role = "role"; + + @BeforeAll + public void startIntegrationTest() throws Exception { + containerSuite.startHiveContainer(); + super.startIntegrationTest(); + hmsUri = + String.format( + "thrift://%s:%d", + containerSuite.getHiveContainer().getContainerIpAddress(), + HiveContainer.HIVE_METASTORE_PORT); + Map<String, String> properties = Maps.newHashMap(); + properties.put("metastore.uris", hmsUri); + client + .loadMetalake(METALAKE) + .createCatalog(CATALOG, Catalog.Type.RELATIONAL, "hive", "comment", properties) + .asSchemas() + .createSchema(SCHEMA, "test", new HashMap<>()); + // try to load the schema as normal user, expect failure + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + RuntimeException.class, + () -> { + normalUserClient + .loadMetalake(METALAKE) + .loadCatalog(CATALOG) + .asSchemas() + .loadSchema(SCHEMA); + }); + // grant tester privilege + List<SecurableObject> securableObjects = new ArrayList<>(); + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + SecurableObject catalogObject = + SecurableObjects.ofCatalog(CATALOG, ImmutableList.of(Privileges.UseCatalog.allow())); + securableObjects.add(catalogObject); + gravitinoMetalake.createRole(role, new HashMap<>(), securableObjects); + gravitinoMetalake.grantRolesToUser(ImmutableList.of(role), NORMAL_USER); + // normal user can load the catalog but not the schema + Catalog catalogLoadByNormalUser = normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG); + assertEquals(CATALOG, catalogLoadByNormalUser.name()); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + catalogLoadByNormalUser.asSchemas().loadSchema(SCHEMA); + }); + TableCatalog tableCatalog = client.loadMetalake(METALAKE).loadCatalog(CATALOG).asTableCatalog(); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table1"), createColumns(), "test", new HashMap<>()); + } + + private Column[] createColumns() { + return new Column[] {Column.of("col1", Types.StringType.get())}; + } + + @AfterAll + public void stopIntegrationTest() throws IOException, InterruptedException { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + gravitinoMetalake.loadCatalog(CATALOG).asSchemas().dropSchema(SCHEMA, true); + gravitinoMetalake.dropCatalog(CATALOG, true); + super.stopIntegrationTest(); + } + + @Test + @Order(1) + public void createPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + Set<MetadataObject.Type> supportedTypes = ImmutableSet.of(MetadataObject.Type.TABLE); + gravitinoMetalake.createPolicy( + "policy1", "custom", "policy1", true, PolicyContents.custom(null, supportedTypes, null)); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.createPolicy( + "policy2", + "custom", + "policy2", + true, + PolicyContents.custom(null, supportedTypes, null)); + }); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(METALAKE), MetadataObject.Type.METALAKE), + ImmutableSet.of(Privileges.CreatePolicy.allow())); + metalakeLoadByNormalUser.createPolicy( + "policy2", "custom", "policy2", true, PolicyContents.custom(null, supportedTypes, null)); + gravitinoMetalake.createPolicy( + "policy3", "custom", "policy3", true, PolicyContents.custom(null, supportedTypes, null)); + } + + @Test + @Order(2) + public void listPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + String[] policies = gravitinoMetalake.listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy1", "policy2", "policy3"}, policies); + policies = normalUserClient.loadMetalake(METALAKE).listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy2"}, policies); + } + + @Test + @Order(3) + public void testGetPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + gravitinoMetalake.getPolicy("policy1"); + gravitinoMetalake.getPolicy("policy2"); + gravitinoMetalake.getPolicy("policy3"); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.getPolicy("policy1"); + }); + metalakeLoadByNormalUser.getPolicy("policy2"); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.getPolicy("policy3"); + }); + + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of("policy3"), MetadataObject.Type.POLICY), + ImmutableSet.of(Privileges.ApplyPolicy.allow())); + metalakeLoadByNormalUser.getPolicy("policy3"); + String[] policies = metalakeLoadByNormalUser.listPolicies(); + Assertions.assertArrayEquals(new String[] {"policy2", "policy3"}, policies); + } + + @Test + @Order(4) + public void testAlterPolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + gravitinoMetalake.alterPolicy("policy1", PolicyChange.updateComment("222")); + assertThrows( + "Can not access metadata.{" + CATALOG + "." + SCHEMA + "}.", + ForbiddenException.class, + () -> { + metalakeLoadByNormalUser.alterPolicy("policy3", PolicyChange.updateComment("222")); + }); + metalakeLoadByNormalUser.alterPolicy("policy2", PolicyChange.updateComment("222")); + } + + @Test + @Order(6) + public void testAssociatePolicy() { + GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE); + GravitinoMetalake metalakeLoadByNormalUser = normalUserClient.loadMetalake(METALAKE); + SupportsPolicies supportsPolicies = + gravitinoMetalake + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table1")) + .supportsPolicies(); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA), MetadataObject.Type.SCHEMA), + ImmutableList.of(Privileges.SelectTable.allow(), Privileges.UseSchema.allow())); + SupportsPolicies supportsPoliciesByNormalUser = + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table1")) + .supportsPolicies(); + supportsPolicies.associatePolicies(new String[] {"policy1"}, new String[] {}); + assertThrows( + "Can not access metadata.", + ForbiddenException.class, + () -> { + supportsPoliciesByNormalUser.associatePolicies(new String[] {"policy1"}, new String[] {}); + }); + gravitinoMetalake.grantPrivilegesToRole( + role, + MetadataObjects.of(ImmutableList.of(METALAKE), MetadataObject.Type.METALAKE), + ImmutableSet.of(Privileges.CreateTable.allow())); + TableCatalog tableCatalog = + normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG).asTableCatalog(); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table2"), createColumns(), "test", new HashMap<>()); + tableCatalog.createTable( + NameIdentifier.of(SCHEMA, "table3"), createColumns(), "test", new HashMap<>()); + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table2")) + .supportsPolicies() + .associatePolicies(new String[] {"policy2"}, new String[] {}); + ; + metalakeLoadByNormalUser + .loadCatalog(CATALOG) + .asTableCatalog() + .loadTable(NameIdentifier.of(SCHEMA, "table3")) + .supportsPolicies() + .associatePolicies(new String[] {"policy2"}, new String[] {}); + ; Review Comment: Remove unnecessary semicolon on this standalone line. This appears to be leftover from refactoring. ```suggestion metalakeLoadByNormalUser .loadCatalog(CATALOG) .asTableCatalog() .loadTable(NameIdentifier.of(SCHEMA, "table3")) .supportsPolicies() .associatePolicies(new String[] {"policy2"}, new String[] {}); ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
