Re: [PR] [#9266] feat(authz): Support filter MetadataObject [gravitino]

Tue, 02 Dec 2025 04:05:12 -0800 


hdygxsj commented on code in PR #9290:
URL: https://github.com/apache/gravitino/pull/9290#discussion_r2580884010


##########
server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java:
##########
@@ -213,6 +237,26 @@ private static <E> E[] doFilter(
       GravitinoAuthorizer authorizer,
       AuthorizationRequestContext authorizationRequestContext,
       Function<E, Map<Entity.EntityType, NameIdentifier>> 
extractMetadataNamesMap) {
+    return doFilter(
+        expression,
+        entities,
+        authorizer,
+        authorizationRequestContext,
+        extractMetadataNamesMap,
+        (any) -> null);
+  }
+
+  private static <E> E[] doFilter(
+      String expression,
+      E[] entities,
+      GravitinoAuthorizer authorizer,
+      AuthorizationRequestContext authorizationRequestContext,
+      Function<E, Map<Entity.EntityType, NameIdentifier>> 
extractMetadataNamesMap,
+      Function<E, Entity.EntityType> extractEntityType) {

Review Comment:
   To ensure functionality works correctly when authorization is disabled, the 
existing unit tests do not support enabling authorization; the correctness of 
features with authorization enabled is guaranteed by integration tests (IT).
   
   



##########
server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java:
##########
@@ -108,6 +105,37 @@ public static Metalake[] filterMetalakes(Metalake[] 
metalakes, String expression
               NameIdentifierUtil.ofMetalake(metalakeName));
         });
   }
+
+  public static MetadataObjectDTO[] filterMetadataObject(
+      String metalake, MetadataObjectDTO[] metadataObjects) {
+    return doFilter(
+        AuthorizationExpressionConstants.CAN_ACCESS_METADATA,
+        metadataObjects,
+        GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
+        new AuthorizationRequestContext(),
+        metadataObject ->
+            splitMetadataNames(
+                metalake,
+                MetadataObjectUtil.toEntityType(metadataObject.type()),
+                MetadataObjectUtil.toEntityIdent(metalake, metadataObject)),
+        metadataObject -> 
MetadataObjectUtil.toEntityType(metadataObject.type()));
+  }

Review Comment:
   To ensure functionality works correctly when authorization is disabled, the 
existing unit tests do not support enabling authorization; the correctness of 
features with authorization enabled is guaranteed by integration tests (IT).
   
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to