This is an automated email from the ASF dual-hosted git repository.

fanng pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new 28ccb5c109 [#9337] improvement: Plan scan API supports access control 
(#9361)
28ccb5c109 is described below

commit 28ccb5c1097ecdfa95cedc14353ccf867d0075df
Author: roryqi <[email protected]>
AuthorDate: Wed Dec 3 14:39:45 2025 +0800

    [#9337] improvement: Plan scan API supports access control (#9361)
    
    ### What changes were proposed in this pull request?
    
    Plan scan API supports access control
    
    ### Why are the changes needed?
    
    Fix: #9337
    
    ### Does this PR introduce _any_ user-facing change?
    
    No need.
    
    ### How was this patch tested?
    
    The Iceberg client doesn't support remote plan scan yet, so we can't test
    it for now. See https://github.com/apache/iceberg/pull/13400
---
 .../iceberg/service/rest/IcebergTableOperations.java        | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergTableOperations.java
 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergTableOperations.java
index 53f7b73f01..429a3e0d28 100644
--- 
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergTableOperations.java
+++ 
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/iceberg/service/rest/IcebergTableOperations.java
@@ -460,10 +460,17 @@ public class IcebergTableOperations {
   @Consumes(MediaType.APPLICATION_JSON)
   @Timed(name = "plan-table-scan." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "plan-table-scan", absolute = true)
+  @AuthorizationExpression(
+      expression =
+          "ANY(OWNER, METALAKE, CATALOG) || "
+              + "SCHEMA_OWNER_WITH_USE_CATALOG || "
+              + "ANY_USE_CATALOG && ANY_USE_SCHEMA  && (TABLE::OWNER || 
ANY_SELECT_TABLE|| ANY_MODIFY_TABLE)",
+      accessMetadataType = MetadataObject.Type.TABLE)
   public Response planTableScan(
-      @PathParam("prefix") String prefix,
-      @Encoded() @PathParam("namespace") String namespace,
-      @PathParam("table") String table,
+      @PathParam("prefix") @AuthorizationMetadata(type = EntityType.CATALOG) 
String prefix,
+      @Encoded() @PathParam("namespace") @AuthorizationMetadata(type = 
EntityType.SCHEMA)
+          String namespace,
+      @PathParam("table") @AuthorizationMetadata(type = EntityType.TABLE) 
String table,
       PlanTableScanRequest scanRequest) {
     String catalogName = IcebergRESTUtils.getCatalogName(prefix);
     Namespace icebergNS = RESTUtil.decodeNamespace(namespace);
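Review bot: The new `@AuthorizationExpression` on `planTableScan` ships with no test of the deny path, and the commit message says the rule cannot be exercised through the Iceberg client yet. A server-side test that calls the endpoint as a user with neither table ownership nor `ANY_SELECT_TABLE`/`ANY_MODIFY_TABLE`, and expects the request to be rejected, would not need client support. The third alternative also relies on `&&` binding tighter than `||` in the expression evaluator, which is not visible in this hunk; writing it as `+ "(ANY_USE_CATALOG && ANY_USE_SCHEMA && (TABLE::OWNER || ANY_SELECT_TABLE || ANY_MODIFY_TABLE))"` makes the grouping explicit and evens out the spacing. Only the `prefix`, `namespace` and `table` path parameters carry `@AuthorizationMetadata`, so it is worth confirming that nothing in `PlanTableScanRequest` can point the scan at a different table than the one authorized. The body of `planTableScan` continues past the end of the hunk.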
