Copilot commented on code in PR #9391:
URL: https://github.com/apache/gravitino/pull/9391#discussion_r2592230992


##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -35,7 +35,6 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.ThreadPoolExecutor;
 import org.apache.commons.io.IOUtils;
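Review bot: the hunk header `@@ -35,7 +35,6 @@` records one deleted line, but the excerpt quotes only the three unchanged imports (`Executors`, `ThreadPoolExecutor`, `IOUtils`), so which import was removed cannot be confirmed from what is shown here. Since deleting an import that is still referenced is a compile error, a passing build of `server-common` is the sufficient check; no manual scan of the file for `StringUtils` adds anything beyond that.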

Review Comment:
   The removal of the `StringUtils` import should be verified; ensure that `StringUtils` is not used elsewhere in this file.
   ```suggestion
   
   ```



##########
server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java:
##########
@@ -138,7 +138,7 @@ public Response createMetalake(MetalakeCreateRequest 
request) {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "load-metalake." + MetricNames.HTTP_PROCESS_DURATION, absolute 
= true)
   @ResponseMetered(name = "load-metalake", absolute = true)
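Review bot: the modified line of this hunk is not quoted; only the unchanged `@Produces`, `@Timed` and `@ResponseMetered` annotations on `loadMetalake` are visible, so whether an authorization annotation was changed cannot be judged from the excerpt alone. If the change does leave `loadMetalake` with an empty authorization expression, a source comment is weak documentation on its own: pair it with an explicit marker on the method and a test that pins the endpoint as intentionally unauthenticated, so that the absence of a check is a recorded decision rather than something a later edit can introduce or remove unnoticed.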

Review Comment:
   Using an empty authorization expression removes all access control for the `loadMetalake` endpoint. This should be explicitly documented, or a more explicit authorization strategy should be used, to clarify that this endpoint is intentionally unrestricted.
   ```suggestion
     @ResponseMetered(name = "load-metalake", absolute = true)
     // WARNING: This endpoint is intentionally left without access control.
     // Anyone can access the loadMetalake endpoint. If this is not intended,
     // please add an appropriate authorization expression.
   ```
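
One way to make "intentionally unrestricted" explicit rather than implicit, as an added example that is not Gravitino code and not part of the review above: a fail-closed JAX-RS `ContainerRequestFilter` that treats a missing or blank expression as a misconfiguration and only serves an endpoint without a check when it carries a separate opt-out marker. The annotations `@AuthorizationExpression` and `@Unrestricted`, the filter class, and the `ROLE_A || ROLE_B` expression grammar are all assumptions for this example; the project's real annotation and its Casbin-backed evaluator are not shown on the page.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.function.Predicate;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Hypothetical per-method authorization expression (assumed; not Gravitino's annotation). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface AuthorizationExpression {
  String value();
}

/** Hypothetical explicit opt-out: the only way to expose a method with no check. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Unrestricted {}

@Provider
@Priority(Priorities.AUTHORIZATION)
public class FailClosedAuthorizationFilter implements ContainerRequestFilter {

  enum Decision { ALLOW, DENY, MISCONFIGURED }

  @Context private ResourceInfo resourceInfo;

  @Override
  public void filter(ContainerRequestContext ctx) {
    Method method = resourceInfo.getResourceMethod();
    // Role membership comes from the container's SecurityContext, never from
    // client-supplied headers.
    Predicate<String> hasRole = ctx.getSecurityContext()::isUserInRole;
    switch (decide(method, hasRole)) {
      case ALLOW:
        return;
      case DENY:
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        return;
      case MISCONFIGURED:
        // A missing or blank expression is a deployment bug. Fail the request
        // loudly instead of quietly serving the resource to everyone.
        ctx.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR)
            .entity("no authorization expression on " + method.getName())
            .build());
        return;
    }
  }

  /** Pure decision logic, kept free of container state so it can be unit-tested. */
  static Decision decide(Method method, Predicate<String> hasRole) {
    if (method.isAnnotationPresent(Unrestricted.class)) {
      return Decision.ALLOW; // documented, intentional public endpoint
    }
    AuthorizationExpression expr = method.getAnnotation(AuthorizationExpression.class);
    if (expr == null || expr.value().trim().isEmpty()) {
      return Decision.MISCONFIGURED; // empty never means "allow all"
    }
    return evaluate(expr.value(), hasRole) ? Decision.ALLOW : Decision.DENY;
  }

  /**
   * Evaluator for the assumed grammar "ROLE_A || ROLE_B": the request is
   * allowed when the caller holds any listed role. A real deployment would
   * hand the expression to its policy engine instead of this method.
   */
  static boolean evaluate(String expression, Predicate<String> hasRole) {
    return Arrays.stream(expression.split("\\|\\|"))
        .map(String::trim)
        .filter(s -> !s.isEmpty())
        .anyMatch(hasRole);
  }
}
```

With this filter in place, a resource method is either annotated `@AuthorizationExpression("METALAKE_USER || SERVICE_ADMIN")`, or `@Unrestricted`, or it fails with a 500 on first use; a reviewer can then grep for `@Unrestricted` to list every deliberately open endpoint, and an empty string in an expression can no longer silently disable access control.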



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
