This is an automated email from the ASF dual-hosted git repository.
mchades pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 095b9cd2f1 [MINOR] polish(authz): polish authz codes for easier reuse
(#9402)
095b9cd2f1 is described below
commit 095b9cd2f1982e15a070efc92980157441104cba
Author: mchades <[email protected]>
AuthorDate: Tue Dec 9 14:00:31 2025 +0800
[MINOR] polish(authz): polish authz codes for easier reuse (#9402)
### What changes were proposed in this pull request?
can specify a principal
### Why are the changes needed?
polish authz codes for easier reuse
### Does this PR introduce _any_ user-facing change?
no
### How was this patch tested?
CI passed
---
.../server/authorization/MetadataAuthzHelper.java | 51 +++++++++++++---------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index ffa32bc294..15d5f542ad 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -64,6 +64,7 @@ public class MetadataAuthzHelper {
return doFilter(
expression,
metalakes,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
authorizationRequestContext,
metalake -> {
@@ -72,7 +73,8 @@ public class MetadataAuthzHelper {
metalakeName,
Entity.EntityType.METALAKE,
NameIdentifierUtil.ofMetalake(metalakeName));
- });
+ },
+ (unused) -> null);
}
/**
@@ -87,6 +89,7 @@ public class MetadataAuthzHelper {
return doFilter(
AuthorizationExpressionConstants.CAN_ACCESS_METADATA,
metadataObjects,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
new AuthorizationRequestContext(),
metadataObject ->
@@ -109,6 +112,7 @@ public class MetadataAuthzHelper {
return doFilter(
AuthorizationExpressionConstants.CAN_ACCESS_METADATA,
metadataObjects,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
new AuthorizationRequestContext(),
metadataObject ->
@@ -178,8 +182,18 @@ public class MetadataAuthzHelper {
Function<E, NameIdentifier> toNameIdentifier) {
GravitinoAuthorizer authorizer =
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
- return filterByExpression(
- metalake, expression, entityType, entities, toNameIdentifier,
authorizer);
+ AuthorizationRequestContext authorizationRequestContext = new
AuthorizationRequestContext();
+ return doFilter(
+ expression,
+ entities,
+ PrincipalUtils.getCurrentPrincipal(),
+ authorizer,
+ authorizationRequestContext,
+ (entity) -> {
+ NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
+ return splitMetadataNames(metalake, entityType, nameIdentifier);
+ },
+ (unused) -> null);
}
/**
@@ -191,7 +205,12 @@ public class MetadataAuthzHelper {
* @param entityType entity type
* @param entities metadata entities
* @param toNameIdentifier function to convert entity to NameIdentifier
- * @param authorizer authorizer to filter metadata
+ * @param currentPrincipal The principal to perform the authorization check
as. This is intended
+ * as an extension point for external modules to inject a specific
security context, so please
+ * do not remove it.
+ * @param authorizer The authorizer to use for the authorization check. This
is intended as an
+ * extension point for external modules to inject a specific
authorization mechanism, so
+ * please do not remove it.
* @return Filtered Metadata Entity
* @param <E> Entity class
*/
@@ -201,17 +220,20 @@ public class MetadataAuthzHelper {
Entity.EntityType entityType,
E[] entities,
Function<E, NameIdentifier> toNameIdentifier,
+ Principal currentPrincipal,
GravitinoAuthorizer authorizer) {
AuthorizationRequestContext authorizationRequestContext = new
AuthorizationRequestContext();
return doFilter(
expression,
entities,
+ currentPrincipal,
authorizer,
authorizationRequestContext,
(entity) -> {
NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
return splitMetadataNames(metalake, entityType, nameIdentifier);
- });
+ },
+ (unused) -> null);
}
/**
@@ -219,30 +241,18 @@ public class MetadataAuthzHelper {
*
* @param expression The authorization expression to evaluate
* @param entities The array of entities to filter
+ * @param currentPrincipal The principal used to evaluate permissions
* @param authorizer The authorizer used to evaluate permissions
* @param authorizationRequestContext The context of the authorization
request
* @param extractMetadataNamesMap Function to extract metadata names map
from entity
+ * @param extractEntityType Function to extract entity type from entity
* @param <E> The type of entity
* @return Filtered array of entities that passed authorization check
*/
private static <E> E[] doFilter(
String expression,
E[] entities,
- GravitinoAuthorizer authorizer,
- AuthorizationRequestContext authorizationRequestContext,
- Function<E, Map<Entity.EntityType, NameIdentifier>>
extractMetadataNamesMap) {
- return doFilter(
- expression,
- entities,
- authorizer,
- authorizationRequestContext,
- extractMetadataNamesMap,
- (unused) -> null);
- }
-
- private static <E> E[] doFilter(
- String expression,
- E[] entities,
+ Principal currentPrincipal,
GravitinoAuthorizer authorizer,
AuthorizationRequestContext authorizationRequestContext,
Function<E, Map<Entity.EntityType, NameIdentifier>>
extractMetadataNamesMap,
@@ -251,7 +261,6 @@ public class MetadataAuthzHelper {
return entities;
}
checkExecutor();
- Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
authorizationRequestContext.setOriginalAuthorizationExpression(expression);
List<CompletableFuture<E>> futures = new ArrayList<>();
for (E entity : entities) {
