Re: [PR] [#9381] improvement(authz): Rename the model privilege names [gravitino]

Tue, 09 Dec 2025 03:28:56 -0800 


jerqi commented on code in PR #9384:
URL: https://github.com/apache/gravitino/pull/9384#discussion_r2602240128


##########
core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java:
##########
@@ -636,8 +637,31 @@ private static SecurableObject 
updateRevokedSecurableObject(
     // Use set to deduplicate the privileges
     Set<Privilege> updatePrivileges = Sets.newHashSet();
     updatePrivileges.addAll(targetObject.privileges());
+    // Remove the privileges that are being revoked from the current privilege 
set
     privileges.forEach(updatePrivileges::remove);
 
+    // Handle backward compatibility for model privilege revocation
+    // Gravitino renamed model privileges: CREATE_MODEL -> REGISTER_MODEL,
+    // CREATE_MODEL_VERSION -> LINK_MODEL_VERSION
+    // When revoking privileges, we need to handle both old and new privilege 
names to ensure
+    // complete removal regardless of which name was used when granting the 
privilege.
+    for (Privilege privilege : privileges) {
+      // If revoking legacy privileges (CREATE_MODEL or CREATE_MODEL_VERSION),
+      // also remove their new equivalents (REGISTER_MODEL or 
LINK_MODEL_VERSION)
+      if (privilege.name() == Privilege.Name.CREATE_MODEL
+          || privilege.name() == Privilege.Name.CREATE_MODEL_VERSION) {
+        updatePrivileges.remove(
+            AuthorizationUtils.replaceLegacyPrivilege(privilege.name(), 
privilege.condition()));
+      }
+      // If revoking new privileges (REGISTER_MODEL or LINK_MODEL_VERSION),
+      // also remove their legacy equivalents (CREATE_MODEL or 
CREATE_MODEL_VERSION)
+      else if (privilege.name() == Privilege.Name.REGISTER_MODEL
+          || privilege.name() == Privilege.Name.LINK_MODEL_VERSION) {
+        updatePrivileges.remove(
+            AuthorizationUtils.getLegacyPrivilege(privilege.name(), 
privilege.condition()));

Review Comment:
   I have added the test cases in the ModelAuthorizationIT.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to