This is an automated email from the ASF dual-hosted git repository.
roryqi pushed a commit to branch branch-1.1
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-1.1 by this push:
new 1f206020fd [#9381] improvement(authz): Rename the model privilege
names (#9434)
1f206020fd is described below
commit 1f206020fd1ed366bc34da19412d6db30791bc57
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Dec 10 11:26:12 2025 +0800
[#9381] improvement(authz): Rename the model privilege names (#9434)
### What changes were proposed in this pull request?
Rename the model privilege names to follow the operation name styles.
### Why are the changes needed?
Fix: #9381
### Does this PR introduce _any_ user-facing change?
Changed the documents.
### How was this patch tested?
Added new backward-compatibility test cases covering grant/revoke with both the legacy and the new privilege names.
Co-authored-by: roryqi <[email protected]>
---
.../apache/gravitino/authorization/Privilege.java | 37 ++++++++-
.../apache/gravitino/authorization/Privileges.java | 90 ++++++++++++++++++---
.../authorization/TestSecurableObjects.java | 4 +-
.../test/authorization/AccessControlIT.java | 45 ++++++++---
.../test/authorization/ModelAuthorizationIT.java | 88 ++++++++++++++++++--
.../authorization/AuthorizationUtils.java | 61 +++++++++++++-
.../gravitino/authorization/PermissionManager.java | 25 ++++++
docs/security/access-control.md | 22 +++--
.../AuthorizationExpressionConverter.java | 12 +--
.../authorization/jcasbin/JcasbinAuthorizer.java | 11 ++-
.../gravitino/server/web/rest/ModelOperations.java | 4 +-
.../TestModelAuthorizationExpression.java | 94 ++++++++++++----------
12 files changed, 399 insertions(+), 94 deletions(-)
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
index 332ff3be58..ea94c30b4b 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -89,9 +89,42 @@ public interface Privilege {
CREATE_ROLE(0L, 1L << 16),
/** The privilege to grant or revoke a role for the user or the group. */
MANAGE_GRANTS(0L, 1L << 17),
- /** The privilege to create a model */
+ /** The privilege to register a model */
+ REGISTER_MODEL(0L, 1L << 18),
+ /**
+ * The privilege to create a model. This is deprecated. Please use
REGISTER_MODEL.
+ *
+ * <p>Note: This enum shares the same bit value (1L << 18) as
REGISTER_MODEL for backward
+ * compatibility. This unconventional design allows legacy privilege names
to be treated as
+ * equivalent to new privilege names without requiring runtime privilege
translation in the
+ * authorization engine. However, this means:
+ *
+ * <ul>
+ * <li>The bit fields do not uniquely identify an enum value
+ * <li>Converting from bits to enum name is ambiguous
+ * <li>Both CREATE_MODEL and REGISTER_MODEL are functionally identical
at the bit level
+ * </ul>
+ */
+ @Deprecated
CREATE_MODEL(0L, 1L << 18),
- /** The privilege to create a model version */
+ /** The privilege to link a model version */
+ LINK_MODEL_VERSION(0L, 1L << 19),
+ /**
+ * The privilege to create a model version. This is deprecated. Please use
LINK_MODEL_VERSION.
+ *
+ * <p>Note: This enum shares the same bit value (1L << 19) as
LINK_MODEL_VERSION for
+ * backward compatibility. This unconventional design allows legacy
privilege names to be
+ * treated as equivalent to new privilege names without requiring runtime
privilege translation
+ * in the authorization engine. However, this means:
+ *
+ * <ul>
+ * <li>The bit fields do not uniquely identify an enum value
+ * <li>Converting from bits to enum name is ambiguous
+ * <li>Both CREATE_MODEL_VERSION and LINK_MODEL_VERSION are functionally
identical at the bit
+ * level
+ * </ul>
+ */
+ @Deprecated
CREATE_MODEL_VERSION(0L, 1L << 19),
/** The privilege to view the metadata of the model and download all the
model versions */
USE_MODEL(0L, 1L << 20),
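Review bot: The `@Deprecated` annotations on `CREATE_MODEL` and `CREATE_MODEL_VERSION` are not paired with a Javadoc `@deprecated` tag, so javadoc tooling and IDEs will not surface the replacement; add `@deprecated Use {@link #REGISTER_MODEL} instead.` and `@deprecated Use {@link #LINK_MODEL_VERSION} instead.` to the respective doc comments. The note about shared bit values should also state the converse explicitly: the two constants are still distinct at the `Name`/`equals` level, so any `Set<Privilege>` or `Privilege.Name` comparison that does not go through `AuthorizationUtils.replaceLegacyPrivilegeName` will treat them as different privileges — that is why the revoke path and the duplicate-name check needed special handling in this commit. A one-line sentence such as `* Callers comparing privileges by name must normalize legacy names first; only the bit value is shared.` would make the contract clear to the next maintainer. The `Name` enum continues beyond this hunk.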
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
index b499069a7d..45e40f5268 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -127,8 +127,12 @@ public class Privileges {
return ManageGrants.allow();
// Model
+ case REGISTER_MODEL:
+ return RegisterModel.allow();
case CREATE_MODEL:
return CreateModel.allow();
+ case LINK_MODEL_VERSION:
+ return LinkModelVersion.allow();
case CREATE_MODEL_VERSION:
return CreateModelVersion.allow();
case USE_MODEL:
@@ -231,8 +235,12 @@ public class Privileges {
return ManageGrants.deny();
// Model
+ case REGISTER_MODEL:
+ return RegisterModel.deny();
case CREATE_MODEL:
return CreateModel.deny();
+ case LINK_MODEL_VERSION:
+ return LinkModelVersion.deny();
case CREATE_MODEL_VERSION:
return CreateModelVersion.deny();
case USE_MODEL:
@@ -839,28 +847,28 @@ public class Privileges {
}
}
- /** The privilege to create a model */
- public static class CreateModel extends GenericPrivilege<CreateModel> {
- private static final CreateModel ALLOW_INSTANCE =
- new CreateModel(Condition.ALLOW, Name.CREATE_MODEL);
- private static final CreateModel DENY_INSTANCE =
- new CreateModel(Condition.DENY, Name.CREATE_MODEL);
+ /** The privilege to register a model */
+ public static class RegisterModel extends GenericPrivilege<RegisterModel> {
+ private static final RegisterModel ALLOW_INSTANCE =
+ new RegisterModel(Condition.ALLOW, Name.REGISTER_MODEL);
+ private static final RegisterModel DENY_INSTANCE =
+ new RegisterModel(Condition.DENY, Name.REGISTER_MODEL);
- private CreateModel(Condition condition, Name name) {
+ private RegisterModel(Condition condition, Name name) {
super(condition, name);
}
/**
* @return The instance with allow condition of the privilege.
*/
- public static CreateModel allow() {
+ public static RegisterModel allow() {
return ALLOW_INSTANCE;
}
/**
* @return The instance with deny condition of the privilege.
*/
- public static CreateModel deny() {
+ public static RegisterModel deny() {
return DENY_INSTANCE;
}
@@ -899,7 +907,71 @@ public class Privileges {
}
}
+ /** The privilege to link a model version */
+ public static class LinkModelVersion extends
GenericPrivilege<LinkModelVersion> {
+ private static final LinkModelVersion ALLOW_INSTANCE =
+ new LinkModelVersion(Condition.ALLOW, Name.LINK_MODEL_VERSION);
+ private static final LinkModelVersion DENY_INSTANCE =
+ new LinkModelVersion(Condition.DENY, Name.LINK_MODEL_VERSION);
+
+ private LinkModelVersion(Condition condition, Name name) {
+ super(condition, name);
+ }
+
+ /**
+ * @return The instance with allow condition of the privilege.
+ */
+ public static LinkModelVersion allow() {
+ return ALLOW_INSTANCE;
+ }
+
+ /**
+ * @return The instance with deny condition of the privilege.
+ */
+ public static LinkModelVersion deny() {
+ return DENY_INSTANCE;
+ }
+
+ @Override
+ public boolean canBindTo(MetadataObject.Type type) {
+ return MODEL_SUPPORTED_TYPES.contains(type);
+ }
+ }
+
+ /** The privilege to create a model. */
+ @Deprecated
+ public static class CreateModel extends GenericPrivilege<CreateModel> {
+ private static final CreateModel ALLOW_INSTANCE =
+ new CreateModel(Condition.ALLOW, Name.CREATE_MODEL);
+ private static final CreateModel DENY_INSTANCE =
+ new CreateModel(Condition.DENY, Name.CREATE_MODEL);
+
+ private CreateModel(Condition condition, Name name) {
+ super(condition, name);
+ }
+
+ /**
+ * @return The instance with allow condition of the privilege.
+ */
+ public static CreateModel allow() {
+ return ALLOW_INSTANCE;
+ }
+
+ /**
+ * @return The instance with deny condition of the privilege.
+ */
+ public static CreateModel deny() {
+ return DENY_INSTANCE;
+ }
+
+ @Override
+ public boolean canBindTo(MetadataObject.Type type) {
+ return SCHEMA_SUPPORTED_TYPES.contains(type);
+ }
+ }
+
/** The privilege to create a model version */
+ @Deprecated
public static class CreateModelVersion extends
GenericPrivilege<CreateModelVersion> {
private static final CreateModelVersion ALLOW_INSTANCE =
new CreateModelVersion(Condition.ALLOW, Name.CREATE_MODEL_VERSION);
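Review bot: `CreateModel.canBindTo` re-implements the binding rule with its own `SCHEMA_SUPPORTED_TYPES` lookup instead of delegating to the privilege it is documented as equivalent to, so the two can silently diverge if `RegisterModel.canBindTo` (not visible in this hunk) is ever changed; consider `return RegisterModel.allow().canBindTo(type);` and the analogous delegation to `LinkModelVersion` in `CreateModelVersion`. Both deprecated classes also carry a bare `@Deprecated` with no Javadoc `@deprecated` tag naming the replacement; `/** The privilege to create a model. @deprecated Use {@link RegisterModel} instead. */` is enough. The `CreateModelVersion` class continues past the end of this hunk.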
diff --git
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
index b05b52a326..d6c4d592ee 100644
---
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
+++
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
@@ -177,8 +177,8 @@ public class TestSecurableObjects {
Privilege manageUsers = Privileges.ManageUsers.allow();
Privilege manageGroups = Privileges.ManageGroups.allow();
Privilege manageGrants = Privileges.ManageGrants.allow();
- Privilege createModel = Privileges.CreateModel.allow();
- Privilege createModelVersion = Privileges.CreateModelVersion.allow();
+ Privilege createModel = Privileges.RegisterModel.allow();
+ Privilege createModelVersion = Privileges.LinkModelVersion.allow();
Privilege useModel = Privileges.UseModel.allow();
Privilege createTag = Privileges.CreateTag.allow();
Privilege applyTag = Privileges.ApplyTag.allow();
diff --git
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
index 75262bb3c3..dfcb0f8516 100644
---
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
+++
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java
@@ -203,6 +203,7 @@ public class AccessControlIT extends BaseIT {
}
@Test
+ @SuppressWarnings("deprecation")
void testManageRoles() {
String roleName = "role#123";
Map<String, String> properties = Maps.newHashMap();
@@ -232,8 +233,8 @@ public class AccessControlIT extends BaseIT {
SecurableObjects.ofMetalake(
metalakeName,
Lists.newArrayList(
- Privileges.CreateModel.allow(),
- Privileges.CreateModelVersion.allow(),
+ Privileges.RegisterModel.allow(),
+ Privileges.LinkModelVersion.allow(),
Privileges.UseModel.allow()));
role =
@@ -248,8 +249,8 @@ public class AccessControlIT extends BaseIT {
SecurableObjects.ofCatalog(
"model_catalog",
Lists.newArrayList(
- Privileges.CreateModel.allow(),
- Privileges.CreateModelVersion.allow(),
+ Privileges.RegisterModel.allow(),
+ Privileges.LinkModelVersion.allow(),
Privileges.UseModel.allow()));
role =
metalake.createRole(
@@ -263,8 +264,8 @@ public class AccessControlIT extends BaseIT {
catalogObjectWithModelPrivs,
"model_schema",
Lists.newArrayList(
- Privileges.CreateModel.allow(),
- Privileges.CreateModelVersion.allow(),
+ Privileges.RegisterModel.allow(),
+ Privileges.LinkModelVersion.allow(),
Privileges.UseModel.allow()));
role =
metalake.createRole(
@@ -277,7 +278,7 @@ public class AccessControlIT extends BaseIT {
SecurableObjects.ofModel(
schemaObjectWithModelPrivs,
"model",
- Lists.newArrayList(Privileges.CreateModelVersion.allow(),
Privileges.UseModel.allow()));
+ Lists.newArrayList(Privileges.LinkModelVersion.allow(),
Privileges.UseModel.allow()));
role =
metalake.createRole(
"model_name", properties,
Lists.newArrayList(modelObjectWithCorrectPriv));
@@ -285,11 +286,37 @@ public class AccessControlIT extends BaseIT {
Assertions.assertEquals(properties, role.properties());
metalake.deleteRole("model_name");
+ // Test legacy privilege name
+ SecurableObject modelObjectWithLegacyPriv =
+ SecurableObjects.ofSchema(
+ catalogObjectWithModelPrivs,
+ "model_schema",
+ Lists.newArrayList(
+ Privileges.CreateModel.allow(),
Privileges.CreateModelVersion.allow()));
+ role =
+ metalake.createRole(
+ "model_name", properties,
Lists.newArrayList(modelObjectWithLegacyPriv));
+ Assertions.assertEquals("model_name", role.name());
+ Assertions.assertEquals(properties, role.properties());
+ // Verify privileges - test legacy privilege compatibility
+ Assertions.assertEquals(1, role.securableObjects().size());
+ List<Privilege> actualPrivileges =
+ Lists.newArrayList(role.securableObjects().get(0).privileges());
+ Assertions.assertEquals(2, actualPrivileges.size());
+ // Sort privileges by name to ensure consistent ordering
+ actualPrivileges.sort(Comparator.comparing(p -> p.name().name()));
+ // After sorting: CREATE_MODEL comes before CREATE_MODEL_VERSION
alphabetically
+ Assertions.assertEquals(Privilege.Name.CREATE_MODEL,
actualPrivileges.get(0).name());
+ Assertions.assertEquals(Privilege.Condition.ALLOW,
actualPrivileges.get(0).condition());
+ Assertions.assertEquals(Privilege.Name.CREATE_MODEL_VERSION,
actualPrivileges.get(1).name());
+ Assertions.assertEquals(Privilege.Condition.ALLOW,
actualPrivileges.get(1).condition());
+ metalake.deleteRole("model_name");
+
SecurableObject modelObjectWithWrongPriv =
SecurableObjects.ofModel(
schemaObjectWithModelPrivs,
"model",
- Lists.newArrayList(Privileges.CreateModel.allow()));
+ Lists.newArrayList(Privileges.RegisterModel.allow()));
Assertions.assertThrows(
IllegalArgumentException.class,
() ->
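Review bot: The new legacy-name case only exercises the happy path; the duplicate-name check that this commit extends to legacy names (`AuthorizationUtils.checkDuplicatedNamePrivilege`) is not asserted anywhere in this test. Add a case that mixes the two spellings with different conditions on one object, e.g. `Lists.newArrayList(Privileges.CreateModel.allow(), Privileges.RegisterModel.deny())`, and assert that `createRole` throws, so a regression that lets a role carry both an ALLOW and a DENY for the same effective privilege is caught. The assertion on stored names also documents that the server persists `CREATE_MODEL` as supplied rather than normalizing it; if that is intentional, a short comment saying so would save the next reader from treating it as a bug.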
@@ -338,7 +365,7 @@ public class AccessControlIT extends BaseIT {
// Create a role with wrong model privilege
SecurableObject wrongCatalogObject2 =
SecurableObjects.ofCatalog(
- "fileset_catalog",
Lists.newArrayList(Privileges.CreateModel.allow()));
+ "fileset_catalog",
Lists.newArrayList(Privileges.RegisterModel.allow()));
Assertions.assertThrows(
IllegalArgumentException.class,
() ->
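Review bot: The wrong-catalog check is only asserted with the new name; since `MODEL_PRIVILEGES` in `AuthorizationUtils` now lists only `REGISTER_MODEL`/`LINK_MODEL_VERSION`, a caller that tests membership without first normalizing could let the legacy name slip through on a non-model catalog. Add the mirror case, `Lists.newArrayList(Privileges.CreateModel.allow())` on `"fileset_catalog"`, with the same `assertThrows(IllegalArgumentException.class, ...)`, so that the legacy spelling is proven to be rejected as well.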
diff --git
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
index 1f39f43419..7231c6efab 100644
---
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
+++
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
@@ -100,6 +100,7 @@ public class ModelAuthorizationIT extends
BaseRestApiAuthorizationIT {
@Test
@Order(1)
+ @SuppressWarnings("deprecation")
public void testCreateModel() {
ModelCatalog modelCatalog =
client.loadMetalake(METALAKE).loadCatalog(CATALOG).asModelCatalog();
modelCatalog.registerModel(NameIdentifier.of(SCHEMA, "model1"), "", new
HashMap<>());
@@ -120,12 +121,33 @@ public class ModelAuthorizationIT extends
BaseRestApiAuthorizationIT {
});
GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
- // test grant create schema privilege
+ // Test Case 1: Grant using NEW privilege name (REGISTER_MODEL)
+ // This should allow the user to create models
gravitinoMetalake.grantPrivilegesToRole(
role,
MetadataObjects.of(null, CATALOG, MetadataObject.Type.CATALOG),
- ImmutableList.of(Privileges.UseSchema.allow(),
Privileges.CreateModel.allow()));
+ ImmutableList.of(Privileges.UseSchema.allow(),
Privileges.RegisterModel.allow()));
normalUserCatalog.registerModel(NameIdentifier.of(SCHEMA, "model2"), "",
new HashMap<>());
+
+ // Test Case 2: Revoke using LEGACY privilege name (CREATE_MODEL)
+ // This should successfully revoke the permission, proving that
CREATE_MODEL and REGISTER_MODEL
+ // are treated as equivalent by the authorization system
+ gravitinoMetalake.revokePrivilegesFromRole(
+ role,
+ MetadataObjects.of(null, CATALOG, MetadataObject.Type.CATALOG),
+ ImmutableSet.of(Privileges.CreateModel.allow()));
+ assertThrows(
+ ForbiddenException.class,
+ () -> {
+ normalUserCatalog.registerModel(NameIdentifier.of(SCHEMA, "model3"),
"", new HashMap<>());
+ });
+
+ // Test Case 3: Grant using LEGACY privilege name (CREATE_MODEL)
+ // This should work, proving backward compatibility is maintained
+ gravitinoMetalake.grantPrivilegesToRole(
+ role,
+ MetadataObjects.of(null, CATALOG, MetadataObject.Type.CATALOG),
+ ImmutableList.of(Privileges.CreateModel.allow()));
normalUserCatalog.registerModel(NameIdentifier.of(SCHEMA, "model3"), "",
new HashMap<>());
}
@@ -222,15 +244,12 @@ public class ModelAuthorizationIT extends
BaseRestApiAuthorizationIT {
@Test
@Order(6)
+ @SuppressWarnings("deprecation")
public void testLinkModel() {
ModelCatalog modelCatalog =
client.loadMetalake(METALAKE).loadCatalog(CATALOG).asModelCatalog();
Catalog catalogEntityLoadByNormalUser =
normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG);
ModelCatalog modelCatalogLoadByNormalUser =
catalogEntityLoadByNormalUser.asModelCatalog();
- modelCatalog.linkModelVersion(
- NameIdentifier.of(SCHEMA, "model1"), "uri1", new String[] {"alias1"},
"comment2", null);
- modelCatalog.linkModelVersion(
- NameIdentifier.of(SCHEMA, "model1"), "uri2", new String[] {"alias2"},
"comment2", null);
assertThrows(
"Can not access metadata {" + METALAKE + "," + CATALOG + "." + SCHEMA
+ "model1" + "}.",
ForbiddenException.class,
@@ -242,6 +261,63 @@ public class ModelAuthorizationIT extends
BaseRestApiAuthorizationIT {
"comment2",
null);
});
+ GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
+
+ // Test Case 1: Grant using NEW privilege name (LINK_MODEL_VERSION)
+ // This should allow the user to link model versions
+ gravitinoMetalake.grantPrivilegesToRole(
+ role,
+ MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA, "model1"),
MetadataObject.Type.MODEL),
+ ImmutableSet.of(Privileges.UseModel.allow(),
Privileges.LinkModelVersion.allow()));
+
+ modelCatalogLoadByNormalUser.linkModelVersion(
+ NameIdentifier.of(SCHEMA, "model1"), "uri2", new String[] {"alias2"},
"comment2", null);
+
+ // Test Case 2: Revoke using LEGACY privilege name (CREATE_MODEL_VERSION)
+ // This should successfully revoke the permission, proving that
CREATE_MODEL_VERSION and
+ // LINK_MODEL_VERSION are treated as equivalent by the authorization system
+ gravitinoMetalake.revokePrivilegesFromRole(
+ role,
+ MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA, "model1"),
MetadataObject.Type.MODEL),
+ ImmutableSet.of(Privileges.CreateModelVersion.allow()));
+ assertThrows(
+ ForbiddenException.class,
+ () -> {
+ modelCatalogLoadByNormalUser.linkModelVersion(
+ NameIdentifier.of(SCHEMA, "model1"),
+ "uri3",
+ new String[] {"alias3"},
+ "comment3",
+ null);
+ });
+
+ // Test Case 3: Grant using LEGACY privilege name (CREATE_MODEL_VERSION)
+ // This should work, proving backward compatibility is maintained
+ gravitinoMetalake.grantPrivilegesToRole(
+ role,
+ MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA, "model1"),
MetadataObject.Type.MODEL),
+ ImmutableSet.of(Privileges.CreateModelVersion.allow()));
+ modelCatalog.linkModelVersion(
+ NameIdentifier.of(SCHEMA, "model1"), "uri1", new String[] {"alias1"},
"comment2", null);
+
+ // Test Case 4: Revoke using NEW privilege name (LINK_MODEL_VERSION)
+ // This should successfully revoke the permission that was granted using
the legacy name,
+ // further proving bidirectional equivalence between old and new privilege
names
+ gravitinoMetalake.revokePrivilegesFromRole(
+ role,
+ MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA, "model1"),
MetadataObject.Type.MODEL),
+ ImmutableSet.of(Privileges.LinkModelVersion.allow(),
Privileges.UseModel.allow()));
+
+ assertThrows(
+ ForbiddenException.class,
+ () -> {
+ modelCatalogLoadByNormalUser.linkModelVersion(
+ NameIdentifier.of(SCHEMA, "model1"),
+ "uri4",
+ new String[] {"alias4"},
+ "comment4",
+ null);
+ });
}
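Review bot: Test Case 3 does not actually prove that a legacy `CREATE_MODEL_VERSION` grant authorizes the normal user, because the follow-up call on the line after the grant uses `modelCatalog` (the admin client) rather than `modelCatalogLoadByNormalUser`; the admin call succeeds regardless of what the role holds. Change it to `modelCatalogLoadByNormalUser.linkModelVersion(NameIdentifier.of(SCHEMA, "model1"), "uri1", new String[] {"alias1"}, "comment2", null);`. Test Case 4 revokes `UseModel` together with `LinkModelVersion`, so the resulting `ForbiddenException` could come from the missing `USE_MODEL` alone and does not isolate the claimed bidirectional equivalence; revoke only `Privileges.LinkModelVersion.allow()` first and assert the failure before removing `UseModel`.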
@Test
diff --git
a/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUtils.java
b/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUtils.java
index cd15d98904..d1db956d20 100644
---
a/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUtils.java
+++
b/core/src/main/java/org/apache/gravitino/authorization/AuthorizationUtils.java
@@ -19,6 +19,7 @@
package org.apache.gravitino.authorization;
import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableBiMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.util.ArrayList;
@@ -66,6 +67,28 @@ public class AuthorizationUtils {
static final String USER_DOES_NOT_EXIST_MSG = "User %s does not exist in the
metalake %s";
static final String GROUP_DOES_NOT_EXIST_MSG = "Group %s does not exist in
the metalake %s";
static final String ROLE_DOES_NOT_EXIST_MSG = "Role %s does not exist in the
metalake %s";
+
+ /**
+ * Bidirectional map of deprecated privilege names to their new equivalents.
This map is used for
+ * backward compatibility when handling legacy privilege names.
+ *
+ * <p>When adding new deprecated privileges, simply add an entry to this
BiMap rather than adding
+ * more if-else conditions in the conversion methods.
+ *
+ * <p>This BiMap is public to allow other classes to:
+ *
+ * <ul>
+ * <li>Check if a privilege is deprecated: {@code
DEPRECATED_PRIVILEGE_MAP.containsKey(name)}
+ * <li>Get the new equivalent: {@code
DEPRECATED_PRIVILEGE_MAP.get(deprecatedName)}
+ * <li>Get the deprecated equivalent: {@code
DEPRECATED_PRIVILEGE_MAP.inverse().get(newName)}
+ * </ul>
+ */
+ @SuppressWarnings("deprecation")
+ public static final ImmutableBiMap<Privilege.Name, Privilege.Name>
DEPRECATED_PRIVILEGE_MAP =
+ ImmutableBiMap.of(
+ Privilege.Name.CREATE_MODEL, Privilege.Name.REGISTER_MODEL,
+ Privilege.Name.CREATE_MODEL_VERSION,
Privilege.Name.LINK_MODEL_VERSION);
+
private static final Set<MetadataObject.Type> SKIP_APPLY_TYPES =
Sets.newHashSet(
MetadataObject.Type.ROLE,
@@ -87,9 +110,9 @@ public class AuthorizationUtils {
private static final Set<Privilege.Name> MODEL_PRIVILEGES =
Sets.immutableEnumSet(
- Privilege.Name.CREATE_MODEL,
+ Privilege.Name.REGISTER_MODEL,
Privilege.Name.USE_MODEL,
- Privilege.Name.CREATE_MODEL_VERSION);
+ Privilege.Name.LINK_MODEL_VERSION);
private AuthorizationUtils() {}
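Review bot: `MODEL_PRIVILEGES` now contains only the new names, so any membership check on it will fail for `CREATE_MODEL`/`CREATE_MODEL_VERSION` unless every caller normalizes through `replaceLegacyPrivilegeName` first; the callers are outside this hunk, so I cannot confirm they do. If the set is used to reject model privileges on non-model catalogs, a legacy spelling would then bypass that validation, which is a security check rather than a cosmetic one. Either include both spellings in the set, e.g. add `Privilege.Name.CREATE_MODEL, Privilege.Name.CREATE_MODEL_VERSION` under a `@SuppressWarnings("deprecation")`, or add a comment on the set stating that callers must normalize before lookup.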
@@ -224,12 +247,42 @@ public class AuthorizationUtils {
public static void checkDuplicatedNamePrivilege(Collection<Privilege>
privileges) {
Set<Privilege.Name> privilegeNameSet = Sets.newHashSet();
for (Privilege privilege : privileges) {
- if (privilegeNameSet.contains(privilege.name())) {
+ Privilege.Name replacePrivilegeName =
replaceLegacyPrivilegeName(privilege.name());
+ if (privilegeNameSet.contains(replacePrivilegeName)) {
throw new IllegalPrivilegeException(
"Doesn't support duplicated privilege name %s with different
condition",
privilege.name());
}
- privilegeNameSet.add(privilege.name());
+ privilegeNameSet.add(replacePrivilegeName);
+ }
+ }
+
+ @SuppressWarnings("deprecation")
+ public static Privilege.Name replaceLegacyPrivilegeName(Privilege.Name
privilegeName) {
+ return DEPRECATED_PRIVILEGE_MAP.getOrDefault(privilegeName, privilegeName);
+ }
+
+ public static Privilege replaceLegacyPrivilege(
+ Privilege.Name privilege, Privilege.Condition condition) {
+ Privilege.Name replacedPrivilegeName =
replaceLegacyPrivilegeName(privilege);
+ if (condition == Privilege.Condition.ALLOW) {
+ return Privileges.allow(replacedPrivilegeName);
+ } else {
+ return Privileges.deny(replacedPrivilegeName);
+ }
+ }
+
+ public static Privilege getLegacyPrivilege(
+ Privilege.Name privilegeName, Privilege.Condition condition) {
+ Privilege.Name legacyPrivilegeName =
DEPRECATED_PRIVILEGE_MAP.inverse().get(privilegeName);
+ if (legacyPrivilegeName == null) {
+ throw new UnsupportedOperationException(
+ "The privilege " + privilegeName + " is not a legacy privilege");
+ }
+ if (condition == Privilege.Condition.ALLOW) {
+ return Privileges.allow(legacyPrivilegeName);
+ } else {
+ return Privileges.deny(legacyPrivilegeName);
}
}
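Review bot: The error raised by `checkDuplicatedNamePrivilege` prints only `privilege.name()`, which after this change can be the new spelling while the conflicting entry was supplied under the legacy one, so the message "duplicated privilege name REGISTER_MODEL" will puzzle a caller who never used that name; include the normalized name as well, e.g. `"Doesn't support duplicated privilege name %s (equivalent to %s) with different condition", privilege.name(), replacePrivilegeName`. `getLegacyPrivilege` throws `UnsupportedOperationException` for an argument that simply has no legacy alias, which is an argument-validation failure and reads better as `IllegalArgumentException`. The three new public methods also have no Javadoc; a one-line summary on each (`/** Maps a deprecated privilege name to its current equivalent, or returns the name unchanged. */`) matches the rest of the class.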
diff --git
a/core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java
b/core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java
index dff9f0747e..138ee77f5a 100644
---
a/core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java
+++
b/core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java
@@ -625,6 +625,7 @@ class PermissionManager {
return securableObject;
}
+ @SuppressWarnings("deprecation")
private static SecurableObject updateRevokedSecurableObject(
String metalake,
String role,
@@ -636,8 +637,32 @@ class PermissionManager {
// Use set to deduplicate the privileges
Set<Privilege> updatePrivileges = Sets.newHashSet();
updatePrivileges.addAll(targetObject.privileges());
+ // Remove the privileges that are being revoked from the current privilege
set
privileges.forEach(updatePrivileges::remove);
+ // Handle backward compatibility for model privilege revocation
+ // When revoking privileges, we need to handle both old and new privilege
names to ensure
+ // complete removal regardless of which name was used when granting the
privilege.
+ for (Privilege privilege : privileges) {
+ // Check if this is a deprecated privilege and remove its new equivalent
+ Privilege.Name newPrivilegeName =
+ AuthorizationUtils.DEPRECATED_PRIVILEGE_MAP.get(privilege.name());
+ if (newPrivilegeName != null) {
+ // This is a deprecated privilege, remove its new equivalent
+ updatePrivileges.remove(
+ AuthorizationUtils.replaceLegacyPrivilege(privilege.name(),
privilege.condition()));
+ }
+
+ // Check if this privilege has a deprecated equivalent and remove it
+ Privilege.Name deprecatedPrivilegeName =
+
AuthorizationUtils.DEPRECATED_PRIVILEGE_MAP.inverse().get(privilege.name());
+ if (deprecatedPrivilegeName != null) {
+ // This privilege has a deprecated equivalent, remove it
+ updatePrivileges.remove(
+ AuthorizationUtils.getLegacyPrivilege(privilege.name(),
privilege.condition()));
+ }
+ }
+
// If the object still contains privilege, we should update the object
// with new privileges
if (!updatePrivileges.isEmpty()) {
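Review bot: Revoking now removes both spellings, but the grant side (`updateGrantedSecurableObject`, not in this diff) is not shown collapsing them, so a role could end up holding `CREATE_MODEL` ALLOW and `REGISTER_MODEL` DENY on the same object even though `checkDuplicatedNamePrivilege` rejects that combination within a single request; please confirm the grant path normalizes or dedupes the same way. The two lookups in the loop can also be collapsed since the map is a BiMap: normalize once with `Privilege.Name canonical = AuthorizationUtils.replaceLegacyPrivilegeName(privilege.name());`, remove `Privileges.allow/deny(canonical)`, and then remove the legacy form only when `DEPRECATED_PRIVILEGE_MAP.inverse().containsKey(canonical)`. The enclosing method continues beyond this hunk.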
diff --git a/docs/security/access-control.md b/docs/security/access-control.md
index 2c38887051..f32aa2da01 100644
--- a/docs/security/access-control.md
+++ b/docs/security/access-control.md
@@ -261,11 +261,17 @@ DENY `WRITE_FILESET` won‘t deny the `READ_FILESET`
operation if the user has t
### Model privileges
-| Name | Supports Securable Object | Operation
|
-|----------------------|----------------------------------|--------------------------------------------------------------------|
-| CREATE_MODEL | Metalake, Catalog, Schema | Create a model
|
-| CREATE_MODEL_VERSION | Metalake, Catalog, Schema, Model | Create a model
version |
-| USE_MODEL | Metalake, Catalog, Schema, Model | View the metadata
of the model and download all the model versions |
+:::caution Deprecated Privileges
+The privileges `CREATE_MODEL` and `CREATE_MODEL_VERSION` are deprecated and
will be removed in a future release. Please use `REGISTER_MODEL` and
`LINK_MODEL_VERSION` instead. The deprecated privileges still work for backward
compatibility.
+:::
+
+| Name | Supports Securable Object | Operation
|
+|----------------------|----------------------------------|------------------------------------------------------------------------------------|
+| REGISTER_MODEL | Metalake, Catalog, Schema | Register a model
|
+| LINK_MODEL_VERSION | Metalake, Catalog, Schema, Model | Link a model
version |
+| USE_MODEL | Metalake, Catalog, Schema, Model | View the metadata
of the model and download all the model versions |
+| CREATE_MODEL | Metalake, Catalog, Schema | Register a model,
this is deprecated. Please use `REGISTER_MODEL` instead. |
+| CREATE_MODEL_VERSION | Metalake, Catalog, Schema, Model | Link a model
version, this is deprecated. Please use `LINK_MODEL_VERSION` instead. |
### Tag privileges
@@ -1025,9 +1031,9 @@ The following table lists the required privileges for
each API.
| drop fileset | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the
fileset, schema, catalog, metalake
|
| list fileset | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the schema,
catalog, metalake can see all the filesets, others can see the filesets which
they can load |
| load fileset | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the
fileset, schema, metalake, catalog or have either `READ_FILESET` or
`WRITE_FILESET` on the fileset, schema, catalog, metalake |
-| list file | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the
fileset, schema, metalake, catalog or have either `READ_FILESET` or
`WRITE_FILESET` on the fileset, schema, catalog, metalake |
-| register model | First, you should have the privilege to
load the catalog and the schema. Then, you have `CREATE_MODEL` on the metalake,
catalog, schema or are the owner of the metalake, catalog, schema
|
-| link model version | First, you should have the privilege to
load the catalog, the schema and the model. Then, you have
`CREATE_MODEL_VERSION` on the metalake, catalog, schema, model or are the owner
of the metalake, catalog, schema, model |
+| list fileset | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the
fileset, schema, metalake, catalog or have either `READ_FILESET` or
`WRITE_FILESET` on the fileset, schema, catalog, metalake |
+| register model | First, you should have the privilege to
load the catalog and the schema. Then, you have `REGISTER_MODEL` on the
metalake, catalog, schema or are the owner of the metalake, catalog, schema
|
+| link model version | First, you should have the privilege to
load the catalog, the schema and the model. Then, you have `LINK_MODEL_VERSION`
on the metalake, catalog, schema, model or are the owner of the metalake,
catalog, schema, model |
| alter model | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the model,
schema, catalog, metalake
|
| drop model | First, you should have the privilege to
load the catalog and the schema. Then, you are one of the owners of the model,
schema, catalog, metalake
|
| list model | First, you should have the privilege to
load the catalog and the schema. Then the owner of the schema, catalog,
metalake can see all the models, others can see the models which they can load
|
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConverter.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConverter.java
index 58eb7b3a67..160f22069f 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConverter.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConverter.java
@@ -255,14 +255,14 @@ public class AuthorizationExpressionConverter {
+ "!(ANY(DENY_USE_MODEL, METALAKE, CATALOG, SCHEMA, MODEL)))");
expression =
expression.replaceAll(
- "ANY_CREATE_MODEL_VERSION",
- "((ANY(CREATE_MODEL_VERSION, METALAKE, CATALOG, SCHEMA, MODEL)) "
- + "&& !(ANY(DENY_CREATE_MODEL_VERSION, METALAKE, CATALOG,
SCHEMA, MODEL)))");
+ "ANY_LINK_MODEL_VERSION",
+ "((ANY(LINK_MODEL_VERSION, METALAKE, CATALOG, SCHEMA, MODEL)) "
+ + "&& !(ANY(DENY_LINK_MODEL_VERSION, METALAKE, CATALOG,
SCHEMA, MODEL)))");
expression =
expression.replaceAll(
- "ANY_CREATE_MODEL",
- "((ANY(CREATE_MODEL, METALAKE, CATALOG, SCHEMA)) "
- + "&& !(ANY(DENY_CREATE_MODEL, METALAKE, CATALOG, SCHEMA)))");
+ "ANY_REGISTER_MODEL",
+ "((ANY(REGISTER_MODEL, METALAKE, CATALOG, SCHEMA)) "
+ + "&& !(ANY(DENY_REGISTER_MODEL, METALAKE, CATALOG,
SCHEMA)))");
expression =
expression.replaceAll(
"ANY_CREATE_TOPIC",
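Review bot: The converter drops the `ANY_CREATE_MODEL` and `ANY_CREATE_MODEL_VERSION` tokens entirely, so any authorization expression that still uses them (a not-yet-updated `@AuthorizationExpression`, or an extension's expression) will no longer be expanded and will reach the evaluator as an unknown identifier rather than failing loudly at build time. Since the commit keeps the privilege names themselves backward compatible, it would be consistent to alias the old tokens before the new replacements run: `expression = expression.replaceAll("ANY_CREATE_MODEL_VERSION", "ANY_LINK_MODEL_VERSION");` followed by `expression = expression.replaceAll("ANY_CREATE_MODEL", "ANY_REGISTER_MODEL");`, in that order because the second is a prefix of the first. The enclosing method starts before this hunk.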
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
index d7ea252d07..034a742c48 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
@@ -46,6 +46,7 @@ import org.apache.gravitino.NameIdentifier;
import org.apache.gravitino.SupportsRelationOperations;
import org.apache.gravitino.auth.AuthConstants;
import org.apache.gravitino.authorization.AuthorizationRequestContext;
+import org.apache.gravitino.authorization.AuthorizationUtils;
import org.apache.gravitino.authorization.GravitinoAuthorizer;
import org.apache.gravitino.authorization.Privilege;
import org.apache.gravitino.authorization.SecurableObject;
@@ -529,15 +530,19 @@ public class JcasbinAuthorizer implements
GravitinoAuthorizer {
String.valueOf(roleEntity.id()),
securableObject.type().name(),
String.valueOf(MetadataIdConverter.getID(securableObject,
metalake)),
- privilege.name().name().toUpperCase(),
+ AuthorizationUtils.replaceLegacyPrivilegeName(privilege.name())
+ .name()
+ .toUpperCase(java.util.Locale.ROOT),
AuthConstants.ALLOW);
}
allowEnforcer.addPolicy(
String.valueOf(roleEntity.id()),
securableObject.type().name(),
String.valueOf(MetadataIdConverter.getID(securableObject,
metalake)),
- privilege.name().name().toUpperCase(),
- condition.name().toLowerCase());
+ AuthorizationUtils.replaceLegacyPrivilegeName(privilege.name())
+ .name()
+ .toUpperCase(java.util.Locale.ROOT),
+ condition.name().toLowerCase(java.util.Locale.ROOT));
}
}
}
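Review bot: The expression `AuthorizationUtils.replaceLegacyPrivilegeName(privilege.name()).name().toUpperCase(java.util.Locale.ROOT)` is computed twice with the same argument, once in each `addPolicy` call; hoisting it into a local before the first call, `String privilegeName = AuthorizationUtils.replaceLegacyPrivilegeName(privilege.name()).name().toUpperCase(Locale.ROOT);`, removes the duplication, and `java.util.Locale` should be imported rather than fully qualified inline. Since this mapping silently rewrites privilege names persisted under roles created before the rename into the new names at policy-materialisation time, a comment at the first use would help anyone auditing role grants, e.g. `// Roles persisted before the rename presumably still carry the old privilege names; map them so their policies keep granting the renamed privilege.` — the exact legacy set is defined in AuthorizationUtils, outside this hunk. The enclosing method starts outside this hunk.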
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
index b3b21b1854..9d8b041ed7 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
@@ -163,7 +163,7 @@ public class ModelOperations {
"""
ANY(OWNER, METALAKE, CATALOG) ||
SCHEMA_OWNER_WITH_USE_CATALOG ||
- ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_CREATE_MODEL
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && ANY_REGISTER_MODEL
""",
accessMetadataType = MetadataObject.Type.SCHEMA)
public Response registerModel(
@@ -408,7 +408,7 @@ public class ModelOperations {
"""
ANY(OWNER, METALAKE, CATALOG) ||
SCHEMA_OWNER_WITH_USE_CATALOG ||
- ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL && ANY_CREATE_MODEL_VERSION)
+ ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER ||
ANY_USE_MODEL && ANY_LINK_MODEL_VERSION)
""",
accessMetadataType = MetadataObject.Type.MODEL)
public Response linkModelVersion(
diff --git
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
index 46643485c3..660e634bcc 100644
---
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
+++
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
@@ -51,32 +51,33 @@ public class TestModelAuthorizationExpression {
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"CATALOG::USE_CATALOG")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"METALAKE::USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertTrue(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "CATALOG::CREATE_MODEL", "CATALOG::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ "CATALOG::REGISTER_MODEL", "CATALOG::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::CREATE_MODEL", "METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
+ "METALAKE::REGISTER_MODEL", "METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
assertFalse(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::CREATE_MODEL",
- "CATALOG::DENY_CREATE_MODEL",
+ "METALAKE::REGISTER_MODEL",
+ "CATALOG::DENY_REGISTER_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
assertFalse(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::DENY_CREATE_MODEL",
- "CATALOG::CREATE_MODEL",
+ "METALAKE::DENY_REGISTER_MODEL",
+ "CATALOG::REGISTER_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
}
@@ -95,12 +96,13 @@ public class TestModelAuthorizationExpression {
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"CATALOG::USE_CATALOG")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"METALAKE::USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::USE_MODEL")));
assertFalse(
mockEvaluator.getResult(ImmutableSet.of("SCHEMA::USE_MODEL",
"SCHEMA::USE_SCHEMA")));
@@ -158,12 +160,13 @@ public class TestModelAuthorizationExpression {
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"CATALOG::USE_CATALOG")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"METALAKE::USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(
@@ -203,12 +206,13 @@ public class TestModelAuthorizationExpression {
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"CATALOG::USE_CATALOG")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"METALAKE::USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(
@@ -253,18 +257,18 @@ public class TestModelAuthorizationExpression {
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"CATALOG::USE_CATALOG")));
assertTrue(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::OWNER",
"METALAKE::USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::CREATE_MODEL_VERSION")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::LINK_MODEL_VERSION")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("MODEL::CREATE_MODEL_VERSION",
"SCHEMA::USE_SCHEMA")));
+ ImmutableSet.of("MODEL::LINK_MODEL_VERSION",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
ImmutableSet.of(
- "MODEL::CREATE_MODEL_VERSION", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ "MODEL::LINK_MODEL_VERSION", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "MODEL::CREATE_MODEL_VERSION",
+ "MODEL::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
@@ -272,37 +276,37 @@ public class TestModelAuthorizationExpression {
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "SCHEMA::CREATE_MODEL_VERSION",
+ "SCHEMA::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "CATALOG::CREATE_MODEL_VERSION",
+ "CATALOG::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"CATALOG::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::CREATE_MODEL_VERSION",
+ "METALAKE::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
assertFalse(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::CREATE_MODEL_VERSION",
- "CATALOG::DENY_CREATE_MODEL_VERSION",
+ "METALAKE::LINK_MODEL_VERSION",
+ "CATALOG::DENY_LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
assertFalse(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::DENY_CREATE_MODEL_VERSION",
- "CATALOG::CREATE_MODEL_VERSION",
+ "METALAKE::DENY_LINK_MODEL_VERSION",
+ "CATALOG::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
@@ -318,14 +322,14 @@ public class TestModelAuthorizationExpression {
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "CATALOG::CREATE_MODEL_VERSION",
+ "CATALOG::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"CATALOG::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertTrue(
mockEvaluator.getResult(
ImmutableSet.of(
- "METALAKE::CREATE_MODEL_VERSION",
+ "METALAKE::LINK_MODEL_VERSION",
"MODEL::USE_MODEL",
"METALAKE::USE_SCHEMA",
"METALAKE::USE_CATALOG")));
@@ -357,12 +361,13 @@ public class TestModelAuthorizationExpression {
mockEvaluator.getResult(
ImmutableSet.of(
"SCHEMA::OWNER", "METALAKE::USE_CATALOG",
"CATALOG::DENY_USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(
@@ -404,12 +409,13 @@ public class TestModelAuthorizationExpression {
mockEvaluator.getResult(
ImmutableSet.of(
"SCHEMA::OWNER", "METALAKE::USE_CATALOG",
"CATALOG::DENY_USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(
@@ -450,12 +456,13 @@ public class TestModelAuthorizationExpression {
mockEvaluator.getResult(
ImmutableSet.of(
"SCHEMA::OWNER", "METALAKE::USE_CATALOG",
"CATALOG::DENY_USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(
@@ -496,12 +503,13 @@ public class TestModelAuthorizationExpression {
mockEvaluator.getResult(
ImmutableSet.of(
"SCHEMA::OWNER", "METALAKE::USE_CATALOG",
"CATALOG::DENY_USE_CATALOG")));
-
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL")));
+
assertFalse(mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL")));
assertFalse(
- mockEvaluator.getResult(ImmutableSet.of("SCHEMA::CREATE_MODEL",
"SCHEMA::USE_SCHEMA")));
+ mockEvaluator.getResult(ImmutableSet.of("SCHEMA::REGISTER_MODEL",
"SCHEMA::USE_SCHEMA")));
assertFalse(
mockEvaluator.getResult(
- ImmutableSet.of("SCHEMA::CREATE_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
+ ImmutableSet.of(
+ "SCHEMA::REGISTER_MODEL", "SCHEMA::USE_SCHEMA",
"CATALOG::USE_CATALOG")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER")));
assertFalse(mockEvaluator.getResult(ImmutableSet.of("MODEL::OWNER",
"SCHEMA::USE_SCHEMA")));
assertTrue(