zhaohehuhu commented on code in PR #11629: URL: https://github.com/apache/gravitino/pull/11629#discussion_r3402490548
########## design-docs/starrocks-authorization-pushdown.md: ########## @@ -0,0 +1,248 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> + +# Design: StarRocks Authorization Pushdown + +## 1. Problem Statement and Goals + +### 1.1 Problem + +Apache Gravitino supports metadata management for StarRocks through the `jdbc-starrocks` +catalog, but it does not yet push Gravitino authorization changes into StarRocks native +authorization. When users create roles, grant privileges or assign roles to users or groups, +StarRocks does not automatically receive the corresponding users, roles, grants, revokes, +or ownership changes. + +This creates a gap between the Gravitino authorization model and the access control that +StarRocks enforces when users query StarRocks directly. StarRocks already has a SQL-based +authorization model with users, roles, catalog privileges, database privileges, and table +privileges. Gravitino should translate supported Gravitino authorization operations into +StarRocks SQL statements. + +### 1.2 Goals + +1. Implement a StarRocks authorization pushdown plugin based on the existing JDBC + authorization plugin framework. +2. Translate supported Gravitino securable objects and privileges into StarRocks native + authorization objects and privileges. +3. Keep the implementation aligned with the existing authorization provider model. +4. Support user, group, role, privilege grant, privilege revoke pushdown for StarRocks catalogs. + +### 1.3 Non-goals + +1. This design does not add new Gravitino privilege types. +2. This design does not implement StarRocks column-level privileges. +3. This design does not implement StarRocks view, materialized view, resource, storage + volume, system, or function privileges. +4. This design does not push down Gravitino deny privileges. +5. This design does not manage StarRocks external catalogs. + +## 2. Background + +### 2.1 Gravitino Authorization Pushdown + +Gravitino's authorization pushdown mechanism lets a catalog load an `AuthorizationPlugin` +based on the catalog property `authorization-provider`. The provider is loaded from an +isolated package, and `BaseAuthorization.newPlugin(metalake, catalogProvider, config)` +creates a catalog-specific plugin instance. + +The existing JDBC authorization base class, `JdbcAuthorizationPlugin`, already implements +the common hook flow: + +1. Create or drop users. +2. Create or drop roles. +3. Grant or revoke roles to users and groups. +4. Translate Gravitino securable objects into JDBC authorization objects. +5. Generate and execute SQL statements for grants, revokes relative changes. + + +### 2.2 StarRocks Authorization Model + +StarRocks 3.0 and later provide a role-based authorization model. The objects relevant to +this design are: + +| StarRocks object | Relevant privileges | +|------------------|---------------------| +| Catalog | `USAGE`, `CREATE DATABASE` | +| Database | `CREATE TABLE`, `ALTER`, `DROP` | +| Table | `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `ALTER`, `DROP` | + + +### 2.3 StarRocks Catalog Mapping + +The existing `jdbc-starrocks` catalog maps Gravitino metadata to StarRocks metadata as +follows: + +| Gravitino object | StarRocks object | +|------------------|------------------| +| Metalake | Not represented in StarRocks | +| Catalog | StarRocks internal catalog `default_catalog` | +| Schema | Database under `default_catalog` | +| Table | Table under a database | +| Column | Column under a table | + + +## 3. Server-side Design + +### 3.1 Module Structure + +```text +authorizations/authorization-starrocks/ ++-- src/ + +-- main/ + +-- java/org/apache/gravitino/authorization/starrocks/ + | +-- StarRocksAuthorization.java + | +-- StarRocksAuthorizationPlugin.java + | +-- StarRocksSecurableObject.java + | +-- StarRocksSecurableObjectMappingProvider.java + | +-- StarRocksPrivilege.java +``` + +### 3.2 Provider + +Create a new module, `authorizations/authorization-starrocks`, with provider short name +`starrocks`. The `jdbc-starrocks` catalog enables it with: + +```properties +authorization-provider=starrocks +authorization.jdbc.url=jdbc:mysql://starrocks-fe:9030/default_catalog +authorization.jdbc.username=gravitino_auth_admin +authorization.jdbc.password=secret +authorization.jdbc.driver=com.mysql.cj.jdbc.Driver +``` + +```java +public class StarRocksAuthorization extends BaseAuthorization<StarRocksAuthorization> { + @Override + public String shortName() { + return "starrocks"; + } + + @Override + public AuthorizationPlugin newPlugin( + String metalake, String catalogProvider, Map<String, String> config) { + if (!"jdbc-starrocks".equals(catalogProvider)) { + throw new IllegalArgumentException("StarRocks authorization only supports jdbc-starrocks"); + } + return new StarRocksAuthorizationPlugin(config); + } +} +``` + + +## 5. Object Mapping and Privilege Mapping + +### 4.1 Securable Objects + +The StarRocks mapping provider translates Gravitino securable objects into StarRocks +authorization resources. + +| Gravitino object | StarRocks resource | +|------------------|--------------------| +| Metalake | `default_catalog`, all databases, all tables | +| Catalog | `default_catalog`, all databases, all tables | +| Schema | Database `{schema}`, all tables in `{schema}` | +| Table | Table `{schema}.{table}` | + + +### 4.2 Supported Privileges Review Comment: Could we grant all privileges (read and write) to the owner in StarRocks ? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
