roryqi commented on code in PR #11629:
URL: https://github.com/apache/gravitino/pull/11629#discussion_r3403080798


##########
design-docs/starrocks-authorization-pushdown.md:
##########
@@ -0,0 +1,248 @@
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+
+# Design: StarRocks Authorization Pushdown
+
+## 1. Problem Statement and Goals
+
+### 1.1 Problem
+
+Apache Gravitino supports metadata management for StarRocks through the 
`jdbc-starrocks`
+catalog, but it does not yet push Gravitino authorization changes into 
StarRocks native
+authorization. When users create roles, grant privileges or assign roles to 
users or groups, 
+StarRocks does not automatically receive the corresponding users, roles, 
grants, revokes, 
+or ownership changes.
+
+This creates a gap between the Gravitino authorization model and the access 
control that
+StarRocks enforces when users query StarRocks directly. StarRocks already has 
a SQL-based
+authorization model with users, roles, catalog privileges, database 
privileges, and table
+privileges. Gravitino should translate supported Gravitino authorization 
operations into
+StarRocks SQL statements.
+
+### 1.2 Goals
+
+1. Implement a StarRocks authorization pushdown plugin based on the existing 
JDBC
+   authorization plugin framework.
+2. Translate supported Gravitino securable objects and privileges into 
StarRocks native
+   authorization objects and privileges.
+3. Keep the implementation aligned with the existing authorization provider 
model.
+4. Support user, group, role, privilege grant, privilege revoke pushdown for 
StarRocks catalogs.
+
+### 1.3 Non-goals
+
+1. This design does not add new Gravitino privilege types.
+2. This design does not implement StarRocks column-level privileges.
+3. This design does not implement StarRocks view, materialized view, resource, 
storage
+   volume, system, or function privileges.
+4. This design does not push down Gravitino deny privileges.
+5. This design does not manage StarRocks external catalogs.
+
+## 2. Background
+
+### 2.1 Gravitino Authorization Pushdown
+
+Gravitino's authorization pushdown mechanism lets a catalog load an 
`AuthorizationPlugin`
+based on the catalog property `authorization-provider`. The provider is loaded 
from an
+isolated package, and `BaseAuthorization.newPlugin(metalake, catalogProvider, 
config)`
+creates a catalog-specific plugin instance.
+
+The existing JDBC authorization base class, `JdbcAuthorizationPlugin`, already 
implements
+the common hook flow:
+
+1. Create or drop users.
+2. Create or drop roles.
+3. Grant or revoke roles to users and groups.
+4. Translate Gravitino securable objects into JDBC authorization objects.
+5. Generate and execute SQL statements for grants, revokes relative changes.
+
+
+### 2.2 StarRocks Authorization Model
+
+StarRocks 3.0 and later provide a role-based authorization model. The objects 
relevant to
+this design are:
+
+| StarRocks object | Relevant privileges |
+|------------------|---------------------|
+| Catalog          | `USAGE`, `CREATE DATABASE` |
+| Database         | `CREATE TABLE`, `ALTER`, `DROP` |
+| Table            | `SELECT`, `INSERT`, `UPDATE`, `DELETE`, `ALTER`, `DROP` |
+
+
+### 2.3  StarRocks Catalog Mapping
+
+The existing `jdbc-starrocks` catalog maps Gravitino metadata to StarRocks 
metadata as
+follows:
+
+| Gravitino object | StarRocks object |
+|------------------|------------------|
+| Metalake         | Not represented in StarRocks |
+| Catalog          | StarRocks internal catalog `default_catalog` |
+| Schema           | Database under `default_catalog` |
+| Table            | Table under a database |
+| Column           | Column under a table |
+
+
+## 3. Server-side Design
+
+### 3.1 Module Structure
+
+```text
+authorizations/authorization-starrocks/
++-- src/
+    +-- main/
+        +-- java/org/apache/gravitino/authorization/starrocks/
+        |   +-- StarRocksAuthorization.java
+        |   +-- StarRocksAuthorizationPlugin.java
+        |   +-- StarRocksSecurableObject.java
+        |   +-- StarRocksSecurableObjectMappingProvider.java
+        |   +-- StarRocksPrivilege.java
+```
+
+### 3.2 Provider
+
+Create a new module, `authorizations/authorization-starrocks`, with provider 
short name
+`starrocks`. The `jdbc-starrocks` catalog enables it with:
+
+```properties
+authorization-provider=starrocks
+authorization.jdbc.url=jdbc:mysql://starrocks-fe:9030/default_catalog
+authorization.jdbc.username=gravitino_auth_admin
+authorization.jdbc.password=secret
+authorization.jdbc.driver=com.mysql.cj.jdbc.Driver
+```
+
+```java
+public class StarRocksAuthorization extends 
BaseAuthorization<StarRocksAuthorization> {
+  @Override
+  public String shortName() {
+    return "starrocks";
+  }
+
+  @Override
+  public AuthorizationPlugin newPlugin(
+      String metalake, String catalogProvider, Map<String, String> config) {
+    if (!"jdbc-starrocks".equals(catalogProvider)) {
+      throw new IllegalArgumentException("StarRocks authorization only 
supports jdbc-starrocks");
+    }
+    return new StarRocksAuthorizationPlugin(config);
+  }
+}
+```
+
+
+## 5. Object Mapping and Privilege Mapping
+
+### 4.1 Securable Objects
+
+The StarRocks mapping provider translates Gravitino securable objects into 
StarRocks
+authorization resources.
+
+| Gravitino object | StarRocks resource |
+|------------------|--------------------|
+| Metalake         | `default_catalog`, all databases, all tables |
+| Catalog          | `default_catalog`, all databases, all tables |
+| Schema           | Database `{schema}`, all tables in `{schema}` |
+| Table            | Table `{schema}.{table}` |
+
+
+### 4.2 Supported Privileges
+
+| Gravitino object | Gravitino privilege | StarRocks privilege                 
            | StarRocks resource                 |
+|------------------|---------------------|-------------------------------------------------|------------------------------------|
+| Catalog          | `USE_CATALOG`       | `USAGE`                             
            | `default_catalog`                  |
+| Catalog          | `USE_SCHEMA`        | `USAGE`                             
            | `default_catalog`                  |

Review Comment:
   Why does use_schema map to `USAGE`?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to