Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerryshao merged PR #5403: URL: https://github.com/apache/gravitino/pull/5403 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
xunliu merged PR #5321: URL: https://github.com/apache/gravitino/pull/5321 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerryshao closed pull request #5403: [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin URL: https://github.com/apache/gravitino/pull/5403 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824083714
##
core/src/main/java/org/apache/gravitino/hook/CatalogHookDispatcher.java:
##
@@ -104,17 +104,30 @@ public Catalog createCatalog(
@Override
public Catalog alterCatalog(NameIdentifier ident, CatalogChange... changes)
throws NoSuchCatalogException, IllegalArgumentException {
-return dispatcher.alterCatalog(ident, changes);
+Catalog alteredCatalog = dispatcher.alterCatalog(ident, changes);
+CatalogChange.RenameCatalog lastRenameChange = null;
+for (CatalogChange change : changes) {
+ if (change instanceof CatalogChange.RenameCatalog) {
+lastRenameChange = (CatalogChange.RenameCatalog) change;
+ }
+}
+if (lastRenameChange != null) {
+ AuthorizationUtils.authorizationPluginRenamePrivileges(
+ ident, Entity.EntityType.CATALOG, lastRenameChange.getNewName());
+}
+return alteredCatalog;
}
@Override
public boolean dropCatalog(NameIdentifier ident) {
+AuthorizationUtils.authorizationPluginRemovePrivileges(ident,
Entity.EntityType.CATALOG);
return dispatcher.dropCatalog(ident);
Review Comment:
OK.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824102541
##
core/src/main/java/org/apache/gravitino/hook/TableHookDispatcher.java:
##
@@ -96,17 +96,35 @@ public Table createTable(
@Override
public Table alterTable(NameIdentifier ident, TableChange... changes)
throws NoSuchTableException, IllegalArgumentException {
-return dispatcher.alterTable(ident, changes);
+
+Table alteredTable = dispatcher.alterTable(ident, changes);
+TableChange.RenameTable lastRenameChange = null;
+for (TableChange change : changes) {
+ if (change instanceof TableChange.RenameTable) {
+lastRenameChange = (TableChange.RenameTable) change;
+ }
+}
+
+if (lastRenameChange != null) {
+ AuthorizationUtils.authorizationPluginRenamePrivileges(
+ ident, Entity.EntityType.TABLE, lastRenameChange.getNewName());
+}
+
+return alteredTable;
}
@Override
public boolean dropTable(NameIdentifier ident) {
-return dispatcher.dropTable(ident);
+boolean dropped = dispatcher.dropTable(ident);
+AuthorizationUtils.authorizationPluginRemovePrivileges(ident,
Entity.EntityType.TABLE);
Review Comment:
If we succeed to delete the table but fail to delete the policy in the
authorization plugin. We can repeat to execute the operation to delete the
policy but dispatcher may return zero.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
xunliu commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824035897
##
core/src/main/java/org/apache/gravitino/hook/TableHookDispatcher.java:
##
@@ -96,17 +96,35 @@ public Table createTable(
@Override
public Table alterTable(NameIdentifier ident, TableChange... changes)
throws NoSuchTableException, IllegalArgumentException {
-return dispatcher.alterTable(ident, changes);
+
+Table alteredTable = dispatcher.alterTable(ident, changes);
+TableChange.RenameTable lastRenameChange = null;
+for (TableChange change : changes) {
+ if (change instanceof TableChange.RenameTable) {
+lastRenameChange = (TableChange.RenameTable) change;
+ }
+}
+
+if (lastRenameChange != null) {
+ AuthorizationUtils.authorizationPluginRenamePrivileges(
+ ident, Entity.EntityType.TABLE, lastRenameChange.getNewName());
+}
+
+return alteredTable;
}
@Override
public boolean dropTable(NameIdentifier ident) {
-return dispatcher.dropTable(ident);
+boolean dropped = dispatcher.dropTable(ident);
+AuthorizationUtils.authorizationPluginRemovePrivileges(ident,
Entity.EntityType.TABLE);
Review Comment:
Maybe we needs add judgement in here
```
if (dropped) {
AuthorizationUtils.authorizationPluginRemovePrivileges(ident,
Entity.EntityType.TABLE);
}
```
Also other place have same problem.
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -337,10 +350,80 @@ void testReadWriteTable() throws InterruptedException {
// case 6: Fail to drop the table
Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_TABLE));
+// case 7: If we don't have the role, we can't insert and select from data.
+metalake.deleteRole(readWriteRole);
+waitForUpdatingPolicies();
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_INSERT_TABLE));
+Assertions.assertThrows(
+AccessControlException.class, () ->
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
+
+// Clean up
+catalog.asTableCatalog().dropTable(NameIdentifier.of(schemaName,
tableName));
+catalog.asSchemas().dropSchema(schemaName, true);
+ }
+
+ @Test
+ void testReadWriteTableWithTableLevelRole() throws InterruptedException {
+// First, create a role for creating a database and grant role to the user
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.ofMetalake(
+metalakeName,
+Lists.newArrayList(
+Privileges.UseSchema.allow(),
+Privileges.CreateSchema.allow(),
+Privileges.CreateTable.allow()));
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+// Second, create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Third, create a table
+sparkSession.sql(SQL_USE_SCHEMA);
+sparkSession.sql(SQL_CREATE_TABLE);
+
+// Fourth, revoke and grant a table level role
+metalake.deleteRole(roleName);
+securableObject =
+SecurableObjects.parse(
+String.format("%s.%s.%s", catalogName, schemaName, tableName),
+MetadataObject.Type.TABLE,
+Lists.newArrayList(Privileges.ModifyTable.allow(),
Privileges.SelectTable.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// case 1: Succeed to insert data into table
+sparkSession.sql(SQL_INSERT_TABLE);
+
+// case 2: Succeed to select data from the table
+sparkSession.sql(SQL_SELECT_TABLE).collectAsList();
+
+// case 3: Fail to update data in the table, Because Hive doesn't support.
+Assertions.assertThrows(
+SparkUnsupportedOperationException.class, () ->
sparkSession.sql(SQL_UPDATE_TABLE));
+
+// case 4: Fail to delete data from the table, Because Hive doesn't
support.
+Assertions.assertThrows(AnalysisException.class, () ->
sparkSession.sql(SQL_DELETE_TABLE));
+
+// case 5: Succeed to alter the table
+sparkSession.sql(SQL_ALTER_TABLE);
+
+// case 6: Fail to drop the table
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_TABLE));
+
+// case 7: If we don't have the role, we can't insert and select from data.
+metalake.deleteRole(roleName);
+waitForUpdatingPolicies();
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_INSERT_TABLE));
+Assertions.assertThrows(
+Ac
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824089677
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -337,10 +350,80 @@ void testReadWriteTable() throws InterruptedException {
// case 6: Fail to drop the table
Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_TABLE));
+// case 7: If we don't have the role, we can't insert and select from data.
+metalake.deleteRole(readWriteRole);
+waitForUpdatingPolicies();
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_INSERT_TABLE));
+Assertions.assertThrows(
+AccessControlException.class, () ->
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
Review Comment:
OK.
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -337,10 +350,80 @@ void testReadWriteTable() throws InterruptedException {
// case 6: Fail to drop the table
Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_TABLE));
+// case 7: If we don't have the role, we can't insert and select from data.
+metalake.deleteRole(readWriteRole);
+waitForUpdatingPolicies();
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_INSERT_TABLE));
+Assertions.assertThrows(
+AccessControlException.class, () ->
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
+
+// Clean up
+catalog.asTableCatalog().dropTable(NameIdentifier.of(schemaName,
tableName));
+catalog.asSchemas().dropSchema(schemaName, true);
+ }
+
+ @Test
+ void testReadWriteTableWithTableLevelRole() throws InterruptedException {
+// First, create a role for creating a database and grant role to the user
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.ofMetalake(
+metalakeName,
+Lists.newArrayList(
+Privileges.UseSchema.allow(),
+Privileges.CreateSchema.allow(),
+Privileges.CreateTable.allow()));
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+// Second, create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Third, create a table
+sparkSession.sql(SQL_USE_SCHEMA);
+sparkSession.sql(SQL_CREATE_TABLE);
+
+// Fourth, revoke and grant a table level role
+metalake.deleteRole(roleName);
+securableObject =
+SecurableObjects.parse(
+String.format("%s.%s.%s", catalogName, schemaName, tableName),
+MetadataObject.Type.TABLE,
+Lists.newArrayList(Privileges.ModifyTable.allow(),
Privileges.SelectTable.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// case 1: Succeed to insert data into table
+sparkSession.sql(SQL_INSERT_TABLE);
+
+// case 2: Succeed to select data from the table
+sparkSession.sql(SQL_SELECT_TABLE).collectAsList();
+
+// case 3: Fail to update data in the table, Because Hive doesn't support.
+Assertions.assertThrows(
+SparkUnsupportedOperationException.class, () ->
sparkSession.sql(SQL_UPDATE_TABLE));
+
+// case 4: Fail to delete data from the table, Because Hive doesn't
support.
+Assertions.assertThrows(AnalysisException.class, () ->
sparkSession.sql(SQL_DELETE_TABLE));
+
+// case 5: Succeed to alter the table
+sparkSession.sql(SQL_ALTER_TABLE);
+
+// case 6: Fail to drop the table
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_TABLE));
+
+// case 7: If we don't have the role, we can't insert and select from data.
+metalake.deleteRole(roleName);
+waitForUpdatingPolicies();
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_INSERT_TABLE));
+Assertions.assertThrows(
+AccessControlException.class, () ->
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
+
Review Comment:
OK.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824085608
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +625,271 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_SCHEMA));
+
+// Set owner
+MetadataObject schemaObject =
+MetadataObjects.of(catalogName, schemaName,
MetadataObject.Type.SCHEMA);
+metalake.setOwner(schemaObject, userName1, Owner.Type.USER);
+waitForUpdatingPolicies();
+
+// Delete a schema
+sparkSession.sql(SQL_DROP_SCHEMA);
+catalog.asSchemas().dropSchema(schemaName, true);
+waitForUpdatingPolicies();
+
+// Recreate a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+Assertions.assertThrows(AccessControlException.class, () ->
sparkSession.sql(SQL_DROP_SCHEMA));
+
+// Set owner
+schemaObject = MetadataObjects.of(catalogName, schemaName,
MetadataObject.Type.SCHEMA);
+metalake.setOwner(schemaObject, userName1, Owner.Type.USER);
+waitForUpdatingPolicies();
+sparkSession.sql(SQL_DROP_SCHEMA);
+
+// Delete the role and fail to create schema
+metalake.deleteRole(roleName);
+waitForUpdatingPolicies();
+;
Review Comment:
OK.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822717897
##
core/src/main/java/org/apache/gravitino/hook/SchemaHookDispatcher.java:
##
@@ -82,12 +82,16 @@ public Schema loadSchema(NameIdentifier ident) throws
NoSuchSchemaException {
@Override
public Schema alterSchema(NameIdentifier ident, SchemaChange... changes)
throws NoSuchSchemaException {
+// Schema doesn't support to rename operation now. So we don't need to
change
+// authorization plugin privileges, too.
Review Comment:
Schema doesn't support to rename.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822662366
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Set owner
+MetadataObject schemaObject =
+MetadataObjects.of(catalogName, schemaName,
MetadataObject.Type.SCHEMA);
+metalake.setOwner(schemaObject, userName1, Owner.Type.USER);
+waitForUpdatingPolicies();
+
+// Delete a schema
+sparkSession.sql(SQL_DROP_SCHEMA);
+
+// Recreate a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Clean up
+catalog.asSchemas().dropSchema(schemaName, true);
+metalake.deleteRole(roleName);
+ }
+
+ @Test
+ void testRenameMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA and CREATE_TABLE privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(
+Privileges.UseCatalog.allow(),
+Privileges.CreateSchema.allow(),
+Privileges.CreateTable.allow(),
+Privileges.ModifyTable.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+
+waitForUpdatingPolicies();
+
+// Create a schema and a table
+sparkSession.sql(SQL_CREATE_SCHEMA);
+sparkSession.sql(SQL_USE_SCHEMA);
+sparkSession.sql(SQL_CREATE_TABLE);
Review Comment:
I added another test case.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822655669
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822720317
##
core/src/main/java/org/apache/gravitino/hook/TableHookDispatcher.java:
##
@@ -96,17 +96,35 @@ public Table createTable(
@Override
public Table alterTable(NameIdentifier ident, TableChange... changes)
throws NoSuchTableException, IllegalArgumentException {
-return dispatcher.alterTable(ident, changes);
+
+Table alteredTable = dispatcher.alterTable(ident, changes);
+TableChange.RenameTable lastRenameChange = null;
+for (TableChange change : changes) {
+ if (change instanceof TableChange.RenameTable) {
+lastRenameChange = (TableChange.RenameTable) change;
+ }
+}
+
+if (lastRenameChange != null) {
+ AuthorizationUtils.renameAuthorizationPluginPrivileges(
+ ident, Entity.EntityType.TABLE, lastRenameChange.getNewName());
+}
+
+return alteredTable;
}
@Override
public boolean dropTable(NameIdentifier ident) {
-return dispatcher.dropTable(ident);
+boolean dropped = dispatcher.dropTable(ident);
+AuthorizationUtils.removeAuthorizationPluginPrivileges(ident,
Entity.EntityType.TABLE);
Review Comment:
prefer option 1.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
xunliu commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822690785
##
core/src/main/java/org/apache/gravitino/hook/TableHookDispatcher.java:
##
@@ -96,17 +96,35 @@ public Table createTable(
@Override
public Table alterTable(NameIdentifier ident, TableChange... changes)
throws NoSuchTableException, IllegalArgumentException {
-return dispatcher.alterTable(ident, changes);
+
+Table alteredTable = dispatcher.alterTable(ident, changes);
+TableChange.RenameTable lastRenameChange = null;
+for (TableChange change : changes) {
+ if (change instanceof TableChange.RenameTable) {
+lastRenameChange = (TableChange.RenameTable) change;
+ }
+}
+
+if (lastRenameChange != null) {
+ AuthorizationUtils.renameAuthorizationPluginPrivileges(
+ ident, Entity.EntityType.TABLE, lastRenameChange.getNewName());
+}
+
+return alteredTable;
}
@Override
public boolean dropTable(NameIdentifier ident) {
-return dispatcher.dropTable(ident);
+boolean dropped = dispatcher.dropTable(ident);
+AuthorizationUtils.removeAuthorizationPluginPrivileges(ident,
Entity.EntityType.TABLE);
Review Comment:
`removeAuthorizationPluginPrivileges` look like `remove
AuthorizationPlugin's Privileges`, maybe can change to
`authorizationPluginRemovePrivileges` or
`removePrivilegesInAuthorizationPlugin`?
##
core/src/main/java/org/apache/gravitino/hook/SchemaHookDispatcher.java:
##
@@ -82,12 +82,16 @@ public Schema loadSchema(NameIdentifier ident) throws
NoSuchSchemaException {
@Override
public Schema alterSchema(NameIdentifier ident, SchemaChange... changes)
throws NoSuchSchemaException {
+// Schema doesn't support to rename operation now. So we don't need to
change
+// authorization plugin privileges, too.
Review Comment:
I think need call authorization plugin interface in the here.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822670397
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Set owner
+MetadataObject schemaObject =
+MetadataObjects.of(catalogName, schemaName,
MetadataObject.Type.SCHEMA);
+metalake.setOwner(schemaObject, userName1, Owner.Type.USER);
+waitForUpdatingPolicies();
+
+// Delete a schema
+sparkSession.sql(SQL_DROP_SCHEMA);
+
+// Recreate a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Clean up
+catalog.asSchemas().dropSchema(schemaName, true);
+metalake.deleteRole(roleName);
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822661015
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Set owner
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822656441
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
Review Comment:
Done.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
xunliu commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822497002
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
Review Comment:
I think need to add `sparkSession.sql(SQL_CREATE_SCHEMA);` in the here to
throw doesn't have permission.
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Set owner
+MetadataObject schemaObject =
+MetadataObjects.of(catalogName, schemaName,
MetadataObject.Type.SCHEMA);
+metalake.setOwner(schemaObject, userName1, Owner.Type.USER);
+waitForUpdatingPolicies();
+
+// Delete a schema
+sparkSession.sql(SQL_DROP_SCHEMA);
+
+// Recreate a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Clean up
+catalog.asSchemas().dropSchema(schemaName, true);
+metalake.deleteRole(roleName);
Review Comment:
I think need to add these tests in the here to throw doesn't have permission.
1. SQL_CREATE_SCHEMA
2. SQL_DROP_SCHEMA
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
+
+// Set owner
Review Comment:
I think need to add `sparkSession.sql(SQL_DROP_SCHEMA);` in the here to
throw doesn't have permission.
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6 +536,208 @@ void testDeleteAndRecreateRole() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDeleteAndRecreateMetadataObject() throws InterruptedException {
+// Create a role with CREATE_SCHEMA privilege
+String roleName = currentFunName();
+SecurableObject securableObject =
+SecurableObjects.parse(
+String.format("%s", catalogName),
+MetadataObject.Type.CATALOG,
+Lists.newArrayList(Privileges.CreateSchema.allow()));
+metalake.createRole(roleName, Collections.emptyMap(),
Lists.newArrayList(securableObject));
+
+// Granted this role to the spark execution user `HADOOP_USER_NAME`
+String userName1 = System.getenv(HADOOP_USER_NAME);
+metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+waitForUpdatingPolicies();
+
+// Create a schema
+sparkSession.sql(SQL_CREATE_SCHEMA);
Review Comment:
I think need to add `sparkSession.sql(SQL_CREATA_TABLE);` in the here to
throw doesn't have permission.
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -527,6
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1822264209
##
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##
@@ -588,6 +798,67 @@ void testAllowUseSchemaPrivilege() throws
InterruptedException {
metalake.deleteRole(roleName);
}
+ @Test
+ void testDenyPrivileges() throws InterruptedException {
Review Comment:
cc @xunliu
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]
jerqi closed pull request #5321: [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin URL: https://github.com/apache/gravitino/pull/5321 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
