This is an automated email from the ASF dual-hosted git repository. jshao pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push: new f8a472916 [#4128] improvement(core): Remove privileges of metalakes (#4139) f8a472916 is described below commit f8a472916f3d58640cbbd9bf8b9cbc284d960e0b Author: roryqi <ror...@apache.org> AuthorDate: Wed Jul 17 20:48:40 2024 +0800 [#4128] improvement(core): Remove privileges of metalakes (#4139) ### What changes were proposed in this pull request? Remove privileges of metalakes. We use the ownership instead of metalake privileges. ### Why are the changes needed? Fix: #4128 ### Does this PR introduce _any_ user-facing change? Modify APIs. But this feature isn't released yet. ### How was this patch tested? Existing UTs --- .../java/org/apache/gravitino/MetadataObjects.java | 13 +- .../apache/gravitino/authorization/Privilege.java | 28 +-- .../apache/gravitino/authorization/Privileges.java | 229 ++++++--------------- .../gravitino/authorization/SecurableObjects.java | 24 --- .../authorization/TestSecurableObjects.java | 24 --- .../src/main/java/org/apache/gravitino/Entity.java | 12 -- .../relational/service/MetadataObjectService.java | 11 - .../relational/service/RoleMetaService.java | 8 - .../relational/service/TestSecurableObjects.java | 9 +- .../gravitino/server/web/rest/RoleOperations.java | 5 - .../server/web/rest/TestRoleOperations.java | 21 -- 11 files changed, 71 insertions(+), 313 deletions(-) diff --git a/api/src/main/java/org/apache/gravitino/MetadataObjects.java b/api/src/main/java/org/apache/gravitino/MetadataObjects.java index 70f795fa0..5136164c9 100644 --- a/api/src/main/java/org/apache/gravitino/MetadataObjects.java +++ b/api/src/main/java/org/apache/gravitino/MetadataObjects.java 
@@ -27,11 +27,7 @@ import org.apache.commons.lang3.StringUtils;
 /** The helper class for {@link MetadataObject}. */
 public class MetadataObjects {
- /**
- * The reserved name for the metadata object.
- *
- * <p>It is used to represent the root metadata object of all metalakes.
- */
+ /** The reserved name for the metadata object. */
 public static final String METADATA_OBJECT_RESERVED_NAME = "*";
 private static final Splitter DOT_SPLITTER = Splitter.on('.');
@@ -106,13 +102,6 @@ public class MetadataObjects {
 * @return The parsed metadata object
 */
 public static MetadataObject parse(String fullName, MetadataObject.Type type) {
- if (METADATA_OBJECT_RESERVED_NAME.equals(fullName)) {
- if (type != MetadataObject.Type.METALAKE) {
- throw new IllegalArgumentException("If metadata object isn't metalake, it can't be `*`");
- }
- return new MetadataObjectImpl(null, METADATA_OBJECT_RESERVED_NAME, type);
- }
-
 Preconditions.checkArgument(
 StringUtils.isNotBlank(fullName), "Metadata object full name cannot be blank");
diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
index 36229c8fc..5cb7b3214 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
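Review bot: With the reserved-name branch gone from `parse`, `METADATA_OBJECT_RESERVED_NAME` is still declared in the previous hunk but is no longer checked anywhere visible, so a caller passing `"*"` as `fullName` now gets an ordinary single-segment metadata object of whatever `type` it asks for instead of the previous reservation. If other code still relies on `"*"` being unusable as a name, `parse` should reject it right after the blank check, `Preconditions.checkArgument(!METADATA_OBJECT_RESERVED_NAME.equals(fullName), "Metadata object full name cannot be the reserved name");`; if nothing does, the constant should go with the metalake privileges rather than stay behind with a javadoc that still calls it reserved. The body of `parse` continues past the end of the hunk.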
@@ -81,34 +81,28 @@ public interface Privilege {
 WRITE_TOPIC(0L, 1L << 18),
 /** The privilege to read a topic. */
 READ_TOPIC(0L, 1L << 19),
- /** The privilege to create a metalake. */
- CREATE_METALAKE(0L, 1L << 20),
- /** The privilege to manage a metalake, including drop and alter a metalake. */
- MANAGE_METALAKE(0L, 1L << 21),
- /** The privilege to use a metalake, the user can load the information of the metalake. */
- USE_METALAKE(0L, 1L << 22),
 /** The privilege to add a user */
- ADD_USER(0L, 1L << 23),
+ ADD_USER(0L, 1L << 20),
 /** The privilege to remove a user */
- REMOVE_USER(0L, 1L << 24),
+ REMOVE_USER(0L, 1L << 21),
 /** The privilege to get a user */
- GET_USER(0L, 1L << 25),
+ GET_USER(0L, 1L << 22),
 /** The privilege to add a group */
- ADD_GROUP(0L, 1L << 26),
+ ADD_GROUP(0L, 1L << 23),
 /** The privilege to remove a group */
- REMOVE_GROUP(0L, 1L << 27),
+ REMOVE_GROUP(0L, 1L << 24),
 /** The privilege to get a group */
- GET_GROUP(0L, 1L << 28),
+ GET_GROUP(0L, 1L << 25),
 /** The privilege to create a role */
- CREATE_ROLE(0L, 1L << 29),
+ CREATE_ROLE(0L, 1L << 26),
 /** The privilege to delete a role */
- DELETE_ROLE(0L, 1L << 30),
+ DELETE_ROLE(0L, 1L << 27),
 /** The privilege to grant a role to the user or the group. */
- GRANT_ROLE(0L, 1L << 31),
+ GRANT_ROLE(0L, 1L << 28),
 /** The privilege to revoke a role from the user or the group. */
- REVOKE_ROLE(0L, 1L << 32),
+ REVOKE_ROLE(0L, 1L << 29),
 /** The privilege to get a role */
- GET_ROLE(0L, 1L << 33);
+ GET_ROLE(0L, 1L << 30);
 private final long highBits;
 private final long lowBits;
diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
index b500e956b..cd6e5210e 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
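Review bot: Renumbering `ADD_USER` through `GET_ROLE` reuses bit positions that meant something else before this commit — `1L << 20` was `CREATE_METALAKE` and is now `ADD_USER`, and the old `ADD_USER` bit `1L << 23` is now `ADD_GROUP` — so a `lowBits` value produced under the old layout would decode as a different privilege rather than being rejected. Whether these values are ever persisted or sent over the wire is not visible here; if they are, anything written by a pre-release build needs migrating, and if they are not, the enum should say so, because the safe rule for a bit-assigned privilege set is to append and never renumber. A one-line comment above the first constant would settle it either way, e.g. `// Bit positions are an in-process encoding only and are not persisted, so renumbering is safe.` or its opposite. The enum continues beyond the end of the hunk.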
@@ -92,14 +92,6 @@ public class Privileges { case READ_TOPIC: return ReadTopic.allow(); - // Metalake - case CREATE_METALAKE: - return CreateMetalake.allow(); - case MANAGE_METALAKE: - return ManageMetalake.allow(); - case USE_METALAKE: - return UseMetalake.allow(); - // User case ADD_USER: return AddUser.allow(); @@ -202,14 +194,6 @@ public class Privileges { case READ_TOPIC: return ReadTopic.deny(); - // Metalake - case CREATE_METALAKE: - return CreateMetalake.deny(); - case MANAGE_METALAKE: - return ManageMetalake.deny(); - case USE_METALAKE: - return UseMetalake.deny(); - // User case ADD_USER: return AddUser.deny(); @@ -250,24 +234,6 @@ public class Privileges { */ public abstract static class GenericPrivilege<T extends GenericPrivilege<T>> implements Privilege { - - /** - * Functional interface for creating instances of GenericPrivilege. - * - * @param <T> the type of the privilege - */ - @FunctionalInterface - public interface GenericPrivilegeFactory<T extends GenericPrivilege<T>> { - /** - * Creates a new instance of the privilege. - * - * @param condition the condition of the privilege - * @param name the name of the privilege - * @return the created privilege instance - */ - T create(Condition condition, Name name); - } - private final Condition condition; private final Name name; @@ -336,9 +302,9 @@ public class Privileges { /** The privilege to alter a catalog. */ public static class AlterCatalog extends GenericPrivilege<AlterCatalog> { private static final AlterCatalog ALLOW_INSTANCE = - new AlterCatalog(Condition.ALLOW, Name.CREATE_CATALOG); + new AlterCatalog(Condition.ALLOW, Name.ALTER_CATALOG); private static final AlterCatalog DENY_INSTANCE = - new AlterCatalog(Condition.DENY, Name.CREATE_CATALOG); + new AlterCatalog(Condition.DENY, Name.ALTER_CATALOG); private AlterCatalog(Condition condition, Name name) { super(condition, name); 
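Review bot: The `Name.ALTER_CATALOG` fix in `AlterCatalog`, and the same fix in every singleton class from `DropCatalog` down to `RevokeRole` in the following hunks, corrects a copy-paste defect where each privilege reported `CREATE_CATALOG` as its name, but the commit adds no test that pins the corrected mapping, so the next hand-written class can regress the same way unnoticed. A test that walks `Privilege.Name.values()`, resolves the allow and deny instance for each through the two `switch` lookups at the top of this hunk, and asserts that `name()` returns the value it was looked up by would cover all of these classes at once and would also flag a `Name` that neither `switch` handles. The name is presumably what role grants and enforcement compare against, so a wrong name is a gap between what an administrator granted and what is checked, which makes the test worth more than its size.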
@@ -358,9 +324,9 @@ public class Privileges { /** The privilege to drop a catalog. */ public static class DropCatalog extends GenericPrivilege<DropCatalog> { private static final DropCatalog ALLOW_INSTANCE = - new DropCatalog(Condition.ALLOW, Name.CREATE_CATALOG); + new DropCatalog(Condition.ALLOW, Name.DROP_CATALOG); private static final DropCatalog DENY_INSTANCE = - new DropCatalog(Condition.DENY, Name.CREATE_CATALOG); + new DropCatalog(Condition.DENY, Name.DROP_CATALOG); private DropCatalog(Condition condition, Name name) { super(condition, name); @@ -380,9 +346,9 @@ public class Privileges { /** The privilege to use a catalog. */ public static class UseCatalog extends GenericPrivilege<UseCatalog> { private static final UseCatalog ALLOW_INSTANCE = - new UseCatalog(Condition.ALLOW, Name.CREATE_CATALOG); + new UseCatalog(Condition.ALLOW, Name.USE_CATALOG); private static final UseCatalog DENY_INSTANCE = - new UseCatalog(Condition.DENY, Name.CREATE_CATALOG); + new UseCatalog(Condition.DENY, Name.USE_CATALOG); private UseCatalog(Condition condition, Name name) { super(condition, name); @@ -401,10 +367,8 @@ public class Privileges { /** The privilege to use a schema. */ public static class UseSchema extends GenericPrivilege<UseSchema> { - private static final UseSchema ALLOW_INSTANCE = - new UseSchema(Condition.ALLOW, Name.CREATE_CATALOG); - private static final UseSchema DENY_INSTANCE = - new UseSchema(Condition.DENY, Name.CREATE_CATALOG); + private static final UseSchema ALLOW_INSTANCE = new UseSchema(Condition.ALLOW, Name.USE_SCHEMA); + private static final UseSchema DENY_INSTANCE = new UseSchema(Condition.DENY, Name.USE_SCHEMA); private UseSchema(Condition condition, Name name) { super(condition, name); 
@@ -424,9 +388,9 @@ public class Privileges { /** The privilege to create a schema. */ public static class CreateSchema extends GenericPrivilege<CreateSchema> { private static final CreateSchema ALLOW_INSTANCE = - new CreateSchema(Condition.ALLOW, Name.CREATE_CATALOG); + new CreateSchema(Condition.ALLOW, Name.CREATE_SCHEMA); private static final CreateSchema DENY_INSTANCE = - new CreateSchema(Condition.DENY, Name.CREATE_CATALOG); + new CreateSchema(Condition.DENY, Name.CREATE_SCHEMA); private CreateSchema(Condition condition, Name name) { super(condition, name); @@ -446,9 +410,9 @@ public class Privileges { /** The privilege to alter a schema. */ public static class AlterSchema extends GenericPrivilege<AlterSchema> { private static final AlterSchema ALLOW_INSTANCE = - new AlterSchema(Condition.ALLOW, Name.CREATE_CATALOG); + new AlterSchema(Condition.ALLOW, Name.ALTER_SCHEMA); private static final AlterSchema DENY_INSTANCE = - new AlterSchema(Condition.DENY, Name.CREATE_CATALOG); + new AlterSchema(Condition.DENY, Name.ALTER_SCHEMA); private AlterSchema(Condition condition, Name name) { super(condition, name); @@ -468,9 +432,9 @@ public class Privileges { /** The privilege to drop a schema. */ public static class DropSchema extends GenericPrivilege<DropSchema> { private static final DropSchema ALLOW_INSTANCE = - new DropSchema(Condition.ALLOW, Name.CREATE_CATALOG); + new DropSchema(Condition.ALLOW, Name.DROP_SCHEMA); private static final DropSchema DENY_INSTANCE = - new DropSchema(Condition.DENY, Name.CREATE_CATALOG); + new DropSchema(Condition.DENY, Name.DROP_SCHEMA); private DropSchema(Condition condition, Name name) { super(condition, name); 
@@ -490,9 +454,9 @@ public class Privileges { /** The privilege to create a table. */ public static class CreateTable extends GenericPrivilege<CreateTable> { private static final CreateTable ALLOW_INSTANCE = - new CreateTable(Condition.ALLOW, Name.CREATE_CATALOG); + new CreateTable(Condition.ALLOW, Name.CREATE_TABLE); private static final CreateTable DENY_INSTANCE = - new CreateTable(Condition.DENY, Name.CREATE_CATALOG); + new CreateTable(Condition.DENY, Name.CREATE_TABLE); private CreateTable(Condition condition, Name name) { super(condition, name); @@ -511,10 +475,8 @@ public class Privileges { /** The privilege to drop a table. */ public static class DropTable extends GenericPrivilege<DropTable> { - private static final DropTable ALLOW_INSTANCE = - new DropTable(Condition.ALLOW, Name.CREATE_CATALOG); - private static final DropTable DENY_INSTANCE = - new DropTable(Condition.DENY, Name.CREATE_CATALOG); + private static final DropTable ALLOW_INSTANCE = new DropTable(Condition.ALLOW, Name.DROP_TABLE); + private static final DropTable DENY_INSTANCE = new DropTable(Condition.DENY, Name.DROP_TABLE); private DropTable(Condition condition, Name name) { super(condition, name); @@ -533,10 +495,8 @@ public class Privileges { /** The privilege to read a table. */ public static class ReadTable extends GenericPrivilege<ReadTable> { - private static final ReadTable ALLOW_INSTANCE = - new ReadTable(Condition.ALLOW, Name.CREATE_CATALOG); - private static final ReadTable DENY_INSTANCE = - new ReadTable(Condition.DENY, Name.CREATE_CATALOG); + private static final ReadTable ALLOW_INSTANCE = new ReadTable(Condition.ALLOW, Name.READ_TABLE); + private static final ReadTable DENY_INSTANCE = new ReadTable(Condition.DENY, Name.READ_TABLE); private ReadTable(Condition condition, Name name) { super(condition, name); 
@@ -556,9 +516,9 @@ public class Privileges { /** The privilege to write a table. */ public static class WriteTable extends GenericPrivilege<WriteTable> { private static final WriteTable ALLOW_INSTANCE = - new WriteTable(Condition.ALLOW, Name.CREATE_CATALOG); + new WriteTable(Condition.ALLOW, Name.WRITE_TABLE); private static final WriteTable DENY_INSTANCE = - new WriteTable(Condition.DENY, Name.CREATE_CATALOG); + new WriteTable(Condition.DENY, Name.WRITE_TABLE); private WriteTable(Condition condition, Name name) { super(condition, name); @@ -578,9 +538,9 @@ public class Privileges { /** The privilege to create a fileset. */ public static class CreateFileset extends GenericPrivilege<CreateFileset> { private static final CreateFileset ALLOW_INSTANCE = - new CreateFileset(Condition.ALLOW, Name.CREATE_CATALOG); + new CreateFileset(Condition.ALLOW, Name.CREATE_FILESET); private static final CreateFileset DENY_INSTANCE = - new CreateFileset(Condition.DENY, Name.CREATE_CATALOG); + new CreateFileset(Condition.DENY, Name.CREATE_FILESET); private CreateFileset(Condition condition, Name name) { super(condition, name); @@ -600,9 +560,9 @@ public class Privileges { /** The privilege to drop a fileset. */ public static class DropFileset extends GenericPrivilege<DropFileset> { private static final DropFileset ALLOW_INSTANCE = - new DropFileset(Condition.ALLOW, Name.CREATE_CATALOG); + new DropFileset(Condition.ALLOW, Name.DROP_FILESET); private static final DropFileset DENY_INSTANCE = - new DropFileset(Condition.DENY, Name.CREATE_CATALOG); + new DropFileset(Condition.DENY, Name.DROP_FILESET); private DropFileset(Condition condition, Name name) { super(condition, name); 
@@ -622,9 +582,9 @@ public class Privileges { /** The privilege to read a fileset. */ public static class ReadFileset extends GenericPrivilege<ReadFileset> { private static final ReadFileset ALLOW_INSTANCE = - new ReadFileset(Condition.ALLOW, Name.CREATE_CATALOG); + new ReadFileset(Condition.ALLOW, Name.READ_FILESET); private static final ReadFileset DENY_INSTANCE = - new ReadFileset(Condition.DENY, Name.CREATE_CATALOG); + new ReadFileset(Condition.DENY, Name.READ_FILESET); private ReadFileset(Condition condition, Name name) { super(condition, name); @@ -644,9 +604,9 @@ public class Privileges { /** The privilege to write a fileset. */ public static class WriteFileset extends GenericPrivilege<WriteFileset> { private static final WriteFileset ALLOW_INSTANCE = - new WriteFileset(Condition.ALLOW, Name.CREATE_CATALOG); + new WriteFileset(Condition.ALLOW, Name.WRITE_FILESET); private static final WriteFileset DENY_INSTANCE = - new WriteFileset(Condition.DENY, Name.CREATE_CATALOG); + new WriteFileset(Condition.DENY, Name.WRITE_FILESET); private WriteFileset(Condition condition, Name name) { super(condition, name); @@ -666,9 +626,9 @@ public class Privileges { /** The privilege to create a topic. */ public static class CreateTopic extends GenericPrivilege<CreateTopic> { private static final CreateTopic ALLOW_INSTANCE = - new CreateTopic(Condition.ALLOW, Name.CREATE_CATALOG); + new CreateTopic(Condition.ALLOW, Name.CREATE_TOPIC); private static final CreateTopic DENY_INSTANCE = - new CreateTopic(Condition.DENY, Name.CREATE_CATALOG); + new CreateTopic(Condition.DENY, Name.CREATE_TOPIC); private CreateTopic(Condition condition, Name name) { super(condition, name); 
@@ -687,10 +647,8 @@ public class Privileges { /** The privilege to drop a topic. */ public static class DropTopic extends GenericPrivilege<DropTopic> { - private static final DropTopic ALLOW_INSTANCE = - new DropTopic(Condition.ALLOW, Name.CREATE_CATALOG); - private static final DropTopic DENY_INSTANCE = - new DropTopic(Condition.DENY, Name.CREATE_CATALOG); + private static final DropTopic ALLOW_INSTANCE = new DropTopic(Condition.ALLOW, Name.DROP_TOPIC); + private static final DropTopic DENY_INSTANCE = new DropTopic(Condition.DENY, Name.DROP_TOPIC); private DropTopic(Condition condition, Name name) { super(condition, name); @@ -709,10 +667,8 @@ public class Privileges { /** The privilege to read a topic. */ public static class ReadTopic extends GenericPrivilege<ReadTopic> { - private static final ReadTopic ALLOW_INSTANCE = - new ReadTopic(Condition.ALLOW, Name.CREATE_CATALOG); - private static final ReadTopic DENY_INSTANCE = - new ReadTopic(Condition.DENY, Name.CREATE_CATALOG); + private static final ReadTopic ALLOW_INSTANCE = new ReadTopic(Condition.ALLOW, Name.READ_TOPIC); + private static final ReadTopic DENY_INSTANCE = new ReadTopic(Condition.DENY, Name.READ_TOPIC); private ReadTopic(Condition condition, Name name) { super(condition, name); @@ -732,9 +688,9 @@ public class Privileges { /** The privilege to write a topic. */ public static class WriteTopic extends GenericPrivilege<WriteTopic> { private static final WriteTopic ALLOW_INSTANCE = - new WriteTopic(Condition.ALLOW, Name.CREATE_CATALOG); + new WriteTopic(Condition.ALLOW, Name.WRITE_TOPIC); private static final WriteTopic DENY_INSTANCE = - new WriteTopic(Condition.DENY, Name.CREATE_CATALOG); + new WriteTopic(Condition.DENY, Name.WRITE_TOPIC); private WriteTopic(Condition condition, Name name) { super(condition, name); 
@@ -751,76 +707,10 @@ public class Privileges { } } - /** The privilege to manage a metalake. */ - public static class ManageMetalake extends GenericPrivilege<ManageMetalake> { - private static final ManageMetalake ALLOW_INSTANCE = - new ManageMetalake(Condition.ALLOW, Name.CREATE_CATALOG); - private static final ManageMetalake DENY_INSTANCE = - new ManageMetalake(Condition.DENY, Name.CREATE_CATALOG); - - private ManageMetalake(Condition condition, Name name) { - super(condition, name); - } - - /** @return The instance with allow condition of the privilege. */ - public static ManageMetalake allow() { - return ALLOW_INSTANCE; - } - - /** @return The instance with deny condition of the privilege. */ - public static ManageMetalake deny() { - return DENY_INSTANCE; - } - } - - /** The privilege to create a metalake. */ - public static class CreateMetalake extends GenericPrivilege<CreateMetalake> { - private static final CreateMetalake ALLOW_INSTANCE = - new CreateMetalake(Condition.ALLOW, Name.CREATE_CATALOG); - private static final CreateMetalake DENY_INSTANCE = - new CreateMetalake(Condition.DENY, Name.CREATE_CATALOG); - - private CreateMetalake(Condition condition, Name name) { - super(condition, name); - } - - /** @return The instance with allow condition of the privilege. */ - public static CreateMetalake allow() { - return ALLOW_INSTANCE; - } - - /** @return The instance with deny condition of the privilege. */ - public static CreateMetalake deny() { - return DENY_INSTANCE; - } - } - - /** The privilege to use a metalake. */ - public static class UseMetalake extends GenericPrivilege<UseMetalake> { - private static final UseMetalake ALLOW_INSTANCE = - new UseMetalake(Condition.ALLOW, Name.CREATE_CATALOG); - private static final UseMetalake DENY_INSTANCE = - new UseMetalake(Condition.DENY, Name.CREATE_CATALOG); - - private UseMetalake(Condition condition, Name name) { - super(condition, name); - } - - /** @return The instance with allow condition of the privilege. 
*/ - public static UseMetalake allow() { - return ALLOW_INSTANCE; - } - - /** @return The instance with deny condition of the privilege. */ - public static UseMetalake deny() { - return DENY_INSTANCE; - } - } - /** The privilege to get a user. */ public static class GetUser extends GenericPrivilege<GetUser> { - private static final GetUser ALLOW_INSTANCE = new GetUser(Condition.ALLOW, Name.CREATE_CATALOG); - private static final GetUser DENY_INSTANCE = new GetUser(Condition.DENY, Name.CREATE_CATALOG); + private static final GetUser ALLOW_INSTANCE = new GetUser(Condition.ALLOW, Name.GET_USER); + private static final GetUser DENY_INSTANCE = new GetUser(Condition.DENY, Name.GET_USER); private GetUser(Condition condition, Name name) { super(condition, name); @@ -839,8 +729,8 @@ public class Privileges { /** The privilege to add a user. */ public static class AddUser extends GenericPrivilege<AddUser> { - private static final AddUser ALLOW_INSTANCE = new AddUser(Condition.ALLOW, Name.CREATE_CATALOG); - private static final AddUser DENY_INSTANCE = new AddUser(Condition.DENY, Name.CREATE_CATALOG); + private static final AddUser ALLOW_INSTANCE = new AddUser(Condition.ALLOW, Name.ADD_USER); + private static final AddUser DENY_INSTANCE = new AddUser(Condition.DENY, Name.ADD_USER); private AddUser(Condition condition, Name name) { super(condition, name); @@ -860,9 +750,9 @@ public class Privileges { /** The privilege to remove a user. */ public static class RemoveUser extends GenericPrivilege<RemoveUser> { private static final RemoveUser ALLOW_INSTANCE = - new RemoveUser(Condition.ALLOW, Name.CREATE_CATALOG); + new RemoveUser(Condition.ALLOW, Name.REMOVE_USER); private static final RemoveUser DENY_INSTANCE = - new RemoveUser(Condition.DENY, Name.CREATE_CATALOG); + new RemoveUser(Condition.DENY, Name.REMOVE_USER); private RemoveUser(Condition condition, Name name) { super(condition, name); 
@@ -881,9 +771,8 @@ public class Privileges { /** The privilege to add a group. */ public static class AddGroup extends GenericPrivilege<AddGroup> { - private static final AddGroup ALLOW_INSTANCE = - new AddGroup(Condition.ALLOW, Name.CREATE_CATALOG); - private static final AddGroup DENY_INSTANCE = new AddGroup(Condition.DENY, Name.CREATE_CATALOG); + private static final AddGroup ALLOW_INSTANCE = new AddGroup(Condition.ALLOW, Name.ADD_GROUP); + private static final AddGroup DENY_INSTANCE = new AddGroup(Condition.DENY, Name.ADD_GROUP); private AddGroup(Condition condition, Name name) { super(condition, name); @@ -903,9 +792,9 @@ public class Privileges { /** The privilege to remove a group. */ public static class RemoveGroup extends GenericPrivilege<RemoveGroup> { private static final RemoveGroup ALLOW_INSTANCE = - new RemoveGroup(Condition.ALLOW, Name.CREATE_CATALOG); + new RemoveGroup(Condition.ALLOW, Name.REMOVE_GROUP); private static final RemoveGroup DENY_INSTANCE = - new RemoveGroup(Condition.DENY, Name.CREATE_CATALOG); + new RemoveGroup(Condition.DENY, Name.REMOVE_GROUP); private RemoveGroup(Condition condition, Name name) { super(condition, name); @@ -946,9 +835,9 @@ public class Privileges { /** The privilege to create a role. */ public static class CreateRole extends GenericPrivilege<CreateRole> { private static final CreateRole ALLOW_INSTANCE = - new CreateRole(Condition.ALLOW, Name.CREATE_CATALOG); + new CreateRole(Condition.ALLOW, Name.CREATE_ROLE); private static final CreateRole DENY_INSTANCE = - new CreateRole(Condition.DENY, Name.CREATE_CATALOG); + new CreateRole(Condition.DENY, Name.CREATE_ROLE); private CreateRole(Condition condition, Name name) { super(condition, name); 
@@ -967,8 +856,8 @@ public class Privileges { /** The privilege to get a role. */ public static class GetRole extends GenericPrivilege<GetRole> { - private static final GetRole ALLOW_INSTANCE = new GetRole(Condition.ALLOW, Name.CREATE_CATALOG); - private static final GetRole DENY_INSTANCE = new GetRole(Condition.DENY, Name.CREATE_CATALOG); + private static final GetRole ALLOW_INSTANCE = new GetRole(Condition.ALLOW, Name.GET_ROLE); + private static final GetRole DENY_INSTANCE = new GetRole(Condition.DENY, Name.GET_ROLE); private GetRole(Condition condition, Name name) { super(condition, name); @@ -988,9 +877,9 @@ public class Privileges { /** The privilege to delete a role. */ public static class DeleteRole extends GenericPrivilege<DeleteRole> { private static final DeleteRole ALLOW_INSTANCE = - new DeleteRole(Condition.ALLOW, Name.CREATE_CATALOG); + new DeleteRole(Condition.ALLOW, Name.DELETE_ROLE); private static final DeleteRole DENY_INSTANCE = - new DeleteRole(Condition.DENY, Name.CREATE_CATALOG); + new DeleteRole(Condition.DENY, Name.DELETE_ROLE); private DeleteRole(Condition condition, Name name) { super(condition, name); @@ -1009,10 +898,8 @@ public class Privileges { /** The privilege to grant a role to the user or the group. */ public static class GrantRole extends GenericPrivilege<GrantRole> { - private static final GrantRole ALLOW_INSTANCE = - new GrantRole(Condition.ALLOW, Name.CREATE_CATALOG); - private static final GrantRole DENY_INSTANCE = - new GrantRole(Condition.DENY, Name.CREATE_CATALOG); + private static final GrantRole ALLOW_INSTANCE = new GrantRole(Condition.ALLOW, Name.GRANT_ROLE); + private static final GrantRole DENY_INSTANCE = new GrantRole(Condition.DENY, Name.GRANT_ROLE); private GrantRole(Condition condition, Name name) { super(condition, name); 
@@ -1032,9 +919,9 @@ public class Privileges {
 /** The privilege to revoke a role from the user or the group. */
 public static class RevokeRole extends GenericPrivilege<RevokeRole> {
 private static final RevokeRole ALLOW_INSTANCE =
- new RevokeRole(Condition.ALLOW, Name.CREATE_CATALOG);
+ new RevokeRole(Condition.ALLOW, Name.REVOKE_ROLE);
 private static final RevokeRole DENY_INSTANCE =
- new RevokeRole(Condition.DENY, Name.CREATE_CATALOG);
+ new RevokeRole(Condition.DENY, Name.REVOKE_ROLE);
 private RevokeRole(Condition condition, Name name) {
 super(condition, name);
diff --git a/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java b/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
index 4fcbb0a11..8378bb215 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
@@ -33,17 +33,6 @@ public class SecurableObjects {
 private static final Splitter DOT_SPLITTER = Splitter.on('.');
- /**
- * Create the metalake {@link SecurableObject} with the given metalake name.
- *
- * @param metalake The metalake name
- * @param privileges The privileges of the metalake
- * @return The created metalake {@link SecurableObject}
- */
- public static SecurableObject ofMetalake(String metalake, List<Privilege> privileges) {
- return of(MetadataObject.Type.METALAKE, Lists.newArrayList(metalake), privileges);
- }
-
 /**
 * Create the catalog {@link SecurableObject} with the given catalog name.
 *
@@ -116,19 +105,6 @@ public class SecurableObjects {
 return of(MetadataObject.Type.FILESET, names, privileges);
 }
- /**
- * All metalakes is a special securable object .You can give the securable object the privileges
- * `CREATE METALAKE`, etc. It means that you can create any which doesn't exist. This securable
- * object is only used for metalake admin. You can't grant any privilege to this securable object.
- * You can't bind this securable object to any role, too.
- *
- * @param privileges The privileges of the all metalakes
- * @return The created {@link SecurableObject}
- */
- public static SecurableObject ofAllMetalakes(List<Privilege> privileges) {
- return new SecurableObjectImpl(null, "*", MetadataObject.Type.METALAKE, privileges);
- }
-
 private static class SecurableObjectImpl extends MetadataObjectImpl implements SecurableObject {
 private List<Privilege> privileges;
diff --git a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
index 5fb7ebb04..230343679 100644
--- a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
+++ b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
@@ -27,30 +27,6 @@ public class TestSecurableObjects {
 @Test
 public void testSecurableObjects() {
- SecurableObject allMetalakes =
- SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.CreateMetalake.allow()));
- Assertions.assertEquals("*", allMetalakes.fullName());
- Assertions.assertEquals(MetadataObject.Type.METALAKE, allMetalakes.type());
-
- Assertions.assertThrows(
- IllegalArgumentException.class,
- () ->
- SecurableObjects.of(
- MetadataObject.Type.METALAKE,
- Lists.newArrayList("*"),
- Lists.newArrayList(Privileges.UseMetalake.allow())));
-
- SecurableObject metalake =
- SecurableObjects.ofMetalake("metalake", Lists.newArrayList(Privileges.UseMetalake.allow()));
- Assertions.assertEquals("metalake", metalake.fullName());
- Assertions.assertEquals(MetadataObject.Type.METALAKE, metalake.type());
- SecurableObject anotherMetalake =
- SecurableObjects.of(
- MetadataObject.Type.METALAKE,
- Lists.newArrayList("metalake"),
- Lists.newArrayList(Privileges.UseMetalake.allow()));
- Assertions.assertEquals(metalake, anotherMetalake);
-
 SecurableObject catalog =
 SecurableObjects.ofCatalog("catalog", Lists.newArrayList(Privileges.UseCatalog.allow()));
 Assertions.assertEquals("catalog", catalog.fullName());
diff --git a/core/src/main/java/org/apache/gravitino/Entity.java b/core/src/main/java/org/apache/gravitino/Entity.java
index 3d6cf5d0b..96ccc40ae 100644
--- a/core/src/main/java/org/apache/gravitino/Entity.java
+++ b/core/src/main/java/org/apache/gravitino/Entity.java
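Review bot: Deleting the whole metalake block also drops the only assertion that `SecurableObjects.of(MetadataObject.Type.METALAKE, Lists.newArrayList("*"), …)` is rejected, while `MetadataObject.Type.METALAKE` itself survives the commit, so `of` is presumably still reachable with that type and the rejection this test pinned is no longer covered. Whatever the intended behaviour is now — that a metalake securable object named `"*"` throws, or that it is an ordinary name — keep one case in `testSecurableObjects` that states it, for instance `Assertions.assertThrows(IllegalArgumentException.class, () -> SecurableObjects.of(MetadataObject.Type.METALAKE, Lists.newArrayList("*"), Lists.newArrayList(Privileges.UseCatalog.allow())));` if the rejection is meant to stay. The method body continues after the end of the hunk.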
@@ -55,18 +55,6 @@ public interface Entity extends Serializable {
 /** The tag schema name in the system catalog. */
 String TAG_SCHEMA_NAME = "tag";
- /**
- * All metalakes are a virtual entity. It represents all the metalakes. We don't store it. We use
- * a specific type to represent its entity type.
- */
- String ALL_METALAKES_ENTITY_TYPE = "ROOT";
-
- /**
- * All metalakes are a virtual entity. It represents all the metalakes. We don't store it. We use
- * a specific id to represent its entity id.
- */
- long ALL_METALAKES_ENTITY_ID = 0;
-
 /** Enumeration defining the types of entities in the Gravitino framework. */
 @Getter
 enum EntityType {
diff --git a/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java b/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
index 1fa5de878..fbde62ac7 100644
--- a/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
+++ b/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
@@ -22,9 +22,7 @@ import com.google.common.base.Joiner;
 import com.google.common.base.Splitter;
 import java.util.List;
 import javax.annotation.Nullable;
-import org.apache.gravitino.Entity;
 import org.apache.gravitino.MetadataObject;
-import org.apache.gravitino.MetadataObjects;
 import org.apache.gravitino.storage.relational.po.CatalogPO;
 import org.apache.gravitino.storage.relational.po.FilesetPO;
 import org.apache.gravitino.storage.relational.po.MetalakePO;
@@ -46,11 +44,6 @@ public class MetadataObjectService {
 public static long getMetadataObjectId(
 long metalakeId, String fullName, MetadataObject.Type type) {
- if (fullName.equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME)
- && type == MetadataObject.Type.METALAKE) {
- return Entity.ALL_METALAKES_ENTITY_ID;
- }
-
 if (type == MetadataObject.Type.METALAKE) {
 return MetalakeMetaService.getInstance().getMetalakeIdByName(fullName);
 }
@@ -82,10 +75,6 @@ public class MetadataObjectService { // Metadata object may be null because the metadata object can be deleted asynchronously. @Nullable public static String getMetadataObjectFullName(String type, long metadataObjectId) { - if (type.equals(Entity.ALL_METALAKES_ENTITY_TYPE)) { - return MetadataObjects.METADATA_OBJECT_RESERVED_NAME; - } - MetadataObject.Type metadatatype = MetadataObject.Type.valueOf(type); if (metadatatype == MetadataObject.Type.METALAKE) { MetalakePO metalakePO = MetalakeMetaService.getInstance().getMetalakePOById(metadataObjectId); diff --git a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java index cf8a5632a..1583a943b 100644 --- a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java +++ b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java @@ -23,7 +23,6 @@ import java.io.IOException; import java.util.List; import org.apache.gravitino.Entity; import org.apache.gravitino.MetadataObject; -import org.apache.gravitino.MetadataObjects; import org.apache.gravitino.NameIdentifier; import org.apache.gravitino.authorization.AuthorizationUtils; import org.apache.gravitino.authorization.SecurableObject; @@ -237,17 +236,10 @@ public class RoleMetaService { } private MetadataObject.Type getType(String type) { - if (Entity.ALL_METALAKES_ENTITY_TYPE.equals(type)) { - return MetadataObject.Type.METALAKE; - } return MetadataObject.Type.valueOf(type); } private String getEntityType(SecurableObject securableObject) { - if (securableObject.type() == MetadataObject.Type.METALAKE - && securableObject.name().equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME)) { - return Entity.ALL_METALAKES_ENTITY_TYPE; - } return securableObject.type().name(); } } 
diff --git a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java index ac753c18d..629910682 100644 --- a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java +++ b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java @@ -104,8 +104,6 @@ public class TestSecurableObjects extends TestJDBCBackend { SecurableObject topicObject = SecurableObjects.ofTopic( schemaObject, "topic", Lists.newArrayList(Privileges.ReadTopic.deny())); - SecurableObject allMetalakesObject = - SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.UseMetalake.allow())); RoleEntity role1 = createRoleEntity( @@ -114,12 +112,7 @@ public class TestSecurableObjects extends TestJDBCBackend { "role1", auditInfo, Lists.newArrayList( - catalogObject, - schemaObject, - tableObject, - filesetObject, - topicObject, - allMetalakesObject), + catalogObject, schemaObject, tableObject, filesetObject, topicObject), ImmutableMap.of("k1", "v1")); Assertions.assertDoesNotThrow(() -> roleMetaService.insertRole(role1, false)); diff --git a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java index 66393a0ea..18b74c84e 100644 --- a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java +++ b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java @@ -34,7 +34,6 @@ import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; import org.apache.gravitino.GravitinoEnv; import org.apache.gravitino.MetadataObject; -import org.apache.gravitino.MetadataObjects; import org.apache.gravitino.NameIdentifier; import org.apache.gravitino.authorization.AccessControlManager; import org.apache.gravitino.authorization.AuthorizationUtils; 
@@ -175,10 +174,6 @@ public class RoleOperations { // Securable object ignores the metalake namespace, so we should add it back. if (object.type() == MetadataObject.Type.METALAKE) { - // All metalakes don't need to check the securable object whether exists. - if (object.name().equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME)) { - return; - } identifier = NameIdentifier.parse(object.fullName()); } else { identifier = NameIdentifier.parse(String.format("%s.%s", metalake, object.fullName())); diff --git a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java index 34589717d..c99154eb8 100644 --- a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java +++ b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java 
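Review bot: With the `*` early return removed, every METALAKE-typed securable object now reaches `identifier = NameIdentifier.parse(object.fullName())`, and nothing in this hunk ties that name to the `metalake` parameter, so a role created under metalake A could name metalake B as its securable object and pass this existence check as long as B exists. The non-metalake branch scopes the identifier with `String.format("%s.%s", metalake, object.fullName())`, which makes the metalake branch the only place where a caller-supplied name is trusted unscoped. Unless a caller already enforces this (not visible here), add before the parse: `if (!metalake.equals(object.fullName())) { throw new IllegalArgumentException("Metalake securable object must match the current metalake: " + object.fullName()); }`, which matches the IllegalArgumentException the method already raises for a non-existent metalake. checkSecurableObject starts before and ends after this hunk.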
@@ -394,27 +394,6 @@ public class TestRoleOperations extends JerseyTest { @Test public void testCheckSecurableObjects() { - // check all metalakes - SecurableObject allMetalake = - SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.UseMetalake.allow())); - when(metalakeDispatcher.metalakeExists(any())).thenReturn(true); - Assertions.assertDoesNotThrow( - () -> RoleOperations.checkSecurableObject("metalake", DTOConverters.toDTO(allMetalake))); - when(metalakeDispatcher.metalakeExists(any())).thenReturn(false); - Assertions.assertDoesNotThrow( - () -> RoleOperations.checkSecurableObject("metalake", DTOConverters.toDTO(allMetalake))); - - // check the metalake - SecurableObject metalake = - SecurableObjects.ofMetalake("metalake", Lists.newArrayList(Privileges.UseMetalake.allow())); - when(metalakeDispatcher.metalakeExists(any())).thenReturn(true); - Assertions.assertDoesNotThrow( - () -> RoleOperations.checkSecurableObject("metalake", DTOConverters.toDTO(metalake))); - when(metalakeDispatcher.metalakeExists(any())).thenReturn(false); - Assertions.assertThrows( - IllegalArgumentException.class, - () -> RoleOperations.checkSecurableObject("metalake", DTOConverters.toDTO(metalake))); - // check the catalog SecurableObject catalog = SecurableObjects.ofCatalog("catalog", Lists.newArrayList(Privileges.UseCatalog.allow()));