This is an automated email from the ASF dual-hosted git repository.
roryqi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 9526257c3d [#9104] improvement(authz): support list and get roles when
has manage_grants (#9114)
9526257c3d is described below
commit 9526257c3d4c104c81e3ce31fc1ef485e75ae5e7
Author: yangyang zhong <[email protected]>
AuthorDate: Tue Nov 18 17:35:51 2025 +0800
[#9104] improvement(authz): support list and get roles when has
manage_grants (#9114)
### What changes were proposed in this pull request?
Support listing and getting roles when the caller has `MANAGE_GRANTS` on the metalake.
### Why are the changes needed?
Fix: #9104
### Does this PR introduce _any_ user-facing change?
None
### How was this patch tested?
org.apache.gravitino.client.integration.test.authorization.RoleAuthorizationIT
---
.../test/authorization/RoleAuthorizationIT.java | 18 ++++++++++++++++++
docs/security/access-control.md | 4 ++--
.../expression/AuthorizationExpressionConstants.java | 6 +++++-
.../gravitino/server/web/rest/RoleOperations.java | 7 +++++--
4 files changed, 30 insertions(+), 5 deletions(-)
diff --git
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/RoleAuthorizationIT.java
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/RoleAuthorizationIT.java
index 3b7f4818ca..73daa1ce72 100644
---
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/RoleAuthorizationIT.java
+++
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/RoleAuthorizationIT.java
@@ -20,6 +20,7 @@ package
org.apache.gravitino.client.integration.test.authorization;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertThrows;
+import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import org.apache.gravitino.MetadataObject;
@@ -32,6 +33,7 @@ import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestMethodOrder;
import org.testcontainers.shaded.com.google.common.collect.ImmutableList;
+import org.testcontainers.shaded.com.google.common.collect.ImmutableSet;
@Tag("gravitino-docker-test")
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
@@ -69,9 +71,25 @@ public class RoleAuthorizationIT extends
BaseRestApiAuthorizationIT {
@Order(2)
public void testListRole() {
String[] roleNames = client.loadMetalake(METALAKE).listRoleNames();
+ Arrays.sort(roleNames);
assertArrayEquals(new String[] {"role1", "role2", "role3", "role4"},
roleNames);
roleNames = normalUserClient.loadMetalake(METALAKE).listRoleNames();
+ Arrays.sort(roleNames);
assertArrayEquals(new String[] {"role1", "role4"}, roleNames);
+ client
+ .loadMetalake(METALAKE)
+ .grantPrivilegesToRole(
+ "role1",
+ MetadataObjects.of(ImmutableList.of(METALAKE),
MetadataObject.Type.METALAKE),
+ ImmutableSet.of(Privileges.ManageGrants.allow()));
+ roleNames = normalUserClient.loadMetalake(METALAKE).listRoleNames();
+ assertArrayEquals(new String[] {"role1", "role2", "role3", "role4"},
roleNames);
+ client
+ .loadMetalake(METALAKE)
+ .revokePrivilegesFromRole(
+ "role1",
+ MetadataObjects.of(ImmutableList.of(METALAKE),
MetadataObject.Type.METALAKE),
+ ImmutableSet.of(Privileges.ManageGrants.allow()));
}
@Test
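Review bot: The third `listRoleNames()` result, taken after role1 is granted MANAGE_GRANTS, is compared against an ordered array without the `Arrays.sort(roleNames);` that the two earlier results get, so that assertion depends on the server's return order. The revoke that undoes the grant also runs only when the assertion passes; a failure leaves role1 holding MANAGE_GRANTS on the metalake for the later `@Order` tests, which would then see a broader role list than they expect. Sorting before the assert and moving the revoke into a `finally` keeps the test order-independent and self-cleaning.
```java
    // … unchanged: first two list/sort/assert pairs and the grantPrivilegesToRole call …
    try {
      roleNames = normalUserClient.loadMetalake(METALAKE).listRoleNames();
      Arrays.sort(roleNames);
      assertArrayEquals(new String[] {"role1", "role2", "role3", "role4"}, roleNames);
    } finally {
      client
          .loadMetalake(METALAKE)
          .revokePrivilegesFromRole(
              "role1",
              MetadataObjects.of(ImmutableList.of(METALAKE), MetadataObject.Type.METALAKE),
              ImmutableSet.of(Privileges.ManageGrants.allow()));
    }
```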
diff --git a/docs/security/access-control.md b/docs/security/access-control.md
index 2f7de2c562..1a6d9a28a0 100644
--- a/docs/security/access-control.md
+++ b/docs/security/access-control.md
@@ -1026,8 +1026,8 @@ The following table lists the required privileges for
each API.
| list groups | `MANAGE_GROUPS` on the metalake or the
owner of the metalake can see all the groups, others can see his group
|
| create role | `CREATE_ROLE` on the metalake or the
owner of the metalake
|
| delete role | The owner of the metalake or the role
|
-| get role | The owner of the metalake or the role.
others can see his granted or owned roles.
|
-| list roles | The owner of the metalake can see all
the roles. Others can see his granted roles or owned roles.
|
+| get role | `MANAGE_GRANTS` on the metalake or the
owner of the metalake or the role. others can see his granted or owned roles.
|
+| list roles | `MANAGE_GRANTS` on the metalake or the
owner of the metalake can see all the roles. Others can see his granted roles
or owned roles.
|
| grant role | `MANAGE_GRANTS` on the metalake
|
| revoke role | `MANAGE_GRANTS` on the metalake
|
| grant privilege | `MANAGE_GRANTS` on the metalake or the
owner of the securable object
|
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
index 47dd6cb654..b898e4bd60 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
@@ -88,5 +88,9 @@ public class AuthorizationExpressionConstants {
ANY_WRITE_FILESET
""";
- public static final String getOwnerExpression = "CAN_GET_OWNER";
+ public static final String loadRoleAuthorizationExpression =
+ """
+ METALAKE::OWNER || METALAKE::MANAGE_GRANTS
+ || ROLE::OWNER || ROLE::SELF
+ """;
}
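Review bot: `loadRoleAuthorizationExpression` has no Javadoc even though it now decides who may read role definitions from two call sites (the `@AuthorizationExpression` on `getRole` and the `filterByExpression` call in `listRoles` in RoleOperations); suggest `/** Who may load or list a role: the metalake owner, a holder of MANAGE_GRANTS on the metalake, the role's owner, or a user the role is granted to (ROLE::SELF, per docs/security/access-control.md). */`. The text block also gives the value leading indentation and a trailing newline that the inline literal it replaces did not have; the existing text-block constant above it ends the same way, so the expression parser presumably tolerates this, but it is worth confirming since a rejected expression would fail closed on both endpoints. The hunk additionally drops the public `getOwnerExpression` constant; no other file in the diffstat references it, so it looks unused in-tree, but removing a public field is source-incompatible for any external user and deserves a mention in the description.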
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
index 934478c0dd..dae825806c 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
@@ -58,6 +58,7 @@ import
org.apache.gravitino.server.authorization.MetadataFilterHelper;
import org.apache.gravitino.server.authorization.NameBindings;
import
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
import
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
import org.apache.gravitino.server.web.Utils;
import org.apache.gravitino.utils.MetadataObjectUtil;
import org.apache.gravitino.utils.NameIdentifierUtil;
@@ -95,7 +96,8 @@ public class RoleOperations {
new NameIdentifier[]
{NameIdentifierUtil.ofRole(metalake, role)};
return MetadataFilterHelper.filterByExpression(
metalake,
- "METALAKE::OWNER || ROLE::OWNER ||
ROLE::SELF",
+ AuthorizationExpressionConstants
+ .loadRoleAuthorizationExpression,
Entity.EntityType.ROLE,
nameIdentifiers)
.length
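Review bot: `METALAKE::OWNER || METALAKE::MANAGE_GRANTS` is now the leading part of an expression that appears to be evaluated once per role, since `filterByExpression` is called on a single-element `NameIdentifier[]` and the result's `.length` is checked; the enclosing method starts outside the hunk, so this is inferred. Those two terms do not depend on the role being filtered, so a caller with MANAGE_GRANTS repeats a metalake-level authorization check for every role name in the list. If the surrounding code is a per-role filter, evaluating the metalake-level terms once and short-circuiting to the full list would avoid that, with the per-role `ROLE::OWNER || ROLE::SELF` check kept for everyone else.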
@@ -115,7 +117,8 @@ public class RoleOperations {
@Produces("application/vnd.gravitino.v1+json")
@Timed(name = "get-role." + MetricNames.HTTP_PROCESS_DURATION, absolute =
true)
@ResponseMetered(name = "get-role", absolute = true)
- @AuthorizationExpression(expression = "METALAKE::OWNER || ROLE::OWNER ||
ROLE::SELF")
+ @AuthorizationExpression(
+ expression =
AuthorizationExpressionConstants.loadRoleAuthorizationExpression)
public Response getRole(
@PathParam("metalake") @AuthorizationMetadata(type =
Entity.EntityType.METALAKE)
String metalake,