This is an automated email from the ASF dual-hosted git repository.
yuqi4733 pushed a commit to branch branch-1.1
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-1.1 by this push:
new 3a230c3b7f [MINOR] polish(authz): polish authz codes for easier reuse
(#9419)
3a230c3b7f is described below
commit 3a230c3b7ffaef760a54b0cfeb783cf98625dd4e
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Tue Dec 9 15:37:09 2025 +0800
[MINOR] polish(authz): polish authz codes for easier reuse (#9419)
### What changes were proposed in this pull request?
Callers can now specify the principal explicitly.
### Why are the changes needed?
polish authz codes for easier reuse
### Does this PR introduce _any_ user-facing change?
no
### How was this patch tested?
CI passed
Co-authored-by: mchades <[email protected]>
---
.../server/authorization/MetadataAuthzHelper.java | 51 +++++++++++++---------
1 file changed, 30 insertions(+), 21 deletions(-)
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index ffa32bc294..15d5f542ad 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -64,6 +64,7 @@ public class MetadataAuthzHelper {
return doFilter(
expression,
metalakes,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
authorizationRequestContext,
metalake -> {
@@ -72,7 +73,8 @@ public class MetadataAuthzHelper {
metalakeName,
Entity.EntityType.METALAKE,
NameIdentifierUtil.ofMetalake(metalakeName));
- });
+ },
+ (unused) -> null);
}
/**
@@ -87,6 +89,7 @@ public class MetadataAuthzHelper {
return doFilter(
AuthorizationExpressionConstants.CAN_ACCESS_METADATA,
metadataObjects,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
new AuthorizationRequestContext(),
metadataObject ->
@@ -109,6 +112,7 @@ public class MetadataAuthzHelper {
return doFilter(
AuthorizationExpressionConstants.CAN_ACCESS_METADATA,
metadataObjects,
+ PrincipalUtils.getCurrentPrincipal(),
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
new AuthorizationRequestContext(),
metadataObject ->
@@ -178,8 +182,18 @@ public class MetadataAuthzHelper {
Function<E, NameIdentifier> toNameIdentifier) {
GravitinoAuthorizer authorizer =
GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
- return filterByExpression(
- metalake, expression, entityType, entities, toNameIdentifier,
authorizer);
+ AuthorizationRequestContext authorizationRequestContext = new
AuthorizationRequestContext();
+ return doFilter(
+ expression,
+ entities,
+ PrincipalUtils.getCurrentPrincipal(),
+ authorizer,
+ authorizationRequestContext,
+ (entity) -> {
+ NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
+ return splitMetadataNames(metalake, entityType, nameIdentifier);
+ },
+ (unused) -> null);
}
/**
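Review bot: The rewritten body duplicates what `filterByExpression` now does with the same per-entity lambda and the same `(unused) -> null` trailer, so there are two copies of the name-splitting path to keep in sync. Delegating keeps one: `return filterByExpression(metalake, expression, entityType, entities, toNameIdentifier, PrincipalUtils.getCurrentPrincipal(), authorizer);`, and the added `authorizationRequestContext` local becomes unnecessary since `filterByExpression` creates its own. The method's signature begins above the hunk, so its visibility and remaining parameters are not visible here.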
@@ -191,7 +205,12 @@ public class MetadataAuthzHelper {
* @param entityType entity type
* @param entities metadata entities
* @param toNameIdentifier function to convert entity to NameIdentifier
- * @param authorizer authorizer to filter metadata
+ * @param currentPrincipal The principal to perform the authorization check
as. This is intended
+ * as an extension point for external modules to inject a specific
security context, so please
+ * do not remove it.
+ * @param authorizer The authorizer to use for the authorization check. This
is intended as an
+ * extension point for external modules to inject a specific
authorization mechanism, so
+ * please do not remove it.
* @return Filtered Metadata Entity
* @param <E> Entity class
*/
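Review bot: The new `@param currentPrincipal` text explains why the parameter exists but not what it means for the authorization decision, which is the part a caller of this extension point needs: the filter evaluates permissions as that principal, and, as far as the visible part of `doFilter` shows, without checking it against the request's own context. Suggested wording: `@param currentPrincipal The principal the authorization decision is evaluated for; callers must supply an authenticated principal (normally {@code PrincipalUtils.getCurrentPrincipal()}), since the filter uses it as given. Kept as an extension point for external modules to inject a specific security context, so please do not remove it.` Stating whether `null` is accepted would also help, since nothing in the hunk says. The "please do not remove" sentence on `@param authorizer` could be shortened the same way.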
@@ -201,17 +220,20 @@ public class MetadataAuthzHelper {
Entity.EntityType entityType,
E[] entities,
Function<E, NameIdentifier> toNameIdentifier,
+ Principal currentPrincipal,
GravitinoAuthorizer authorizer) {
AuthorizationRequestContext authorizationRequestContext = new
AuthorizationRequestContext();
return doFilter(
expression,
entities,
+ currentPrincipal,
authorizer,
authorizationRequestContext,
(entity) -> {
NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
return splitMetadataNames(metalake, entityType, nameIdentifier);
- });
+ },
+ (unused) -> null);
}
/**
@@ -219,30 +241,18 @@ public class MetadataAuthzHelper {
*
* @param expression The authorization expression to evaluate
* @param entities The array of entities to filter
+ * @param currentPrincipal The principal used to evaluate permissions
* @param authorizer The authorizer used to evaluate permissions
* @param authorizationRequestContext The context of the authorization
request
* @param extractMetadataNamesMap Function to extract metadata names map
from entity
+ * @param extractEntityType Function to extract entity type from entity
* @param <E> The type of entity
* @return Filtered array of entities that passed authorization check
*/
private static <E> E[] doFilter(
String expression,
E[] entities,
- GravitinoAuthorizer authorizer,
- AuthorizationRequestContext authorizationRequestContext,
- Function<E, Map<Entity.EntityType, NameIdentifier>>
extractMetadataNamesMap) {
- return doFilter(
- expression,
- entities,
- authorizer,
- authorizationRequestContext,
- extractMetadataNamesMap,
- (unused) -> null);
- }
-
- private static <E> E[] doFilter(
- String expression,
- E[] entities,
+ Principal currentPrincipal,
GravitinoAuthorizer authorizer,
AuthorizationRequestContext authorizationRequestContext,
Function<E, Map<Entity.EntityType, NameIdentifier>>
extractMetadataNamesMap,
@@ -251,7 +261,6 @@ public class MetadataAuthzHelper {
return entities;
}
checkExecutor();
- Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
authorizationRequestContext.setOriginalAuthorizationExpression(expression);
List<CompletableFuture<E>> futures = new ArrayList<>();
for (E entity : entities) {
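Review bot: With the `PrincipalUtils.getCurrentPrincipal()` lookup removed, `currentPrincipal` now arrives from the caller and is not validated on entry; via `filterByExpression`, which the Javadoc presents as an extension point for external modules, a `null` would only fail later inside the per-entity futures rather than at the call site. Fail fast after `checkExecutor();` with `Objects.requireNonNull(currentPrincipal, "currentPrincipal");` (add the `java.util.Objects` import if the file lacks it). How the principal is consumed further down in `doFilter` is outside the hunk, so whether a null is tolerated there cannot be confirmed from this view.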