Re: [PR] [#10117] improvement(authz): Remove ownership relation cache [gravitino]

Thu, 05 Mar 2026 03:04:56 -0800 


roryqi commented on code in PR #10119:
URL: https://github.com/apache/gravitino/pull/10119#discussion_r2889276206


##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -517,11 +494,8 @@ private void loadRolePrivilege(
         });
   }
 
-  private void loadOwnerPolicy(String metalake, MetadataObject metadataObject, 
Long metadataId) {
-    if (ownerRel.getIfPresent(metadataId) != null) {
-      LOG.debug("Metadata {} OWNER has been loaded.", metadataId);
-      return;
-    }
+  private boolean checkOwner(String metalake, MetadataObject metadataObject, 
String userName) {
+

Review Comment:
   Done.



##########
server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java:
##########
@@ -36,7 +36,6 @@
 import java.io.IOException;
 import java.lang.reflect.Field;
 import java.security.Principal;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;

Review Comment:
   Done.



##########
docs/security/access-control.md:
##########
@@ -456,10 +455,8 @@ Gravitino uses Caffeine caches to improve authorization 
performance by caching r
 
 - **`roleCacheSize`**: Controls the maximum number of role entries that can be 
cached. When the cache reaches this size, the least recently used entries are 
evicted.
 
-- **`ownerCacheSize`**: Controls the maximum number of owner relationship 
entries that can be cached. This cache maps metadata object IDs to their owner 
IDs.
-
 :::info
-When role privileges or ownership are changed through the Gravitino API, the 
corresponding cache entries are automatically invalidated to ensure 
authorization decisions reflect the latest state.
+When role privileges are changed through the Gravitino API, the corresponding 
cache entries are automatically invalidated to ensure authorization decisions 
reflect the latest state.

Review Comment:
   Done.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to