sgedward opened a new pull request, #11144:
URL: https://github.com/apache/gravitino/pull/11144
### What changes were proposed in this pull request?
Adds a new design document at `design-docs/gravitino-view-privilege.md`
covering view privilege control as a sub-design under the parent [View Management design](https://docs.google.com/document/d/1qKZMcY5ifgZF-BjGF2FwYBNWyTwqrCDLaGW_D2jD_LY).
The doc proposes:
- **Adding `ALTER_VIEW` privilege** (with bit `1L << 33`, allow/deny
variants)
- **Wiring `@AuthorizationExpression`** on all five `ViewOperations.java`
endpoints, mirroring the `TableOperations.java` pattern
- **Adding `ViewHookDispatcher`** to set the creator as view owner on
`createView`, unblocking the `VIEW::OWNER` clause already present in
`LOAD_VIEW_AUTHORIZATION_EXPRESSION`
- **Adding visibility filtering** to `listViews` via
`FILTER_VIEW_AUTHORIZATION_EXPRESSION` (currently consumed only by the
Iceberg-REST path)
- **Two new expression constants**: `CREATE_VIEW_AUTHORIZATION_EXPRESSION`
and `ALTER_VIEW_AUTHORIZATION_EXPRESSION`
The doc **diverges from the parent View Management design doc** on one
point: no `DROP_VIEW` privilege is introduced. View drops use the hierarchical
owner-based expression form,
consistent with `dropTable` / `dropFileset` / `dropFunction`. Rationale in
the doc — would appreciate community review on this specifically.
### Why are the changes needed?
Issue #11007 tracks the completion of view privilege support. However, it
would be better to summarize the changes and aggregate them into a design
document to share with the community for confirmation before proceeding to the
implementation phase.
Current state has `CREATE_VIEW` / `SELECT_VIEW` defined in
`Privilege.Name` but never enforced on the generic REST path. Alter and drop
operations have no privilege protection. Only the
Iceberg-REST path (`IcebergViewOperations.java`) is fully wired today,
making the privilege model inconsistent across catalog types.
Fix: #11007
### Does this PR introduce _any_ user-facing change?
No code changes in this PR — design doc only. The implementation work that
follows the design will introduce:
1. A new privilege type `ALTER_VIEW` (grantable like `MODIFY_TABLE`)
2. Enforcement of `CREATE_VIEW` / `SELECT_VIEW` / `ALTER_VIEW` on
Gravitino REST endpoints for non-Iceberg catalogs (previously unenforced)
3. Behavioral change: `listViews` will return only views the caller has
privileges on (currently returns all views in the schema)
4. Hierarchical owner-based drop authorization for views (currently no
privilege check at all)
### How was this patch tested?
N/A — this is a design document. Reviewers should evaluate the proposed
approach and the rationale for diverging from the parent doc on `DROP_VIEW`.
--
This is an automated message from the Apache Git Service.
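To make the proposed model concrete for reviewers, here is an added, self-contained Java illustration of the three mechanisms the PR describes: a bit-flag privilege with allow and deny variants (deny overriding allow, grants inherited from schema/catalog/metalake), the hierarchical owner-based check that replaces a `DROP_VIEW` privilege, and the visibility filter on `listViews`. This is not Gravitino code and not the design doc's code: the class and method names (`ViewPrivilegeModel`, `Grants`, `canDrop`, `filterViews`, and so on) are hypothetical, and only the `ALTER_VIEW` bit `1L << 33` comes from the PR text; the `CREATE_VIEW` and `SELECT_VIEW` bit values and all sample principals and entities are constructed for the example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical model of the view privilege design in PR #11144.
 * Not Gravitino's Privilege.Name or AuthorizationExpression machinery;
 * only the ALTER_VIEW bit (1L << 33) is taken from the PR description.
 */
public class ViewPrivilegeModel {

    static final long CREATE_VIEW = 1L << 31; // constructed placeholder bit
    static final long SELECT_VIEW = 1L << 32; // constructed placeholder bit
    static final long ALTER_VIEW  = 1L << 33; // bit proposed in the PR

    /** A securable object in the metalake -> catalog -> schema -> view hierarchy. */
    static final class Entity {
        final String name;
        final Entity parent;
        final String owner;
        Entity(String name, Entity parent, String owner) {
            this.name = name; this.parent = parent; this.owner = owner;
        }
    }

    /** Per-principal allow and deny masks keyed by entity (roles collapsed into direct grants). */
    static final class Grants {
        private final Map<String, Long> allowMap = new HashMap<>();
        private final Map<String, Long> denyMap = new HashMap<>();
        void allow(String principal, Entity e, long bits) { allowMap.merge(principal + "@" + e.name, bits, (a, b) -> a | b); }
        void deny(String principal, Entity e, long bits)  { denyMap.merge(principal + "@" + e.name, bits, (a, b) -> a | b); }
        long allowMask(String principal, Entity e) { return allowMap.getOrDefault(principal + "@" + e.name, 0L); }
        long denyMask(String principal, Entity e)  { return denyMap.getOrDefault(principal + "@" + e.name, 0L); }
    }

    /** Deny wins over allow at any level; an allow on an ancestor applies to the view. */
    static boolean hasPrivilege(Grants g, String principal, Entity e, long bit) {
        boolean allowed = false;
        for (Entity cur = e; cur != null; cur = cur.parent) {
            if ((g.denyMask(principal, cur) & bit) != 0) return false;
            if ((g.allowMask(principal, cur) & bit) != 0) allowed = true;
        }
        return allowed;
    }

    /** Hierarchical owner check: the VIEW::OWNER clause extended to schema, catalog and metalake owners. */
    static boolean isOwnerInHierarchy(String principal, Entity e) {
        for (Entity cur = e; cur != null; cur = cur.parent) {
            if (principal.equals(cur.owner)) return true;
        }
        return false;
    }

    static boolean canLoad(Grants g, String p, Entity view)    { return isOwnerInHierarchy(p, view) || hasPrivilege(g, p, view, SELECT_VIEW); }
    static boolean canAlter(Grants g, String p, Entity view)   { return isOwnerInHierarchy(p, view) || hasPrivilege(g, p, view, ALTER_VIEW); }
    static boolean canCreate(Grants g, String p, Entity schema) { return isOwnerInHierarchy(p, schema) || hasPrivilege(g, p, schema, CREATE_VIEW); }
    /** Drop uses the owner-based form only, as the PR proposes; there is no DROP_VIEW bit. */
    static boolean canDrop(String p, Entity view) { return isOwnerInHierarchy(p, view); }

    /** listViews visibility filter: keep only the views the caller could load. */
    static List<Entity> filterViews(Grants g, String p, List<Entity> views) {
        List<Entity> out = new ArrayList<>();
        for (Entity v : views) {
            if (canLoad(g, p, v)) out.add(v);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample hierarchy and grants.
        Entity metalake = new Entity("metalake", null, "admin");
        Entity catalog  = new Entity("catalog", metalake, "admin");
        Entity schema   = new Entity("schema", catalog, "alice");
        Entity v1 = new Entity("v1", schema, "alice"); // creator set as owner by the hook dispatcher
        Entity v2 = new Entity("v2", schema, "carol");

        Grants g = new Grants();
        g.allow("bob", schema, SELECT_VIEW); // bob may read every view in the schema ...
        g.deny("bob", v2, SELECT_VIEW);      // ... except v2, where the deny overrides the allow
        g.allow("bob", v1, ALTER_VIEW);

        System.out.println(filterViews(g, "bob", List.of(v1, v2)).size()); // 1 (only v1 is visible)
        System.out.println(canAlter(g, "bob", v1));      // true
        System.out.println(canDrop("bob", v1));          // false: bob owns nothing in the hierarchy
        System.out.println(canDrop("admin", v1));        // true: metalake owner
        System.out.println(canCreate(g, "bob", schema)); // false: no CREATE_VIEW grant
    }
}
```

The point the model makes for the review is that the drop decision never consults a privilege bit at all, so a deny grant cannot remove a drop capability that stems from ownership higher in the hierarchy; whether that matches the intended semantics is exactly the `DROP_VIEW` divergence the author asks reviewers to weigh.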