This is an automated email from the ASF dual-hosted git repository.
jshao pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new f8a472916 [#4128] improvement(core): Remove privileges of metalakes
(#4139)
f8a472916 is described below
commit f8a472916f3d58640cbbd9bf8b9cbc284d960e0b
Author: roryqi <[email protected]>
AuthorDate: Wed Jul 17 20:48:40 2024 +0800
[#4128] improvement(core): Remove privileges of metalakes (#4139)
### What changes were proposed in this pull request?
Remove privileges of metalakes. We use ownership instead of metalake
privileges.
### Why are the changes needed?
Fix: #4128
### Does this PR introduce _any_ user-facing change?
Modify APIs. But this feature isn't released yet.
### How was this patch tested?
Existing UTs
---
.../java/org/apache/gravitino/MetadataObjects.java | 13 +-
.../apache/gravitino/authorization/Privilege.java | 28 +--
.../apache/gravitino/authorization/Privileges.java | 229 ++++++---------------
.../gravitino/authorization/SecurableObjects.java | 24 ---
.../authorization/TestSecurableObjects.java | 24 ---
.../src/main/java/org/apache/gravitino/Entity.java | 12 --
.../relational/service/MetadataObjectService.java | 11 -
.../relational/service/RoleMetaService.java | 8 -
.../relational/service/TestSecurableObjects.java | 9 +-
.../gravitino/server/web/rest/RoleOperations.java | 5 -
.../server/web/rest/TestRoleOperations.java | 21 --
11 files changed, 71 insertions(+), 313 deletions(-)
diff --git a/api/src/main/java/org/apache/gravitino/MetadataObjects.java
b/api/src/main/java/org/apache/gravitino/MetadataObjects.java
index 70f795fa0..5136164c9 100644
--- a/api/src/main/java/org/apache/gravitino/MetadataObjects.java
+++ b/api/src/main/java/org/apache/gravitino/MetadataObjects.java
@@ -27,11 +27,7 @@ import org.apache.commons.lang3.StringUtils;
/** The helper class for {@link MetadataObject}. */
public class MetadataObjects {
- /**
- * The reserved name for the metadata object.
- *
- * <p>It is used to represent the root metadata object of all metalakes.
- */
+ /** The reserved name for the metadata object. */
public static final String METADATA_OBJECT_RESERVED_NAME = "*";
private static final Splitter DOT_SPLITTER = Splitter.on('.');
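Review bot: METADATA_OBJECT_RESERVED_NAME is kept, but its javadoc no longer says what `*` is reserved for, and the next hunk removes the only branch in parse() that treated it specially, so `*` now passes the isNotBlank precondition and is accepted as an ordinary metalake name. If the name is still meant to be reserved, parse() should reject it explicitly (`Preconditions.checkArgument(!METADATA_OBJECT_RESERVED_NAME.equals(fullName), "Metadata object name `*` is reserved");`); if it is not, the constant should go together with its consumers, which the core services in this commit drop. At a minimum the javadoc should state the new meaning, e.g. `/** The reserved name for the metadata object; {@link #parse} no longer special-cases it and it must not be used as a real metalake name. */`. Whether any consumer of the constant survives elsewhere is not visible here.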
@@ -106,13 +102,6 @@ public class MetadataObjects {
* @return The parsed metadata object
*/
public static MetadataObject parse(String fullName, MetadataObject.Type
type) {
- if (METADATA_OBJECT_RESERVED_NAME.equals(fullName)) {
- if (type != MetadataObject.Type.METALAKE) {
- throw new IllegalArgumentException("If metadata object isn't metalake,
it can't be `*`");
- }
- return new MetadataObjectImpl(null, METADATA_OBJECT_RESERVED_NAME, type);
- }
-
Preconditions.checkArgument(
StringUtils.isNotBlank(fullName), "Metadata object full name cannot be
blank");
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
index 36229c8fc..5cb7b3214 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -81,34 +81,28 @@ public interface Privilege {
WRITE_TOPIC(0L, 1L << 18),
/** The privilege to read a topic. */
READ_TOPIC(0L, 1L << 19),
- /** The privilege to create a metalake. */
- CREATE_METALAKE(0L, 1L << 20),
- /** The privilege to manage a metalake, including drop and alter a
metalake. */
- MANAGE_METALAKE(0L, 1L << 21),
- /** The privilege to use a metalake, the user can load the information of
the metalake. */
- USE_METALAKE(0L, 1L << 22),
/** The privilege to add a user */
- ADD_USER(0L, 1L << 23),
+ ADD_USER(0L, 1L << 20),
/** The privilege to remove a user */
- REMOVE_USER(0L, 1L << 24),
+ REMOVE_USER(0L, 1L << 21),
/** The privilege to get a user */
- GET_USER(0L, 1L << 25),
+ GET_USER(0L, 1L << 22),
/** The privilege to add a group */
- ADD_GROUP(0L, 1L << 26),
+ ADD_GROUP(0L, 1L << 23),
/** The privilege to remove a group */
- REMOVE_GROUP(0L, 1L << 27),
+ REMOVE_GROUP(0L, 1L << 24),
/** The privilege to get a group */
- GET_GROUP(0L, 1L << 28),
+ GET_GROUP(0L, 1L << 25),
/** The privilege to create a role */
- CREATE_ROLE(0L, 1L << 29),
+ CREATE_ROLE(0L, 1L << 26),
/** The privilege to delete a role */
- DELETE_ROLE(0L, 1L << 30),
+ DELETE_ROLE(0L, 1L << 27),
/** The privilege to grant a role to the user or the group. */
- GRANT_ROLE(0L, 1L << 31),
+ GRANT_ROLE(0L, 1L << 28),
/** The privilege to revoke a role from the user or the group. */
- REVOKE_ROLE(0L, 1L << 32),
+ REVOKE_ROLE(0L, 1L << 29),
/** The privilege to get a role */
- GET_ROLE(0L, 1L << 33);
+ GET_ROLE(0L, 1L << 30);
private final long highBits;
private final long lowBits;
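Review bot: Renumbering ADD_USER through GET_ROLE from bits 23–33 down to 20–30 changes the lowBits mask of every user, group and role privilege, so any role whose privileges were serialized with the old masks would decode to different privileges (the old ADD_USER bit now reads as ADD_GROUP). The description says the feature is unreleased, which makes this acceptable, but nothing in the enum says the positions are load-bearing; a comment such as `// Bit positions are the serialized encoding of a privilege: append new values, never renumber or reuse a bit once released.` above the first constant would prevent a repeat. Whether lowBits is actually persisted or sent over the wire is not visible in this hunk and should be confirmed before relying on the renumbering being harmless.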
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
index b500e956b..cd6e5210e 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -92,14 +92,6 @@ public class Privileges {
case READ_TOPIC:
return ReadTopic.allow();
- // Metalake
- case CREATE_METALAKE:
- return CreateMetalake.allow();
- case MANAGE_METALAKE:
- return ManageMetalake.allow();
- case USE_METALAKE:
- return UseMetalake.allow();
-
// User
case ADD_USER:
return AddUser.allow();
@@ -202,14 +194,6 @@ public class Privileges {
case READ_TOPIC:
return ReadTopic.deny();
- // Metalake
- case CREATE_METALAKE:
- return CreateMetalake.deny();
- case MANAGE_METALAKE:
- return ManageMetalake.deny();
- case USE_METALAKE:
- return UseMetalake.deny();
-
// User
case ADD_USER:
return AddUser.deny();
@@ -250,24 +234,6 @@ public class Privileges {
*/
public abstract static class GenericPrivilege<T extends GenericPrivilege<T>>
implements Privilege {
-
- /**
- * Functional interface for creating instances of GenericPrivilege.
- *
- * @param <T> the type of the privilege
- */
- @FunctionalInterface
- public interface GenericPrivilegeFactory<T extends GenericPrivilege<T>> {
- /**
- * Creates a new instance of the privilege.
- *
- * @param condition the condition of the privilege
- * @param name the name of the privilege
- * @return the created privilege instance
- */
- T create(Condition condition, Name name);
- }
-
private final Condition condition;
private final Name name;
@@ -336,9 +302,9 @@ public class Privileges {
/** The privilege to alter a catalog. */
public static class AlterCatalog extends GenericPrivilege<AlterCatalog> {
private static final AlterCatalog ALLOW_INSTANCE =
- new AlterCatalog(Condition.ALLOW, Name.CREATE_CATALOG);
+ new AlterCatalog(Condition.ALLOW, Name.ALTER_CATALOG);
private static final AlterCatalog DENY_INSTANCE =
- new AlterCatalog(Condition.DENY, Name.CREATE_CATALOG);
+ new AlterCatalog(Condition.DENY, Name.ALTER_CATALOG);
private AlterCatalog(Condition condition, Name name) {
super(condition, name);
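Review bot: Before this commit every GenericPrivilege subclass in this file was constructed with Name.CREATE_CATALOG, so AlterCatalog.allow() reported itself as CREATE_CATALOG; this hunk and the following ones through RevokeRole (DropCatalog, UseCatalog, UseSchema, CreateSchema, AlterSchema, DropSchema, the table/fileset/topic classes, GetUser, AddUser, RemoveUser, AddGroup, RemoveGroup, CreateRole, GetRole, DeleteRole, GrantRole, RevokeRole) apply the same one-line correction. Any authorization check that compares privileges by name would presumably have treated all of these as CREATE_CATALOG, and the bug was only discoverable by reading each class, so a unit test that iterates `Privilege.Name.values()`, obtains the allow and deny instance for each name through the switch at the top of this file, and asserts the instance reports that same name would lock the mapping in. GetGroup, which sits between RemoveGroup and CreateRole and is not touched by this diff, is not visible here; worth confirming it already used Name.GET_GROUP rather than Name.CREATE_CATALOG. Each class body continues outside its hunk.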
@@ -358,9 +324,9 @@ public class Privileges {
/** The privilege to drop a catalog. */
public static class DropCatalog extends GenericPrivilege<DropCatalog> {
private static final DropCatalog ALLOW_INSTANCE =
- new DropCatalog(Condition.ALLOW, Name.CREATE_CATALOG);
+ new DropCatalog(Condition.ALLOW, Name.DROP_CATALOG);
private static final DropCatalog DENY_INSTANCE =
- new DropCatalog(Condition.DENY, Name.CREATE_CATALOG);
+ new DropCatalog(Condition.DENY, Name.DROP_CATALOG);
private DropCatalog(Condition condition, Name name) {
super(condition, name);
@@ -380,9 +346,9 @@ public class Privileges {
/** The privilege to use a catalog. */
public static class UseCatalog extends GenericPrivilege<UseCatalog> {
private static final UseCatalog ALLOW_INSTANCE =
- new UseCatalog(Condition.ALLOW, Name.CREATE_CATALOG);
+ new UseCatalog(Condition.ALLOW, Name.USE_CATALOG);
private static final UseCatalog DENY_INSTANCE =
- new UseCatalog(Condition.DENY, Name.CREATE_CATALOG);
+ new UseCatalog(Condition.DENY, Name.USE_CATALOG);
private UseCatalog(Condition condition, Name name) {
super(condition, name);
@@ -401,10 +367,8 @@ public class Privileges {
/** The privilege to use a schema. */
public static class UseSchema extends GenericPrivilege<UseSchema> {
- private static final UseSchema ALLOW_INSTANCE =
- new UseSchema(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final UseSchema DENY_INSTANCE =
- new UseSchema(Condition.DENY, Name.CREATE_CATALOG);
+ private static final UseSchema ALLOW_INSTANCE = new
UseSchema(Condition.ALLOW, Name.USE_SCHEMA);
+ private static final UseSchema DENY_INSTANCE = new
UseSchema(Condition.DENY, Name.USE_SCHEMA);
private UseSchema(Condition condition, Name name) {
super(condition, name);
@@ -424,9 +388,9 @@ public class Privileges {
/** The privilege to create a schema. */
public static class CreateSchema extends GenericPrivilege<CreateSchema> {
private static final CreateSchema ALLOW_INSTANCE =
- new CreateSchema(Condition.ALLOW, Name.CREATE_CATALOG);
+ new CreateSchema(Condition.ALLOW, Name.CREATE_SCHEMA);
private static final CreateSchema DENY_INSTANCE =
- new CreateSchema(Condition.DENY, Name.CREATE_CATALOG);
+ new CreateSchema(Condition.DENY, Name.CREATE_SCHEMA);
private CreateSchema(Condition condition, Name name) {
super(condition, name);
@@ -446,9 +410,9 @@ public class Privileges {
/** The privilege to alter a schema. */
public static class AlterSchema extends GenericPrivilege<AlterSchema> {
private static final AlterSchema ALLOW_INSTANCE =
- new AlterSchema(Condition.ALLOW, Name.CREATE_CATALOG);
+ new AlterSchema(Condition.ALLOW, Name.ALTER_SCHEMA);
private static final AlterSchema DENY_INSTANCE =
- new AlterSchema(Condition.DENY, Name.CREATE_CATALOG);
+ new AlterSchema(Condition.DENY, Name.ALTER_SCHEMA);
private AlterSchema(Condition condition, Name name) {
super(condition, name);
@@ -468,9 +432,9 @@ public class Privileges {
/** The privilege to drop a schema. */
public static class DropSchema extends GenericPrivilege<DropSchema> {
private static final DropSchema ALLOW_INSTANCE =
- new DropSchema(Condition.ALLOW, Name.CREATE_CATALOG);
+ new DropSchema(Condition.ALLOW, Name.DROP_SCHEMA);
private static final DropSchema DENY_INSTANCE =
- new DropSchema(Condition.DENY, Name.CREATE_CATALOG);
+ new DropSchema(Condition.DENY, Name.DROP_SCHEMA);
private DropSchema(Condition condition, Name name) {
super(condition, name);
@@ -490,9 +454,9 @@ public class Privileges {
/** The privilege to create a table. */
public static class CreateTable extends GenericPrivilege<CreateTable> {
private static final CreateTable ALLOW_INSTANCE =
- new CreateTable(Condition.ALLOW, Name.CREATE_CATALOG);
+ new CreateTable(Condition.ALLOW, Name.CREATE_TABLE);
private static final CreateTable DENY_INSTANCE =
- new CreateTable(Condition.DENY, Name.CREATE_CATALOG);
+ new CreateTable(Condition.DENY, Name.CREATE_TABLE);
private CreateTable(Condition condition, Name name) {
super(condition, name);
@@ -511,10 +475,8 @@ public class Privileges {
/** The privilege to drop a table. */
public static class DropTable extends GenericPrivilege<DropTable> {
- private static final DropTable ALLOW_INSTANCE =
- new DropTable(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final DropTable DENY_INSTANCE =
- new DropTable(Condition.DENY, Name.CREATE_CATALOG);
+ private static final DropTable ALLOW_INSTANCE = new
DropTable(Condition.ALLOW, Name.DROP_TABLE);
+ private static final DropTable DENY_INSTANCE = new
DropTable(Condition.DENY, Name.DROP_TABLE);
private DropTable(Condition condition, Name name) {
super(condition, name);
@@ -533,10 +495,8 @@ public class Privileges {
/** The privilege to read a table. */
public static class ReadTable extends GenericPrivilege<ReadTable> {
- private static final ReadTable ALLOW_INSTANCE =
- new ReadTable(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final ReadTable DENY_INSTANCE =
- new ReadTable(Condition.DENY, Name.CREATE_CATALOG);
+ private static final ReadTable ALLOW_INSTANCE = new
ReadTable(Condition.ALLOW, Name.READ_TABLE);
+ private static final ReadTable DENY_INSTANCE = new
ReadTable(Condition.DENY, Name.READ_TABLE);
private ReadTable(Condition condition, Name name) {
super(condition, name);
@@ -556,9 +516,9 @@ public class Privileges {
/** The privilege to write a table. */
public static class WriteTable extends GenericPrivilege<WriteTable> {
private static final WriteTable ALLOW_INSTANCE =
- new WriteTable(Condition.ALLOW, Name.CREATE_CATALOG);
+ new WriteTable(Condition.ALLOW, Name.WRITE_TABLE);
private static final WriteTable DENY_INSTANCE =
- new WriteTable(Condition.DENY, Name.CREATE_CATALOG);
+ new WriteTable(Condition.DENY, Name.WRITE_TABLE);
private WriteTable(Condition condition, Name name) {
super(condition, name);
@@ -578,9 +538,9 @@ public class Privileges {
/** The privilege to create a fileset. */
public static class CreateFileset extends GenericPrivilege<CreateFileset> {
private static final CreateFileset ALLOW_INSTANCE =
- new CreateFileset(Condition.ALLOW, Name.CREATE_CATALOG);
+ new CreateFileset(Condition.ALLOW, Name.CREATE_FILESET);
private static final CreateFileset DENY_INSTANCE =
- new CreateFileset(Condition.DENY, Name.CREATE_CATALOG);
+ new CreateFileset(Condition.DENY, Name.CREATE_FILESET);
private CreateFileset(Condition condition, Name name) {
super(condition, name);
@@ -600,9 +560,9 @@ public class Privileges {
/** The privilege to drop a fileset. */
public static class DropFileset extends GenericPrivilege<DropFileset> {
private static final DropFileset ALLOW_INSTANCE =
- new DropFileset(Condition.ALLOW, Name.CREATE_CATALOG);
+ new DropFileset(Condition.ALLOW, Name.DROP_FILESET);
private static final DropFileset DENY_INSTANCE =
- new DropFileset(Condition.DENY, Name.CREATE_CATALOG);
+ new DropFileset(Condition.DENY, Name.DROP_FILESET);
private DropFileset(Condition condition, Name name) {
super(condition, name);
@@ -622,9 +582,9 @@ public class Privileges {
/** The privilege to read a fileset. */
public static class ReadFileset extends GenericPrivilege<ReadFileset> {
private static final ReadFileset ALLOW_INSTANCE =
- new ReadFileset(Condition.ALLOW, Name.CREATE_CATALOG);
+ new ReadFileset(Condition.ALLOW, Name.READ_FILESET);
private static final ReadFileset DENY_INSTANCE =
- new ReadFileset(Condition.DENY, Name.CREATE_CATALOG);
+ new ReadFileset(Condition.DENY, Name.READ_FILESET);
private ReadFileset(Condition condition, Name name) {
super(condition, name);
@@ -644,9 +604,9 @@ public class Privileges {
/** The privilege to write a fileset. */
public static class WriteFileset extends GenericPrivilege<WriteFileset> {
private static final WriteFileset ALLOW_INSTANCE =
- new WriteFileset(Condition.ALLOW, Name.CREATE_CATALOG);
+ new WriteFileset(Condition.ALLOW, Name.WRITE_FILESET);
private static final WriteFileset DENY_INSTANCE =
- new WriteFileset(Condition.DENY, Name.CREATE_CATALOG);
+ new WriteFileset(Condition.DENY, Name.WRITE_FILESET);
private WriteFileset(Condition condition, Name name) {
super(condition, name);
@@ -666,9 +626,9 @@ public class Privileges {
/** The privilege to create a topic. */
public static class CreateTopic extends GenericPrivilege<CreateTopic> {
private static final CreateTopic ALLOW_INSTANCE =
- new CreateTopic(Condition.ALLOW, Name.CREATE_CATALOG);
+ new CreateTopic(Condition.ALLOW, Name.CREATE_TOPIC);
private static final CreateTopic DENY_INSTANCE =
- new CreateTopic(Condition.DENY, Name.CREATE_CATALOG);
+ new CreateTopic(Condition.DENY, Name.CREATE_TOPIC);
private CreateTopic(Condition condition, Name name) {
super(condition, name);
@@ -687,10 +647,8 @@ public class Privileges {
/** The privilege to drop a topic. */
public static class DropTopic extends GenericPrivilege<DropTopic> {
- private static final DropTopic ALLOW_INSTANCE =
- new DropTopic(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final DropTopic DENY_INSTANCE =
- new DropTopic(Condition.DENY, Name.CREATE_CATALOG);
+ private static final DropTopic ALLOW_INSTANCE = new
DropTopic(Condition.ALLOW, Name.DROP_TOPIC);
+ private static final DropTopic DENY_INSTANCE = new
DropTopic(Condition.DENY, Name.DROP_TOPIC);
private DropTopic(Condition condition, Name name) {
super(condition, name);
@@ -709,10 +667,8 @@ public class Privileges {
/** The privilege to read a topic. */
public static class ReadTopic extends GenericPrivilege<ReadTopic> {
- private static final ReadTopic ALLOW_INSTANCE =
- new ReadTopic(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final ReadTopic DENY_INSTANCE =
- new ReadTopic(Condition.DENY, Name.CREATE_CATALOG);
+ private static final ReadTopic ALLOW_INSTANCE = new
ReadTopic(Condition.ALLOW, Name.READ_TOPIC);
+ private static final ReadTopic DENY_INSTANCE = new
ReadTopic(Condition.DENY, Name.READ_TOPIC);
private ReadTopic(Condition condition, Name name) {
super(condition, name);
@@ -732,9 +688,9 @@ public class Privileges {
/** The privilege to write a topic. */
public static class WriteTopic extends GenericPrivilege<WriteTopic> {
private static final WriteTopic ALLOW_INSTANCE =
- new WriteTopic(Condition.ALLOW, Name.CREATE_CATALOG);
+ new WriteTopic(Condition.ALLOW, Name.WRITE_TOPIC);
private static final WriteTopic DENY_INSTANCE =
- new WriteTopic(Condition.DENY, Name.CREATE_CATALOG);
+ new WriteTopic(Condition.DENY, Name.WRITE_TOPIC);
private WriteTopic(Condition condition, Name name) {
super(condition, name);
@@ -751,76 +707,10 @@ public class Privileges {
}
}
- /** The privilege to manage a metalake. */
- public static class ManageMetalake extends GenericPrivilege<ManageMetalake> {
- private static final ManageMetalake ALLOW_INSTANCE =
- new ManageMetalake(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final ManageMetalake DENY_INSTANCE =
- new ManageMetalake(Condition.DENY, Name.CREATE_CATALOG);
-
- private ManageMetalake(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static ManageMetalake allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static ManageMetalake deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to create a metalake. */
- public static class CreateMetalake extends GenericPrivilege<CreateMetalake> {
- private static final CreateMetalake ALLOW_INSTANCE =
- new CreateMetalake(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final CreateMetalake DENY_INSTANCE =
- new CreateMetalake(Condition.DENY, Name.CREATE_CATALOG);
-
- private CreateMetalake(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static CreateMetalake allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static CreateMetalake deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to use a metalake. */
- public static class UseMetalake extends GenericPrivilege<UseMetalake> {
- private static final UseMetalake ALLOW_INSTANCE =
- new UseMetalake(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final UseMetalake DENY_INSTANCE =
- new UseMetalake(Condition.DENY, Name.CREATE_CATALOG);
-
- private UseMetalake(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static UseMetalake allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static UseMetalake deny() {
- return DENY_INSTANCE;
- }
- }
-
/** The privilege to get a user. */
public static class GetUser extends GenericPrivilege<GetUser> {
- private static final GetUser ALLOW_INSTANCE = new GetUser(Condition.ALLOW,
Name.CREATE_CATALOG);
- private static final GetUser DENY_INSTANCE = new GetUser(Condition.DENY,
Name.CREATE_CATALOG);
+ private static final GetUser ALLOW_INSTANCE = new GetUser(Condition.ALLOW,
Name.GET_USER);
+ private static final GetUser DENY_INSTANCE = new GetUser(Condition.DENY,
Name.GET_USER);
private GetUser(Condition condition, Name name) {
super(condition, name);
@@ -839,8 +729,8 @@ public class Privileges {
/** The privilege to add a user. */
public static class AddUser extends GenericPrivilege<AddUser> {
- private static final AddUser ALLOW_INSTANCE = new AddUser(Condition.ALLOW,
Name.CREATE_CATALOG);
- private static final AddUser DENY_INSTANCE = new AddUser(Condition.DENY,
Name.CREATE_CATALOG);
+ private static final AddUser ALLOW_INSTANCE = new AddUser(Condition.ALLOW,
Name.ADD_USER);
+ private static final AddUser DENY_INSTANCE = new AddUser(Condition.DENY,
Name.ADD_USER);
private AddUser(Condition condition, Name name) {
super(condition, name);
@@ -860,9 +750,9 @@ public class Privileges {
/** The privilege to remove a user. */
public static class RemoveUser extends GenericPrivilege<RemoveUser> {
private static final RemoveUser ALLOW_INSTANCE =
- new RemoveUser(Condition.ALLOW, Name.CREATE_CATALOG);
+ new RemoveUser(Condition.ALLOW, Name.REMOVE_USER);
private static final RemoveUser DENY_INSTANCE =
- new RemoveUser(Condition.DENY, Name.CREATE_CATALOG);
+ new RemoveUser(Condition.DENY, Name.REMOVE_USER);
private RemoveUser(Condition condition, Name name) {
super(condition, name);
@@ -881,9 +771,8 @@ public class Privileges {
/** The privilege to add a group. */
public static class AddGroup extends GenericPrivilege<AddGroup> {
- private static final AddGroup ALLOW_INSTANCE =
- new AddGroup(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final AddGroup DENY_INSTANCE = new AddGroup(Condition.DENY,
Name.CREATE_CATALOG);
+ private static final AddGroup ALLOW_INSTANCE = new
AddGroup(Condition.ALLOW, Name.ADD_GROUP);
+ private static final AddGroup DENY_INSTANCE = new AddGroup(Condition.DENY,
Name.ADD_GROUP);
private AddGroup(Condition condition, Name name) {
super(condition, name);
@@ -903,9 +792,9 @@ public class Privileges {
/** The privilege to remove a group. */
public static class RemoveGroup extends GenericPrivilege<RemoveGroup> {
private static final RemoveGroup ALLOW_INSTANCE =
- new RemoveGroup(Condition.ALLOW, Name.CREATE_CATALOG);
+ new RemoveGroup(Condition.ALLOW, Name.REMOVE_GROUP);
private static final RemoveGroup DENY_INSTANCE =
- new RemoveGroup(Condition.DENY, Name.CREATE_CATALOG);
+ new RemoveGroup(Condition.DENY, Name.REMOVE_GROUP);
private RemoveGroup(Condition condition, Name name) {
super(condition, name);
@@ -946,9 +835,9 @@ public class Privileges {
/** The privilege to create a role. */
public static class CreateRole extends GenericPrivilege<CreateRole> {
private static final CreateRole ALLOW_INSTANCE =
- new CreateRole(Condition.ALLOW, Name.CREATE_CATALOG);
+ new CreateRole(Condition.ALLOW, Name.CREATE_ROLE);
private static final CreateRole DENY_INSTANCE =
- new CreateRole(Condition.DENY, Name.CREATE_CATALOG);
+ new CreateRole(Condition.DENY, Name.CREATE_ROLE);
private CreateRole(Condition condition, Name name) {
super(condition, name);
@@ -967,8 +856,8 @@ public class Privileges {
/** The privilege to get a role. */
public static class GetRole extends GenericPrivilege<GetRole> {
- private static final GetRole ALLOW_INSTANCE = new GetRole(Condition.ALLOW,
Name.CREATE_CATALOG);
- private static final GetRole DENY_INSTANCE = new GetRole(Condition.DENY,
Name.CREATE_CATALOG);
+ private static final GetRole ALLOW_INSTANCE = new GetRole(Condition.ALLOW,
Name.GET_ROLE);
+ private static final GetRole DENY_INSTANCE = new GetRole(Condition.DENY,
Name.GET_ROLE);
private GetRole(Condition condition, Name name) {
super(condition, name);
@@ -988,9 +877,9 @@ public class Privileges {
/** The privilege to delete a role. */
public static class DeleteRole extends GenericPrivilege<DeleteRole> {
private static final DeleteRole ALLOW_INSTANCE =
- new DeleteRole(Condition.ALLOW, Name.CREATE_CATALOG);
+ new DeleteRole(Condition.ALLOW, Name.DELETE_ROLE);
private static final DeleteRole DENY_INSTANCE =
- new DeleteRole(Condition.DENY, Name.CREATE_CATALOG);
+ new DeleteRole(Condition.DENY, Name.DELETE_ROLE);
private DeleteRole(Condition condition, Name name) {
super(condition, name);
@@ -1009,10 +898,8 @@ public class Privileges {
/** The privilege to grant a role to the user or the group. */
public static class GrantRole extends GenericPrivilege<GrantRole> {
- private static final GrantRole ALLOW_INSTANCE =
- new GrantRole(Condition.ALLOW, Name.CREATE_CATALOG);
- private static final GrantRole DENY_INSTANCE =
- new GrantRole(Condition.DENY, Name.CREATE_CATALOG);
+ private static final GrantRole ALLOW_INSTANCE = new
GrantRole(Condition.ALLOW, Name.GRANT_ROLE);
+ private static final GrantRole DENY_INSTANCE = new
GrantRole(Condition.DENY, Name.GRANT_ROLE);
private GrantRole(Condition condition, Name name) {
super(condition, name);
@@ -1032,9 +919,9 @@ public class Privileges {
/** The privilege to revoke a role from the user or the group. */
public static class RevokeRole extends GenericPrivilege<RevokeRole> {
private static final RevokeRole ALLOW_INSTANCE =
- new RevokeRole(Condition.ALLOW, Name.CREATE_CATALOG);
+ new RevokeRole(Condition.ALLOW, Name.REVOKE_ROLE);
private static final RevokeRole DENY_INSTANCE =
- new RevokeRole(Condition.DENY, Name.CREATE_CATALOG);
+ new RevokeRole(Condition.DENY, Name.REVOKE_ROLE);
private RevokeRole(Condition condition, Name name) {
super(condition, name);
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
b/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
index 4fcbb0a11..8378bb215 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/SecurableObjects.java
@@ -33,17 +33,6 @@ public class SecurableObjects {
private static final Splitter DOT_SPLITTER = Splitter.on('.');
- /**
- * Create the metalake {@link SecurableObject} with the given metalake name.
- *
- * @param metalake The metalake name
- * @param privileges The privileges of the metalake
- * @return The created metalake {@link SecurableObject}
- */
- public static SecurableObject ofMetalake(String metalake, List<Privilege>
privileges) {
- return of(MetadataObject.Type.METALAKE, Lists.newArrayList(metalake),
privileges);
- }
-
/**
* Create the catalog {@link SecurableObject} with the given catalog name.
*
@@ -116,19 +105,6 @@ public class SecurableObjects {
return of(MetadataObject.Type.FILESET, names, privileges);
}
- /**
- * All metalakes is a special securable object .You can give the securable
object the privileges
- * `CREATE METALAKE`, etc. It means that you can create any which doesn't
exist. This securable
- * object is only used for metalake admin. You can't grant any privilege to
this securable object.
- * You can't bind this securable object to any role, too.
- *
- * @param privileges The privileges of the all metalakes
- * @return The created {@link SecurableObject}
- */
- public static SecurableObject ofAllMetalakes(List<Privilege> privileges) {
- return new SecurableObjectImpl(null, "*", MetadataObject.Type.METALAKE,
privileges);
- }
-
private static class SecurableObjectImpl extends MetadataObjectImpl
implements SecurableObject {
private List<Privilege> privileges;
diff --git
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
index 5fb7ebb04..230343679 100644
---
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
+++
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
@@ -27,30 +27,6 @@ public class TestSecurableObjects {
@Test
public void testSecurableObjects() {
- SecurableObject allMetalakes =
-
SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.CreateMetalake.allow()));
- Assertions.assertEquals("*", allMetalakes.fullName());
- Assertions.assertEquals(MetadataObject.Type.METALAKE, allMetalakes.type());
-
- Assertions.assertThrows(
- IllegalArgumentException.class,
- () ->
- SecurableObjects.of(
- MetadataObject.Type.METALAKE,
- Lists.newArrayList("*"),
- Lists.newArrayList(Privileges.UseMetalake.allow())));
-
- SecurableObject metalake =
- SecurableObjects.ofMetalake("metalake",
Lists.newArrayList(Privileges.UseMetalake.allow()));
- Assertions.assertEquals("metalake", metalake.fullName());
- Assertions.assertEquals(MetadataObject.Type.METALAKE, metalake.type());
- SecurableObject anotherMetalake =
- SecurableObjects.of(
- MetadataObject.Type.METALAKE,
- Lists.newArrayList("metalake"),
- Lists.newArrayList(Privileges.UseMetalake.allow()));
- Assertions.assertEquals(metalake, anotherMetalake);
-
SecurableObject catalog =
SecurableObjects.ofCatalog("catalog",
Lists.newArrayList(Privileges.UseCatalog.allow()));
Assertions.assertEquals("catalog", catalog.fullName());
diff --git a/core/src/main/java/org/apache/gravitino/Entity.java
b/core/src/main/java/org/apache/gravitino/Entity.java
index 3d6cf5d0b..96ccc40ae 100644
--- a/core/src/main/java/org/apache/gravitino/Entity.java
+++ b/core/src/main/java/org/apache/gravitino/Entity.java
@@ -55,18 +55,6 @@ public interface Entity extends Serializable {
/** The tag schema name in the system catalog. */
String TAG_SCHEMA_NAME = "tag";
- /**
- * All metalakes are a virtual entity. It represents all the metalakes. We
don't store it. We use
- * a specific type to represent its entity type.
- */
- String ALL_METALAKES_ENTITY_TYPE = "ROOT";
-
- /**
- * All metalakes are a virtual entity. It represents all the metalakes. We
don't store it. We use
- * a specific id to represent its entity id.
- */
- long ALL_METALAKES_ENTITY_ID = 0;
-
/** Enumeration defining the types of entities in the Gravitino framework. */
@Getter
enum EntityType {
diff --git
a/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
b/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
index 1fa5de878..fbde62ac7 100644
---
a/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
+++
b/core/src/main/java/org/apache/gravitino/storage/relational/service/MetadataObjectService.java
@@ -22,9 +22,7 @@ import com.google.common.base.Joiner;
import com.google.common.base.Splitter;
import java.util.List;
import javax.annotation.Nullable;
-import org.apache.gravitino.Entity;
import org.apache.gravitino.MetadataObject;
-import org.apache.gravitino.MetadataObjects;
import org.apache.gravitino.storage.relational.po.CatalogPO;
import org.apache.gravitino.storage.relational.po.FilesetPO;
import org.apache.gravitino.storage.relational.po.MetalakePO;
@@ -46,11 +44,6 @@ public class MetadataObjectService {
public static long getMetadataObjectId(
long metalakeId, String fullName, MetadataObject.Type type) {
- if (fullName.equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME)
- && type == MetadataObject.Type.METALAKE) {
- return Entity.ALL_METALAKES_ENTITY_ID;
- }
-
if (type == MetadataObject.Type.METALAKE) {
return MetalakeMetaService.getInstance().getMetalakeIdByName(fullName);
}
@@ -82,10 +75,6 @@ public class MetadataObjectService {
// Metadata object may be null because the metadata object can be deleted
asynchronously.
@Nullable
public static String getMetadataObjectFullName(String type, long
metadataObjectId) {
- if (type.equals(Entity.ALL_METALAKES_ENTITY_TYPE)) {
- return MetadataObjects.METADATA_OBJECT_RESERVED_NAME;
- }
-
MetadataObject.Type metadatatype = MetadataObject.Type.valueOf(type);
if (metadatatype == MetadataObject.Type.METALAKE) {
MetalakePO metalakePO =
MetalakeMetaService.getInstance().getMetalakePOById(metadataObjectId);
diff --git
a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
index cf8a5632a..1583a943b 100644
---
a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
+++
b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
@@ -23,7 +23,6 @@ import java.io.IOException;
import java.util.List;
import org.apache.gravitino.Entity;
import org.apache.gravitino.MetadataObject;
-import org.apache.gravitino.MetadataObjects;
import org.apache.gravitino.NameIdentifier;
import org.apache.gravitino.authorization.AuthorizationUtils;
import org.apache.gravitino.authorization.SecurableObject;
@@ -237,17 +236,10 @@ public class RoleMetaService {
}
private MetadataObject.Type getType(String type) {
- if (Entity.ALL_METALAKES_ENTITY_TYPE.equals(type)) {
- return MetadataObject.Type.METALAKE;
- }
return MetadataObject.Type.valueOf(type);
}
private String getEntityType(SecurableObject securableObject) {
- if (securableObject.type() == MetadataObject.Type.METALAKE
- &&
securableObject.name().equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME)) {
- return Entity.ALL_METALAKES_ENTITY_TYPE;
- }
return securableObject.type().name();
}
}
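Review bot: After this change `getType` and `getEntityType` are reduced to symmetric one-line conversions, `MetadataObject.Type.valueOf(type)` and `securableObject.type().name()`, so the two private helpers no longer encode any rule of their own; if nothing else in the class calls them, inlining the two expressions at the call sites would remove the indirection, otherwise a one-line Javadoc on each saying it is a plain name/enum conversion would stop a reader from looking for the special case that used to live here. The `Entity` import is kept at the top of the file while this hunk removes its only visible use; whether it is still referenced elsewhere in RoleMetaService cannot be seen from the hunk.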
diff --git
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
index ac753c18d..629910682 100644
---
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
+++
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
@@ -104,8 +104,6 @@ public class TestSecurableObjects extends TestJDBCBackend {
SecurableObject topicObject =
SecurableObjects.ofTopic(
schemaObject, "topic",
Lists.newArrayList(Privileges.ReadTopic.deny()));
- SecurableObject allMetalakesObject =
-
SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.UseMetalake.allow()));
RoleEntity role1 =
createRoleEntity(
@@ -114,12 +112,7 @@ public class TestSecurableObjects extends TestJDBCBackend {
"role1",
auditInfo,
Lists.newArrayList(
- catalogObject,
- schemaObject,
- tableObject,
- filesetObject,
- topicObject,
- allMetalakesObject),
+ catalogObject, schemaObject, tableObject, filesetObject,
topicObject),
ImmutableMap.of("k1", "v1"));
Assertions.assertDoesNotThrow(() -> roleMetaService.insertRole(role1,
false));
diff --git
a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
index 66393a0ea..18b74c84e 100644
---
a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
+++
b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
@@ -34,7 +34,6 @@ import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.gravitino.GravitinoEnv;
import org.apache.gravitino.MetadataObject;
-import org.apache.gravitino.MetadataObjects;
import org.apache.gravitino.NameIdentifier;
import org.apache.gravitino.authorization.AccessControlManager;
import org.apache.gravitino.authorization.AuthorizationUtils;
@@ -175,10 +174,6 @@ public class RoleOperations {
// Securable object ignores the metalake namespace, so we should add it
back.
if (object.type() == MetadataObject.Type.METALAKE) {
- // All metalakes don't need to check the securable object whether exists.
- if (object.name().equals(MetadataObjects.METADATA_OBJECT_RESERVED_NAME))
{
- return;
- }
identifier = NameIdentifier.parse(object.fullName());
} else {
identifier = NameIdentifier.parse(String.format("%s.%s", metalake,
object.fullName()));
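Review bot: Now that every METALAKE-typed securable object goes through the existence check, the branch still only verifies that `object.fullName()` names some existing metalake; nothing in the hunk compares that name with the `metalake` path parameter the role is being created in, so a role scoped to one metalake could reference another metalake's securable object unless the remainder of checkSecurableObject, outside this hunk, does that comparison. If it does not, a guard before the parse keeps the object inside the request's scope: `if (!metalake.equals(object.fullName())) { throw new IllegalArgumentException("Securable object " + object.fullName() + " does not belong to metalake " + metalake); }`. Separately, the TestRoleOperations hunk of this commit removes the `ofMetalake` case that exercised this retained branch (metalakeExists true → no exception, false → IllegalArgumentException) together with the all-metalakes case, so the kept code path is left without a test; restoring that one case would preserve coverage. The enclosing method starts and ends outside this hunk.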
diff --git
a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
index 34589717d..c99154eb8 100644
---
a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
+++
b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
@@ -394,27 +394,6 @@ public class TestRoleOperations extends JerseyTest {
@Test
public void testCheckSecurableObjects() {
- // check all metalakes
- SecurableObject allMetalake =
-
SecurableObjects.ofAllMetalakes(Lists.newArrayList(Privileges.UseMetalake.allow()));
- when(metalakeDispatcher.metalakeExists(any())).thenReturn(true);
- Assertions.assertDoesNotThrow(
- () -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(allMetalake)));
- when(metalakeDispatcher.metalakeExists(any())).thenReturn(false);
- Assertions.assertDoesNotThrow(
- () -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(allMetalake)));
-
- // check the metalake
- SecurableObject metalake =
- SecurableObjects.ofMetalake("metalake",
Lists.newArrayList(Privileges.UseMetalake.allow()));
- when(metalakeDispatcher.metalakeExists(any())).thenReturn(true);
- Assertions.assertDoesNotThrow(
- () -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(metalake)));
- when(metalakeDispatcher.metalakeExists(any())).thenReturn(false);
- Assertions.assertThrows(
- IllegalArgumentException.class,
- () -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(metalake)));
-
// check the catalog
SecurableObject catalog =
SecurableObjects.ofCatalog("catalog",
Lists.newArrayList(Privileges.UseCatalog.allow()));