xunliu commented on code in PR #7425:
URL: https://github.com/apache/gravitino/pull/7425#discussion_r2162796050
##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -162,38 +188,64 @@ private void loadPrivilege(String metalake, String
username, Long userId) {
continue;
}
enforcer.addRoleForUser(String.valueOf(userId),
String.valueOf(roleId));
- loadPolicyByRoleId(roleId);
+ loadPolicyByRoleId(role);
loadedRoles.add(roleId);
}
- // TODO load owner relationship
+ loadOwner(metalake, metadataObject, metadataObjectId);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
}
}
- private void loadPolicyByRoleId(Long roleId) {
+ private void loadOwner(String metalake, MetadataObject metadataObject, Long
metadataId) {
Review Comment:
Maybe `loadOwnerPolicy()` is a better name than `loadOwner()`?
##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -162,38 +188,64 @@ private void loadPrivilege(String metalake, String
username, Long userId) {
continue;
}
enforcer.addRoleForUser(String.valueOf(userId),
String.valueOf(roleId));
- loadPolicyByRoleId(roleId);
+ loadPolicyByRoleId(role);
loadedRoles.add(roleId);
}
- // TODO load owner relationship
+ loadOwner(metalake, metadataObject, metadataObjectId);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
}
}
- private void loadPolicyByRoleId(Long roleId) {
+ private void loadOwner(String metalake, MetadataObject metadataObject, Long
metadataId) {
+ try {
+ NameIdentifier entityIdent = MetadataObjectUtil.toEntityIdent(metalake,
metadataObject);
+ EntityStore entityStore = GravitinoEnv.getInstance().entityStore();
+ List<? extends Entity> owners =
+ entityStore
+ .relationOperations()
+ .listEntitiesByRelation(
+ SupportsRelationOperations.Type.OWNER_REL,
+ entityIdent,
+ Entity.EntityType.valueOf(metadataObject.type().name()));
+ for (Entity ownerEntity : owners) {
+ if (ownerEntity instanceof UserEntity) {
+ UserEntity user = (UserEntity) ownerEntity;
+ ImmutableList<String> policy =
+ ImmutableList.of(
+ String.valueOf(user.id()),
+ String.valueOf(metadataObject.type()),
+ String.valueOf(metadataId),
+ AuthConstants.OWNER,
+ "allow");
+ enforcer.addPolicy(policy);
+ }
+ }
+ } catch (Exception e) {
+ LOG.warn("Can not load metadata owner", e);
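Review bot: In loadOwner, the `for` loop adds a policy only when `ownerEntity instanceof UserEntity`, so any other owner entity the relation returns is dropped without a log line and the object ends up with no owner rule in the enforcer. If the OWNER_REL relation can return non-user owners (not visible here), either handle them or make the skip visible, e.g. `} else { LOG.warn("Skipping unsupported owner entity {} for {}", ownerEntity.getClass().getSimpleName(), entityIdent); }`. Separately, `enforcer.addPolicy(policy)` installs an allow rule keyed by user id and object id, and nothing in this hunk removes it, so it is worth confirming that an ownership change clears the old rule elsewhere; otherwise the previous owner would keep OWNER access. loadOwner's body continues past the quoted hunk.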
Review Comment:
We only write a log here? Do we need to do anything else, such as
rethrowing the exception?