hdygxsj commented on code in PR #7425:
URL: https://github.com/apache/gravitino/pull/7425#discussion_r2163129560
##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -162,38 +188,64 @@ private void loadPrivilege(String metalake, String
username, Long userId) {
continue;
}
enforcer.addRoleForUser(String.valueOf(userId),
String.valueOf(roleId));
- loadPolicyByRoleId(roleId);
+ loadPolicyByRoleId(role);
loadedRoles.add(roleId);
}
- // TODO load owner relationship
+ loadOwner(metalake, metadataObject, metadataObjectId);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
}
}
- private void loadPolicyByRoleId(Long roleId) {
+ private void loadOwner(String metalake, MetadataObject metadataObject, Long
metadataId) {
+ try {
+ NameIdentifier entityIdent = MetadataObjectUtil.toEntityIdent(metalake,
metadataObject);
+ EntityStore entityStore = GravitinoEnv.getInstance().entityStore();
+ List<? extends Entity> owners =
+ entityStore
+ .relationOperations()
+ .listEntitiesByRelation(
+ SupportsRelationOperations.Type.OWNER_REL,
+ entityIdent,
+ Entity.EntityType.valueOf(metadataObject.type().name()));
+ for (Entity ownerEntity : owners) {
+ if (ownerEntity instanceof UserEntity) {
+ UserEntity user = (UserEntity) ownerEntity;
+ ImmutableList<String> policy =
+ ImmutableList.of(
+ String.valueOf(user.id()),
+ String.valueOf(metadataObject.type()),
+ String.valueOf(metadataId),
+ AuthConstants.OWNER,
+ "allow");
+ enforcer.addPolicy(policy);
+ }
+ }
+ } catch (Exception e) {
+ LOG.warn("Can not load metadata owner", e);
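Review bot: In `loadOwner`, the visible lines only ever call `enforcer.addPolicy(policy)` for the current owners; nothing shown removes an OWNER policy that an earlier load added for a user who is no longer the owner. If no cleanup happens outside this quoted hunk, a previous owner could keep passing owner checks after an ownership transfer, so consider clearing the object's owner entries before the loop, for example `enforcer.removeFilteredPolicy(1, String.valueOf(metadataObject.type()), String.valueOf(metadataId), AuthConstants.OWNER);`. Owners that are not a `UserEntity` are also skipped silently; if other owner kinds exist, a debug log in an `else` branch would make the resulting denial traceable. The body of `loadOwner` and its `catch` block continue outside the quoted lines.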
Review Comment:
The EntityStore interface has two implementations. One of the
implementations throws an IOException, which needs to be caught. However, the
current execution path uses the other implementation, which is not expected to
throw any exceptions under normal circumstances. If the permissions are not
loaded correctly, the authorization check will simply return false.
##########
server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java:
##########
@@ -162,38 +188,64 @@ private void loadPrivilege(String metalake, String
username, Long userId) {
continue;
}
enforcer.addRoleForUser(String.valueOf(userId),
String.valueOf(roleId));
- loadPolicyByRoleId(roleId);
+ loadPolicyByRoleId(role);
loadedRoles.add(roleId);
}
- // TODO load owner relationship
+ loadOwner(metalake, metadataObject, metadataObjectId);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
}
}
- private void loadPolicyByRoleId(Long roleId) {
+ private void loadOwner(String metalake, MetadataObject metadataObject, Long
metadataId) {
Review Comment:
fixed