This is an automated email from the ASF dual-hosted git repository. jshao pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/gravitino.git
commit d33e30c3d1a2347b14ebedcae938df13f6c11423 Author: yangyang zhong <[email protected]> AuthorDate: Tue Apr 29 10:05:50 2025 +0800 [#6774] feat(authz): Support initialize GravitinoAuthorizer (#7062) ### What changes were proposed in this pull request? Support initialize GravitinoAuthorizer ### Why are the changes needed? Fix: #6774 ### Does this PR introduce _any_ user-facing change? None ### How was this patch tested? 1、org.apache.gravitino.server.authorization.TestGravitinoAuthorizerProvider 2、org.apache.gravitino.server.authorization.TestAllowAuthorizer
---
 .../authorization/GravitinoAuthorizerProvider.java | 19 ++++++++--
 ...uthorizeApi.java => PassThroughAuthorizer.java} | 34 ++++++++++++------
 .../annotations/MetadataAuthorizeApi.java | 24 -------------
 .../TestGravitinoAuthorizerProvider.java | 40 ++++++++++++++++++++++
 .../authorization/TestPassThroughAuthorizer.java} | 24 ++++++++-----
 .../authorization/annotations/TestAnnotations.java | 2 +-
 .../gravitino/server/TestGravitinoServer.java | 2 +-
 7 files changed, 98 insertions(+), 47 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
index ad48590feb..49390cf27f 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/GravitinoAuthorizerProvider.java
@@ -17,6 +17,7 @@
 package org.apache.gravitino.server.authorization;
+import org.apache.gravitino.Configs;
 import org.apache.gravitino.server.ServerConfig;
 /**
@@ -31,7 +32,7 @@ public class GravitinoAuthorizerProvider {
 private GravitinoAuthorizerProvider() {}
- private GravitinoAuthorizer gravitinoAuthorizer;
+ private volatile GravitinoAuthorizer gravitinoAuthorizer;
 /**
 * Instantiate the {@link GravitinoAuthorizer}, and then execute the initialize method in the
@@ -40,7 +41,21 @@ public class GravitinoAuthorizerProvider {
 * @param serverConfig Gravitino server config
 */
 public void initialize(ServerConfig serverConfig) {
- // TODO
+ if (gravitinoAuthorizer == null) {
+ synchronized (this) {
+ if (gravitinoAuthorizer == null) {
+ boolean enableAuthorization = serverConfig.get(Configs.ENABLE_AUTHORIZATION);
+ if (enableAuthorization) {
+ // TODO
+ } else {
+ gravitinoAuthorizer = new PassThroughAuthorizer();
+ }
+ if (gravitinoAuthorizer != null) {
+ gravitinoAuthorizer.initialize();
+ }
+ }
+ }
+ }
 }
 public static GravitinoAuthorizerProvider getInstance() {
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
similarity index 54%
rename from server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java
rename to server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
index b45cf7707a..645b946b6b 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/ExpressionsAuthorizeApi.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/PassThroughAuthorizer.java
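Review bot: In `initialize`, the volatile field is assigned (`gravitinoAuthorizer = new PassThroughAuthorizer();`) before `gravitinoAuthorizer.initialize()` runs, so a thread that fails the outer null check can obtain an authorizer whose `initialize()` has not finished, and if `initialize()` throws, the uninitialized instance stays published and every later call skips it. That is harmless for the no-op `PassThroughAuthorizer`, but the same path will carry the real authorizer once the `// TODO` branch is filled in, so build and initialize a local and assign the field last. Separately, with `Configs.ENABLE_AUTHORIZATION` set the method returns with the field still null, so whatever calls `getGravitinoAuthorizer()` (not visible in this hunk) has to cope with null until that branch lands; a comment saying so, or an explicit failure, would make that state deliberate rather than silent. The body of `getInstance()` continues outside the hunk.

```java
public void initialize(ServerConfig serverConfig) {
  // … unchanged: outer null check and synchronized (this) re-check …
      boolean enableAuthorization = serverConfig.get(Configs.ENABLE_AUTHORIZATION);
      GravitinoAuthorizer authorizer = null;
      if (enableAuthorization) {
        // TODO
      } else {
        authorizer = new PassThroughAuthorizer();
      }
      if (authorizer != null) {
        authorizer.initialize();
      }
      // Publish only after initialize() has returned normally.
      gravitinoAuthorizer = authorizer;
  // … unchanged: closing braces …
```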
@@ -15,17 +15,31 @@
 * under the License.
 */
-package org.apache.gravitino.server.authorization.annotations;
+package org.apache.gravitino.server.authorization;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
+import java.io.IOException;
+import java.security.Principal;
+import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.authorization.Privilege;
 /**
- * This annotation is used to implement unified authentication in AOP. Use Expressions to define the
- * required privileges for an API.
+ * The default implementation of GravitinoAuthorizer, indicating that metadata permission control is
+ * not enabled.
 */
-@Target({ElementType.METHOD})
-@Retention(RetentionPolicy.RUNTIME)
-public @interface ExpressionsAuthorizeApi {}
+public class PassThroughAuthorizer implements GravitinoAuthorizer {
+
+ @Override
+ public void initialize() {}
+
+ @Override
+ public boolean authorize(
+ Principal principal,
+ String metalake,
+ MetadataObject metadataObject,
+ Privilege.Name privilege) {
+ return true;
+ }
+
+ @Override
+ public void close() throws IOException {}
+}
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java
deleted file mode 100644
index 2fae8439fb..0000000000
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/MetadataAuthorizeApi.java
+++ /dev/null
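Review bot: `authorize` returns `true` for every call without reading any argument, yet nothing on the method says so and the class Javadoc only calls it "the default implementation". Since this is the object that answers access decisions when authorization is switched off, state the contract where a maintainer will see it, e.g. on the method `/** Always returns {@code true}; principal, metalake, metadataObject and privilege are not inspected. */`, and add to the class comment that it is meant to be installed only when `Configs.ENABLE_AUTHORIZATION` is false, never as a fallback when a real authorizer cannot be created. As a smaller style point, `close()` has an empty body and could drop `throws IOException`, since an override may narrow the throws clause.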
@@ -1,24 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- * http://www.apache.org/licenses/LICENSE-2.0
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.gravitino.server.authorization.annotations;
-
-/**
- * Defines the annotation for authorizing access to an API. Use the resourceType and privileges
- * fields to define the required privileges and resource type for the API.
- */
-public @interface MetadataAuthorizeApi {}
diff --git a/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java
new file mode 100644
index 0000000000..888080ced3
--- /dev/null
+++ b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestGravitinoAuthorizerProvider.java
@@ -0,0 +1,40 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.server.authorization;
+
+import org.apache.gravitino.Configs;
+import org.apache.gravitino.server.ServerConfig;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+/** Test of {@link GravitinoAuthorizerProvider} */
+public class TestGravitinoAuthorizerProvider {
+
+ @Test
+ public void testInitializeAllowAuthorizer() {
+ ServerConfig serverConfig = new ServerConfig();
+ serverConfig.set(Configs.ENABLE_AUTHORIZATION, false);
+ GravitinoAuthorizerProvider.getInstance().initialize(serverConfig);
+ GravitinoAuthorizer gravitinoAuthorizer =
+ GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
+ Assertions.assertInstanceOf(
+ PassThroughAuthorizer.class,
+ gravitinoAuthorizer,
+ "Error initializing GravitinoAuthorizerProvider");
+ }
+}
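Review bot: `testInitializeAllowAuthorizer` runs against the process-wide `GravitinoAuthorizerProvider.getInstance()`, and `initialize` as written in this commit does nothing once the field is non-null, so the assertion checks whatever the first `initialize` call in the JVM installed rather than the `serverConfig` built here. It passes today only because `PassThroughAuthorizer` is the sole implementation, and it will become order-dependent once the enabled branch exists. A test-only way to reset the provider would isolate it, and a second case with `serverConfig.set(Configs.ENABLE_AUTHORIZATION, true)` should pin what `getGravitinoAuthorizer()` returns in that state, which no test in this commit covers. The method name also still says "AllowAuthorizer" while the class is `PassThroughAuthorizer`; `testInitializePassThroughAuthorizer` would match.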
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
similarity index 59%
rename from server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java
rename to server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
index 9fa04357ba..32e8510cce 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/annotations/AuthorizeMetadata.java
+++ b/server-common/src/test/java/org/apache/gravitino/server/authorization/TestPassThroughAuthorizer.java
@@ -15,14 +15,20 @@
 * under the License.
 */
-package org.apache.gravitino.server.authorization.annotations;
+package org.apache.gravitino.server.authorization;
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
+import java.io.IOException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
-/** This annotation identify which parameters in the request are to be used for authorization. */
-@Target({ElementType.PARAMETER, ElementType.FIELD})
-@Retention(RetentionPolicy.RUNTIME)
-public @interface AuthorizeMetadata {}
+/** Test of {@link PassThroughAuthorizer} */
+public class TestPassThroughAuthorizer {
+
+ @Test
+ public void testAuthorize() throws IOException {
+ try (PassThroughAuthorizer passThroughAuthorizer = new PassThroughAuthorizer()) {
+ boolean result = passThroughAuthorizer.authorize(null, null, null, null);
+ Assertions.assertTrue(result, "Logic error in PassThroughAuthorizer");
+ }
+ }
+}
diff --git a/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java b/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
index 9bad0c47d6..75a041eabb 100644
--- a/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
+++ b/server-common/src/test/java/org/apache/gravitino/server/authorization/annotations/TestAnnotations.java
@@ -45,7 +45,7 @@ public class TestAnnotations {
 // This class is used to test the AuthorizeApi annotation.
 // 1. ResourceAuthorizeApi
- // 2. ExpressionsAuthorizeApi
+ // 2. AuthorizationExpression
 static class TestAuthorizeAnnotationClass {
 @AuthorizationMetadataPrivileges(
 privileges = {Privilege.Name.CREATE_CATALOG, Privilege.Name.USE_CATALOG},
diff --git a/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java b/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
index 428d642491..2155047c9e 100644
--- a/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
+++ b/server/src/test/java/org/apache/gravitino/server/TestGravitinoServer.java
@@ -81,7 +81,7 @@ public class TestGravitinoServer {
 }
 @AfterEach
- public void tearDown() {
+ public void tearDown() throws IOException {
 if (gravitinoServer != null) {
 gravitinoServer.stop();
 }
