This is an automated email from the ASF dual-hosted git repository. jshao pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/gravitino.git
commit 3afd0f4131bb7a986977d1923de001165707d03d Author: Kyle Lin <[email protected]> AuthorDate: Thu Jun 19 10:09:46 2025 +0800 [#6786] fix(authz): modify querying roles by user in ROLE_USER_REL relation for JcasbinAuthorizer (#7376) ### What changes were proposed in this pull request? Currently, the `ROLE_USER_REL` relation in `JDBCBackend` only supports querying users by role, but not querying roles by user. This causes issues in `JcasbinAuthorizer` when trying to load user privileges. This PR adds support for querying roles by user in the `ROLE_USER_REL` relation by modifying the `listEntitiesByRelation` method in `JDBCBackend`. ### Why are the changes needed? Fixes #6786 ### Does this PR introduce any user-facing change? No. ### How was this patch tested? Ran `./gradlew clean build`
---
 .../apache/gravitino/storage/relational/JDBCBackend.java | 2 ++
 .../storage/relational/service/RoleMetaService.java | 13 +++++++++++++
 .../server/authorization/jcasbin/JcasbinAuthorizer.java | 2 +-
 .../server/authorization/jcasbin/TestJcasbinAuthorizer.java | 8 ++++----
 4 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/core/src/main/java/org/apache/gravitino/storage/relational/JDBCBackend.java b/core/src/main/java/org/apache/gravitino/storage/relational/JDBCBackend.java
index 0911a3a5df..a51e306310 100644
--- a/core/src/main/java/org/apache/gravitino/storage/relational/JDBCBackend.java
+++ b/core/src/main/java/org/apache/gravitino/storage/relational/JDBCBackend.java
@@ -464,6 +464,8 @@ public class JDBCBackend implements RelationalBackend {
 case ROLE_USER_REL:
 if (identType == Entity.EntityType.ROLE) {
 return (List<E>) UserMetaService.getInstance().listUsersByRoleIdent(nameIdentifier);
+ } else if (identType == Entity.EntityType.USER) {
+ return (List<E>) RoleMetaService.getInstance().listRolesByUserIdent(nameIdentifier);
 } else {
 throw new IllegalArgumentException(
 String.format("ROLE_USER_REL doesn't support type %s", identType.name()));
diff --git a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
index 0522a3cb95..c75462005a 100644
--- a/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
+++ b/core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
@@ -40,6 +40,7 @@ import org.apache.gravitino.authorization.AuthorizationUtils;
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.exceptions.NoSuchEntityException;
 import org.apache.gravitino.meta.RoleEntity;
+import org.apache.gravitino.meta.UserEntity;
 import org.apache.gravitino.storage.relational.mapper.GroupRoleRelMapper;
 import org.apache.gravitino.storage.relational.mapper.OwnerMetaMapper;
 import org.apache.gravitino.storage.relational.mapper.RoleMetaMapper;
@@ -85,6 +86,18 @@ public class RoleMetaService {
 RoleMetaMapper.class, mapper -> mapper.listRolesByUserId(userId));
 }
 
+ public List<RoleEntity> listRolesByUserIdent(NameIdentifier userIdent) {
+ UserEntity user = UserMetaService.getInstance().getUserByIdentifier(userIdent);
+ String metalake = NameIdentifierUtil.getMetalake(userIdent);
+ List<RolePO> rolePOs = listRolesByUserId(user.id());
+ return rolePOs.stream()
+ .map(
+ po ->
+ POConverters.fromRolePO(
+ po, Collections.emptyList(), AuthorizationUtils.ofRoleNamespace(metalake)))
+ .collect(Collectors.toList());
+ }
+
 public List<RoleEntity> listRolesByMetadataObject(
 NameIdentifier metadataObjectIdent, Entity.EntityType metadataObjectType, boolean allFields) {
 String metalake = NameIdentifierUtil.getMetalake(metadataObjectIdent);
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
index dce344053d..0daebb94a8 100644
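Review bot: `listRolesByUserIdent` is a new public method with no Javadoc, and its contract matters because the roles it returns are what `JcasbinAuthorizer` turns into privileges: the `Collections.emptyList()` passed to `POConverters.fromRolePO` means every returned `RoleEntity` carries no securable objects, which a caller could misread as a role that grants nothing, whereas the sibling `listRolesByMetadataObject` makes that choice explicit through its `allFields` flag. I would add `/** Returns the roles bound to {@code userIdent}. Securable objects are not loaded: the result identifies roles (id, name, metalake) but does not describe their privileges. */` above the method. If `UserMetaService.getUserByIdentifier` throws `NoSuchEntityException` for an unknown user (the class imports that type, but the call's behaviour is not visible in this hunk), a `@throws` clause should say so, because whether an authorization check for a principal with no user entity fails closed or blows up depends on it.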
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/jcasbin/JcasbinAuthorizer.java
@@ -148,7 +148,7 @@ public class JcasbinAuthorizer implements GravitinoAuthorizer {
 .listEntitiesByRelation(
 SupportsRelationOperations.Type.ROLE_USER_REL,
 NameIdentifierUtil.ofUser(metalake, username),
- Entity.EntityType.ROLE);
+ Entity.EntityType.USER);
 for (RoleEntity role : entities) {
 Long roleId = role.id();
diff --git a/server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java b/server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java
index d1a44cedc3..4919c469c3 100644
--- a/server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java
+++ b/server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java
@@ -165,7 +165,7 @@ public class TestJcasbinAuthorizer {
 when(supportsRelationOperations.listEntitiesByRelation(
 eq(SupportsRelationOperations.Type.ROLE_USER_REL),
 eq(userNameIdentifier),
- eq(Entity.EntityType.ROLE)))
+ eq(Entity.EntityType.USER)))
 .thenReturn(ImmutableList.of(allowRole));
 assertTrue(doAuthorize(currentPrincipal));
 // Test role cache.
@@ -176,7 +176,7 @@ public class TestJcasbinAuthorizer {
 when(supportsRelationOperations.listEntitiesByRelation(
 eq(SupportsRelationOperations.Type.ROLE_USER_REL),
 eq(userNameIdentifier),
- eq(Entity.EntityType.ROLE)))
+ eq(Entity.EntityType.USER)))
 .thenReturn(ImmutableList.of(tempNewRole));
 assertTrue(doAuthorize(currentPrincipal));
 // After clearing the cache, authorize will fail
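Review bot: The third argument to `listEntitiesByRelation` is the type of the identifier being passed (the user built by `NameIdentifierUtil.ofUser`), not the type of entity returned, and the removed `Entity.EntityType.ROLE` shows how easy that is to get backwards; a one-line comment would stop the same regression: `// identType describes the identifier we pass (USER); the backend returns the other side of the relation (roles)`. Because the returned roles are what grant privileges, a wrong type here silently yields the wrong entity set rather than a compile error, so the comment earns its line. The enclosing method starts and ends outside this hunk, so I cannot see how `entities` is declared or whether a backend exception for an unknown user is caught on this path.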
@@ -186,7 +186,7 @@ public class TestJcasbinAuthorizer {
 when(supportsRelationOperations.listEntitiesByRelation(
 eq(SupportsRelationOperations.Type.ROLE_USER_REL),
 eq(userNameIdentifier),
- eq(Entity.EntityType.ROLE)))
+ eq(Entity.EntityType.USER)))
 .thenReturn(ImmutableList.of(allowRole));
 assertTrue(doAuthorize(currentPrincipal));
 // Test deny
@@ -194,7 +194,7 @@ public class TestJcasbinAuthorizer {
 when(supportsRelationOperations.listEntitiesByRelation(
 eq(SupportsRelationOperations.Type.ROLE_USER_REL),
 eq(userNameIdentifier),
- eq(Entity.EntityType.ROLE)))
+ eq(Entity.EntityType.USER)))
 .thenReturn(ImmutableList.of(allowRole, denyRole));
 assertFalse(doAuthorize(currentPrincipal));
 }
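Review bot: The four hunks in this test only flip the mocked `identType` from `ROLE` to `USER`, so nothing in the PR exercises the new code path itself — `JDBCBackend.listEntitiesByRelation` with `EntityType.USER` and `RoleMetaService.listRolesByUserIdent` — and the description says the patch was only built, not tested. A backend-level test that creates a user, grants it a role, and asserts that `listEntitiesByRelation(ROLE_USER_REL, userIdent, Entity.EntityType.USER)` returns that role, plus one asserting a user with no grants yields an empty list, would pin the fix. Since this is the lookup that decides which privileges a principal has, an assertion for an identifier that names no user (whatever the intended outcome is) is also worth adding, because a mocked `SupportsRelationOperations` can never surface that case.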
