an-shi-chi-fan opened a new issue, #7837:
URL: https://github.com/apache/gravitino/issues/7837
### Version
main branch
### Describe what's wrong
## Scenario 1
1. Create a role
2. Add users to the role
3. Grant permissions to the role on catalog (assuming it's the Ranger plugin)
When the permissions are granted, the Ranger plugin will be missing the roles and users (only
one policy will be created, which automatically creates a role).
## Scenario 2
Create a role and grant permissions for catalog1.
Grant permissions for catalog2 to the role.
The Ranger plugin for catalog2 will also be missing the users and roles.
### Error message and/or stacktrace
no message
### How to reproduce
See Scenario 1 and Scenario 2
### Additional context
/**
 * Grants {@code privileges} on {@code object} to the role {@code role} of {@code metalake} and
 * propagates the grant to the authorization plugin(s) responsible for the object.
 *
 * <p>Two different plugin paths are involved, and they run at different times:
 *
 * <ul>
 *   <li>If the grant is the role's first permission in the object's catalog (as decided by
 *       {@code checkContainsNewCatalogPermission}), the role and its current users are pushed to
 *       that catalog's plugin <em>eagerly, inside the store update callback</em>:
 *       {@code onRoleCreated}, then per user {@code onUserAdded} and
 *       {@code onGrantedRolesToUser}.
 *   <li>The privilege changes themselves are recorded in {@code authorizationPluginCallbackWrapper}
 *       while the new securable objects are computed, and are executed only after
 *       {@code store.update} has returned.
 * </ul>
 *
 * If the eager role/user sync is skipped for a catalog that the plugin does not know the role in
 * yet, the deferred privilege callbacks still run but the plugin has no role/user binding to attach
 * them to. NOTE(review): this looks like the path exercised by the reported scenarios — confirm.
 *
 * @param metalake the metalake that owns the role
 * @param role the name of the role to grant to
 * @param object the metadata object the privileges apply to
 * @param privileges the privileges to grant on {@code object}
 * @return the updated role as stored
 * @throws NoSuchRoleException if the role does not exist in the metalake
 * @throws RuntimeException wrapping the {@link IOException} raised by the entity store
 */
Role grantPrivilegesToRole(
    String metalake, String role, MetadataObject object, Set<Privilege> privileges) {
  try {
    AuthorizationPluginCallbackWrapper authorizationPluginCallbackWrapper =
        new AuthorizationPluginCallbackWrapper();
    Role updatedRole =
        store.update(
            AuthorizationUtils.ofRole(metalake, role),
            RoleEntity.class,
            Entity.EntityType.ROLE,
            roleEntity -> {
              // roleEntity is the pre-grant entity; the new securable objects are only
              // computed further down.
              if (checkContainsNewCatalogPermission(roleEntity.securableObjects(), object)) {
                // Membership as of this grant; users added to the role later are not covered
                // by this loop.
                User[] users = roleManager.listRoleUsers(metalake, role);
                // The role is announced to the plugin with an empty securable-object list; its
                // privileges arrive afterwards through the deferred wrapper callbacks.
                // NOTE(review): these plugin calls run inside the store update callback, so a
                // failure here presumably aborts the update before the wrapper has executed
                // anything — confirm the intended store/plugin failure semantics.
                AuthorizationUtils.callAuthorizationPluginForMetadataObject(
                    metalake,
                    object,
                    authorizationPlugin -> {
                      authorizationPlugin.onRoleCreated(
                          RoleEntity.builder()
                              .withId(roleEntity.id())
                              .withName(role)
                              .withAuditInfo(roleEntity.auditInfo())
                              .withSecurableObjects(Lists.newArrayList())
                              .build());
                    });
                for (User user : users) {
                  AuthorizationUtils.callAuthorizationPluginForMetadataObject(
                      metalake,
                      object,
                      authorizationPlugin -> {
                        authorizationPlugin.onUserAdded(user);
                      });
                  // Binds the user to the (still pre-grant) role entity in the plugin.
                  AuthorizationUtils.callAuthorizationPluginForMetadataObject(
                      metalake,
                      object,
                      authorizationPlugin -> {
                        authorizationPlugin.onGrantedRolesToUser(
                            Lists.newArrayList(roleEntity), user);
                      });
                }
              }
              // Either add a securable object for `object` or merge the privileges into the
              // existing one; both helpers register their plugin work on the wrapper rather
              // than calling the plugin directly.
              List<SecurableObject> grantedSecurableObjects =
                  generateNewSecurableObjects(
                      roleEntity.securableObjects(),
                      object,
                      targetObject -> {
                        if (targetObject == null) {
                          return createNewSecurableObject(
                              metalake,
                              role,
                              object,
                              privileges,
                              roleEntity,
                              authorizationPluginCallbackWrapper);
                        } else {
                          return updateGrantedSecurableObject(
                              metalake,
                              role,
                              object,
                              privileges,
                              roleEntity,
                              targetObject,
                              authorizationPluginCallbackWrapper);
                        }
                      });
              // Keep creator/createTime; stamp the current principal and time as last modifier.
              AuditInfo auditInfo =
                  AuditInfo.builder()
                      .withCreator(roleEntity.auditInfo().creator())
                      .withCreateTime(roleEntity.auditInfo().createTime())
                      .withLastModifier(PrincipalUtils.getCurrentPrincipal().getName())
                      .withLastModifiedTime(Instant.now())
                      .build();
              return RoleEntity.builder()
                  .withId(roleEntity.id())
                  .withName(roleEntity.name())
                  .withNamespace(roleEntity.namespace())
                  .withProperties(roleEntity.properties())
                  .withAuditInfo(auditInfo)
                  .withSecurableObjects(grantedSecurableObjects)
                  .build();
            });
    // Execute the authorization plugin callback (the deferred privilege changes) only once the
    // store update has succeeded.
    authorizationPluginCallbackWrapper.execute();
    return updatedRole;
  } catch (NoSuchEntityException nse) {
    // nse is logged but not attached as the cause of the exception thrown to the caller.
    LOG.error("Failed to grant, role {} does not exist in the metalake {}", role, metalake, nse);
    throw new NoSuchRoleException(ROLE_DOES_NOT_EXIST_MSG, role, metalake);
  } catch (IOException ioe) {
    // Storage failures are surfaced unchecked; the original cause is preserved.
    LOG.error("Grant privileges to {} failed due to storage issues", role, ioe);
    throw new RuntimeException(ioe);
  }
}
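/**
 * Returns whether {@code targetObject} lies in a catalog that none of the role's existing
 * securable objects already cover, i.e. whether this grant is the role's first permission in
 * that catalog and the role/users must be synced to the catalog's authorization plugin.
 *
 * <p>Metalake- and role-typed targets are never treated as a new catalog permission.
 *
 * @param securableObjects the role's current securable objects; {@code null} or empty means the
 *     role has no permissions yet, so any catalog target counts as new
 * @param targetObject the object the privileges are being granted on
 * @return {@code true} if no existing securable object belongs to the target's catalog
 */
private boolean checkContainsNewCatalogPermission(
    List<SecurableObject> securableObjects, MetadataObject targetObject) {
  if (targetObject.type() == MetadataObject.Type.METALAKE
      || targetObject.type() == MetadataObject.Type.ROLE) {
    return false;
  }
  if (securableObjects == null || securableObjects.isEmpty()) {
    return true;
  }
  // Compare the catalog component exactly. A plain startsWith() on the full name would treat
  // an existing "catalog10.schema" object as already covering catalog "catalog1", and the
  // role/user sync to catalog1's plugin would then be skipped.
  String catalogName = targetObject.fullName().split("\\.", 2)[0];
  return securableObjects.stream()
      .map(SecurableObject::fullName)
      .map(fullName -> fullName.split("\\.", 2)[0])
      .noneMatch(catalogName::equals);
}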