This is an automated email from the ASF dual-hosted git repository.

roryqi pushed a commit to branch branch-1.0
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/branch-1.0 by this push:
     new 719e8d4284 [#8501] improvement: Check list operations' privilege 
(#8586)
719e8d4284 is described below

commit 719e8d42841d2fc98fbfc58c676d5abb5e41fee5
Author: github-actions[bot] 
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Sep 17 15:19:23 2025 +0800

    [#8501] improvement: Check list operations' privilege (#8586)
    
    ### What changes were proposed in this pull request?
    
    Before this pull request, list operations did not require any
    privilege.
    After this pull request, a list operation requires the usage privilege
    on the object being listed.
    
    ### Why are the changes needed?
    
    Fix: #8501
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    Add a new UT.
    
    Co-authored-by: roryqi <[email protected]>
---
 .../test/authorization/FilesetAuthorizationIT.java |  6 ++
 .../test/authorization/ModelAuthorizationIT.java   | 14 ++++-
 .../test/authorization/SchemaAuthorizationIT.java  |  2 +
 .../test/authorization/TableAuthorizationIT.java   |  6 ++
 .../test/authorization/TopicAuthorizationIT.java   | 12 ++++
 .../AuthorizationExpressionConstants.java          | 67 ++++++++++++++++++++++
 .../server/web/rest/CatalogOperations.java         |  8 +--
 .../server/web/rest/FilesetOperations.java         | 17 +++---
 .../gravitino/server/web/rest/ModelOperations.java | 49 +++++++++-------
 .../server/web/rest/SchemaOperations.java          | 20 ++++---
 .../gravitino/server/web/rest/TableOperations.java | 21 ++++---
 .../gravitino/server/web/rest/TopicOperations.java | 23 ++++----
 .../TestCatalogAuthorizationExpression.java        |  4 +-
 .../TestFilesetAuthorizationExpression.java        |  4 +-
 .../TestModelAuthorizationExpression.java          |  3 +-
 .../TestSchemaAuthorizationExpression.java         |  4 +-
 .../TestTableAuthorizationExpression.java          |  3 +-
 .../TestTopicAuthorizationExpression.java          |  4 +-
 18 files changed, 199 insertions(+), 68 deletions(-)

diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/FilesetAuthorizationIT.java
 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/FilesetAuthorizationIT.java
index 8e99f86fba..2b3f80aaf7 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/FilesetAuthorizationIT.java
+++ 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/FilesetAuthorizationIT.java
@@ -155,6 +155,12 @@ public class FilesetAuthorizationIT extends 
BaseRestApiAuthorizationIT {
               
storageLocation(GravitinoITUtils.genRandomName("FilesetAuthorizationIT_fileset2")),
               new HashMap<>());
         });
+
+    assertThrows(
+        "Can not access metadata {" + CATALOG + "." + SCHEMA + "}.",
+        ForbiddenException.class,
+        () -> filesetCatalogNormalUser.listFilesets(Namespace.of(SCHEMA)));
+
     // grant privileges
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
     gravitinoMetalake.grantPrivilegesToRole(
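Review bot: The string passed as the first argument of the new `assertThrows` call is probably never compared with the exception text: the argument order matches JUnit 4's `assertThrows(String message, Class, ThrowingRunnable)`, where the string is only the failure message (the imports are outside the hunk, so this is inferred). As written, the test pins the `ForbiddenException` type but not which object was denied, and the strings already disagree between files (`{CATALOG.SCHEMA}` here, `{METALAKE,CATALOG.SCHEMA}` in ModelAuthorizationIT). If the denial text matters, capture the exception with `ForbiddenException e = assertThrows(ForbiddenException.class, () -> filesetCatalogNormalUser.listFilesets(Namespace.of(SCHEMA)));` and assert on `e.getMessage()`; otherwise drop the string. The same applies to the assertions added in ModelAuthorizationIT, TableAuthorizationIT and TopicAuthorizationIT.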
diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
index 43c490e039..1f39f43419 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
+++ 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/ModelAuthorizationIT.java
@@ -111,6 +111,14 @@ public class ModelAuthorizationIT extends 
BaseRestApiAuthorizationIT {
         () -> {
           normalUserCatalog.registerModel(NameIdentifier.of(SCHEMA, "model2"), 
"", new HashMap<>());
         });
+
+    assertThrows(
+        "Can not access metadata {" + METALAKE + "," + CATALOG + "." + SCHEMA 
+ "}.",
+        ForbiddenException.class,
+        () -> {
+          normalUserCatalog.listModels(Namespace.of(SCHEMA));
+        });
+
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
     // test grant create schema privilege
     gravitinoMetalake.grantPrivilegesToRole(
@@ -246,8 +254,10 @@ public class ModelAuthorizationIT extends 
BaseRestApiAuthorizationIT {
     ModelCatalog modelCatalogLoadByNormalUser = 
catalogEntityLoadByNormalUser.asModelCatalog();
     int[] versions = modelCatalog.listModelVersions(NameIdentifier.of(SCHEMA, 
"model1"));
     assertEquals(2, versions.length);
-    versions = 
modelCatalogLoadByNormalUser.listModelVersions(NameIdentifier.of(SCHEMA, 
"model1"));
-    assertEquals(0, versions.length);
+    assertThrows(
+        "Can not access metadata {" + METALAKE + "," + CATALOG + "." + SCHEMA 
+ "model1" + "}.",
+        ForbiddenException.class,
+        () -> 
modelCatalogLoadByNormalUser.listModelVersions(NameIdentifier.of(SCHEMA, 
"model1")));
     gravitinoMetalake.grantPrivilegesToRole(
         role,
         MetadataObjects.of(ImmutableList.of(CATALOG, SCHEMA, "model1"), 
MetadataObject.Type.MODEL),
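Review bot: The expected-name string in the new `listModelVersions` assertion concatenates `SCHEMA + "model1"` with no separator, so it names `<schema>model1` rather than the model under the schema; it should end with `+ SCHEMA + ".model1}."`. The test still passes, which suggests the string is not compared with the exception message. The removed lines show that an unprivileged caller used to receive an empty array and now receives `ForbiddenException`. An assertion that the same call succeeds after the grant below would pin both sides of the new contract; whether one already exists is outside the hunk.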
diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/SchemaAuthorizationIT.java
 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/SchemaAuthorizationIT.java
index 27c4983f37..c92ef8e6bc 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/SchemaAuthorizationIT.java
+++ 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/SchemaAuthorizationIT.java
@@ -80,6 +80,7 @@ public class SchemaAuthorizationIT extends 
BaseRestApiAuthorizationIT {
         () -> {
           normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG);
         });
+
     // grant tester load catalog privilege
     List<SecurableObject> securableObjects = new ArrayList<>();
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
@@ -108,6 +109,7 @@ public class SchemaAuthorizationIT extends 
BaseRestApiAuthorizationIT {
         () -> {
           catalogEntityLoadByTester2.asSchemas().createSchema("schema2", 
"test2", new HashMap<>());
         });
+
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
     // test grant create schema privilege
     gravitinoMetalake.grantPrivilegesToRole(
diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TableAuthorizationIT.java
 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TableAuthorizationIT.java
index f18023f1c8..0b21e21a65 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TableAuthorizationIT.java
+++ 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TableAuthorizationIT.java
@@ -131,6 +131,12 @@ public class TableAuthorizationIT extends 
BaseRestApiAuthorizationIT {
           tableCatalogNormalUser.createTable(
               NameIdentifier.of(SCHEMA, "table2"), createColumns(), "test2", 
new HashMap<>());
         });
+    assertThrows(
+        "Can not access metadata {" + CATALOG + "." + SCHEMA + "}.",
+        ForbiddenException.class,
+        () -> {
+          tableCatalogNormalUser.listTables(Namespace.of(SCHEMA));
+        });
     // grant privileges
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
     gravitinoMetalake.grantPrivilegesToRole(
diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TopicAuthorizationIT.java
 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TopicAuthorizationIT.java
index 2bf775267e..8b31afd8a5 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TopicAuthorizationIT.java
+++ 
b/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TopicAuthorizationIT.java
@@ -121,12 +121,23 @@ public class TopicAuthorizationIT extends 
BaseRestApiAuthorizationIT {
           topicCatalogNormalUser.createTopic(
               NameIdentifier.of(SCHEMA, "topic2"), "test2", null, new 
HashMap<>());
         });
+
+    assertThrows(
+        "Can not access metadata {" + CATALOG + "." + SCHEMA + "}.",
+        ForbiddenException.class,
+        () -> {
+          topicCatalogNormalUser.listTopics(Namespace.of(SCHEMA));
+        });
+
     // grant privileges
     GravitinoMetalake gravitinoMetalake = client.loadMetalake(METALAKE);
     gravitinoMetalake.grantPrivilegesToRole(
         role,
         MetadataObjects.of(CATALOG, SCHEMA, MetadataObject.Type.SCHEMA),
         ImmutableList.of(Privileges.UseSchema.allow(), 
Privileges.CreateTopic.allow()));
+
+    
normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG).asSchemas().loadSchema(SCHEMA);
+
     // normal user can now create topic
     topicCatalogNormalUser.createTopic(
         NameIdentifier.of(SCHEMA, "topic2"), "test2", null, new HashMap<>());
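Review bot: The added statement `normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG).asSchemas().loadSchema(SCHEMA);` discards its result and has no comment, so its role as a check that the grant took effect is implicit. A comment such as `// UseSchema was granted above, so loading the schema must no longer be forbidden` would make the intent clear. The hunk also asserts that `listTopics` is forbidden before the grant but does not call it again afterwards. A positive `listTopics` assertion here would cover the allow path of the new schema-level check; a later test method does list topics, but its setup is outside this hunk.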
@@ -149,6 +160,7 @@ public class TopicAuthorizationIT extends 
BaseRestApiAuthorizationIT {
     // normal user can only see topics they have privilege for
     TopicCatalog topicCatalogNormalUser =
         
normalUserClient.loadMetalake(METALAKE).loadCatalog(CATALOG).asTopicCatalog();
+
     NameIdentifier[] topicsListNormalUser = 
topicCatalogNormalUser.listTopics(Namespace.of(SCHEMA));
     assertArrayEquals(
         new NameIdentifier[] {
diff --git 
a/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
 
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
new file mode 100644
index 0000000000..486506ba6e
--- /dev/null
+++ 
b/server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.server.authorization.expression;
+
+public class AuthorizationExpressionConstants {
+  public static final String loadCatalogAuthorizationExpression =
+      "ANY_USE_CATALOG || ANY(OWNER, METALAKE, CATALOG)";
+
+  public static final String loadSchemaAuthorizationExpression =
+      " ANY(OWNER, METALAKE, CATALOG) || "
+          + "ANY_USE_CATALOG && (SCHEMA::OWNER || ANY_USE_SCHEMA) ";
+
+  public static final String loadModelAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG) ||"
+          + " SCHEMA_OWNER_WITH_USE_CATALOG || "
+          + " ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER || 
ANY_USE_MODEL)";
+
+  public static final String loadTableAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG) ||"
+          + "SCHEMA_OWNER_WITH_USE_CATALOG ||"
+          + "ANY_USE_CATALOG && ANY_USE_SCHEMA  && (TABLE::OWNER || 
ANY_SELECT_TABLE || ANY_MODIFY_TABLE)";
+
+  public static final String loadTopicsAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG) || "
+          + "SCHEMA_OWNER_WITH_USE_CATALOG || "
+          + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER || 
ANY_CONSUME_TOPIC || ANY_PRODUCE_TOPIC)";
+
+  public static final String loadFilesetAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG) || "
+          + "SCHEMA_OWNER_WITH_USE_CATALOG || "
+          + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER || 
ANY_READ_FILESET || ANY_WRITE_FILESET)";
+
+  public static final String filterSchemaAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG, SCHEMA) || ANY_USE_SCHEMA";
+
+  public static final String filterModelAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG, SCHEMA, MODEL) || ANY_USE_MODEL";
+
+  public static final String filterTableAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG, SCHEMA, TABLE) || "
+          + "ANY_SELECT_TABLE || "
+          + "ANY_MODIFY_TABLE";
+
+  public static final String filterTopicsAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG, SCHEMA, TOPIC) || "
+          + "ANY_CONSUME_TOPIC || "
+          + "ANY_PRODUCE_TOPIC";
+
+  public static final String filterFilesetAuthorizationExpression =
+      "ANY(OWNER, METALAKE, CATALOG, SCHEMA, FILESET) || "
+          + "ANY_READ_FILESET || "
+          + "ANY_WRITE_FILESET";
+}
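Review bot: The `filter*` expressions are weaker than the matching `load*` expressions and nothing in the class says why: `filterTableAuthorizationExpression` accepts `ANY_SELECT_TABLE` on its own, while `loadTableAuthorizationExpression` also demands `ANY_USE_CATALOG && ANY_USE_SCHEMA`. That appears safe only because each list endpoint is now guarded by an `@AuthorizationExpression` on the parent object before `MetadataFilterHelper.filterByExpression` runs (FilesetOperations, ModelOperations and SchemaOperations in this commit); reused without that guard, a filter constant would return names the load check would refuse. A class Javadoc stating the precondition, e.g. `/** filter* expressions assume the caller has already passed the parent object's load* check; never use them as a standalone access check. */`, would keep the coupling visible. The load expressions also mix `||` and `&&` without parentheses, and in `loadTableAuthorizationExpression` the fragments are joined with no space around `||`, so they depend on the evaluator's precedence and tokenising, which is not visible here; explicit parentheses would remove the doubt. As a constants holder the class could also be `final` with a private constructor.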
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/CatalogOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/CatalogOperations.java
index 68a8a56f2e..c1e36b8c09 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/CatalogOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/CatalogOperations.java
@@ -57,6 +57,7 @@ import org.apache.gravitino.metrics.MetricNames;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -72,9 +73,6 @@ public class CatalogOperations {
 
   private final CatalogDispatcher catalogDispatcher;
 
-  private static final String loadCatalogAuthorizationExpression =
-      "ANY_USE_CATALOG || ANY(OWNER, METALAKE, CATALOG)";
-
   @Context private HttpServletRequest httpRequest;
 
   @Inject
@@ -104,7 +102,7 @@ public class CatalogOperations {
               catalogs =
                   MetadataFilterHelper.filterByExpression(
                       metalake,
-                      loadCatalogAuthorizationExpression,
+                      
AuthorizationExpressionConstants.loadCatalogAuthorizationExpression,
                       Entity.EntityType.CATALOG,
                       catalogs,
                       (catalogEntity) ->
@@ -117,7 +115,7 @@ public class CatalogOperations {
               idents =
                   MetadataFilterHelper.filterByExpression(
                       metalake,
-                      loadCatalogAuthorizationExpression,
+                      
AuthorizationExpressionConstants.loadCatalogAuthorizationExpression,
                       Entity.EntityType.CATALOG,
                       idents);
               Response response = Utils.ok(new EntityListResponse(idents));
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
index cc73414602..b476ad9c36 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/FilesetOperations.java
@@ -64,6 +64,7 @@ import org.apache.gravitino.rest.RESTUtils;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -77,11 +78,6 @@ public class FilesetOperations {
 
   private final FilesetDispatcher dispatcher;
 
-  private static final String loadFilesetAuthorizationExpression =
-      "ANY(OWNER, METALAKE, CATALOG) || "
-          + "SCHEMA_OWNER_WITH_USE_CATALOG || "
-          + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (FILESET::OWNER || 
ANY_READ_FILESET || ANY_WRITE_FILESET)";
-
   @Context private HttpServletRequest httpRequest;
 
   @Inject
@@ -93,6 +89,9 @@ public class FilesetOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-fileset." + MetricNames.HTTP_PROCESS_DURATION, absolute 
= true)
   @ResponseMetered(name = "list-fileset", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadSchemaAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.SCHEMA)
   public Response listFilesets(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
           String metalake,
@@ -109,7 +108,7 @@ public class FilesetOperations {
             idents =
                 MetadataFilterHelper.filterByExpression(
                     metalake,
-                    loadFilesetAuthorizationExpression,
+                    
AuthorizationExpressionConstants.filterFilesetAuthorizationExpression,
                     Entity.EntityType.FILESET,
                     idents);
             Response response = Utils.ok(new EntityListResponse(idents));
@@ -190,7 +189,7 @@ public class FilesetOperations {
   @Timed(name = "load-fileset." + MetricNames.HTTP_PROCESS_DURATION, absolute 
= true)
   @ResponseMetered(name = "load-fileset", absolute = true)
   @AuthorizationExpression(
-      expression = loadFilesetAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadFilesetAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.FILESET)
   public Response loadFileset(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -221,7 +220,7 @@ public class FilesetOperations {
   @Timed(name = "list-fileset-files." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "list-fileset-files", absolute = true)
   @AuthorizationExpression(
-      expression = loadFilesetAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadFilesetAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.FILESET)
   public Response listFiles(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -352,7 +351,7 @@ public class FilesetOperations {
   @Timed(name = "get-file-location." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "get-file-location", absolute = true)
   @AuthorizationExpression(
-      expression = loadFilesetAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadFilesetAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.FILESET)
   public Response getFileLocation(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
index a77b47ef88..5c2e1ea7e2 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/ModelOperations.java
@@ -66,6 +66,7 @@ import org.apache.gravitino.model.ModelVersionChange;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -77,11 +78,6 @@ public class ModelOperations {
 
   private static final Logger LOG = 
LoggerFactory.getLogger(ModelOperations.class);
 
-  private static final String loadModelAuthorizationExpression =
-      "ANY(OWNER, METALAKE, CATALOG) ||"
-          + " SCHEMA_OWNER_WITH_USE_CATALOG || "
-          + " ANY_USE_CATALOG && ANY_USE_SCHEMA && (MODEL::OWNER || 
ANY_USE_MODEL)";
-
   private final ModelDispatcher modelDispatcher;
 
   @Context private HttpServletRequest httpRequest;
@@ -95,10 +91,14 @@ public class ModelOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-model." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "list-model", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadSchemaAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.SCHEMA)
   public Response listModels(
-      @PathParam("metalake") String metalake,
-      @PathParam("catalog") String catalog,
-      @PathParam("schema") String schema) {
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("catalog") @AuthorizationMetadata(type = 
Entity.EntityType.CATALOG) String catalog,
+      @PathParam("schema") @AuthorizationMetadata(type = 
Entity.EntityType.SCHEMA) String schema) {
     LOG.info("Received list models request for schema: {}.{}.{}", metalake, 
catalog, schema);
     Namespace modelNs = NamespaceUtil.ofModel(metalake, catalog, schema);
 
@@ -110,7 +110,10 @@ public class ModelOperations {
             modelIds = modelIds == null ? new NameIdentifier[0] : modelIds;
             modelIds =
                 MetadataFilterHelper.filterByExpression(
-                    metalake, loadModelAuthorizationExpression, 
Entity.EntityType.MODEL, modelIds);
+                    metalake,
+                    
AuthorizationExpressionConstants.filterModelAuthorizationExpression,
+                    Entity.EntityType.MODEL,
+                    modelIds);
             LOG.info("List {} models under schema {}", modelIds.length, 
modelNs);
             return Utils.ok(new EntityListResponse(modelIds));
           });
@@ -126,7 +129,7 @@ public class ModelOperations {
   @Timed(name = "get-model." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "get-model", absolute = true)
   @AuthorizationExpression(
-      expression = loadModelAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.MODEL)
   public Response getModel(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -239,11 +242,15 @@ public class ModelOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-model-versions." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "list-model-versions", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.MODEL)
   public Response listModelVersions(
-      @PathParam("metalake") String metalake,
-      @PathParam("catalog") String catalog,
-      @PathParam("schema") String schema,
-      @PathParam("model") String model,
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("catalog") @AuthorizationMetadata(type = 
Entity.EntityType.CATALOG) String catalog,
+      @PathParam("schema") @AuthorizationMetadata(type = 
Entity.EntityType.SCHEMA) String schema,
+      @PathParam("model") @AuthorizationMetadata(type = 
Entity.EntityType.MODEL) String model,
       @QueryParam("details") @DefaultValue("false") boolean verbose) {
     LOG.info("Received list model versions request: {}.{}.{}.{}", metalake, 
catalog, schema, model);
     NameIdentifier modelId = NameIdentifierUtil.ofModel(metalake, catalog, 
schema, model);
@@ -266,7 +273,8 @@ public class ModelOperations {
                                 };
                             return MetadataFilterHelper.filterByExpression(
                                         metalake,
-                                        loadModelAuthorizationExpression,
+                                        AuthorizationExpressionConstants
+                                            .loadModelAuthorizationExpression,
                                         Entity.EntityType.MODEL_VERSION,
                                         nameIdentifiers)
                                     .length
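Review bot: This per-version filter still evaluates `loadModelAuthorizationExpression`, the same expression that the new `@AuthorizationExpression` on `listModelVersions` already enforces for the parent model. If the evaluator resolves a `MODEL_VERSION` identifier to its model (not visible in this diff), the filter can no longer remove anything and only adds an authorization lookup per version; if it resolves differently, the effective rule for versions is undocumented. Either confirm it is redundant before removing it, or add a comment such as `// NOTE: same expression as the endpoint check on listModelVersions; kept as a second check per version`. The same call appears in the next hunk (`@@ -290,7 +298,8 @@`), and the enclosing lambda starts and ends outside both hunks.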
@@ -290,7 +298,8 @@ public class ModelOperations {
                                 };
                             return MetadataFilterHelper.filterByExpression(
                                         metalake,
-                                        loadModelAuthorizationExpression,
+                                        AuthorizationExpressionConstants
+                                            .loadModelAuthorizationExpression,
                                         Entity.EntityType.MODEL_VERSION,
                                         nameIdentifiers)
                                     .length
@@ -313,7 +322,7 @@ public class ModelOperations {
   @Timed(name = "get-model-version." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "get-model-version", absolute = true)
   @AuthorizationExpression(
-      expression = loadModelAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.MODEL)
   public Response getModelVersion(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -352,7 +361,7 @@ public class ModelOperations {
   @Timed(name = "get-model-alias." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "get-model-alias", absolute = true)
   @AuthorizationExpression(
-      expression = loadModelAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.MODEL)
   public Response getModelVersionByAlias(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -679,7 +688,7 @@ public class ModelOperations {
   @Timed(name = "get-model-version-uri." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "get-model-version-uri", absolute = true)
   @AuthorizationExpression(
-      expression = loadModelAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.MODEL)
   public Response getModelVersionUri(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
@@ -719,7 +728,7 @@ public class ModelOperations {
   @Timed(name = "get-model-alias-uri." + MetricNames.HTTP_PROCESS_DURATION, 
absolute = true)
   @ResponseMetered(name = "get-model-alias-uri", absolute = true)
   @AuthorizationExpression(
-      expression = loadModelAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadModelAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.MODEL)
   public Response getModelVersionUriByAlias(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/SchemaOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/SchemaOperations.java
index fe3e909cfd..9877b07365 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/SchemaOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/SchemaOperations.java
@@ -53,6 +53,7 @@ import org.apache.gravitino.metrics.MetricNames;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -66,10 +67,6 @@ public class SchemaOperations {
 
   private static final Logger LOG = 
LoggerFactory.getLogger(SchemaOperations.class);
 
-  private static final String loadSchemaAuthorizationExpression =
-      " ANY(OWNER, METALAKE, CATALOG) || "
-          + "ANY_USE_CATALOG && (SCHEMA::OWNER || ANY_USE_SCHEMA) ";
-
   private final SchemaDispatcher dispatcher;
 
   @Context private HttpServletRequest httpRequest;
@@ -83,8 +80,14 @@ public class SchemaOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-schema." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "list-schema", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadCatalogAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.CATALOG)
   public Response listSchemas(
-      @PathParam("metalake") String metalake, @PathParam("catalog") String 
catalog) {
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("catalog") @AuthorizationMetadata(type = 
Entity.EntityType.CATALOG)
+          String catalog) {
     LOG.info("Received list schema request for catalog: {}.{}", metalake, 
catalog);
     try {
       return Utils.doAs(
@@ -94,7 +97,10 @@ public class SchemaOperations {
             NameIdentifier[] idents = dispatcher.listSchemas(schemaNS);
             idents =
                 MetadataFilterHelper.filterByExpression(
-                    metalake, loadSchemaAuthorizationExpression, 
Entity.EntityType.SCHEMA, idents);
+                    metalake,
+                    
AuthorizationExpressionConstants.filterSchemaAuthorizationExpression,
+                    Entity.EntityType.SCHEMA,
+                    idents);
             Response response = Utils.ok(new EntityListResponse(idents));
             LOG.info("List {} schemas in catalog {}.{}", idents.length, 
metalake, catalog);
             return response;
@@ -143,7 +149,7 @@ public class SchemaOperations {
   @Timed(name = "load-schema." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "load-schema", absolute = true)
   @AuthorizationExpression(
-      expression = loadSchemaAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadSchemaAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.SCHEMA)
   public Response loadSchema(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
index 5df8577199..8c79b6ee26 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/TableOperations.java
@@ -54,6 +54,7 @@ import org.apache.gravitino.rel.TableChange;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -65,11 +66,6 @@ public class TableOperations {
 
   private static final Logger LOG = 
LoggerFactory.getLogger(TableOperations.class);
 
-  private static final String loadTableAuthorizationExpression =
-      "ANY(OWNER, METALAKE, CATALOG) ||"
-          + "SCHEMA_OWNER_WITH_USE_CATALOG ||"
-          + "ANY_USE_CATALOG && ANY_USE_SCHEMA  && (TABLE::OWNER || 
ANY_SELECT_TABLE || ANY_MODIFY_TABLE)";
-
   private final TableDispatcher dispatcher;
 
   @Context private HttpServletRequest httpRequest;
@@ -83,10 +79,14 @@ public class TableOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-table." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "list-table", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadSchemaAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.SCHEMA)
   public Response listTables(
-      @PathParam("metalake") String metalake,
-      @PathParam("catalog") String catalog,
-      @PathParam("schema") String schema) {
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("catalog") @AuthorizationMetadata(type = 
Entity.EntityType.CATALOG) String catalog,
+      @PathParam("schema") @AuthorizationMetadata(type = 
Entity.EntityType.SCHEMA) String schema) {
     LOG.info("Received list tables request for schema: {}.{}.{}", metalake, 
catalog, schema);
     try {
       return Utils.doAs(
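Review bot: `listTables` is now gated by `AuthorizationExpressionConstants.loadSchemaAuthorizationExpression`, a constant named for loading a schema, so a later change to schema-load rules will silently change who may list tables; the `listTopics` hunk in TopicOperations does the same. A comment above the annotation would record the intent, e.g. `// Listing tables requires the privilege to load the parent schema; per-table visibility is applied by the filter below`. Callers without that privilege presumably now get an authorization error where the old code returned a filtered list, which looks like a user-facing change worth stating in the release notes. Because the `LOG.info` sits inside the method body, it is also worth confirming that denied list requests are logged by whatever enforces the annotation. The body of `listTables` continues outside the hunk.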
@@ -96,7 +96,10 @@ public class TableOperations {
             NameIdentifier[] idents = dispatcher.listTables(tableNS);
             idents =
                 MetadataFilterHelper.filterByExpression(
-                    metalake, loadTableAuthorizationExpression, 
Entity.EntityType.TABLE, idents);
+                    metalake,
+                    
AuthorizationExpressionConstants.filterTableAuthorizationExpression,
+                    Entity.EntityType.TABLE,
+                    idents);
             Response response = Utils.ok(new EntityListResponse(idents));
             LOG.info(
                 "List {} tables under schema: {}.{}.{}", idents.length, 
metalake, catalog, schema);
diff --git 
a/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
 
b/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
index 5e273643e9..6eb04d4c13 100644
--- 
a/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
+++ 
b/server/src/main/java/org/apache/gravitino/server/web/rest/TopicOperations.java
@@ -49,6 +49,7 @@ import org.apache.gravitino.metrics.MetricNames;
 import org.apache.gravitino.server.authorization.MetadataFilterHelper;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.Utils;
 import org.apache.gravitino.utils.NameIdentifierUtil;
 import org.apache.gravitino.utils.NamespaceUtil;
@@ -59,11 +60,6 @@ import org.slf4j.LoggerFactory;
 public class TopicOperations {
   private static final Logger LOG = 
LoggerFactory.getLogger(TopicOperations.class);
 
-  private static final String loadTopicsAuthorizationExpression =
-      "ANY(OWNER, METALAKE, CATALOG) || "
-          + "SCHEMA_OWNER_WITH_USE_CATALOG || "
-          + "ANY_USE_CATALOG && ANY_USE_SCHEMA && (TOPIC::OWNER || 
ANY_CONSUME_TOPIC || ANY_PRODUCE_TOPIC)";
-
   private final TopicDispatcher dispatcher;
 
   @Context private HttpServletRequest httpRequest;
@@ -77,10 +73,14 @@ public class TopicOperations {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-topic." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "list-topic", absolute = true)
+  @AuthorizationExpression(
+      expression = 
AuthorizationExpressionConstants.loadSchemaAuthorizationExpression,
+      accessMetadataType = MetadataObject.Type.SCHEMA)
   public Response listTopics(
-      @PathParam("metalake") String metalake,
-      @PathParam("catalog") String catalog,
-      @PathParam("schema") String schema) {
+      @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("catalog") @AuthorizationMetadata(type = 
Entity.EntityType.CATALOG) String catalog,
+      @PathParam("schema") @AuthorizationMetadata(type = 
Entity.EntityType.SCHEMA) String schema) {
     try {
       LOG.info("Received list topics request for schema: {}.{}.{}", metalake, 
catalog, schema);
       return Utils.doAs(
@@ -92,7 +92,10 @@ public class TopicOperations {
             topics = topics == null ? new NameIdentifier[0] : topics;
             topics =
                 MetadataFilterHelper.filterByExpression(
-                    metalake, loadTopicsAuthorizationExpression, 
Entity.EntityType.TOPIC, topics);
+                    metalake,
+                    
AuthorizationExpressionConstants.filterTopicsAuthorizationExpression,
+                    Entity.EntityType.TOPIC,
+                    topics);
             Response response = Utils.ok(new EntityListResponse(topics));
             LOG.info(
                 "List {} topics under schema: {}.{}.{}", topics.length, 
metalake, catalog, schema);
@@ -156,7 +159,7 @@ public class TopicOperations {
   @Timed(name = "load-topic." + MetricNames.HTTP_PROCESS_DURATION, absolute = 
true)
   @ResponseMetered(name = "load-topic", absolute = true)
   @AuthorizationExpression(
-      expression = loadTopicsAuthorizationExpression,
+      expression = 
AuthorizationExpressionConstants.loadTopicsAuthorizationExpression,
       accessMetadataType = MetadataObject.Type.TOPIC)
   public Response loadTopic(
       @PathParam("metalake") @AuthorizationMetadata(type = 
Entity.EntityType.METALAKE)
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestCatalogAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestCatalogAuthorizationExpression.java
index 6728fea8ee..13ca35bba4 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestCatalogAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestCatalogAuthorizationExpression.java
@@ -26,6 +26,7 @@ import ognl.OgnlException;
 import org.apache.gravitino.dto.requests.CatalogCreateRequest;
 import org.apache.gravitino.dto.requests.CatalogUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.CatalogOperations;
 import org.junit.jupiter.api.Test;
 
@@ -74,7 +75,8 @@ public class TestCatalogAuthorizationExpression {
   @Test
   public void testListCatalog() throws NoSuchFieldException, 
IllegalAccessException, OgnlException {
     Field loadTableAuthorizationExpressionField =
-        
CatalogOperations.class.getDeclaredField("loadCatalogAuthorizationExpression");
+        AuthorizationExpressionConstants.class.getDeclaredField(
+            "loadCatalogAuthorizationExpression");
     loadTableAuthorizationExpressionField.setAccessible(true);
     String loadTableAuthExpression = (String) 
loadTableAuthorizationExpressionField.get(null);
     MockAuthorizationExpressionEvaluator mockEvaluator =
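Review bot: The test still reads the expression through `getDeclaredField(...)` plus `setAccessible(true)`, which is unnecessary if the constant is accessible from the test; the REST classes in this commit reference sibling constants of `AuthorizationExpressionConstants` directly from another package, so they are presumably public. A direct reference, `String loadTableAuthExpression = AuthorizationExpressionConstants.loadCatalogAuthorizationExpression;`, turns a renamed or removed constant into a compile error instead of a runtime `NoSuchFieldException`, which matters for tests that guard authorization rules. The same simplification applies to the reflective lookups in the Fileset, Model, Schema, Table and Topic test hunks. The test method continues outside the hunk.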
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestFilesetAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestFilesetAuthorizationExpression.java
index 806a7d0036..50e466b8c1 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestFilesetAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestFilesetAuthorizationExpression.java
@@ -27,6 +27,7 @@ import ognl.OgnlException;
 import org.apache.gravitino.dto.requests.FilesetCreateRequest;
 import org.apache.gravitino.dto.requests.FilesetUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.FilesetOperations;
 import org.junit.jupiter.api.Test;
 
@@ -80,7 +81,8 @@ public class TestFilesetAuthorizationExpression {
   @Test
   public void testLoadFileset() throws OgnlException, NoSuchFieldException, 
IllegalAccessException {
     Field loadFilesetAuthorizationExpressionField =
-        
FilesetOperations.class.getDeclaredField("loadFilesetAuthorizationExpression");
+        AuthorizationExpressionConstants.class.getDeclaredField(
+            "loadFilesetAuthorizationExpression");
     loadFilesetAuthorizationExpressionField.setAccessible(true);
     String loadFilesetAuthorizationExpression =
         (String) loadFilesetAuthorizationExpressionField.get(null);
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
index b000eebf8e..46643485c3 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestModelAuthorizationExpression.java
@@ -29,6 +29,7 @@ import org.apache.gravitino.dto.requests.ModelUpdatesRequest;
 import org.apache.gravitino.dto.requests.ModelVersionLinkRequest;
 import org.apache.gravitino.dto.requests.ModelVersionUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.ModelOperations;
 import org.junit.jupiter.api.Test;
 
@@ -83,7 +84,7 @@ public class TestModelAuthorizationExpression {
   @Test
   public void testLoadModel() throws OgnlException, NoSuchFieldException, 
IllegalAccessException {
     Field loadModelAuthorizationExpressionField =
-        
ModelOperations.class.getDeclaredField("loadModelAuthorizationExpression");
+        
AuthorizationExpressionConstants.class.getDeclaredField("loadModelAuthorizationExpression");
     loadModelAuthorizationExpressionField.setAccessible(true);
     String loadModelAuthExpression = (String) 
loadModelAuthorizationExpressionField.get(null);
     MockAuthorizationExpressionEvaluator mockEvaluator =
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestSchemaAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestSchemaAuthorizationExpression.java
index b2ddc646d3..62faa45303 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestSchemaAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestSchemaAuthorizationExpression.java
@@ -26,6 +26,7 @@ import ognl.OgnlException;
 import org.apache.gravitino.dto.requests.SchemaCreateRequest;
 import org.apache.gravitino.dto.requests.SchemaUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.SchemaOperations;
 import org.junit.jupiter.api.Test;
 
@@ -93,7 +94,8 @@ public class TestSchemaAuthorizationExpression {
   @Test
   public void testListSchema() throws NoSuchFieldException, 
IllegalAccessException, OgnlException {
     Field loadTableAuthorizationExpressionField =
-        
SchemaOperations.class.getDeclaredField("loadSchemaAuthorizationExpression");
+        AuthorizationExpressionConstants.class.getDeclaredField(
+            "loadSchemaAuthorizationExpression");
     loadTableAuthorizationExpressionField.setAccessible(true);
     String loadTableAuthExpression = (String) 
loadTableAuthorizationExpressionField.get(null);
     MockAuthorizationExpressionEvaluator mockEvaluator =
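Review bot: `testListSchema` still evaluates `loadSchemaAuthorizationExpression`, but the SchemaOperations change in this commit filters list results with `filterSchemaAuthorizationExpression`, so the expression that decides per-schema visibility in a list is not exercised here. `testListTable` has the same gap: it reads `loadTableAuthorizationExpression`, while `listTables` is gated by `loadSchemaAuthorizationExpression` and filtered by `filterTableAuthorizationExpression`. Unless a test elsewhere in the commit covers them, I would add cases that evaluate the filter constants with both granted and denied privilege sets. The test method continues outside the hunk.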
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTableAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTableAuthorizationExpression.java
index 5190327aa8..95e6189217 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTableAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTableAuthorizationExpression.java
@@ -27,6 +27,7 @@ import ognl.OgnlException;
 import org.apache.gravitino.dto.requests.TableCreateRequest;
 import org.apache.gravitino.dto.requests.TableUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.TableOperations;
 import org.junit.jupiter.api.Test;
 
@@ -81,7 +82,7 @@ public class TestTableAuthorizationExpression {
   @Test
   public void testListTable() throws IllegalAccessException, OgnlException, 
NoSuchFieldException {
     Field loadTableAuthorizationExpressionField =
-        
TableOperations.class.getDeclaredField("loadTableAuthorizationExpression");
+        
AuthorizationExpressionConstants.class.getDeclaredField("loadTableAuthorizationExpression");
     loadTableAuthorizationExpressionField.setAccessible(true);
     String loadTableAuthExpression = (String) 
loadTableAuthorizationExpressionField.get(null);
     MockAuthorizationExpressionEvaluator mockEvaluator =
diff --git 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTopicAuthorizationExpression.java
 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTopicAuthorizationExpression.java
index e9f5a32fc1..676be42aeb 100644
--- 
a/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTopicAuthorizationExpression.java
+++ 
b/server/src/test/java/org/apache/gravitino/server/web/rest/authorization/TestTopicAuthorizationExpression.java
@@ -27,6 +27,7 @@ import ognl.OgnlException;
 import org.apache.gravitino.dto.requests.TopicCreateRequest;
 import org.apache.gravitino.dto.requests.TopicUpdatesRequest;
 import 
org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
+import 
org.apache.gravitino.server.authorization.expression.AuthorizationExpressionConstants;
 import org.apache.gravitino.server.web.rest.TopicOperations;
 import org.junit.jupiter.api.Test;
 
@@ -75,7 +76,8 @@ public class TestTopicAuthorizationExpression {
   @Test
   public void testLoadTopics() throws OgnlException, NoSuchFieldException, 
IllegalAccessException {
     Field loadTopicsAuthorizationExpressionField =
-        
TopicOperations.class.getDeclaredField("loadTopicsAuthorizationExpression");
+        AuthorizationExpressionConstants.class.getDeclaredField(
+            "loadTopicsAuthorizationExpression");
     loadTopicsAuthorizationExpressionField.setAccessible(true);
     String loadTopicsAuthorizationExpression =
         (String) loadTopicsAuthorizationExpressionField.get(null);

