an-shi-chi-fan opened a new issue, #8674:
URL: https://github.com/apache/gravitino/issues/8674

   ### Version
   
   main branch
   
   ### Describe what's wrong
   
   Jack has catalog CatalogA
   Bob has catalog CatalogB
   
   Jack and Bob both have the role GRAVITINO_CATALOG_OWNER_ROLE
   
   Jack can visit Bob's catalog CatalogB
   
   ### Error message and/or stacktrace
   
   The code is here:
   
   ```java
   switch (metadataObject.type()) {
     case METALAKE:
     case CATALOG:
       // The metalake and catalog use role to manage the owner
       if (metadataObject.type() == MetadataObject.Type.METALAKE) {
         ownerRoleName = RangerHelper.GRAVITINO_METALAKE_OWNER_ROLE;
       } else {
         // One role name shared by every catalog, not one role per catalog
         ownerRoleName = RangerHelper.GRAVITINO_CATALOG_OWNER_ROLE;
       }
       rangerHelper.createRangerRoleIfNotExists(ownerRoleName, true);
       rangerHelper.createRangerRoleIfNotExists(RangerHelper.GRAVITINO_OWNER_ROLE, true);
       try {
         if (preOwnerUserName != null || preOwnerGroupName != null) {
           GrantRevokeRoleRequest revokeRoleRequest =
               rangerHelper.createGrantRevokeRoleRequest(
                   ownerRoleName, preOwnerUserName, preOwnerGroupName);
           rangerClient.revokeRole(rangerServiceName, revokeRoleRequest);
         }
         if (newOwnerUserName != null || newOwnerGroupName != null) {
           GrantRevokeRoleRequest grantRoleRequest =
               rangerHelper.createGrantRevokeRoleRequest(
                   ownerRoleName, newOwnerUserName, newOwnerGroupName);
           rangerClient.grantRole(rangerServiceName, grantRoleRequest);
         }
       } catch (RangerServiceException e) {
         // Ignore exception, support idempotent operation
         LOG.warn("Grant owner role: {} failed!", ownerRoleName, e);
       }

       // Every catalog's policy ends up referencing the same owner role
       rangerSecurableObjects.forEach(
           rangerSecurableObject -> {
             RangerPolicy policy = findManagedPolicy(rangerSecurableObject);
             try {
               if (policy == null) {
                 policy = addOwnerRoleToNewPolicy(rangerSecurableObject, ownerRoleName);
                 rangerClient.createPolicy(policy);
               } else {
                 rangerHelper.updatePolicyOwnerRole(policy, ownerRoleName);
                 rangerClient.updatePolicy(policy.getId(), policy);
               }
             } catch (RangerServiceException e) {
               throw new AuthorizationPluginException(e, "Failed to add the owner to the Ranger!");
             }
           });
       break;
   ```
   
   ### How to reproduce
   
   version all
   
   ### Additional context
   
   _No response_

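The situation the report describes, modelled as an added Python example (this is not Gravitino or Ranger code): a Ranger-style authorizer grants ownership by putting the owner into a role and referencing that role from the catalog's policy, so a single role name shared by all catalogs makes any catalog owner a member of the role every catalog policy trusts. The `per_catalog_role` switch, which scopes the role name to the catalog, is an assumed mitigation for illustration, not the project's actual fix.

```python
from collections import defaultdict

# Role name from the issue; every catalog's policy ends up referencing it.
GRAVITINO_CATALOG_OWNER_ROLE = "GRAVITINO_CATALOG_OWNER_ROLE"


class RangerModel:
    """Minimal stand-in for Ranger's role membership and policy tables."""

    def __init__(self):
        self.role_members = defaultdict(set)  # role -> users holding it
        self.policy_roles = defaultdict(set)  # catalog -> roles its policy allows

    def grant_role(self, role, user):
        self.role_members[role].add(user)

    def revoke_role(self, role, user):
        self.role_members[role].discard(user)

    def add_owner_role_to_policy(self, catalog, role):
        self.policy_roles[catalog].add(role)

    def can_access(self, user, catalog):
        # Access is granted if the user holds any role the catalog policy lists.
        return any(user in self.role_members[r] for r in self.policy_roles[catalog])


def set_owner(ranger, catalog, new_owner, prev_owner=None, per_catalog_role=False):
    """Mirror the CATALOG case from the issue: revoke the previous owner from
    the owner role, grant the new owner, then point the catalog policy at it.
    per_catalog_role=False reproduces the shared-role behaviour being reported;
    True scopes the role name to the catalog (assumed mitigation, not the
    project's actual fix)."""
    role = GRAVITINO_CATALOG_OWNER_ROLE
    if per_catalog_role:
        role = f"{role}_{catalog}"
    if prev_owner is not None:
        ranger.revoke_role(role, prev_owner)
    ranger.grant_role(role, new_owner)
    ranger.add_owner_role_to_policy(catalog, role)
    return role


def jack_reaches_catalog_b(per_catalog_role):
    """Jack owns CatalogA, Bob owns CatalogB; does Jack get CatalogB?"""
    ranger = RangerModel()
    set_owner(ranger, "CatalogA", "jack", per_catalog_role=per_catalog_role)
    set_owner(ranger, "CatalogB", "bob", per_catalog_role=per_catalog_role)
    return ranger.can_access("jack", "CatalogB")
```

With the shared role `jack_reaches_catalog_b(False)` is True, which is the reported behaviour; with a role scoped per catalog it is False.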

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
