This is an automated email from the ASF dual-hosted git repository.
yuqi4733 pushed a commit to branch branch-1.1
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-1.1 by this push:
new f8e77a00de [Cherry-pick to branch-1.1] [#9936][followup] fix(iceberg):
Fix the authz decode issue for table name (#9999) (#10008)
f8e77a00de is described below
commit f8e77a00deabdb5fe3b9de8b443664a65a07e9ad
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Feb 25 17:42:56 2026 +0800
[Cherry-pick to branch-1.1] [#9936][followup] fix(iceberg): Fix the authz
decode issue for table name (#9999) (#10008)
**Cherry-pick Information:**
- Original commit: b4ffccc93187225bee2f3acd6991979b6f626971
- Target branch: `branch-1.1`
- Status: ✅ Clean cherry-pick (no conflicts)
---------
Co-authored-by: qqqttt123 <[email protected]>
Co-authored-by: Rory <[email protected]>
---
...bergMetadataAuthorizationMethodInterceptor.java | 4 +-
...bergMetadataAuthorizationMethodInterceptor.java | 178 +++++++++++++++++++++
2 files changed, 181 insertions(+), 1 deletion(-)
diff --git
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/server/web/filter/IcebergMetadataAuthorizationMethodInterceptor.java
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/server/web/filter/IcebergMetadataAuthorizationMethodInterceptor.java
index f5d9c997d2..858aa4b74e 100644
---
a/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/server/web/filter/IcebergMetadataAuthorizationMethodInterceptor.java
+++
b/iceberg/iceberg-rest-server/src/main/java/org/apache/gravitino/server/web/filter/IcebergMetadataAuthorizationMethodInterceptor.java
@@ -76,7 +76,9 @@ public class IcebergMetadataAuthorizationMethodInterceptor
break;
case TABLE:
nameIdentifierMap.put(
- EntityType.TABLE, NameIdentifierUtil.ofTable(metalakeName,
catalog, schema, value));
+ EntityType.TABLE,
+ NameIdentifierUtil.ofTable(
+ metalakeName, catalog, schema,
RESTUtil.decodeString(value)));
break;
default:
break;
diff --git
a/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/server/web/filter/TestIcebergMetadataAuthorizationMethodInterceptor.java
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/server/web/filter/TestIcebergMetadataAuthorizationMethodInterceptor.java
new file mode 100644
index 0000000000..7f06f783ed
--- /dev/null
+++
b/iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/server/web/filter/TestIcebergMetadataAuthorizationMethodInterceptor.java
@@ -0,0 +1,178 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.server.web.filter;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.lang.reflect.Method;
+import java.lang.reflect.Parameter;
+import java.util.Map;
+import org.apache.gravitino.Entity;
+import org.apache.gravitino.NameIdentifier;
+import
org.apache.gravitino.iceberg.service.authorization.IcebergRESTServerContext;
+import org.apache.gravitino.iceberg.service.provider.IcebergConfigProvider;
+import
org.apache.gravitino.server.authorization.annotations.AuthorizationMetadata;
+import org.apache.gravitino.utils.NameIdentifierUtil;
+import org.apache.iceberg.rest.RESTUtil;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.TestInstance;
+import org.mockito.Mockito;
+
+/** Test for {@link IcebergMetadataAuthorizationMethodInterceptor}. */
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+public class TestIcebergMetadataAuthorizationMethodInterceptor {
+
+ private static final String TEST_METALAKE = "test_metalake";
+ private static final String TEST_CATALOG = "test_catalog";
+ private static final String TEST_SCHEMA = "test_schema";
+
+ @BeforeAll
+ public void init() {
+ // Initialize IcebergRESTServerContext with a mock config provider
+ IcebergConfigProvider mockConfigProvider =
Mockito.mock(IcebergConfigProvider.class);
+
Mockito.when(mockConfigProvider.getMetalakeName()).thenReturn(TEST_METALAKE);
+
Mockito.when(mockConfigProvider.getDefaultCatalogName()).thenReturn(TEST_CATALOG);
+ IcebergRESTServerContext.create(mockConfigProvider, false);
+ }
+
+ @Test
+ public void testExtractTableNameIdentifierWithEncodedTableName() throws
Exception {
+ IcebergMetadataAuthorizationMethodInterceptor interceptor =
+ new IcebergMetadataAuthorizationMethodInterceptor();
+
+ // Get the method with annotations
+ Method testMethod =
+ TestOperations.class.getMethod(
+ "testTableOperation", String.class, String.class, String.class);
+ Parameter[] parameters = testMethod.getParameters();
+
+ // Test with encoded table name (e.g., table name with special characters)
+ String encodedTableName = RESTUtil.encodeString("my-table");
+ Object[] args = new Object[] {TEST_CATALOG + "/", TEST_SCHEMA,
encodedTableName};
+
+ // Extract name identifiers
+ Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
+ interceptor.extractNameIdentifierFromParameters(parameters, args);
+
+ // Verify metalake
+ NameIdentifier metalakeId =
nameIdentifierMap.get(Entity.EntityType.METALAKE);
+ assertNotNull(metalakeId);
+ assertEquals(TEST_METALAKE, metalakeId.name());
+
+ // Verify catalog
+ NameIdentifier catalogId =
nameIdentifierMap.get(Entity.EntityType.CATALOG);
+ assertNotNull(catalogId);
+ assertEquals(TEST_CATALOG, catalogId.name());
+ assertEquals(
+ NameIdentifierUtil.ofCatalog(TEST_METALAKE, TEST_CATALOG).toString(),
catalogId.toString());
+
+ // Verify schema
+ NameIdentifier schemaId = nameIdentifierMap.get(Entity.EntityType.SCHEMA);
+ assertNotNull(schemaId);
+ assertEquals(TEST_SCHEMA, schemaId.name());
+ assertEquals(
+ NameIdentifierUtil.ofSchema(TEST_METALAKE, TEST_CATALOG,
TEST_SCHEMA).toString(),
+ schemaId.toString());
+
+ // Verify table - this tests that RESTUtil.decodeString is properly called
on line 81
+ NameIdentifier tableId = nameIdentifierMap.get(Entity.EntityType.TABLE);
+ assertNotNull(tableId);
+ assertEquals("my-table", tableId.name());
+ assertEquals(
+ NameIdentifierUtil.ofTable(TEST_METALAKE, TEST_CATALOG, TEST_SCHEMA,
"my-table").toString(),
+ tableId.toString());
+ }
+
+ @Test
+ public void testExtractTableNameIdentifierWithSpecialCharacters() throws
Exception {
+ IcebergMetadataAuthorizationMethodInterceptor interceptor =
+ new IcebergMetadataAuthorizationMethodInterceptor();
+
+ Method testMethod =
+ TestOperations.class.getMethod(
+ "testTableOperation", String.class, String.class, String.class);
+ Parameter[] parameters = testMethod.getParameters();
+
+ // Test with table name containing special characters that need URL
encoding
+ String tableNameWithSpecialChars = "table/with%special&chars";
+ String encodedTableName = RESTUtil.encodeString(tableNameWithSpecialChars);
+ Object[] args = new Object[] {TEST_CATALOG + "/", TEST_SCHEMA,
encodedTableName};
+
+ Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
+ interceptor.extractNameIdentifierFromParameters(parameters, args);
+
+ // Verify that the table name is properly decoded
+ NameIdentifier tableId = nameIdentifierMap.get(Entity.EntityType.TABLE);
+ assertNotNull(tableId);
+ assertEquals(tableNameWithSpecialChars, tableId.name());
+ }
+
+ @Test
+ public void testExtractTableNameIdentifierWithSimpleTableName() throws
Exception {
+ IcebergMetadataAuthorizationMethodInterceptor interceptor =
+ new IcebergMetadataAuthorizationMethodInterceptor();
+
+ Method testMethod =
+ TestOperations.class.getMethod(
+ "testTableOperation", String.class, String.class, String.class);
+ Parameter[] parameters = testMethod.getParameters();
+
+ // Test with simple table name (no special characters)
+ String simpleTableName = "simple_table";
+ Object[] args = new Object[] {TEST_CATALOG + "/", TEST_SCHEMA,
simpleTableName};
+
+ Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
+ interceptor.extractNameIdentifierFromParameters(parameters, args);
+
+ // Verify that the table name is properly processed
+ NameIdentifier tableId = nameIdentifierMap.get(Entity.EntityType.TABLE);
+ assertNotNull(tableId);
+ assertEquals(simpleTableName, tableId.name());
+ }
+
+ @Test
+ public void testIsExceptionPropagate() {
+ IcebergMetadataAuthorizationMethodInterceptor interceptor =
+ new IcebergMetadataAuthorizationMethodInterceptor();
+
+ // Test Iceberg exception propagation
+ Exception icebergException = new
org.apache.iceberg.exceptions.NoSuchTableException("test");
+ assertTrue(interceptor.isExceptionPropagate(icebergException));
+
+ // Test non-Iceberg exception
+ Exception otherException = new RuntimeException("test");
+ assertFalse(interceptor.isExceptionPropagate(otherException));
+ }
+
+ /** Test operations class to provide method annotations for testing. */
+ @SuppressWarnings("unused")
+ public static class TestOperations {
+ public void testTableOperation(
+ @AuthorizationMetadata(type = Entity.EntityType.CATALOG) String prefix,
+ @AuthorizationMetadata(type = Entity.EntityType.SCHEMA) String
namespace,
+ @AuthorizationMetadata(type = Entity.EntityType.TABLE) String table) {
+ // Test method
+ }
+ }
+}
