[#2967] feat(api,server): Add the more privileges #2965
Conversation
qqqttt123
force-pushed
the
ISSUE-2235-part2
branch
2 times, most recently
from
1f48ae3 to
c891960
Compare
qqqttt123
changed the title
qqqttt123
force-pushed
the
ISSUE-2235-part2
branch
from
c891960 to
f1231a7
Compare
qqqttt123
changed the title
|
The logic of this pull request is simple, there exists duplicate code, although this is a little large, so I don't divide it into two pull requests. |
qqqttt123
force-pushed
the
ISSUE-2235-part2
branch
from
f1231a7 to
f75aa10
Compare
|
Is it ready for reviewing? @qqqttt123 |
Yes. It is ready. |
| /** The privilege to drop a table. */ | ||
| DROP_TABLE, | ||
| /** The privilege to read a table. */ | ||
| READ_TABLE, |
There was a problem hiding this comment.
Do we need both LOAD_XXX and READ/WRITE_XXX? How will user use them?
There was a problem hiding this comment.
Also how do you distinguish whether the table has read or write privilege from Gravitino?
There was a problem hiding this comment.
- Yes, LOAD_TABLE is a meta data operation and the READ_TABLE is a data operation. They are different operations.
- Gravitino doesn't disitinguish the privilege. User doesn't use Gravitino to read or write table.
Gravitino set the privileges of read/ write table to the underlying system. The underlying system will judge the privilege of read/write when the users access the underlying system.
| @@ -33,12 +44,54 @@ | |||
| public class RoleOperations { | |||
| private static final Logger LOG = LoggerFactory.getLogger(RoleOperations.class); | |||
|
|
|||
| private static final String PRIVILEGE_ERROR_MSG = "%s shouldn't bind the privilege %s"; | |||
| private static final String UNSUPPORTED_ERROR_MSG = "%s uses an unsupported catalog type"; | |||
| private static final List<Privilege> CATALOG_PRIVILEGES = | |||
There was a problem hiding this comment.
As you mentioned before that catalog will have the schema privileges like create schema, how do you achieve this in this PR?
There was a problem hiding this comment.
You can see the comment of checkSecurableObjectPrivileges
| /** The privilege to read a topic. */ | ||
| READ_TOPIC, | ||
| /** The privilege to write a topic. */ | ||
| WRITE_TOPIC |
There was a problem hiding this comment.
The name here are too specific for metadata, users may not know it is, like LOAD? I think you'd better have a more suitable name for users easy to understand.
There was a problem hiding this comment.
LOAD_TOPIC means that we read the meta data of topic while READ_TOPIC means that we read data of topic.
|
@jerryshao I refactor the code
|
|
The CI pipeline of python failed. It's unrelated to this pull request. |
| @@ -33,12 +44,76 @@ | |||
| public class RoleOperations { | |||
| private static final Logger LOG = LoggerFactory.getLogger(RoleOperations.class); | |||
|
|
|||
| private static final String UNSUPPORTED_ERROR_MSG = "%s is an unsupported catalog type"; | |||
| private static final List<Privilege> CATALOG_PRIVILEGES_EXCEPT_FOR_LIST = | |||
There was a problem hiding this comment.
Why don't you put the code in core, what is the specific reason?
There was a problem hiding this comment.
The check logic needs to get the type of catalog. We should use tree lock to get the catalog. We usually use the tree lock in the operation instead of core.
|
I think you should really polish the code to make your check logic more clear and easy-to-understand before it is ready to review. |
I have no idea to make this pull request more clear. |
qqqttt123
force-pushed
the
ISSUE-2235-part2
branch
2 times, most recently
from
59773bc to
6763ffa
Compare
|
@jerryshao I have removed the check code and add more privileges. |
| /** The privilege to alter a catalog. */ | ||
| ALTER_CATALOG, | ||
| /** The privilege to drop a catalog. */ | ||
| DROP_CATALOG, |
There was a problem hiding this comment.
Maybe we can also add a bit to each privilege like 0x01, 0x10, so that later on when we have a privilege like ALL_PRIVILEGE that can be represented as a combination of several privileges, you can think of this.
| /** The privilege to drop a schema. */ | ||
| DROP_SCHEMA, | ||
| /** The privilege to show tables. */ | ||
| SHOW_TABLE, |
There was a problem hiding this comment.
SHOW_TABLES or SHOW_TABLE, I think for SHOW_XXX, it should add "s", right?
There was a problem hiding this comment.
From UI's view, to show resources tree. Maybe we don't need show metalakes, show tables, show schemas privilege. Every one should have the privilege. I want to remove them a little.
There was a problem hiding this comment.
Em...OK, I will correct this. My concern is that we don't use LOAD_A_SCHEMA. But I really want to all list entities this.
| USE_METALAKE, | ||
| /** The privilege to manage a metalake. */ | ||
| MANAGE_METALAKE, | ||
| /** The privilege to create a metalake. */ | ||
| CREATE_METALAKE, | ||
| /** The privilege to manage users. */ | ||
| MANAGE_USER, | ||
| /** The privilege to manage groups. */ | ||
| MANAGE_GROUP, | ||
| /** The privilege to manage roles. */ | ||
| MANAGE_ROLE, |
There was a problem hiding this comment.
These privileges should be explained well in the document and comment.
| * A role is used for access control. A role will indicate that it has some privileges to access | ||
| * some securable objects. | ||
| */ | ||
| ROLE |
There was a problem hiding this comment.
Why do we need a ROLE securable object?
There was a problem hiding this comment.
We will create a special role for one entity.
One creator of one entity should have the privilege to grant the owner role to others.
There was a problem hiding this comment.
Can you give an example? If it is user A who create a table "foo", so the privilege this "grant role", the securable object is table "foo", grant to user A, am I right? the securable object is table, not role, right?
There was a problem hiding this comment.
That's ok, too. I will remove the entity.
| * The type of securable object in the Gravitino system. Every type will map one kind of the entity | ||
| * of the underlying system. | ||
| */ | ||
| public enum SecurableObjectType { |
There was a problem hiding this comment.
I think these Type enum class can be an inner class in SecurableObject.
| List<SecurableObjectType> typeInDifferentLevels = | ||
| Lists.newArrayList(SecurableObjectType.CATALOG, SecurableObjectType.SCHEMA); | ||
|
|
||
| if (names.length == 1 && type != SecurableObjectType.CATALOG) { |
There was a problem hiding this comment.
For metalake, the length should also be 1?
There was a problem hiding this comment.
I will add some test code.
| if (names.length > 2) { | ||
| typeInDifferentLevels.add(type); | ||
| } |
There was a problem hiding this comment.
What's the meaning of these codes?
There was a problem hiding this comment.
I refactor these code to make it more clear.
| @@ -38,27 +76,39 @@ public static SecurableObject of(String... names) { | |||
| if (name.equals("*")) { | |||
| throw new IllegalArgumentException( | |||
| "Cannot create a securable object with `*` name. If you want to use a securable object which represents all catalogs," | |||
There was a problem hiding this comment.
all metalakes, not all catalogs.
There was a problem hiding this comment.
I will modify the comment. I will explain ofMetalake and ofAllMetalakes.
| @@ -144,16 +193,19 @@ private static void checkCatalog(SecurableObject catalog) { | |||
| } | |||
| } | |||
|
|
|||
| private static final SecurableObject ALL_CATALOGS = new SecurableObjectImpl(null, "*"); | |||
| private static final SecurableObject ALL_METALAKES = | |||
| new SecurableObjectImpl(null, "*", SecurableObjectType.CATALOG); | |||
There was a problem hiding this comment.
My fault. I will add some tests for this class.
|
@jerryshao All comments are addressed. |
qqqttt123
force-pushed
the
ISSUE-2235-part2
branch
from
73b7d97 to
91bb2b0
Compare
| /** The privilege to manage groups, including add,remove and get a group. */ | ||
| MANAGE_GROUP(1L << 23), | ||
| /** The privilege to manage roles, including create,drop,alter,grant and revoke a role. */ | ||
| MANAGE_ROLE(1L << 24); |
There was a problem hiding this comment.
I'm afraid that 64 bit may not be enough when we continue to add more fine-grained privileges, what do you think?
| * represent a fileset.<br> | ||
| * `*` can represent all th metalakes <br> | ||
| * `metalake` can represent all the catalogs of this metalake. <br> | ||
| * To use other securable objects which represents all entities," you can use their parent entity, |
There was a problem hiding this comment.
I would suggest you add more descriptions and examples about this securable object.
There was a problem hiding this comment.
I refactored the comment.
| for (int parentNum = names.length - 2; parentNum >= 0; parentNum--) { | ||
| curType = getParentSecurableObjectType(curType); | ||
| types.add(curType); | ||
| } |
There was a problem hiding this comment.
This part of code is a bit of hardcoded, can you please refine this code and remove this hardcoded numbers.
| * @return The created {@link SecurableObject} | ||
| */ | ||
| public static SecurableObject parse(String securableObjectIdentifier) { | ||
| public static SecurableObject parse(String securableObjectIdentifier, SecurableObject.Type type) { |
There was a problem hiding this comment.
It's a bit unknown about this securableObjectIdentifier, so I would suggest not introducing new name/concept, you can use "fullName" and add more comments.
| * @param names The names of the securable object. | ||
| * @return The created {@link SecurableObject} | ||
| */ | ||
| public static SecurableObject of(String... names) { | ||
| public static SecurableObject of(SecurableObject.Type type, String... names) { |
There was a problem hiding this comment.
This names maybe errorprone, you require that names be ordered like catalog, schema, table, but in your code you cannot do such enforcement, so I would suggest you redefine your interface to avoid misuse.
There was a problem hiding this comment.
I removed the public.
| MANAGE_USER(1L << 22), | ||
| /** The privilege to manage groups, including add,remove and get a group. */ | ||
| MANAGE_GROUP(1L << 23), | ||
| /** The privilege to manage roles, including create,drop,alter,grant and revoke a role. */ | ||
| MANAGE_ROLE(1L << 24); |
There was a problem hiding this comment.
I would suggest we use fine-grained privilege for USER, GROUP, ROLE.
|
@jerryshao All comments are addressed. |
| * `SecurableObjects.ofTopic("topic1")` to create the securable object, or you can use full name | ||
| * `catalog1.schema1.topic1` and type `TOPIC` in the RESTFUL API. <br> | ||
| * If you want to use a fileset named `fileset1` in the schema named `schema1`, you can use the code | ||
| * `SecurableObjects.ofFileset("fileset1)` to create the securable object, or you can use full name |
There was a problem hiding this comment.
I think it is different the API you offered, you miss the parent securable object.
|
I test this pull request with the commands as follows; It's ok. |
### What changes were proposed in this pull request? Add the more privileges and check the privilege constraint about securable object. ### Why are the changes needed? Fix: apache#2967 ### Does this PR introduce _any_ user-facing change? No. ### How was this patch tested? Add new UT. --------- Co-authored-by: Heng Qin <qqtt@123.com>
What changes were proposed in this pull request?
Add the more privileges and check the privilege constraint about securable object.
Why are the changes needed?
Fix: #2967
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Add new UT.