Skip to content

Commit

Permalink
Merge branch 'branch-0.6' into branch-0.6-ci-timeout
Browse files Browse the repository at this point in the history
  • Loading branch information
@yuqi1129
yuqi1129 authored Aug 28, 2024
2 parents f9b1679 + 60e58f3 commit 1a84669
Show file tree
Hide file tree
Showing 6 changed files with 237 additions and 58 deletions.
15 changes: 15 additions & 0 deletions clients/client-java/src/main/java/org/apache/gravitino/client/ErrorHandlers.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -564,6 +564,9 @@ public void accept(ErrorResponse errorResponse) {
case ErrorConstants.ALREADY_EXISTS_CODE:
throw new UserAlreadyExistsException(errorMessage);

case ErrorConstants.UNSUPPORTED_OPERATION_CODE:
throw new UnsupportedOperationException(errorMessage);

case ErrorConstants.INTERNAL_ERROR_CODE:
throw new RuntimeException(errorMessage);

Expand Down Expand Up @@ -599,6 +602,9 @@ public void accept(ErrorResponse errorResponse) {
case ErrorConstants.ALREADY_EXISTS_CODE:
throw new GroupAlreadyExistsException(errorMessage);

case ErrorConstants.UNSUPPORTED_OPERATION_CODE:
throw new UnsupportedOperationException(errorMessage);

case ErrorConstants.INTERNAL_ERROR_CODE:
throw new RuntimeException(errorMessage);

Expand Down Expand Up @@ -638,6 +644,9 @@ public void accept(ErrorResponse errorResponse) {
case ErrorConstants.ALREADY_EXISTS_CODE:
throw new RoleAlreadyExistsException(errorMessage);

case ErrorConstants.UNSUPPORTED_OPERATION_CODE:
throw new UnsupportedOperationException(errorMessage);

case ErrorConstants.INTERNAL_ERROR_CODE:
throw new RuntimeException(errorMessage);

Expand Down Expand Up @@ -675,6 +684,9 @@ public void accept(ErrorResponse errorResponse) {
throw new NotFoundException(errorMessage);
}

case ErrorConstants.UNSUPPORTED_OPERATION_CODE:
throw new UnsupportedOperationException(errorMessage);

case ErrorConstants.INTERNAL_ERROR_CODE:
throw new RuntimeException(errorMessage);

Expand Down Expand Up @@ -748,6 +760,9 @@ public void accept(ErrorResponse errorResponse) {
throw new NotFoundException(errorMessage);
}

case ErrorConstants.UNSUPPORTED_OPERATION_CODE:
throw new UnsupportedOperationException(errorMessage);

case ErrorConstants.INTERNAL_ERROR_CODE:
throw new RuntimeException(errorMessage);

Expand Down
1 change: 1 addition & 0 deletions clients/client-python/gravitino/constants/root.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,4 +21,5 @@

MODULE_NAME = "gravitino"
PROJECT_HOME = Path(__file__).parent.parent.parent
PROJECT_ROOT = PROJECT_HOME.parent.parent
GRAVITINO_DIR = PROJECT_HOME / MODULE_NAME
24 changes: 20 additions & 4 deletions clients/client-python/scripts/generate_version.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,17 +17,35 @@
under the License.
"""

# coding=utf-8

import re
import configparser
import subprocess
from datetime import datetime
from gravitino.constants.root import PROJECT_ROOT

from gravitino.constants.version import Version, VERSION_INI, SETUP_FILE
from gravitino.exceptions.base import GravitinoRuntimeException

VERSION_PATTERN = r"version\s*=\s*['\"]([^'\"]+)['\"]"


def get_git_commit_id():
try:
commit_id = ""
git_path = f"{PROJECT_ROOT}/.git/"
with open(git_path + "HEAD", "r", encoding="utf-8") as file:
ref = file.readline().strip()

if ref.startswith("ref:"):
ref_path = ref.split(" ")[1]
with open(git_path + ref_path, "r", encoding="utf-8") as file:
commit_id = file.readline().strip()
return commit_id
except (FileNotFoundError, IOError):
return ""


def main():
with open(SETUP_FILE, "r", encoding="utf-8") as f:
setup_content = f.read()
Expand All @@ -37,9 +55,7 @@ def main():
else:
raise GravitinoRuntimeException("Can't find valid version info in setup.py")

git_commit = (
subprocess.check_output(["git", "rev-parse", "HEAD"]).decode("ascii").strip()
)
git_commit = get_git_commit_id()

compile_date = datetime.now().strftime("%d/%m/%Y %H:%M:%S")

Expand Down
84 changes: 42 additions & 42 deletions docs/security/access-control.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -134,83 +134,83 @@ You can also create a dedicated role for your business by API or the client.

### User privileges

| Name | Supports Securable Object | Operation |
|-------------|---------------------------|---------------------|
| ManageUsers | Metalake | Add or remove users |
| Name | Supports Securable Object | Operation |
|--------------|---------------------------|---------------------|
| MANAGE_USERS | Metalake | Add or remove users |

### Group privileges

| Name | Supports Securable Object | Operation |
|--------------|---------------------------|----------------------|
| ManageGroups | Metalake | Add or remove groups |
| Name | Supports Securable Object | Operation |
|---------------|---------------------------|----------------------|
| MANAGE_GROUPS | Metalake | Add or remove groups |

### Role privileges

| Name | Supports Securable Object | Operation |
|------------|---------------------------|---------------|
| CreateRole | Metalake | Create a role |
| Name | Supports Securable Object | Operation |
|-------------|---------------------------|---------------|
| CREATE_ROLE | Metalake | Create a role |

### Permission privileges

| Name | Supports Securable Object | Operation |
|--------------|---------------------------|------------------------|
| ManageGrants | Metalake | grant or revoke a role |
| Name | Supports Securable Object | Operation |
|---------------|---------------------------|------------------------|
| MANAGE_GRANTS | Metalake | grant or revoke a role |

### Catalog privileges

| Name | Supports Securable Object | Operation |
|---------------|---------------------------|------------------|
| CreateCatalog | Metalake | Create a catalog |
| UseCatalog | Metalake, Catalog | |
| Name | Supports Securable Object | Operation |
|----------------|---------------------------|------------------|
| CREATE_CATALOG | Metalake | Create a catalog |
| USE_CATALOG | Metalake, Catalog | |

:::info

`USE_CATALOG` is needed for a user to interact with any object within the catalog.

For example, to select data from a table, users need to have the SELECT_TABLE privilege on that table and
`USE CATALOG` privileges on its parent catalog as well as `USE SCHEMA` privileges on its parent schema.
For example, to select data from a table, users need to have the `SELECT_TABLE` privilege on that table and
`USE_CATALOG` privileges on its parent catalog as well as `USE_SCHEMA` privileges on its parent schema.

:::

### Schema privileges

| Name | Supports Securable Object | Operation |
|--------------|---------------------------|-----------------|
| CreateSchema | Metalake, Catalog | Create a schema |
| UseSchema | Metalake, Catalog, Schema | Use a schema |
| Name | Supports Securable Object | Operation |
|---------------|---------------------------|-----------------|
| CREATE_SCHEMA | Metalake, Catalog | Create a schema |
| USE_SCHEMA | Metalake, Catalog, Schema | Use a schema |

:::info

`UseSchema`is needed for a user to interact with any object within the schema.
`USE_SCHEMA`is needed for a user to interact with any object within the schema.

For example, to select data from a table, users need to have the `SELECT_TABLE` privilege on that table
and `USE SCHEMA` privileges on its parent schema.
and `USE_SCHEMA` privileges on its parent schema.

:::

### Table privileges

| Name | Supports Securable Object | Operation |
|-------------|-----------------------------------|------------------------------------------------|
| CreateTable | Metalake, Catalog, Schema | Create a table |
| ModifyTable | Metalake, Catalog, Schema, Table | Use the SQL `UPDATE`,`DELETE`,`INSERT` a table |
| SelectTable | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data from a table |
| Name | Supports Securable Object | Operation |
|--------------|-----------------------------------|------------------------------------------------|
| CREATE_TABLE | Metalake, Catalog, Schema | Create a table |
| MODIFY_TABLE | Metalake, Catalog, Schema, Table | Use the SQL `UPDATE`,`DELETE`,`INSERT` a table |
| SELECT_TABLE | Metalake, Catalog, Schema, Table | Use the SQL `SELECT` data from a table |

### Topic privileges

| Name | Supports Securable Object | Operation |
|--------------|----------------------------------|-------------------------------------------|
| CreateTopic | Metalake, Catalog, Schema | Create a topic |
| ProduceTopic | Metalake, Catalog, Schema, Topic | Produce a topic (including alter a topic) |
| ConsumeTopic | Metalake, Catalog, Schema, Topic | Consume a topic |
| Name | Supports Securable Object | Operation |
|---------------|----------------------------------|-------------------------------------------|
| CREATE_TOPIC | Metalake, Catalog, Schema | Create a topic |
| PRODUCE_TOPIC | Metalake, Catalog, Schema, Topic | Produce a topic (including alter a topic) |
| CONSUME_TOPIC | Metalake, Catalog, Schema, Topic | Consume a topic |

### Fileset privileges

| Name | Supports Securable Object | Operation |
|---------------|------------------------------------|---------------------------------------------|
| CreateFileset | Metalake, Catalog, Schema | Create a fileset |
| WriteFileset | Metalake, Catalog, Schema, Fileset | Write a fileset (including alter a fileset) |
| ReadFileset | Metalake, Catalog, Schema, Fileset | read a fileset |
| Name | Supports Securable Object | Operation |
|----------------|------------------------------------|---------------------------------------------|
| CREATE_FILESET | Metalake, Catalog, Schema | Create a fileset |
| WRITE_FILESET | Metalake, Catalog, Schema, Fileset | Write a fileset (including alter a fileset) |
| READ_FILESET | Metalake, Catalog, Schema, Fileset | read a fileset |

## Inheritance Model

Expand All @@ -224,9 +224,9 @@ will be able to select(read) all tables in that catalog.

## Privilege Condition

The privilege supports two condition: `allow` and `deny`. `allow` means that you are able to use the privilege,
`deny` means that you aren't able to use the privilege.
`deny` condition is prior to `allow` condition. If a role has the `allow` condition and `deny` condition at the same time.
The privilege supports two condition: `ALLOW` and `DENY`. `ALLOW` means that you are able to use the privilege,
`DENY` means that you aren't able to use the privilege.
`DENY` condition is prior to `ALLOW` condition. If a role has the `ALLOW` condition and `DENY` condition at the same time.
The user won't be able to use the privilege.

If parent securable object has the same privilege name with different condition, the securable object won't override the parent object privilege.
Expand Down
153 changes: 153 additions & 0 deletions ...est/java/org/apache/gravitino/integration/test/authorization/AccessControlNotAllowIT.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,153 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.gravitino.integration.test.authorization;

import com.google.common.collect.Lists;
import java.util.Collections;
import org.apache.gravitino.MetadataObject;
import org.apache.gravitino.MetadataObjects;
import org.apache.gravitino.authorization.Owner;
import org.apache.gravitino.authorization.Privileges;
import org.apache.gravitino.authorization.SecurableObjects;
import org.apache.gravitino.client.GravitinoMetalake;
import org.apache.gravitino.integration.test.util.AbstractIT;
import org.apache.gravitino.utils.RandomNameUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

public class AccessControlNotAllowIT extends AbstractIT {

public static String metalakeTestName = RandomNameUtils.genRandomName("test");

@Test
public void testNotAllowFilter() {
GravitinoMetalake metalake =
client.createMetalake(metalakeTestName, "metalake test", Collections.emptyMap());

Exception e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.addUser("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.removeUser("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.getUser("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.addGroup("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.getGroup("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.removeGroup("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() ->
metalake.createRole(
"test",
Collections.emptyMap(),
Lists.newArrayList(
SecurableObjects.ofMetalake(
"test", Lists.newArrayList(Privileges.SelectTable.allow())))));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.getRole("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class, () -> metalake.deleteRole("test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() -> metalake.grantRolesToGroup(Lists.newArrayList("test"), "test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() -> metalake.grantRolesToUser(Lists.newArrayList("test"), "test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() -> metalake.revokeRolesFromGroup(Lists.newArrayList("test"), "test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() -> metalake.revokeRolesFromUser(Lists.newArrayList("test"), "test"));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() ->
metalake.setOwner(
MetadataObjects.of(null, "test", MetadataObject.Type.METALAKE),
"test",
Owner.Type.USER));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

e =
Assertions.assertThrows(
UnsupportedOperationException.class,
() ->
metalake.getOwner(MetadataObjects.of(null, "test", MetadataObject.Type.METALAKE)));
Assertions.assertTrue(
e.getMessage().contains("You should set 'gravitino.authorization.enable'"));

client.dropMetalake(metalakeTestName);
}
}
Loading

0 comments on commit 1a84669

Please sign in to comment.