[#4886] feat(server,core): Supports to list roles by object #5023
Conversation
jerqi
force-pushed
the
ISSUE-4886
branch
2 times, most recently
from
c089126 to
447ae0a
Compare
| case ROLE_GROUP_REL: | ||
| if (identType == Entity.EntityType.ROLE) { | ||
| return (List<E>) GroupMetaService.getInstance().listGroupsByRoleIdent(nameIdentifier); | ||
| } else { | ||
| throw new IllegalArgumentException( | ||
| String.format("ROLE_GROUP_REL doesn't support type %s", identType.name())); | ||
| String.format( | ||
| "ROLE_GROUP_REL doesn't support type %s or loading all fields", |
There was a problem hiding this comment.
Is it possible that ROLE_GROUP_REL does not support all fields?
There was a problem hiding this comment.
Now, we don't support all fields. We can support fetch all fields in the next pull request.
There was a problem hiding this comment.
What is the meaning of this error message, I cannot quite follow your meaning.
There was a problem hiding this comment.
Fixed the error message, remove wrong message or loading all fields.
core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
Outdated
Show resolved
Hide resolved
|
|
||
| @NameBindings.AccessControlInterfaces | ||
| @Path("/metalakes/{metalake}/objects/{type}/{fullName}/roles") | ||
| public class ObjectRoleOperations { |
There was a problem hiding this comment.
Can we rename it to MetadataObjectRoleOperations?
| } | ||
|
|
||
| /** | ||
| * List the entities according to a give entity in a specific relation. |
| */ | ||
| public String[] listRoleNamesByObject(MetadataObject object) | ||
| throws NoSuchMetalakeException, NoSuchMetadataObjectException { | ||
| return getMetalake().listRoleNamesByObject(object); |
There was a problem hiding this comment.
It is better to design the APIs like tags, list roles from different entity object.
There was a problem hiding this comment.
Different from Tag API, role is related to authorization. Only we enable authorization, entity can list roles. So I prefer making a dedicated API to do this. WDYT?
There was a problem hiding this comment.
Do you honor authorization here? I don't see you honor the authorization here even you put the code here.
There was a problem hiding this comment.
OK, I can refer to the Tag to modify here.
There was a problem hiding this comment.
Think twice. Different from tag, tag don't support metalake type. role supportsmetalake.
If we add listObjectRoleNames API. It may make users confusing.
What's the difference between listObjectRoleNames and listRoleNames for a metalake.
If it's ok, I can modify this logic.
There was a problem hiding this comment.
We don't want to expose GravitinoMetalake. If we want to list roles for GravitinoMetalake, it's hard.
There was a problem hiding this comment.
How about using different method name like "listBindingRoleNames"?
There was a problem hiding this comment.
You can add more descriptions to tell about the difference.
There was a problem hiding this comment.
OK, I modified this code according to your suggestion.
jerqi
changed the title
|
|
||
| // List roles by the object | ||
| roleNames = metalake.listBindingRoleNames(); | ||
| Arrays.sort(roleNames); |
There was a problem hiding this comment.
Can you test list roles for different objects other than metalake?
There was a problem hiding this comment.
Added the test cases of catalog, schema and fileset.
|
|
||
| private final RESTClient restClient; | ||
|
|
||
| private final String tagRequestPath; |
There was a problem hiding this comment.
The variable name here is not correct.
| httpRequest, | ||
| () -> | ||
| TreeLockUtils.doWithTreeLock( | ||
| NameIdentifier.of(metalake), |
There was a problem hiding this comment.
You'd better lock the metadata object, not the metalake here.
| import org.apache.gravitino.annotation.Evolving; | ||
|
|
||
| /** | ||
| * Interface for supporting list role names for objects. This interface will be mixed with metadata |
There was a problem hiding this comment.
SupportsTags use similar grammar.
| /** | ||
| * List all the role names associated with this metadata object. For the metalake metadata object, | ||
| * this method will only return the roles contains metalake object instead of all the roles in the | ||
| * metalake. |
There was a problem hiding this comment.
For the metalake metadata object,
- this method will only return the roles contains metalake object instead of all the roles in the
- metalake.
Can you clarify it? I can't get the meaning.
There was a problem hiding this comment.
Removed confusing comment.
| * | ||
| * @return The role name list associated with this metadata object. | ||
| */ | ||
| String[] listBindingRoleNames(); |
There was a problem hiding this comment.
Why not give it a default implementation and throw UnsupportUnsupportedOperationException?
There was a problem hiding this comment.
supportsRoles has throw UnSupportedOperationExcetion. supportsTags doesn't throw UnSupportedOperationException, too.
server/src/main/java/org/apache/gravitino/server/web/rest/MetadataObjectRoleOperations.java
Outdated
Show resolved
Hide resolved
| POConverters.fromRolePO( | ||
| po, listSecurableObjects(po), AuthorizationUtils.ofRoleNamespace(metalake))) | ||
| po -> { | ||
| if (allFields) { |
There was a problem hiding this comment.
When will you set this to true for list roles by metadata object?
There was a problem hiding this comment.
This is used for internal implement. I used it in the FutureGrantManager, I need find all the roles contains metalake metadata object. For example, I find the role contains CREATE TABLE for a metalake and apply the role for newly created catalog.
| POConverters.fromSecurableObjectPO( | ||
| fullName, securableObjectPO, getType(securableObjectPO.getType()))); | ||
| } else { | ||
| LOG.info( |
There was a problem hiding this comment.
Can you please change to the warning log.
There was a problem hiding this comment.
Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.
There was a problem hiding this comment.
Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.
I have created an issue #5029 to track it.
### What changes were proposed in this pull request? Supports to list roles by object ### Why are the changes needed? Fix: #4886 ### Does this PR introduce _any_ user-facing change? I will add the document later. ### How was this patch tested? Add new UT.
What changes were proposed in this pull request?
Supports to list roles by object
Why are the changes needed?
Fix: #4886
Does this PR introduce any user-facing change?
I will add the document later.
How was this patch tested?
Add new UT.