Merge branch 'main' into remove-dw-from-core

apache · Nov 22, 2024 · 1e713ff · 1e713ff
2 parents c343504 + 4560245
commit 1e713ff
Show file tree

Hide file tree

Showing 35 changed files with 1,585 additions and 1,003 deletions.
diff --git a/build-logic/src/main/kotlin/polaris-java.gradle.kts b/build-logic/src/main/kotlin/polaris-java.gradle.kts
@@ -80,6 +80,7 @@ spotless {
     licenseHeaderFile(rootProject.file("codestyle/copyright-header-java.txt"))
     endWithNewline()
     custom("disallowWildcardImports", disallowWildcardImports)
+    toggleOffOn()
   }
   kotlinGradle {
     ktfmt().googleStyle()

diff --git a/build-logic/src/main/kotlin/publishing/rootProject.kt b/build-logic/src/main/kotlin/publishing/rootProject.kt
@@ -151,16 +151,15 @@ internal fun configureOnRootProject(project: Project) =
               I propose that we release the following RC as the official
               $asfProjectName $versionNoRc release.
 
-              The commit ID is 229d8f6fcd109e6c8943ea7cbb41dab746c6d0ed
               * This corresponds to the tag: apache-$asfName-$version
               * https://github.com/apache/$asfName/commits/apache-$asfName-$version
               * https://github.com/apache/$asfName/tree/$gitCommitId
 
               The release tarball, signature, and checksums are here:
-              * https://dist.apache.org/repos/dist/dev/$asfName/apache-$asfName-$version
+              * https://dist.apache.org/repos/dist/dev/incubator/$asfName/apache-$asfName-$version
 
               You can find the KEYS file here:
-              * https://dist.apache.org/repos/dist/dev/$asfName/KEYS
+              * https://dist.apache.org/repos/dist/release/incubator/$asfName/KEYS
 
               Convenience binary artifacts are staged on Nexus. The Maven repository URL is:
               * $staginRepoUrl
@@ -169,14 +168,17 @@ internal fun configureOnRootProject(project: Project) =
 
               Please vote in the next 72 hours.
 
-              [ ] +1 Release this as Apache Iceberg 1.6.0
+              [ ] +1 Release this as Apache $asfName $version
               [ ] +0
               [ ] -1 Do not release this because...
 
-              Only PMC members have binding votes, but other community members are
+              Only PPMC members and mentors have binding votes, but other community members are
               encouraged to cast non-binding votes. This vote will pass if there are
               3 binding +1 votes and more binding +1 votes than -1 votes.
 
+              NB: if this vote pass, a new vote has to be started on the Incubator general mailing
+              list.
+
               Thanks
               Regards
             """

diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisGrantManager.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisGrantManager.java
@@ -0,0 +1,276 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.auth;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import org.apache.polaris.core.PolarisCallContext;
+import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntityCore;
+import org.apache.polaris.core.entity.PolarisGrantRecord;
+import org.apache.polaris.core.entity.PolarisPrivilege;
+import org.apache.polaris.core.persistence.BaseResult;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+/** Manage grants for Polaris entities. */
+public interface PolarisGrantManager {
+  /**
+   * Grant usage on a role to a grantee, for example granting usage on a catalog role to a principal
+   * role or granting a principal role to a principal.
+   *
+   * @param callCtx call context
+   * @param catalog if the role is a catalog role, the caller needs to pass-in the catalog entity
+   *     which was used to resolve that granted. Else null.
+   * @param role resolved catalog or principal role
+   * @param grantee principal role or principal as resolved by the caller
+   * @return the grant record we created for this grant. Will return ENTITY_NOT_FOUND if the
+   *     specified role couldn't be found. Should be retried in that case
+   */
+  @NotNull
+  PrivilegeResult grantUsageOnRoleToGrantee(
+      @NotNull PolarisCallContext callCtx,
+      @Nullable PolarisEntityCore catalog,
+      @NotNull PolarisEntityCore role,
+      @NotNull PolarisEntityCore grantee);
+
+  /**
+   * Revoke usage on a role (a catalog or a principal role) from a grantee (e.g. a principal role or
+   * a principal).
+   *
+   * @param callCtx call context
+   * @param catalog if the granted is a catalog role, the caller needs to pass-in the catalog entity
+   *     which was used to resolve that role. Else null should be passed-in.
+   * @param role a catalog/principal role as resolved by the caller
+   * @param grantee resolved principal role or principal
+   * @return the result. Will return ENTITY_NOT_FOUND if the * specified role couldn't be found.
+   *     Should be retried in that case. Will return GRANT_NOT_FOUND if the grant to revoke cannot
+   *     be found
+   */
+  @NotNull
+  PrivilegeResult revokeUsageOnRoleFromGrantee(
+      @NotNull PolarisCallContext callCtx,
+      @Nullable PolarisEntityCore catalog,
+      @NotNull PolarisEntityCore role,
+      @NotNull PolarisEntityCore grantee);
+
+  /**
+   * Grant a privilege on a catalog securable to a grantee.
+   *
+   * @param callCtx call context
+   * @param grantee resolved role, the grantee
+   * @param catalogPath path to that entity, cannot be null or empty unless securable is top-level
+   * @param securable securable entity, must have been resolved by the client. Can be the catalog
+   *     itself
+   * @param privilege privilege to grant
+   * @return the grant record we created for this grant. Will return ENTITY_NOT_FOUND if the
+   *     specified role couldn't be found. Should be retried in that case
+   */
+  @NotNull
+  PrivilegeResult grantPrivilegeOnSecurableToRole(
+      @NotNull PolarisCallContext callCtx,
+      @NotNull PolarisEntityCore grantee,
+      @Nullable List<PolarisEntityCore> catalogPath,
+      @NotNull PolarisEntityCore securable,
+      @NotNull PolarisPrivilege privilege);
+
+  /**
+   * Revoke a privilege on a catalog securable from a grantee.
+   *
+   * @param callCtx call context
+   * @param grantee resolved role, the grantee
+   * @param catalogPath path to that entity, cannot be null or empty unless securable is top-level
+   * @param securable securable entity, must have been resolved by the client. Can be the catalog
+   *     itself.
+   * @param privilege privilege to revoke
+   * @return the result. Will return ENTITY_NOT_FOUND if the * specified role couldn't be found.
+   *     Should be retried in that case. Will return GRANT_NOT_FOUND if the grant to revoke cannot
+   *     be found
+   */
+  @NotNull
+  PrivilegeResult revokePrivilegeOnSecurableFromRole(
+      @NotNull PolarisCallContext callCtx,
+      @NotNull PolarisEntityCore grantee,
+      @Nullable List<PolarisEntityCore> catalogPath,
+      @NotNull PolarisEntityCore securable,
+      @NotNull PolarisPrivilege privilege);
+
+  /**
+   * This method should be used by the Polaris app to cache all grant records on a securable.
+   *
+   * @param callCtx call context
+   * @param securableCatalogId id of the catalog this securable belongs to
+   * @param securableId id of the securable
+   * @return the list of grants and the version of the grant records. We will return
+   *     ENTITY_NOT_FOUND if the securable cannot be found
+   */
+  @NotNull
+  LoadGrantsResult loadGrantsOnSecurable(
+      @NotNull PolarisCallContext callCtx, long securableCatalogId, long securableId);
+
+  /**
+   * This method should be used by the Polaris app to load all grants made to a grantee, either a
+   * role or a principal.
+   *
+   * @param callCtx call context
+   * @param granteeCatalogId id of the catalog this grantee belongs to
+   * @param granteeId id of the grantee
+   * @return the list of grants and the version of the grant records. We will return NULL if the
+   *     grantee does not exist
+   */
+  @NotNull
+  LoadGrantsResult loadGrantsToGrantee(
+      PolarisCallContext callCtx, long granteeCatalogId, long granteeId);
+
+  /** Result of a grant/revoke privilege call */
+  class PrivilegeResult extends BaseResult {
+
+    // null if not success.
+    private final PolarisGrantRecord grantRecord;
+
+    /**
+     * Constructor for an error
+     *
+     * @param errorCode error code, cannot be SUCCESS
+     * @param extraInformation extra information
+     */
+    public PrivilegeResult(
+        @NotNull BaseResult.ReturnStatus errorCode, @Nullable String extraInformation) {
+      super(errorCode, extraInformation);
+      this.grantRecord = null;
+    }
+
+    /**
+     * Constructor for success
+     *
+     * @param grantRecord grant record being granted or revoked
+     */
+    public PrivilegeResult(@NotNull PolarisGrantRecord grantRecord) {
+      super(BaseResult.ReturnStatus.SUCCESS);
+      this.grantRecord = grantRecord;
+    }
+
+    @JsonCreator
+    private PrivilegeResult(
+        @JsonProperty("returnStatus") @NotNull BaseResult.ReturnStatus returnStatus,
+        @JsonProperty("extraInformation") String extraInformation,
+        @JsonProperty("grantRecord") PolarisGrantRecord grantRecord) {
+      super(returnStatus, extraInformation);
+      this.grantRecord = grantRecord;
+    }
+
+    public PolarisGrantRecord getGrantRecord() {
+      return grantRecord;
+    }
+  }
+
+  /** Result of a load grants call */
+  class LoadGrantsResult extends BaseResult {
+    // true if success. If false, the caller should retry because of some concurrent change
+    private final int grantsVersion;
+
+    // null if not success. Else set of grants records on a securable or to a grantee
+    private final List<PolarisGrantRecord> grantRecords;
+
+    // null if not success. Else, for each grant record, list of securable or grantee entities
+    private final List<PolarisBaseEntity> entities;
+
+    /**
+     * Constructor for an error
+     *
+     * @param errorCode error code, cannot be SUCCESS
+     * @param extraInformation extra information
+     */
+    public LoadGrantsResult(
+        @NotNull BaseResult.ReturnStatus errorCode, @Nullable String extraInformation) {
+      super(errorCode, extraInformation);
+      this.grantsVersion = 0;
+      this.grantRecords = null;
+      this.entities = null;
+    }
+
+    /**
+     * Constructor for success
+     *
+     * @param grantsVersion version of the grants
+     * @param grantRecords set of grant records
+     */
+    public LoadGrantsResult(
+        int grantsVersion,
+        @NotNull List<PolarisGrantRecord> grantRecords,
+        List<PolarisBaseEntity> entities) {
+      super(BaseResult.ReturnStatus.SUCCESS);
+      this.grantsVersion = grantsVersion;
+      this.grantRecords = grantRecords;
+      this.entities = entities;
+    }
+
+    @JsonCreator
+    private LoadGrantsResult(
+        @JsonProperty("returnStatus") @NotNull BaseResult.ReturnStatus returnStatus,
+        @JsonProperty("extraInformation") String extraInformation,
+        @JsonProperty("grantsVersion") int grantsVersion,
+        @JsonProperty("grantRecords") List<PolarisGrantRecord> grantRecords,
+        @JsonProperty("entities") List<PolarisBaseEntity> entities) {
+      super(returnStatus, extraInformation);
+      this.grantsVersion = grantsVersion;
+      this.grantRecords = grantRecords;
+      // old GS code might not serialize this argument
+      this.entities = entities;
+    }
+
+    public int getGrantsVersion() {
+      return grantsVersion;
+    }
+
+    public List<PolarisGrantRecord> getGrantRecords() {
+      return grantRecords;
+    }
+
+    public List<PolarisBaseEntity> getEntities() {
+      return entities;
+    }
+
+    @JsonIgnore
+    public Map<Long, PolarisBaseEntity> getEntitiesAsMap() {
+      return (this.getEntities() == null)
+          ? null
+          : this.getEntities().stream()
+              .collect(Collectors.toMap(PolarisBaseEntity::getId, entity -> entity));
+    }
+
+    @Override
+    public String toString() {
+      return "LoadGrantsResult{"
+          + "grantsVersion="
+          + grantsVersion
+          + ", grantRecords="
+          + grantRecords
+          + ", entities="
+          + entities
+          + ", returnStatus="
+          + getReturnStatus()
+          + '}';
+    }
+  }
+}