-
Notifications
You must be signed in to change notification settings - Fork 319
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[#4886] feat(server,core): Supports to list roles by object #5023
Conversation
c089126
to
447ae0a
Compare
case ROLE_GROUP_REL: | ||
if (identType == Entity.EntityType.ROLE) { | ||
return (List<E>) GroupMetaService.getInstance().listGroupsByRoleIdent(nameIdentifier); | ||
} else { | ||
throw new IllegalArgumentException( | ||
String.format("ROLE_GROUP_REL doesn't support type %s", identType.name())); | ||
String.format( | ||
"ROLE_GROUP_REL doesn't support type %s or loading all fields", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it possible that ROLE_GROUP_REL does not support all fields?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now, we don't support all fields. We can support fetch all fields in the next pull request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the meaning of this error message, I cannot quite follow your meaning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed the error message, remove wrong message or loading all fields
.
core/src/main/java/org/apache/gravitino/storage/relational/service/RoleMetaService.java
Outdated
Show resolved
Hide resolved
|
||
@NameBindings.AccessControlInterfaces | ||
@Path("/metalakes/{metalake}/objects/{type}/{fullName}/roles") | ||
public class ObjectRoleOperations { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rename it to MetadataObjectRoleOperations
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
} | ||
|
||
/** | ||
* List the entities according to a give entity in a specific relation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: give-> given
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
*/ | ||
public String[] listRoleNamesByObject(MetadataObject object) | ||
throws NoSuchMetalakeException, NoSuchMetadataObjectException { | ||
return getMetalake().listRoleNamesByObject(object); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is better to design the APIs like tags, list roles from different entity object.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Different from Tag API, role is related to authorization. Only we enable authorization, entity can list roles. So I prefer making a dedicated API to do this. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you honor authorization here? I don't see you honor the authorization here even you put the code here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I can refer to the Tag to modify here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think twice. Different from tag, tag don't support metalake
type. role supportsmetalake
.
If we add listObjectRoleNames
API. It may make users confusing.
What's the difference between listObjectRoleNames
and listRoleNames
for a metalake.
If it's ok, I can modify this logic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't want to expose GravitinoMetalake
. If we want to list roles for GravitinoMetalake
, it's hard.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about using different method name like "listBindingRoleNames"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can add more descriptions to tell about the difference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, I modified this code according to your suggestion.
|
||
// List roles by the object | ||
roleNames = metalake.listBindingRoleNames(); | ||
Arrays.sort(roleNames); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you test list roles for different objects other than metalake?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added the test cases of catalog, schema and fileset.
|
||
private final RESTClient restClient; | ||
|
||
private final String tagRequestPath; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The variable name here is not correct.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
httpRequest, | ||
() -> | ||
TreeLockUtils.doWithTreeLock( | ||
NameIdentifier.of(metalake), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You'd better lock the metadata object, not the metalake here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
import org.apache.gravitino.annotation.Evolving; | ||
|
||
/** | ||
* Interface for supporting list role names for objects. This interface will be mixed with metadata |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
be combined
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SupportsTags use similar grammar.
/** | ||
* List all the role names associated with this metadata object. For the metalake metadata object, | ||
* this method will only return the roles contains metalake object instead of all the roles in the | ||
* metalake. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the metalake metadata object,
- this method will only return the roles contains metalake object instead of all the roles in the
- metalake.
Can you clarify it? I can't get the meaning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed confusing comment.
* | ||
* @return The role name list associated with this metadata object. | ||
*/ | ||
String[] listBindingRoleNames(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not give it a default implementation and throw UnsupportUnsupportedOperationException
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
supportsRoles
has throw UnSupportedOperationExcetion. supportsTags
doesn't throw UnSupportedOperationException, too.
server/src/main/java/org/apache/gravitino/server/web/rest/MetadataObjectRoleOperations.java
Outdated
Show resolved
Hide resolved
POConverters.fromRolePO( | ||
po, listSecurableObjects(po), AuthorizationUtils.ofRoleNamespace(metalake))) | ||
po -> { | ||
if (allFields) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When will you set this to true
for list roles by metadata object?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is used for internal implement. I used it in the FutureGrantManager, I need find all the roles contains metalake metadata object. For example, I find the role contains CREATE TABLE
for a metalake and apply the role for newly created catalog.
POConverters.fromSecurableObjectPO( | ||
fullName, securableObjectPO, getType(securableObjectPO.getType()))); | ||
} else { | ||
LOG.info( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please change to the warning log.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.
I have created an issue #5029 to track it.
### What changes were proposed in this pull request? Supports to list roles by object ### Why are the changes needed? Fix: #4886 ### Does this PR introduce _any_ user-facing change? I will add the document later. ### How was this patch tested? Add new UT.
What changes were proposed in this pull request?
Supports to list roles by object
Why are the changes needed?
Fix: #4886
Does this PR introduce any user-facing change?
I will add the document later.
How was this patch tested?
Add new UT.