Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[#4886] feat(server,core): Supports to list roles by object #5023

Merged
merged 14 commits into from
Sep 27, 2024

Conversation

jerqi
Copy link
Collaborator

@jerqi jerqi commented Sep 26, 2024

What changes were proposed in this pull request?

Supports to list roles by object

Why are the changes needed?

Fix: #4886

Does this PR introduce any user-facing change?

I will add the document later.

How was this patch tested?

Add new UT.

@jerqi jerqi force-pushed the ISSUE-4886 branch 2 times, most recently from c089126 to 447ae0a Compare September 26, 2024 03:11
case ROLE_GROUP_REL:
if (identType == Entity.EntityType.ROLE) {
return (List<E>) GroupMetaService.getInstance().listGroupsByRoleIdent(nameIdentifier);
} else {
throw new IllegalArgumentException(
String.format("ROLE_GROUP_REL doesn't support type %s", identType.name()));
String.format(
"ROLE_GROUP_REL doesn't support type %s or loading all fields",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible that ROLE_GROUP_REL does not support all fields?

Copy link
Collaborator Author

@jerqi jerqi Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now, we don't support all fields. We can support fetch all fields in the next pull request.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the meaning of this error message, I cannot quite follow your meaning.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed the error message, remove wrong message or loading all fields.


@NameBindings.AccessControlInterfaces
@Path("/metalakes/{metalake}/objects/{type}/{fullName}/roles")
public class ObjectRoleOperations {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename it to MetadataObjectRoleOperations?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK.

}

/**
* List the entities according to a give entity in a specific relation.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: give-> given

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK.

*/
public String[] listRoleNamesByObject(MetadataObject object)
throws NoSuchMetalakeException, NoSuchMetadataObjectException {
return getMetalake().listRoleNamesByObject(object);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is better to design the APIs like tags, list roles from different entity object.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Different from Tag API, role is related to authorization. Only we enable authorization, entity can list roles. So I prefer making a dedicated API to do this. WDYT?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you honor authorization here? I don't see you honor the authorization here even you put the code here.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I can refer to the Tag to modify here.

Copy link
Collaborator Author

@jerqi jerqi Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think twice. Different from tag, tag don't support metalake type. role supportsmetalake.
If we add listObjectRoleNames API. It may make users confusing.
What's the difference between listObjectRoleNames and listRoleNames for a metalake.
If it's ok, I can modify this logic.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't want to expose GravitinoMetalake. If we want to list roles for GravitinoMetalake, it's hard.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using different method name like "listBindingRoleNames"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can add more descriptions to tell about the difference.

Copy link
Collaborator Author

@jerqi jerqi Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I modified this code according to your suggestion.

@jerqi jerqi changed the title [#4886] feat(server, core): Supports to list roles by object [#4886] feat(server,core): Supports to list roles by object Sep 26, 2024
@jerqi jerqi added the branch-0.6 Automatically cherry-pick commit to branch-0.6 label Sep 26, 2024

// List roles by the object
roleNames = metalake.listBindingRoleNames();
Arrays.sort(roleNames);
Copy link
Contributor

@jerryshao jerryshao Sep 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you test list roles for different objects other than metalake?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the test cases of catalog, schema and fileset.


private final RESTClient restClient;

private final String tagRequestPath;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable name here is not correct.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

httpRequest,
() ->
TreeLockUtils.doWithTreeLock(
NameIdentifier.of(metalake),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'd better lock the metadata object, not the metalake here.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK.

import org.apache.gravitino.annotation.Evolving;

/**
* Interface for supporting list role names for objects. This interface will be mixed with metadata
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

be combined

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SupportsTags use similar grammar.

/**
* List all the role names associated with this metadata object. For the metalake metadata object,
* this method will only return the roles contains metalake object instead of all the roles in the
* metalake.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the metalake metadata object,

  • this method will only return the roles contains metalake object instead of all the roles in the
  • metalake.

Can you clarify it? I can't get the meaning.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed confusing comment.

*
* @return The role name list associated with this metadata object.
*/
String[] listBindingRoleNames();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not give it a default implementation and throw UnsupportUnsupportedOperationException?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

supportsRoles has throw UnSupportedOperationExcetion. supportsTags doesn't throw UnSupportedOperationException, too.

POConverters.fromRolePO(
po, listSecurableObjects(po), AuthorizationUtils.ofRoleNamespace(metalake)))
po -> {
if (allFields) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When will you set this to true for list roles by metadata object?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is used for internal implement. I used it in the FutureGrantManager, I need find all the roles contains metalake metadata object. For example, I find the role contains CREATE TABLE for a metalake and apply the role for newly created catalog.

POConverters.fromSecurableObjectPO(
fullName, securableObjectPO, getType(securableObjectPO.getType())));
} else {
LOG.info(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please change to the warning log.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Besides, looks like if the object is deleted, then we will always get null result, maybe we should also delete the relation to role when we delete the object.

I have created an issue #5029 to track it.

@jerryshao jerryshao merged commit dab92a5 into apache:main Sep 27, 2024
26 checks passed
github-actions bot pushed a commit that referenced this pull request Sep 27, 2024
### What changes were proposed in this pull request?
Supports to list roles by object

### Why are the changes needed?

Fix: #4886

### Does this PR introduce _any_ user-facing change?

I will add the document later.

### How was this patch tested?

Add new UT.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
branch-0.6 Automatically cherry-pick commit to branch-0.6
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Improvement] Supports to list roles according to the metadata object
3 participants