From 8b6e87f357e7a42984846a2343f895587991acb1 Mon Sep 17 00:00:00 2001 From: Xun Date: Wed, 30 Oct 2024 15:11:57 +0800 Subject: [PATCH] [#5364] feat(auth-ranger): Throw AuthorizationPluginException in authorization plugin --- .../AuthorizationPluginException.java | 11 +++-- .../ranger/RangerAuthorizationPlugin.java | 49 +++++++++++-------- .../authorization/ranger/RangerHelper.java | 6 ++- .../ranger/integration/test/RangerHiveIT.java | 42 +++++++++++++--- .../ranger/integration/test/RangerITEnv.java | 13 +++-- .../RoleAuthorizationPlugin.java | 33 +++++++------ .../UserGroupAuthorizationPlugin.java | 29 +++++------ 7 files changed, 116 insertions(+), 67 deletions(-) diff --git a/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java b/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java index a57944c94a6..c61e35e1427 100644 --- a/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java +++ b/api/src/main/java/org/apache/gravitino/exceptions/AuthorizationPluginException.java @@ -22,7 +22,7 @@ import com.google.errorprone.annotations.FormatString; /** An exception thrown when an authorization plugin operation failed. */ -public class AuthorizationPluginException extends IllegalArgumentException { +public class AuthorizationPluginException extends GravitinoRuntimeException { /** * Constructs a new exception with the specified detail message. 
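Review bot: Re-parenting `AuthorizationPluginException` from `IllegalArgumentException` to `GravitinoRuntimeException` changes which handlers see authorization failures. Any existing `catch (IllegalArgumentException e)` or exception mapper keyed on that type will stop matching, so callers should be checked to confirm they handle the new type deliberately rather than falling through to a generic error path. The second hunk of this file (`@@ -36,11 +36,14`) also removes the public `AuthorizationPluginException(Throwable cause)` constructor from a class under `api/`; if out-of-tree plugins may call it, keeping it as `@Deprecated` for one release would avoid a source break. The class Javadoc could state the new contract, for example `/** Thrown when an operation against the underlying authorization system fails; not an argument-validation error. */`.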
@@ -36,11 +36,14 @@ public AuthorizationPluginException(@FormatString String message, Object... args } /** - * Constructs a new exception with the specified cause. + * Constructs a new exception with the specified detail message and cause. * * @param cause the cause. + * @param message the detail message. + * @param args the arguments to the message. */ - public AuthorizationPluginException(Throwable cause) { - super(cause); + @FormatMethod + public AuthorizationPluginException(Throwable cause, @FormatString String message, Object... args) { + super(cause, message, args); } } diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java index ff26d1ca67d..b0e46d5c140 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerAuthorizationPlugin.java @@ -113,7 +113,7 @@ protected RangerAuthorizationPlugin(Map config) { * 2. Save role name in the Policy items.
*/ @Override - public Boolean onRoleCreated(Role role) throws RuntimeException { + public Boolean onRoleCreated(Role role) throws AuthorizationPluginException { if (!validAuthorizationOperation(role.securableObjects())) { return false; } @@ -127,7 +127,7 @@ public Boolean onRoleCreated(Role role) throws RuntimeException { } @Override - public Boolean onRoleAcquired(Role role) throws RuntimeException { + public Boolean onRoleAcquired(Role role) throws AuthorizationPluginException { if (!validAuthorizationOperation(role.securableObjects())) { return false; } @@ -136,7 +136,7 @@ public Boolean onRoleAcquired(Role role) throws RuntimeException { /** Remove the role name from the Ranger policy item, and delete this Role in the Ranger.
*/ @Override - public Boolean onRoleDeleted(Role role) throws RuntimeException { + public Boolean onRoleDeleted(Role role) throws AuthorizationPluginException { if (!validAuthorizationOperation(role.securableObjects())) { return false; } @@ -157,7 +157,8 @@ public Boolean onRoleDeleted(Role role) throws RuntimeException { } @Override - public Boolean onRoleUpdated(Role role, RoleChange... changes) throws RuntimeException { + public Boolean onRoleUpdated(Role role, RoleChange... changes) + throws AuthorizationPluginException { for (RoleChange change : changes) { if (change instanceof RoleChange.AddSecurableObject) { SecurableObject securableObject = @@ -171,7 +172,7 @@ public Boolean onRoleUpdated(Role role, RoleChange... changes) throws RuntimeExc .forEach( rangerSecurableObject -> { if (!doAddSecurableObject(role.name(), rangerSecurableObject)) { - throw new RuntimeException( + throw new AuthorizationPluginException( "Failed to add the securable object to the Ranger policy!"); } }); @@ -187,7 +188,7 @@ public Boolean onRoleUpdated(Role role, RoleChange... changes) throws RuntimeExc .forEach( rangerSecurableObject -> { if (!doRemoveSecurableObject(role.name(), rangerSecurableObject)) { - throw new RuntimeException( + throw new AuthorizationPluginException( "Failed to add the securable object to the Ranger policy!"); } }); @@ -276,7 +277,7 @@ public Boolean onMetadataUpdated(MetadataObjectChange... changes) throws Runtime */ @Override public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner newOwner) - throws RuntimeException { + throws AuthorizationPluginException { Preconditions.checkArgument(newOwner != null, "The newOwner must be not null"); // Add the user or group to the Ranger 
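Review bot: In hunk `@@ -187,7 +188,7` of `onRoleUpdated`, the exception thrown when `doRemoveSecurableObject` returns false still says "Failed to add the securable object to the Ranger policy!", so a failed revoke is reported as a failed grant. I would change it to `throw new AuthorizationPluginException("Failed to remove the securable object from the Ranger policy of role(%s)!", role.name());` and name the role in the add branch (`@@ -171,7 +172,7`) the same way. Both throws sit inside a `forEach`, so securable objects processed before the failing one have already been written to Ranger. Unless the caller compensates (not visible here), the role is left partially applied, which is worth a comment on the method. `onRoleUpdated` starts and ends outside these hunks.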
@@ -365,7 +366,8 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n rangerClient.updatePolicy(policy.getId(), policy); } } catch (RangerServiceException e) { - throw new RuntimeException(e); + throw new AuthorizationPluginException( + e, "Failed to add the owner to the Ranger!"); } }); break; @@ -385,7 +387,8 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n rangerClient.updatePolicy(policy.getId(), policy); } } catch (RangerServiceException e) { - throw new RuntimeException(e); + throw new AuthorizationPluginException( + e, "Failed to add the owner to the Ranger!"); } }); break; @@ -408,7 +411,8 @@ public Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner n * @param user The user to grant the roles. */ @Override - public Boolean onGrantedRolesToUser(List roles, User user) throws RuntimeException { + public Boolean onGrantedRolesToUser(List roles, User user) + throws AuthorizationPluginException { if (roles.stream().anyMatch(role -> !validAuthorizationOperation(role.securableObjects()))) { return false; } @@ -443,7 +447,8 @@ public Boolean onGrantedRolesToUser(List roles, User user) throws RuntimeE * @param user The user to revoke the roles. */ @Override - public Boolean onRevokedRolesFromUser(List roles, User user) throws RuntimeException { + public Boolean onRevokedRolesFromUser(List roles, User user) + throws AuthorizationPluginException { if (roles.stream().anyMatch(role -> !validAuthorizationOperation(role.securableObjects()))) { return false; } 
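Review bot: Both new `catch` blocks in `onOwnerSet` (hunks `@@ -365,7 +366,8` and `@@ -385,7 +388,8`) throw the identical text "Failed to add the owner to the Ranger!", which names neither the owner nor the policy whose update failed. An ownership change is a privilege change, so the failure should be attributable from the exception alone. The new constructor takes format arguments, so something like `throw new AuthorizationPluginException(e, "Failed to set owner(%s) on Ranger policy(%s)", newOwner.name(), policy.getName());` would do, assuming `newOwner` is effectively final inside the lambda. The enclosing method runs beyond both hunks.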
@@ -477,7 +482,8 @@ public Boolean onRevokedRolesFromUser(List roles, User user) throws Runtim * @param group The group to grant the roles. */ @Override - public Boolean onGrantedRolesToGroup(List roles, Group group) throws RuntimeException { + public Boolean onGrantedRolesToGroup(List roles, Group group) + throws AuthorizationPluginException { if (roles.stream().anyMatch(role -> !validAuthorizationOperation(role.securableObjects()))) { return false; } @@ -510,7 +516,8 @@ public Boolean onGrantedRolesToGroup(List roles, Group group) throws Runti * @param group The group to revoke the roles. */ @Override - public Boolean onRevokedRolesFromGroup(List roles, Group group) throws RuntimeException { + public Boolean onRevokedRolesFromGroup(List roles, Group group) + throws AuthorizationPluginException { if (roles.stream().anyMatch(role -> !validAuthorizationOperation(role.securableObjects()))) { return false; } @@ -533,7 +540,7 @@ public Boolean onRevokedRolesFromGroup(List roles, Group group) throws Run } @Override - public Boolean onUserAdded(User user) throws RuntimeException { + public Boolean onUserAdded(User user) throws AuthorizationPluginException { VXUserList list = rangerClient.searchUser(ImmutableMap.of("name", user.name())); if (list.getListSize() > 0) { LOG.warn("The user({}) already exists in the Ranger!", user.name()); @@ -545,7 +552,7 @@ public Boolean onUserAdded(User user) throws RuntimeException { } @Override - public Boolean onUserRemoved(User user) throws RuntimeException { + public Boolean onUserRemoved(User user) throws AuthorizationPluginException { VXUserList list = rangerClient.searchUser(ImmutableMap.of("name", user.name())); if (list.getListSize() == 0) { LOG.warn("The user({}) doesn't exist in the Ranger!", user); 
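Review bot: The `throws AuthorizationPluginException` clauses added to `onUserAdded` and `onUserRemoved` (and to the grant/revoke methods in the earlier hunks of this file) are advisory only, because the exception is unchecked. Nothing visible in these hunks wraps failures from `rangerClient.searchUser(...)`. If that client can raise some other runtime exception, a caller that catches only `AuthorizationPluginException` will miss it. Either confirm the client already converts its errors, or wrap the call the way `doAddSecurableObject` now wraps `RangerServiceException`. The method bodies continue outside the hunks, so this may already be handled further down.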
@@ -556,7 +563,7 @@ public Boolean onUserRemoved(User user) throws RuntimeException { } @Override - public Boolean onUserAcquired(User user) throws RuntimeException { + public Boolean onUserAcquired(User user) throws AuthorizationPluginException { VXUserList list = rangerClient.searchUser(ImmutableMap.of("name", user.name())); if (list.getListSize() == 0) { LOG.warn("The user({}) doesn't exist in the Ranger!", user); @@ -566,13 +573,13 @@ public Boolean onUserAcquired(User user) throws RuntimeException { } @Override - public Boolean onGroupAdded(Group group) throws RuntimeException { + public Boolean onGroupAdded(Group group) throws AuthorizationPluginException { return rangerClient.createGroup( VXGroup.builder().withName(group.name()).withDescription(group.name()).build()); } @Override - public Boolean onGroupRemoved(Group group) throws RuntimeException { + public Boolean onGroupRemoved(Group group) throws AuthorizationPluginException { VXGroupList list = rangerClient.searchGroup(ImmutableMap.of("name", group.name())); if (list.getListSize() == 0) { LOG.warn("The group({}) doesn't exist in the Ranger!", group); @@ -650,7 +657,8 @@ private boolean doAddSecurableObject(String roleName, RangerSecurableObject secu rangerClient.updatePolicy(policy.getId(), policy); } } catch (RangerServiceException e) { - throw new RuntimeException(e); + throw new AuthorizationPluginException( + e, "Failed to add the securable object to the Ranger!"); } return true; @@ -720,7 +728,8 @@ private boolean doRemoveSecurableObject( } } catch (RangerServiceException e) { LOG.error("Failed to remove the policy item from the Ranger policy {}!", policy); - throw new RuntimeException(e); + throw new AuthorizationPluginException( + e, "Failed to remove the securable object from Ranger!"); } return true; } 
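Review bot: In `doRemoveSecurableObject` (hunk `@@ -720,7 +728,8`) the failure is logged at error level and then rethrown with its cause, so it will be reported twice if the caller also logs it. The `LOG.error` line also formats the whole `policy` object rather than its name or id, which presumably writes every user, group and role on the policy into the log. I would drop the log line and carry the context in the exception: `throw new AuthorizationPluginException(e, "Failed to remove the securable object from Ranger policy(%s)", policy.getName());`. The matching `doAddSecurableObject` hunk (`@@ -650,7 +657,8`) can name the role in the same way, with `e, "Failed to add the securable object to the Ranger for role(%s)", roleName`. Both methods start outside their hunks.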
diff --git a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java index 86ed2ee88a7..f8619e71f82 100644 --- a/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java +++ b/authorizations/authorization-ranger/src/main/java/org/apache/gravitino/authorization/ranger/RangerHelper.java @@ -246,7 +246,8 @@ protected boolean checkRangerRole(String roleName) throws AuthorizationPluginExc try { rangerClient.getRole(roleName, rangerAdminName, rangerServiceName); } catch (RangerServiceException e) { - throw new AuthorizationPluginException(e); + throw new AuthorizationPluginException( + e, "Failed to check the role(%s) in the Ranger", roleName); } return true; } @@ -302,7 +303,8 @@ protected RangerRole createRangerRoleIfNotExists(String roleName, boolean isOwne rangerClient.createRole(rangerServiceName, rangerRole); } } catch (RangerServiceException e) { - throw new RuntimeException(e); + throw new AuthorizationPluginException( + e, "Failed to create the role(%s) in the Ranger", roleName); } return rangerRole; } diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java index 00a231e8068..06426ed8395 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java +++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveIT.java 
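Review bot: As far as hunk `@@ -246,7 +246,8` shows, `checkRangerRole` can only return `true` or throw. A missing role and an unreachable or misconfigured Ranger would therefore both reach the caller as the same `AuthorizationPluginException`, and the `boolean` return type suggests a `false` outcome that never occurs. A Javadoc line would make the contract explicit, for example `/** Returns true if Ranger returns the role; any RangerServiceException is rethrown as AuthorizationPluginException. */`. Whether callers need to tell "not found" apart from "lookup failed" should be confirmed, since the method starts outside the hunk.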
@@ -22,6 +22,7 @@ import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.rangerClient; import static org.apache.gravitino.authorization.ranger.integration.test.RangerITEnv.verifyRoleInRanger; +import com.google.common.base.Joiner; import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableSet; import com.google.common.collect.Lists; @@ -49,6 +50,7 @@ import org.apache.gravitino.authorization.ranger.RangerPrivileges; import org.apache.gravitino.authorization.ranger.RangerSecurableObject; import org.apache.gravitino.authorization.ranger.reference.RangerDefines; +import org.apache.gravitino.exceptions.AuthorizationPluginException; import org.apache.gravitino.integration.test.util.GravitinoITUtils; import org.apache.gravitino.meta.AuditInfo; import org.apache.gravitino.meta.GroupEntity; @@ -325,16 +327,20 @@ public void testFindManagedPolicy() { String dbName = currentFunName(); createHivePolicy( Lists.newArrayList(String.format("%s*", dbName), "*"), - GravitinoITUtils.genRandomName(currentFunName())); + GravitinoITUtils.genRandomName(currentFunName()), + true); createHivePolicy( Lists.newArrayList(String.format("%s*", dbName), "tab*"), - GravitinoITUtils.genRandomName(currentFunName())); + GravitinoITUtils.genRandomName(currentFunName()), + true); createHivePolicy( Lists.newArrayList(String.format("%s3", dbName), "*"), - GravitinoITUtils.genRandomName(currentFunName())); + GravitinoITUtils.genRandomName(currentFunName()), + true); createHivePolicy( Lists.newArrayList(String.format("%s3", dbName), "tab*"), - GravitinoITUtils.genRandomName(currentFunName())); + GravitinoITUtils.genRandomName(currentFunName()), + true); // findManagedPolicy function use precise search, so return null RangerSecurableObject rangerSecurableObject = rangerAuthHivePlugin.generateRangerSecurableObject( 
@@ -348,12 +354,33 @@ public void testFindManagedPolicy() { // Add a policy for `db3.tab1` createHivePolicy( Lists.newArrayList(String.format("%s3", dbName), "tab1"), - GravitinoITUtils.genRandomName(currentFunName())); + GravitinoITUtils.genRandomName(currentFunName()), + true); // findManagedPolicy function use precise search, so return not null Assertions.assertNotNull(rangerHelper.findManagedPolicy(rangerSecurableObject)); } - static void createHivePolicy(List metaObjects, String roleName) { + @Test + public void testManagedByGravitinoLabel() { + RoleEntity role = mock3TableRole(currentFunName()); + role.securableObjects().stream() + .forEach( + securableObject -> { + Joiner DOT_JOINER = Joiner.on('.'); + List names = + Lists.newArrayList( + SecurableObjects.DOT_SPLITTER.splitToList(securableObject.fullName())); + names.remove(0); // remove catalog node + // Manual create the Ranger Policy + createHivePolicy(Lists.newArrayList(names), DOT_JOINER.join(names), false); + }); + // Use role to create Ranger Policy + Assertions.assertThrows( + AuthorizationPluginException.class, () -> rangerAuthHivePlugin.onRoleCreated(role)); + } + + static void createHivePolicy( + List metaObjects, String roleName, boolean labelManagedByGravitino) { Assertions.assertTrue(metaObjects.size() < 4); Map policyResourceMap = new HashMap<>(); for (int i = 0; i < metaObjects.size(); i++) { @@ -377,7 +404,8 @@ static void createHivePolicy(List metaObjects, String roleName) { RangerITEnv.RANGER_HIVE_REPO_NAME, roleName, policyResourceMap, - Collections.singletonList(policyItem)); + Collections.singletonList(policyItem), + labelManagedByGravitino); } static boolean deleteHivePolicy(RangerSecurableObject rangerSecurableObject) { 
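Review bot: `testManagedByGravitinoLabel` asserts only that `onRoleCreated` throws. It does not check that the manually created, unlabelled policies are left untouched afterwards, which is the property the label is meant to guarantee. After the `assertThrows`, the test should re-read each policy and assert that its labels still lack `RangerHelper.MANAGED_BY_GRAVITINO` and that its policy items are unchanged. On style, `Joiner DOT_JOINER = Joiner.on('.');` is a constant-style name for a local created on every lambda call; hoist it to a `private static final` field or rename it. `role.securableObjects().stream().forEach(...)` can be `role.securableObjects().forEach(...)`.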
diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java index be653bd3dbc..fdc2d8fab18 100644 --- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java +++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerITEnv.java @@ -180,7 +180,8 @@ static void allowAnyoneAccessHDFS() { RANGER_HDFS_REPO_NAME, policyName, policyResourceMap, - Collections.singletonList(policyItem)); + Collections.singletonList(policyItem), + false); } /** @@ -217,7 +218,8 @@ static void allowAnyoneAccessInformationSchema() { RANGER_HIVE_REPO_NAME, policyName, policyResourceMap, - Collections.singletonList(policyItem)); + Collections.singletonList(policyItem), + false); } public void createRangerTrinoRepository(String trinoIp) { @@ -513,7 +515,8 @@ protected static void updateOrCreateRangerPolicy( String serviceName, String policyName, Map policyResourceMap, - List policyItems) { + List policyItems, + boolean labelManagedByGravitino) { Map resourceFilter = new HashMap<>(); // use to match the precise policy Map policyFilter = new HashMap<>(); @@ -572,7 +575,9 @@ protected static void updateOrCreateRangerPolicy( policy.setServiceType(type); policy.setService(serviceName); policy.setName(policyName); - policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO)); + if (labelManagedByGravitino) { + policy.setPolicyLabels(Lists.newArrayList(RangerHelper.MANAGED_BY_GRAVITINO)); + } policy.setResources(policyResourceMap); policy.setPolicyItems(policyItems); rangerClient.createPolicy(policy); 
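Review bot: The new `labelManagedByGravitino` flag is applied only where the policy is built for `rangerClient.createPolicy` (hunk `@@ -572,7 +575,9`). The update path of `updateOrCreateRangerPolicy` is outside the hunk, so if a policy with the same name already exists the flag may have no effect. A test that relies on an unlabelled policy could then silently run against a labelled one left behind by an earlier test. Either set or clear the label on the update path too, or document the parameter, for example `@param labelManagedByGravitino whether a newly created policy gets the MANAGED_BY_GRAVITINO label` (and state what happens on update once confirmed). `allowAnyoneAccessHDFS` and `allowAnyoneAccessInformationSchema` now pass `false`, so those allow-all policies lose the label they had before; a short comment at each call site saying why would help.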
diff --git a/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java b/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java index 67dec8fff35..e5d8db85926 100644 --- a/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java +++ b/core/src/main/java/org/apache/gravitino/connector/authorization/RoleAuthorizationPlugin.java @@ -23,6 +23,7 @@ import org.apache.gravitino.authorization.Role; import org.apache.gravitino.authorization.RoleChange; import org.apache.gravitino.authorization.User; +import org.apache.gravitino.exceptions.AuthorizationPluginException; /** Interface for authorization Role plugin operation of the underlying access control system */ interface RoleAuthorizationPlugin { @@ -32,9 +33,9 @@ interface RoleAuthorizationPlugin { * * @param role The entity of the Role. * @return True if the create operation success; False if the create operation failed. - * @throws RuntimeException If creating the Role encounters storage issues. + * @throws AuthorizationPluginException If creating the Role encounters storage issues. */ - Boolean onRoleCreated(Role role) throws RuntimeException; + Boolean onRoleCreated(Role role) throws AuthorizationPluginException; /** * After acquiring a role from Gravitino, this method is called to acquire the role in the @@ -45,10 +46,10 @@ interface RoleAuthorizationPlugin { * * @param role The entity of the Role. * @return IF exist return true, else return false. - * @throws RuntimeException If getting the Role encounters underlying access control system + * @throws AuthorizationPluginException If getting the Role encounters underlying access control system * issues. */ - Boolean onRoleAcquired(Role role) throws RuntimeException; + Boolean onRoleAcquired(Role role) throws AuthorizationPluginException; /** * After deleting a role from Gravitino, this method is called to delete the role in the 
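Review bot: The `@throws` descriptions in `RoleAuthorizationPlugin` were retyped but still attribute the failure to "storage issues", which no longer matches an exception named for the authorization plugin. Something like `@throws AuthorizationPluginException If the underlying access control system rejects or fails the operation.` would fit, and the same applies to the hunks of `UserGroupAuthorizationPlugin`. Because the exception is unchecked the clause is documentation only, so the interface Javadoc should also say whether implementations may let other runtime exceptions escape. The retyped `@throws` line on `onRoleAcquired` also looks longer than 100 columns, if the project's formatter enforces that limit.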
@@ -56,9 +57,9 @@ interface RoleAuthorizationPlugin { * * @param role The entity of the Role. * @return True if the Role was successfully deleted, false only when there's no such role - * @throws RuntimeException If deleting the Role encounters storage issues. + * @throws AuthorizationPluginException If deleting the Role encounters storage issues. */ - Boolean onRoleDeleted(Role role) throws RuntimeException; + Boolean onRoleDeleted(Role role) throws AuthorizationPluginException; /** * After updating a role in Gravitino, this method is called to update the role in the underlying @@ -67,9 +68,9 @@ interface RoleAuthorizationPlugin { * @param role The entity of the Role. * @param changes role changes apply to the role. * @return True if the update operation is successful; False if the update operation fails. - * @throws RuntimeException If update role encounters storage issues. + * @throws AuthorizationPluginException If update role encounters storage issues. */ - Boolean onRoleUpdated(Role role, RoleChange... changes) throws RuntimeException; + Boolean onRoleUpdated(Role role, RoleChange... changes) throws AuthorizationPluginException; /** * After granting roles to a user from Gravitino, this method is called to grant roles to the user @@ -78,9 +79,9 @@ interface RoleAuthorizationPlugin { * @param user The entity of the User. * @param roles The entities of the Roles. * @return True if the Grant was successful, false if the Grant was failed. - * @throws RuntimeException If granting roles to a user encounters storage issues. + * @throws AuthorizationPluginException If granting roles to a user encounters storage issues. */ - Boolean onGrantedRolesToUser(List roles, User user) throws RuntimeException; + Boolean onGrantedRolesToUser(List roles, User user) throws AuthorizationPluginException; /** * After revoking roles from a user from Gravitino, this method is called to revoke roles from the 
@@ -89,9 +90,9 @@ interface RoleAuthorizationPlugin { * @param user The entity of the User. * @param roles The entities of the Roles. * @return True if the revoke was successfully removed, false if the revoke failed. - * @throws RuntimeException If revoking roles from a user encounters storage issues. + * @throws AuthorizationPluginException If revoking roles from a user encounters storage issues. */ - Boolean onRevokedRolesFromUser(List roles, User user) throws RuntimeException; + Boolean onRevokedRolesFromUser(List roles, User user) throws AuthorizationPluginException; /** * After granting roles to a group from Gravitino, this method is called to grant roles to the @@ -100,9 +101,9 @@ interface RoleAuthorizationPlugin { * @param group The entity of the Group. * @param roles The entities of the Roles. * @return True if the revoke was successfully removed, False if the revoke failed. - * @throws RuntimeException If granting roles to a group encounters storage issues. + * @throws AuthorizationPluginException If granting roles to a group encounters storage issues. */ - Boolean onGrantedRolesToGroup(List roles, Group group) throws RuntimeException; + Boolean onGrantedRolesToGroup(List roles, Group group) throws AuthorizationPluginException; /** * After revoking roles from a group from Gravitino, this method is called to revoke roles from @@ -111,7 +112,7 @@ interface RoleAuthorizationPlugin { * @param group The entity of the Group. * @param roles The entities of the Roles. * @return True if the revoke was successfully removed, False if the revoke failed. - * @throws RuntimeException If revoking roles from a group encounters storage issues. + * @throws AuthorizationPluginException If revoking roles from a group encounters storage issues. */ - Boolean onRevokedRolesFromGroup(List roles, Group group) throws RuntimeException; + Boolean onRevokedRolesFromGroup(List roles, Group group) throws AuthorizationPluginException; } 
diff --git a/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java b/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java index 973b7a8152e..fd643290a47 100644 --- a/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java +++ b/core/src/main/java/org/apache/gravitino/connector/authorization/UserGroupAuthorizationPlugin.java @@ -22,6 +22,7 @@ import org.apache.gravitino.authorization.Group; import org.apache.gravitino.authorization.Owner; import org.apache.gravitino.authorization.User; +import org.apache.gravitino.exceptions.AuthorizationPluginException; /** * Interface for authorization User and Group plugin operation of the underlying access control @@ -34,9 +35,9 @@ interface UserGroupAuthorizationPlugin { * * @param user The user entity. * @return True if the add User was successfully added, false if the add User failed. - * @throws RuntimeException If adding the User encounters storage issues. + * @throws AuthorizationPluginException If adding the User encounters storage issues. */ - Boolean onUserAdded(User user) throws RuntimeException; + Boolean onUserAdded(User user) throws AuthorizationPluginException; /** * After removing a User from Gravitino, this method is called to remove the User from the @@ -44,9 +45,9 @@ interface UserGroupAuthorizationPlugin { * * @param user The user entity. * @return True if the User was successfully removed, false if the remove User failed. - * @throws RuntimeException If removing the User encounters storage issues. + * @throws AuthorizationPluginException If removing the User encounters storage issues. */ - Boolean onUserRemoved(User user) throws RuntimeException; + Boolean onUserRemoved(User user) throws AuthorizationPluginException; /** * After acquiring a User from Gravitino, this method is called to acquire the User in the 
@@ -57,10 +58,10 @@ interface UserGroupAuthorizationPlugin { * * @param user The user entity. * @return IF exist return true, else return false. - * @throws RuntimeException If getting the User encounters underlying access control system + * @throws AuthorizationPluginException If getting the User encounters underlying access control system * issues. */ - Boolean onUserAcquired(User user) throws RuntimeException; + Boolean onUserAcquired(User user) throws AuthorizationPluginException; /** * After adding a Group to Gravitino, this method is called to add the Group to the underlying @@ -68,9 +69,9 @@ interface UserGroupAuthorizationPlugin { * * @param group The group entity. * @return True if the add Group was successfully added, false if the add Group failed. - * @throws RuntimeException If adding the Group encounters storage issues. + * @throws AuthorizationPluginException If adding the Group encounters storage issues. */ - Boolean onGroupAdded(Group group) throws RuntimeException; + Boolean onGroupAdded(Group group) throws AuthorizationPluginException; /** * After removing a Group from Gravitino, this method is called to remove the Group from the @@ -79,9 +80,9 @@ interface UserGroupAuthorizationPlugin { * @param group The group entity. * @return True if the remove Group was successfully removed, false if the remove Group was * failed. - * @throws RuntimeException If removing the Group encounters storage issues. + * @throws AuthorizationPluginException If removing the Group encounters storage issues. */ - Boolean onGroupRemoved(Group group) throws RuntimeException; + Boolean onGroupRemoved(Group group) throws AuthorizationPluginException; /** * After acquiring a Group from Gravitino, this method is called to acquire the Group in the 
@@ -92,10 +93,10 @@ interface UserGroupAuthorizationPlugin { * * @param group The group entity. * @return If exist return true, else return false. - * @throws RuntimeException If getting the Group encounters underlying access control system + * @throws AuthorizationPluginException If getting the Group encounters underlying access control system * issues. */ - Boolean onGroupAcquired(Group group) throws RuntimeException; + Boolean onGroupAcquired(Group group) throws AuthorizationPluginException; /** * After set a Owner to Gravitino, this method is called to set the Owner to the underlying @@ -105,8 +106,8 @@ interface UserGroupAuthorizationPlugin { * @param preOwner The previous owner. * @param newOwner The new owner. * @return True if the set Owner was successfully set, false if the set Owner failed. - * @throws RuntimeException If adding the Group encounters storage issues. + * @throws AuthorizationPluginException If adding the Group encounters storage issues. */ Boolean onOwnerSet(MetadataObject metadataObject, Owner preOwner, Owner newOwner) - throws RuntimeException; + throws AuthorizationPluginException; }
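Review bot: The `@throws` text on `onOwnerSet` (hunk `@@ -105,8 +106,8`) still reads "If adding the Group encounters storage issues", which looks copied from `onGroupAdded` and describes the wrong operation. Since the line is being rewritten anyway, I would change it to `@throws AuthorizationPluginException If setting the owner in the underlying access control system fails.`. Setting an owner changes who holds privileges on the object, so the Javadoc should also say what `false` means as opposed to a thrown exception.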