[#8942]feat(authz): support tag access control#9018
Conversation
|
PHAL @jerqi |
|
|
||
| @Override | ||
| public boolean canBindTo(MetadataObject.Type type) { | ||
| return true; |
There was a problem hiding this comment.
Could the tag and role be tagged?
There was a problem hiding this comment.
It seems there are no restrictions in TagManager.
There was a problem hiding this comment.
Could the tag and role be tagged?
I misunderstood earlier—CREATE_TAG should be bound to the metalake.
|
Could u add the documents for this PR? |
docs/security/access-control.md
Outdated
| | set owner | The owner of the securable object | | ||
| | list tags | The owner of the metalake can see all the tags. Others can see his owned tags. | | ||
| | create tag | `CREATE_TAG` on the metalake or the owner of the metalake | | ||
| | get tag | The owner of the metalake or the tag. | |
There was a problem hiding this comment.
I have some concern about this. Maybe we can't use this.
|
| metadataObject, | ||
| authorizationPlugin -> | ||
| authorizationPlugin.onOwnerSet(metadataObject, originOwner.orElse(null), newOwner)); | ||
| if (metadataObject.type() != MetadataObject.Type.TAG) { |
There was a problem hiding this comment.
org.apache.gravitino.authorization.AuthorizationUtils#callAuthorizationPluginForMetadataObject can not handle tag
There was a problem hiding this comment.
We should let this method handle the tag. Because tag becomes a metadata object.
There was a problem hiding this comment.
We should let this method handle the tag. Because tag becomes a metadata object.
This method seems to be for handling pushdown, tags shouldn’t be in the underlying engine, right?
# Conflicts: # api/src/main/java/org/apache/gravitino/authorization/Privilege.java # api/src/main/java/org/apache/gravitino/authorization/Privileges.java # core/src/main/java/org/apache/gravitino/GravitinoEnv.java # docs/security/access-control.md
| .forEach( | ||
| tag -> { | ||
| boolean result = | ||
| new AuthorizationExpressionEvaluator( |
There was a problem hiding this comment.
Why do we this instead of expression?
There was a problem hiding this comment.
Authorization expressions are also used here, but interceptor is not used.
Just like with list operations, it's challenging in interceptors to extract an array from the request body and perform authorization and filtering on it.
There was a problem hiding this comment.
If we have the tag which we don't have privilege, we should forbid the behaviour.
You should move the logic to GravitinoInterceptionService
We can add the new annotation for the request like
AuthorizationRequest authorizeRequest =
parameter.getAnnotation(AuthorizationRequest.class);
then
preAuthzRequest(authorizeRequest);
There was a problem hiding this comment.
AuthorizationExpressionEvaluator and authorization expressions are not suitable for authorizing lists/arrays—or even multiple metadata objects within multiple lists/arrays(tagsToAdd, tagsToRemove). Should we consider designing a new authorization mechanism specifically for this scenario?
There was a problem hiding this comment.
Maybe we should design this. We should have the semantics like scala forall.
|
We would like to load a metadata object first. Then, we associate the metadata object with tags. It requires we must have the privilege to load the table. Actually, if we have the privilege @jerryshao WDYT? |
| @Timed(name = "get-object-tag." + MetricNames.HTTP_PROCESS_DURATION, absolute = true) | ||
| @ResponseMetered(name = "get-object-tag", absolute = true) | ||
| @AuthorizationExpression(expression = "CAN_ACCESS_METADATA && ( METALAKE::OWNER || TAG::OWNER)") | ||
| public Response getTagForObject( |
There was a problem hiding this comment.
This expression is wrong
METALAKE_OWNER || (CAN_LOAD_OBJECT && CAN_LOAD_TAG)
# Conflicts: # server-common/src/main/java/org/apache/gravitino/server/authorization/expression/AuthorizationExpressionConstants.java
| expression); | ||
|
|
||
| return buildNoAuthResponse(errorMessage, accessMetadataName, currentUser, methodName); | ||
| if (!isBatch) { |
There was a problem hiding this comment.
Could extract some classes to handle the conditions?
server/src/main/java/org/apache/gravitino/server/web/filter/GravitinoInterceptionService.java
Show resolved
Hide resolved
| extractAuthorizationRequestTypeFromParameters(parameters); | ||
| executor = | ||
| switch (requestType) { | ||
| case COMMON -> new CommonAuthorizerExecutor( |
There was a problem hiding this comment.
Could extract these classes to single files?
|
|
||
| // Authorize both 'tagsToAdd' and 'tagsToRemove' fields. | ||
| // Short-circuit on first failure. | ||
| return authorizeTagField(request, "tagsToAdd", context, targetType) |
There was a problem hiding this comment.
We don't need use reflection here.
# Conflicts: # server/src/main/java/org/apache/gravitino/server/web/filter/GravitinoInterceptionService.java
|
|
||
| public static void callAuthorizationPluginForMetadataObject( | ||
| String metalake, MetadataObject metadataObject, Consumer<AuthorizationPlugin> consumer) { | ||
| if (metadataObject.type() == MetadataObject.Type.TAG) { |
There was a problem hiding this comment.
Yes, otherwise setting the tag's owner here will throw an exception.
There was a problem hiding this comment.
We have already handled this in this method.
| try { | ||
| // Set the creator as the owner of the catalog. | ||
| OwnerDispatcher ownerDispatcher = GravitinoEnv.getInstance().ownerDispatcher(); | ||
| if (ownerDispatcher != null) { |
There was a problem hiding this comment.
Why do we need try catch here?
| * @return The created tag. | ||
| */ | ||
| Tag createTag(String metalake, String name, String comment, Map<String, String> properties); | ||
| Tag createTag(String metalake, String name, String comment, Map<String, String> properties) |
There was a problem hiding this comment.
Why do need to throw Exception here?
This reverts commit 4ba420c.
| return authorizeTagField(tagsAssociateRequest.getTagsToAdd(), context, targetType) | ||
| && authorizeTagField(tagsAssociateRequest.getTagsToRemove(), context, targetType); | ||
| } | ||
| throw new UnsupportedOperationException("Unsupported request type: " + request.getClass()); |
There was a problem hiding this comment.
Could you use Precondition.checkArguments(). This should throw illegalAgurmentException here.
.../org/apache/gravitino/server/web/filter/authorization/AssociateTagAuthorizationExecutor.java
Show resolved
Hide resolved
.../org/apache/gravitino/server/web/filter/authorization/AssociateTagAuthorizationExecutor.java
Show resolved
Hide resolved
.../org/apache/gravitino/server/web/filter/authorization/AssociateTagAuthorizationExecutor.java
Show resolved
Hide resolved
2 participants
What changes were proposed in this pull request?
support tag access control
Why are the changes needed?
Fix: #8942
Does this PR introduce any user-facing change?
None
How was this patch tested?
org.apache.gravitino.client.integration.test.authorization.TagOperationsAuthorizationIT