Merge branch 'main' into support-oauth2-in-pygvfs

apache · Oct 8, 2024 · 2fe2c27 · 2fe2c27
2 parents f9cf17d + dd1a930
commit 2fe2c27
Show file tree

Hide file tree

Showing 103 changed files with 4,490 additions and 340 deletions.
diff --git a/.github/workflows/python-integration-test.yml b/.github/workflows/python-integration-test.yml
@@ -48,7 +48,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.source_changes == 'true'
     runs-on: ubuntu-latest
-    timeout-minutes: 30
+    timeout-minutes: 45
     strategy:
       matrix:
         # Integration test for AMD64 architecture
@@ -92,4 +92,4 @@ jobs:
             distribution/package/logs/gravitino-server.out
             distribution/package/logs/gravitino-server.log
             catalogs/**/*.log
-            catalogs/**/*.tar
+            catalogs/**/*.tar
diff --git a/api/src/main/java/org/apache/gravitino/Catalog.java b/api/src/main/java/org/apache/gravitino/Catalog.java
@@ -21,6 +21,7 @@
 import java.util.Locale;
 import java.util.Map;
 import org.apache.gravitino.annotation.Evolving;
+import org.apache.gravitino.authorization.SupportsRoles;
 import org.apache.gravitino.file.FilesetCatalog;
 import org.apache.gravitino.messaging.TopicCatalog;
 import org.apache.gravitino.rel.TableCatalog;
@@ -181,4 +182,12 @@ default TopicCatalog asTopicCatalog() throws UnsupportedOperationException {
   default SupportsTags supportsTags() throws UnsupportedOperationException {
     throw new UnsupportedOperationException("Catalog does not support tag operations");
   }
+
+  /**
+   * @return the {@link SupportsRoles} if the catalog supports role operations.
+   * @throws UnsupportedOperationException if the catalog does not support role operations.
+   */
+  default SupportsRoles supportsRoles() throws UnsupportedOperationException {
+    throw new UnsupportedOperationException("Catalog does not support role operations");
+  }
 }
diff --git a/api/src/main/java/org/apache/gravitino/Metalake.java b/api/src/main/java/org/apache/gravitino/Metalake.java
@@ -20,6 +20,7 @@
 
 import java.util.Map;
 import org.apache.gravitino.annotation.Evolving;
+import org.apache.gravitino.authorization.SupportsRoles;
 
 /**
  * The interface of a metalake. The metalake is the top level entity in the Apache Gravitino system,
@@ -50,4 +51,12 @@ public interface Metalake extends Auditable {
    * @return The properties of the metalake.
    */
   Map<String, String> properties();
+
+  /**
+   * @return the {@link SupportsRoles} if the metalake supports role operations.
+   * @throws UnsupportedOperationException if the metalake does not support role operations.
+   */
+  default SupportsRoles supportsRoles() {
+    throw new UnsupportedOperationException("Metalake does not support role operations.");
+  }
 }
diff --git a/api/src/main/java/org/apache/gravitino/Schema.java b/api/src/main/java/org/apache/gravitino/Schema.java
@@ -22,6 +22,7 @@
 import java.util.Map;
 import javax.annotation.Nullable;
 import org.apache.gravitino.annotation.Evolving;
+import org.apache.gravitino.authorization.SupportsRoles;
 import org.apache.gravitino.tag.SupportsTags;
 
 /**
@@ -56,4 +57,12 @@ default Map<String, String> properties() {
   default SupportsTags supportsTags() {
     throw new UnsupportedOperationException("Schema does not support tag operations.");
   }
+
+  /**
+   * @return the {@link SupportsRoles} if the schema supports role operations.
+   * @throws UnsupportedOperationException if the schema does not support role operations.
+   */
+  default SupportsRoles supportsRoles() {
+    throw new UnsupportedOperationException("Schema does not support role operations.");
+  }
 }
diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -18,6 +18,7 @@
  */
 package org.apache.gravitino.authorization;
 
+import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.annotation.Unstable;
 
 /**
@@ -39,6 +40,15 @@ public interface Privilege {
    */
   Condition condition();
 
+  /**
+   * If the privilege can bind to a securable object, then this method will return true, otherwise
+   * false.
+   *
+   * @param type The securable object type.
+   * @return It will return true if the privilege can bind to a securable object, otherwise false.
+   */
+  boolean canBindTo(MetadataObject.Type type);
+
   /** The name of this privilege. */
   enum Name {
     /** The privilege to create a catalog. */

diff --git a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -18,11 +18,37 @@
  */
 package org.apache.gravitino.authorization;
 
+import com.google.common.collect.Sets;
 import java.util.Objects;
+import java.util.Set;
+import org.apache.gravitino.MetadataObject;
 
 /** The helper class for {@link Privilege}. */
 public class Privileges {
 
+  private static final Set<MetadataObject.Type> TABLE_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.TABLE);
+  private static final Set<MetadataObject.Type> TOPIC_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.TOPIC);
+  private static final Set<MetadataObject.Type> SCHEMA_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE, MetadataObject.Type.CATALOG, MetadataObject.Type.SCHEMA);
+
+  private static final Set<MetadataObject.Type> FILESET_SUPPORTED_TYPES =
+      Sets.immutableEnumSet(
+          MetadataObject.Type.METALAKE,
+          MetadataObject.Type.CATALOG,
+          MetadataObject.Type.SCHEMA,
+          MetadataObject.Type.FILESET);
+
   /**
    * Returns the Privilege with allow condition from the string representation.
    *
@@ -241,6 +267,11 @@ public static CreateCatalog allow() {
     public static CreateCatalog deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to use a catalog. */
@@ -263,6 +294,11 @@ public static UseCatalog allow() {
     public static UseCatalog deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
+    }
   }
 
   /** The privilege to use a schema. */
@@ -283,6 +319,11 @@ public static UseSchema allow() {
     public static UseSchema deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a schema. */
@@ -305,6 +346,11 @@ public static CreateSchema allow() {
     public static CreateSchema deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE || type == MetadataObject.Type.CATALOG;
+    }
   }
 
   /** The privilege to create a table. */
@@ -327,6 +373,11 @@ public static CreateTable allow() {
     public static CreateTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to select data from a table. */
@@ -349,6 +400,11 @@ public static SelectTable allow() {
     public static SelectTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TABLE_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE` for a table. */
@@ -371,6 +427,11 @@ public static ModifyTable allow() {
     public static ModifyTable deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TABLE_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a fileset. */
@@ -393,6 +454,11 @@ public static CreateFileset allow() {
     public static CreateFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to read a fileset. */
@@ -415,6 +481,11 @@ public static ReadFileset allow() {
     public static ReadFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return FILESET_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to write a fileset. */
@@ -437,6 +508,11 @@ public static WriteFileset allow() {
     public static WriteFileset deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return FILESET_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to create a topic. */
@@ -459,6 +535,11 @@ public static CreateTopic allow() {
     public static CreateTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return SCHEMA_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to consume from a topic. */
@@ -481,6 +562,11 @@ public static ConsumeTopic allow() {
     public static ConsumeTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TOPIC_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to produce to a topic. */
@@ -503,6 +589,11 @@ public static ProduceTopic allow() {
     public static ProduceTopic deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return TOPIC_SUPPORTED_TYPES.contains(type);
+    }
   }
 
   /** The privilege to manage users. */
@@ -525,6 +616,11 @@ public static ManageUsers allow() {
     public static ManageUsers deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to manage groups. */
@@ -547,6 +643,11 @@ public static ManageGroups allow() {
     public static ManageGroups deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to create a role. */
@@ -569,6 +670,11 @@ public static CreateRole allow() {
     public static CreateRole deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 
   /** The privilege to grant or revoke a role for the user or the group. */
@@ -591,5 +697,10 @@ public static ManageGrants allow() {
     public static ManageGrants deny() {
       return DENY_INSTANCE;
     }
+
+    @Override
+    public boolean canBindTo(MetadataObject.Type type) {
+      return type == MetadataObject.Type.METALAKE;
+    }
   }
 }
diff --git a/api/src/main/java/org/apache/gravitino/authorization/SupportsRoles.java b/api/src/main/java/org/apache/gravitino/authorization/SupportsRoles.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization;
+
+import org.apache.gravitino.annotation.Evolving;
+
+/**
+ * Interface for supporting list role names for objects. This interface will be mixed with metadata
+ * objects to provide listing role operations.
+ */
+@Evolving
+public interface SupportsRoles {
+
+  /**
+   * List all the role names associated with this metadata object.
+   *
+   * @return The role name list associated with this metadata object.
+   */
+  String[] listBindingRoleNames();
+}