[#9254,#9168] improvement(authz): Optimize metadata authorization in the list metalake and list role. (#9255)

### What changes were proposed in this pull request?

Optimize metadata authorization in the list metalake and list role.

### Why are the changes needed?

Fix: #9254 #9168 

### Does this PR introduce _any_ user-facing change?

None

### How was this patch tested?

Existing test case in
org.apache.gravitino.client.integration.test.authorization.MetalakeAuthorizationIT
Existing test case in
org.apache.gravitino.client.integration.test.authorization.RoleAuthorizationIT

Author: hdygxsj

server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java

@@ -33,6 +33,7 @@
 import org.apache.gravitino.Configs;
 import org.apache.gravitino.Entity;
 import org.apache.gravitino.GravitinoEnv;
+import org.apache.gravitino.Metalake;
 import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.authorization.AuthorizationRequestContext;
 import org.apache.gravitino.authorization.GravitinoAuthorizer;
@@ -88,6 +89,25 @@ public static NameIdentifier[] filterByPrivilege(
         .toArray(NameIdentifier[]::new);
   }
 
+  public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression) {
+    if (!enableAuthorization()) {
+      return metalakes;
+    }
+    checkExecutor();
+    AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
+    return doFilter(
+        expression,
+        metalakes,
+        GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
+        authorizationRequestContext,
+        metalake -> {
+          String metalakeName = metalake.name();
+          return splitMetadataNames(
+              metalakeName,
+              Entity.EntityType.METALAKE,
+              NameIdentifierUtil.ofMetalake(metalakeName));
+        });
+  }
   /**
    * Call {@link AuthorizationExpressionEvaluator} to filter the metadata list
    *
@@ -102,41 +122,7 @@ public static NameIdentifier[] filterByExpression(
       String expression,
       Entity.EntityType entityType,
       NameIdentifier[] nameIdentifiers) {
-    if (!enableAuthorization()) {
-      return nameIdentifiers;
-    }
-    checkExecutor();
-    AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
-    List<CompletableFuture<NameIdentifier>> futures = new ArrayList<>();
-    for (NameIdentifier nameIdentifier : nameIdentifiers) {
-      Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
-      futures.add(
-          CompletableFuture.supplyAsync(
-              () -> {
-                try {
-                  return PrincipalUtils.doAs(
-                      currentPrincipal,
-                      () -> {
-                        Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
-                            spiltMetadataNames(metalake, entityType, nameIdentifier);
-                        AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
-                            new AuthorizationExpressionEvaluator(expression);
-                        return authorizationExpressionEvaluator.evaluate(
-                                nameIdentifierMap, authorizationRequestContext)
-                            ? nameIdentifier
-                            : null;
-                      });
-                } catch (Exception e) {
-                  LOG.error("GravitinoAuthorize error:{}", e.getMessage(), e);
-                  return null;
-                }
-              },
-              executor));
-    }
-    return futures.stream()
-        .map(CompletableFuture::join)
-        .filter(Objects::nonNull)
-        .toArray(NameIdentifier[]::new);
+    return filterByExpression(metalake, expression, entityType, nameIdentifiers, e -> e);
   }
 
   /**
@@ -155,7 +141,7 @@ public static boolean checkAccess(
 
     String metalake = NameIdentifierUtil.getMetalake(identifier);
     Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
-        spiltMetadataNames(metalake, entityType, identifier);
+        splitMetadataNames(metalake, entityType, identifier);
     AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
         new AuthorizationExpressionEvaluator(expression);
     return authorizationExpressionEvaluator.evaluate(
@@ -181,9 +167,8 @@ public static <E> E[] filterByExpression(
       Function<E, NameIdentifier> toNameIdentifier) {
     GravitinoAuthorizer authorizer =
         GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
-    Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
     return filterByExpression(
-        metalake, expression, entityType, entities, toNameIdentifier, currentPrincipal, authorizer);
+        metalake, expression, entityType, entities, toNameIdentifier, authorizer);
   }
 
   /**
@@ -195,7 +180,6 @@ public static <E> E[] filterByExpression(
    * @param entityType entity type
    * @param entities metadata entities
    * @param toNameIdentifier function to convert entity to NameIdentifier
-   * @param currentPrincipal current principal
    * @param authorizer authorizer to filter metadata
    * @return Filtered Metadata Entity
    * @param <E> Entity class
@@ -206,13 +190,30 @@ public static <E> E[] filterByExpression(
       Entity.EntityType entityType,
       E[] entities,
       Function<E, NameIdentifier> toNameIdentifier,
-      Principal currentPrincipal,
       GravitinoAuthorizer authorizer) {
     if (!enableAuthorization()) {
       return entities;
     }
     checkExecutor();
     AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
+    return doFilter(
+        expression,
+        entities,
+        authorizer,
+        authorizationRequestContext,
+        (entity) -> {
+          NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
+          return splitMetadataNames(metalake, entityType, nameIdentifier);
+        });
+  }
+
+  private static <E> E[] doFilter(
+      String expression,
+      E[] entities,
+      GravitinoAuthorizer authorizer,
+      AuthorizationRequestContext authorizationRequestContext,
+      Function<E, Map<Entity.EntityType, NameIdentifier>> extractMetadataNamesMap) {
+    Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
     List<CompletableFuture<E>> futures = new ArrayList<>();
     for (E entity : entities) {
       futures.add(
@@ -224,11 +225,8 @@ public static <E> E[] filterByExpression(
                       () -> {
                         AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
                             new AuthorizationExpressionEvaluator(expression, authorizer);
-                        NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
-                        Map<Entity.EntityType, NameIdentifier> nameIdentifierMap =
-                            spiltMetadataNames(metalake, entityType, nameIdentifier);
                         return authorizationExpressionEvaluator.evaluate(
-                                nameIdentifierMap, authorizationRequestContext)
+                                extractMetadataNamesMap.apply(entity), authorizationRequestContext)
                             ? entity
                             : null;
                       });
@@ -255,7 +253,7 @@ public static <E> E[] filterByExpression(
    * @param nameIdentifier metadata name
    * @return A map containing the metadata object and all its parent objects, keyed by their types
    */
-  public static Map<Entity.EntityType, NameIdentifier> spiltMetadataNames(
+  public static Map<Entity.EntityType, NameIdentifier> splitMetadataNames(
       String metalake, Entity.EntityType entityType, NameIdentifier nameIdentifier) {
     Map<Entity.EntityType, NameIdentifier> nameIdentifierMap = new HashMap<>();
     nameIdentifierMap.put(Entity.EntityType.METALAKE, NameIdentifierUtil.ofMetalake(metalake));

server/src/main/java/org/apache/gravitino/server/web/filter/ParameterUtil.java

@@ -171,7 +171,7 @@ public static Map<Entity.EntityType, NameIdentifier> extractNameIdentifierFromPa
       NameIdentifier nameIdentifier =
           MetadataObjectUtil.toEntityIdent(metalake, MetadataObjects.parse(fullName, type));
       nameIdentifierMap.putAll(
-          MetadataAuthzHelper.spiltMetadataNames(
+          MetadataAuthzHelper.splitMetadataNames(
               metalake, MetadataObjectUtil.toEntityType(type), nameIdentifier));
     }
 

server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java

@@ -89,22 +89,7 @@ public Response listMetalakes() {
           httpRequest,
           () -> {
             Metalake[] metalakes = metalakeDispatcher.listMetalakes();
-            metalakes =
-                Arrays.stream(metalakes)
-                    .filter(
-                        metalake -> {
-                          NameIdentifier[] nameIdentifiers =
-                              new NameIdentifier[] {NameIdentifierUtil.ofMetalake(metalake.name())};
-                          return MetadataAuthzHelper.filterByExpression(
-                                      metalake.name(),
-                                      "METALAKE_USER",
-                                      Entity.EntityType.METALAKE,
-                                      nameIdentifiers)
-                                  .length
-                              > 0;
-                        })
-                    .toList()
-                    .toArray(new Metalake[0]);
+            metalakes = MetadataAuthzHelper.filterMetalakes(metalakes, "METALAKE_USER");
             MetalakeDTO[] metalakeDTOs =
                 Arrays.stream(metalakes).map(DTOConverters::toDTO).toArray(MetalakeDTO[]::new);
             Response response = Utils.ok(new MetalakeListResponse(metalakeDTOs));

server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java

@@ -38,7 +38,6 @@
 import org.apache.gravitino.GravitinoEnv;
 import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.MetadataObjects;
-import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.authorization.AccessControlDispatcher;
 import org.apache.gravitino.authorization.AuthorizationUtils;
 import org.apache.gravitino.authorization.Privilege;
@@ -92,22 +91,12 @@ public Response listRoles(
           () -> {
             String[] names = accessControlManager.listRoleNames(metalake);
             names =
-                Arrays.stream(names)
-                    .filter(
-                        role -> {
-                          NameIdentifier[] nameIdentifiers =
-                              new NameIdentifier[] {NameIdentifierUtil.ofRole(metalake, role)};
-                          return MetadataAuthzHelper.filterByExpression(
-                                      metalake,
-                                      AuthorizationExpressionConstants
-                                          .loadRoleAuthorizationExpression,
-                                      Entity.EntityType.ROLE,
-                                      nameIdentifiers)
-                                  .length
-                              > 0;
-                        })
-                    .collect(Collectors.toList())
-                    .toArray(new String[0]);
+                MetadataAuthzHelper.filterByExpression(
+                    metalake,
+                    AuthorizationExpressionConstants.loadRoleAuthorizationExpression,
+                    Entity.EntityType.ROLE,
+                    names,
+                    roleName -> NameIdentifierUtil.ofRole(metalake, roleName));
             return Utils.ok(new NameListResponse(names));
           });
     } catch (Exception e) {