Fix the 404 issue

Author: jerryshao

clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/TagOperationsAuthorizationIT.java

@@ -25,6 +25,7 @@
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Maps;
 import java.io.IOException;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
@@ -38,6 +39,7 @@
 import org.apache.gravitino.authorization.SecurableObject;
 import org.apache.gravitino.authorization.SecurableObjects;
 import org.apache.gravitino.client.GravitinoMetalake;
+import org.apache.gravitino.dto.MetalakeDTO;
 import org.apache.gravitino.exceptions.ForbiddenException;
 import org.apache.gravitino.integration.test.container.ContainerSuite;
 import org.apache.gravitino.integration.test.container.HiveContainer;
@@ -294,6 +296,82 @@ public void testDropTag() {
     gravitinoMetalake.deleteTag("tag1");
   }
 
+  @Test
+  @Order(9)
+  public void testTagOperationsWithNonExistentMetalake() throws Exception {
+    // Test that all tag operations with @AuthorizationExpression return 403 Forbidden
+    // when the metalake doesn't exist, instead of inconsistent 404 responses
+    String nonExistentMetalake = "nonExistentMetalake";
+
+    // Access the restClient from normalUserClient using reflection
+    Method restClientMethod =
+        normalUserClient.getClass().getSuperclass().getDeclaredMethod("restClient");
+    restClientMethod.setAccessible(true);
+    Object restClient = restClientMethod.invoke(normalUserClient);
+
+    // Create a MetalakeDTO for the non-existent metalake
+    MetalakeDTO metalakeDTO =
+        MetalakeDTO.builder()
+            .withName(nonExistentMetalake)
+            .withComment("test")
+            .withProperties(Maps.newHashMap())
+            .withAudit(
+                org.apache.gravitino.dto.AuditDTO.builder()
+                    .withCreator("test")
+                    .withCreateTime(java.time.Instant.now())
+                    .build())
+            .build();
+
+    // Use DTOConverters.toMetaLake() via reflection to create GravitinoMetalake
+    Class<?> dtoConvertersClass = Class.forName("org.apache.gravitino.client.DTOConverters");
+    Method toMetaLakeMethod =
+        dtoConvertersClass.getDeclaredMethod(
+            "toMetaLake",
+            MetalakeDTO.class,
+            Class.forName("org.apache.gravitino.client.RESTClient"));
+    toMetaLakeMethod.setAccessible(true);
+    GravitinoMetalake nonExistentMetalakeObj =
+        (GravitinoMetalake) toMetaLakeMethod.invoke(null, metalakeDTO, restClient);
+
+    // Test createTag - should return 403 ForbiddenException
+    assertThrows(
+        ForbiddenException.class,
+        () -> nonExistentMetalakeObj.createTag("testTag", "comment", Maps.newHashMap()));
+
+    // Test getTag - should return 403 ForbiddenException
+    assertThrows(ForbiddenException.class, () -> nonExistentMetalakeObj.getTag("testTag"));
+
+    // Test alterTag - should return 403 ForbiddenException
+    assertThrows(
+        ForbiddenException.class,
+        () -> nonExistentMetalakeObj.alterTag("testTag", TagChange.rename("newName")));
+
+    // Test deleteTag - should return 403 ForbiddenException
+    assertThrows(
+        ForbiddenException.class,
+        () -> {
+          nonExistentMetalakeObj.deleteTag("testTag");
+        });
+
+    // Test listTags - now has @AuthorizationExpression with empty expression,
+    // should return 403 ForbiddenException
+    assertThrows(ForbiddenException.class, nonExistentMetalakeObj::listTags);
+
+    // Test listTagsInfo - now has @AuthorizationExpression with empty expression,
+    // should return 403 ForbiddenException
+    assertThrows(ForbiddenException.class, nonExistentMetalakeObj::listTagsInfo);
+
+    // Test associateTags for metadata object - should return 403 ForbiddenException
+    // when trying to associate tags to a catalog in a non-existent metalake
+    assertThrows(
+        ForbiddenException.class,
+        () ->
+            nonExistentMetalakeObj
+                .loadCatalog(CATALOG)
+                .supportsTags()
+                .associateTags(new String[] {"testTag"}, null));
+  }
+
   private Column[] createColumns() {
     return new Column[] {Column.of("col1", Types.StringType.get())};
   }

gradle.properties

@@ -36,7 +36,7 @@ defaultScalaVersion = 2.12
 pythonVersion = 3.9
 
 # skipDockerTests is used to skip the tests that require Docker to be running.
-skipDockerTests = true
+skipDockerTests = false
 
 # enableFuse is used to enable the fuse module in the build.
 enableFuse = false

server/src/main/java/org/apache/gravitino/server/web/filter/GravitinoInterceptionService.java

@@ -37,9 +37,14 @@
 import org.aopalliance.intercept.MethodInvocation;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.gravitino.Entity;
+import org.apache.gravitino.GravitinoEnv;
 import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.authorization.AuthorizationUtils;
+import org.apache.gravitino.exceptions.ForbiddenException;
+import org.apache.gravitino.exceptions.MetalakeNotInUseException;
+import org.apache.gravitino.exceptions.NoSuchMetalakeException;
+import org.apache.gravitino.metalake.MetalakeManager;
 import org.apache.gravitino.server.authorization.annotations.AuthorizationExpression;
 import org.apache.gravitino.server.authorization.annotations.AuthorizationRequest;
 import org.apache.gravitino.server.authorization.expression.AuthorizationExpressionEvaluator;
@@ -131,37 +136,6 @@ public Object invoke(MethodInvocation methodInvocation) throws Throwable {
       AuthorizationExpression expressionAnnotation =
           method.getAnnotation(AuthorizationExpression.class);
 
-      // Check current user exists in metalake before authorization
-      if (expressionAnnotation != null) {
-        Object[] args = methodInvocation.getArguments();
-        Map<Entity.EntityType, NameIdentifier> metadataContext =
-            extractNameIdentifierFromParameters(parameters, args);
-
-        // Check if current user exists in the metalake.
-        NameIdentifier metalakeIdent = metadataContext.get(Entity.EntityType.METALAKE);
-
-        if (metalakeIdent != null) {
-          String currentUser = PrincipalUtils.getCurrentUserName();
-          try {
-            AuthorizationUtils.checkCurrentUser(metalakeIdent.name(), currentUser);
-          } catch (org.apache.gravitino.exceptions.ForbiddenException ex) {
-            LOG.warn(
-                "User validation failed - User: {}, Metalake: {}, Reason: {}",
-                currentUser,
-                metalakeIdent.name(),
-                ex.getMessage());
-            return Utils.forbidden(ex.getMessage(), ex);
-          } catch (Exception ex) {
-            LOG.error(
-                "Unexpected error during user validation - User: {}, Metalake: {}",
-                currentUser,
-                metalakeIdent.name(),
-                ex);
-            return Utils.internalError("Failed to validate user", ex);
-          }
-        }
-      }
-
       try {
         AuthorizationExecutor executor;
         if (expressionAnnotation != null) {
@@ -172,22 +146,57 @@ public Object invoke(MethodInvocation methodInvocation) throws Throwable {
               extractNameIdentifierFromParameters(parameters, args);
 
           Map<String, Object> pathParams = Utils.extractPathParamsFromParameters(parameters, args);
-          AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
-              new AuthorizationExpressionEvaluator(expression);
-          AuthorizationRequest.RequestType requestType =
-              extractAuthorizationRequestTypeFromParameters(parameters);
-          executor =
-              AuthorizeExecutorFactory.create(
-                  requestType,
-                  metadataContext,
-                  authorizationExpressionEvaluator,
-                  pathParams,
-                  entityType,
-                  parameters,
-                  args);
-          boolean authorizeResult = executor.execute();
-          if (!authorizeResult) {
-            return buildNoAuthResponse(expressionAnnotation, metadataContext, method, expression);
+
+          // Check metalake and user existence before authorization
+          NameIdentifier metalakeIdent = metadataContext.get(Entity.EntityType.METALAKE);
+          if (metalakeIdent != null) {
+            try {
+              MetalakeManager.checkMetalake(
+                  metalakeIdent, GravitinoEnv.getInstance().entityStore());
+            } catch (NoSuchMetalakeException | MetalakeNotInUseException ex) {
+              // If metalake doesn't exist or is not in use, return no auth response
+              return buildNoAuthResponse(expressionAnnotation, metadataContext, method, expression);
+            }
+
+            String currentUser = PrincipalUtils.getCurrentUserName();
+            try {
+              AuthorizationUtils.checkCurrentUser(metalakeIdent.name(), currentUser);
+            } catch (ForbiddenException ex) {
+              LOG.warn(
+                  "User validation failed - User: {}, Metalake: {}, Reason: {}",
+                  currentUser,
+                  metalakeIdent.name(),
+                  ex.getMessage());
+              return Utils.forbidden(ex.getMessage(), ex);
+            } catch (Exception ex) {
+              LOG.error(
+                  "Unexpected error during user validation - User: {}, Metalake: {}",
+                  currentUser,
+                  metalakeIdent.name(),
+                  ex);
+              return Utils.internalError("Failed to validate user", ex);
+            }
+          }
+
+          // If expression is empty, skip authorization check (method handles its own filtering)
+          if (StringUtils.isNotBlank(expression)) {
+            AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
+                new AuthorizationExpressionEvaluator(expression);
+            AuthorizationRequest.RequestType requestType =
+                extractAuthorizationRequestTypeFromParameters(parameters);
+            executor =
+                AuthorizeExecutorFactory.create(
+                    requestType,
+                    metadataContext,
+                    authorizationExpressionEvaluator,
+                    pathParams,
+                    entityType,
+                    parameters,
+                    args);
+            boolean authorizeResult = executor.execute();
+            if (!authorizeResult) {
+              return buildNoAuthResponse(expressionAnnotation, metadataContext, method, expression);
+            }
           }
         }
         return methodInvocation.proceed();

server/src/main/java/org/apache/gravitino/server/web/rest/TagOperations.java

@@ -87,8 +87,10 @@ public TagOperations(TagDispatcher tagDispatcher) {
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-tags." + MetricNames.HTTP_PROCESS_DURATION, absolute = true)
   @ResponseMetered(name = "list-tags", absolute = true)
+  @AuthorizationExpression(expression = "", accessMetadataType = MetadataObject.Type.METALAKE)
   public Response listTags(
-      @PathParam("metalake") String metalake,
+      @PathParam("metalake") @AuthorizationMetadata(type = Entity.EntityType.METALAKE)
+          String metalake,
       @QueryParam("details") @DefaultValue("false") boolean verbose) {
     LOG.info(
         "Received list tag {} request for metalake: {}", verbose ? "infos" : "names", metalake);
@@ -261,8 +263,11 @@ public Response deleteTag(
   @Produces("application/vnd.gravitino.v1+json")
   @Timed(name = "list-objects-for-tag." + MetricNames.HTTP_PROCESS_DURATION, absolute = true)
   @ResponseMetered(name = "list-objects-for-tag", absolute = true)
+  @AuthorizationExpression(expression = "", accessMetadataType = MetadataObject.Type.TAG)
   public Response listMetadataObjectsForTag(
-      @PathParam("metalake") String metalake, @PathParam("tag") String tagName) {
+      @PathParam("metalake") @AuthorizationMetadata(type = Entity.EntityType.METALAKE)
+          String metalake,
+      @PathParam("tag") @AuthorizationMetadata(type = Entity.EntityType.TAG) String tagName) {
     LOG.info("Received list objects for tag: {} under metalake: {}", tagName, metalake);
 
     try {