From 121784a2e0d789a523416b3e26fa51600ab54087 Mon Sep 17 00:00:00 2001
From: zhongyangyang <1161623489@qq.com>
Date: Tue, 25 Nov 2025 22:03:56 +0800
Subject: [PATCH 1/7] Optimize metadata authorization in the list metalake.
---
 .../authorization/MetadataAuthzHelper.java | 41 +++++++++++++++++++
 .../server/web/rest/MetalakeOperations.java | 17 +-------
 2 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 661f4749c24..6e65a528079 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -33,6 +33,7 @@
 import org.apache.gravitino.Configs;
 import org.apache.gravitino.Entity;
 import org.apache.gravitino.GravitinoEnv;
+import org.apache.gravitino.Metalake;
 import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.authorization.AuthorizationRequestContext;
 import org.apache.gravitino.authorization.GravitinoAuthorizer;
@@ -88,6 +89,46 @@ public static NameIdentifier[] filterByPrivilege(
 .toArray(NameIdentifier[]::new);
 }
+ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression) {
+ if (!enableAuthorization()) {
+ return metalakes;
+ }
+ checkExecutor();
+ AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
+ List> futures = new ArrayList<>();
+ for (Metalake metalake : metalakes) {
+ Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
+ futures.add(
+ CompletableFuture.supplyAsync(
+ () -> {
+ try {
+ return PrincipalUtils.doAs(
+ currentPrincipal,
+ () -> {
+ Map nameIdentifierMap =
+ spiltMetadataNames(
+ metalake.name(),
+ Entity.EntityType.METALAKE,
+ NameIdentifierUtil.ofMetalake(metalake.name()));
+ AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
+ new AuthorizationExpressionEvaluator(expression);
+ return authorizationExpressionEvaluator.evaluate(
+ nameIdentifierMap, authorizationRequestContext)
+ ? NameIdentifierUtil.ofMetalake(metalake.name())
+ : null;
+ });
+ } catch (Exception e) {
+ LOG.error("GravitinoAuthorize error:{}", e.getMessage(), e);
+ return null;
+ }
+ },
+ executor));
+ }
+ return futures.stream()
+ .map(CompletableFuture::join)
+ .filter(Objects::nonNull)
+ .toArray(Metalake[]::new);
+ }
 /**
 * Call {@link AuthorizationExpressionEvaluator} to filter the metadata list
 *
diff --git a/server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java b/server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java
index 0d0895b11b5..5c94b5517f4 100644
--- a/server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java
+++ b/server/src/main/java/org/apache/gravitino/server/web/rest/MetalakeOperations.java
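Review bot: The new public `filterMetalakes` has no Javadoc, while the neighbouring `filterByExpression` documents its contract; the later rewrites of this method (the `@@ -95,40 +95,18 @@` hunk of PATCH 5/7 and the `@@ -102,7 +102,7 @@` hunk of PATCH 6/7) do not add one either. A short header would do: `/** Filters {@code metalakes} with the authorization {@code expression}; returns the input unchanged when authorization is disabled. */`. The `return null` in the catch block also deserves a one-line why-comment, because together with the `.filter(Objects::nonNull)` below it means an evaluation failure drops the metalake from the result instead of exposing it, e.g. `// Fail closed: an evaluation error hides the metalake instead of returning it.`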
@@ -89,22 +89,7 @@ public Response listMetalakes() {
 httpRequest,
 () -> {
 Metalake[] metalakes = metalakeDispatcher.listMetalakes();
- metalakes =
- Arrays.stream(metalakes)
- .filter(
- metalake -> {
- NameIdentifier[] nameIdentifiers =
- new NameIdentifier[] {NameIdentifierUtil.ofMetalake(metalake.name())};
- return MetadataAuthzHelper.filterByExpression(
- metalake.name(),
- "METALAKE_USER",
- Entity.EntityType.METALAKE,
- nameIdentifiers)
- .length
- > 0;
- })
- .toList()
- .toArray(new Metalake[0]);
+ metalakes = MetadataAuthzHelper.filterMetalakes(metalakes, "METALAKE_USER");
 MetalakeDTO[] metalakeDTOs =
 Arrays.stream(metalakes).map(DTOConverters::toDTO).toArray(MetalakeDTO[]::new);
 Response response = Utils.ok(new MetalakeListResponse(metalakeDTOs));
From 0c41108cb446b1c88f99c38c5cfb05c8dcfae7b4 Mon Sep 17 00:00:00 2001
From: zhongyangyang <1161623489@qq.com>
Date: Tue, 25 Nov 2025 23:36:19 +0800
Subject: [PATCH 2/7] fix ci
---
 .../gravitino/server/authorization/MetadataAuthzHelper.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 6e65a528079..5c2a5a05712 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -95,7 +95,7 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 }
 checkExecutor();
 AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
- List> futures = new ArrayList<>();
+ List> futures = new ArrayList<>();
 for (Metalake metalake : metalakes) {
 Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
 futures.add(
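Review bot: After the replacement on the `+` line, `NameIdentifier`, `Entity` and `NameIdentifierUtil` are no longer referenced in `listMetalakes`; if this was their only use in `MetalakeOperations`, their imports are now unused and should be dropped the way PATCH 7/7 drops `NameIdentifier` from `RoleOperations` (the diffstat's 16 deletions all fall inside this hunk, so no import was removed here). The literal `"METALAKE_USER"` is also inconsistent with `RoleOperations`, which reads its expression from `AuthorizationExpressionConstants`; if a matching constant exists there, prefer it over the bare string so the two list endpoints are authorized the same way. The enclosing `listMetalakes` body starts and ends outside the hunk.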
@@ -114,7 +114,7 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 new AuthorizationExpressionEvaluator(expression);
 return authorizationExpressionEvaluator.evaluate(
 nameIdentifierMap, authorizationRequestContext)
- ? NameIdentifierUtil.ofMetalake(metalake.name())
+ ? metalake
 : null;
 });
 } catch (Exception e) {
From 7e0aed56370a2cd33562738e1e6e7327c006e39d Mon Sep 17 00:00:00 2001
From: yangyang zhong <35210666+hdygxsj@users.noreply.github.com>
Date: Wed, 26 Nov 2025 19:35:06 +0800
Subject: [PATCH 3/7] Update server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../gravitino/server/authorization/MetadataAuthzHelper.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 5c2a5a05712..725f0c23c73 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -105,11 +105,12 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 return PrincipalUtils.doAs(
 currentPrincipal,
 () -> {
+ String metalakeName = metalake.name();
 Map nameIdentifierMap =
 spiltMetadataNames(
- metalake.name(),
+ metalakeName,
 Entity.EntityType.METALAKE,
- NameIdentifierUtil.ofMetalake(metalake.name()));
+ NameIdentifierUtil.ofMetalake(metalakeName));
 AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
 new AuthorizationExpressionEvaluator(expression);
 return authorizationExpressionEvaluator.evaluate(
From c4fd592d0b42178d27088bc5e8b27320f9bfa447 Mon Sep 17 00:00:00 2001
From: yangyang zhong <35210666+hdygxsj@users.noreply.github.com>
Date: Wed, 26 Nov 2025 19:35:16 +0800
Subject: [PATCH 4/7] Update server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .../gravitino/server/authorization/MetadataAuthzHelper.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 725f0c23c73..512c89e6ef3 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -119,7 +119,7 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 : null;
 });
 } catch (Exception e) {
- LOG.error("GravitinoAuthorize error:{}", e.getMessage(), e);
+ LOG.error("GravitinoAuthorization error:{}", e.getMessage(), e);
 return null;
 }
 },
From 4d5b3ac54381d67202667916b0251e3340a0f564 Mon Sep 17 00:00:00 2001
From: zhongyangyang <1161623489@qq.com>
Date: Wed, 26 Nov 2025 20:01:27 +0800
Subject: [PATCH 5/7] fix comments
---
 .../authorization/MetadataAuthzHelper.java | 110 ++++++------------
 1 file changed, 33 insertions(+), 77 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 512c89e6ef3..4776acc514b 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -95,40 +95,18 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 }
 checkExecutor();
 AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
- List> futures = new ArrayList<>();
- for (Metalake metalake : metalakes) {
- Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
- futures.add(
- CompletableFuture.supplyAsync(
- () -> {
- try {
- return PrincipalUtils.doAs(
- currentPrincipal,
- () -> {
- String metalakeName = metalake.name();
- Map nameIdentifierMap =
- spiltMetadataNames(
- metalakeName,
- Entity.EntityType.METALAKE,
- NameIdentifierUtil.ofMetalake(metalakeName));
- AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
- new AuthorizationExpressionEvaluator(expression);
- return authorizationExpressionEvaluator.evaluate(
- nameIdentifierMap, authorizationRequestContext)
- ? metalake
- : null;
- });
- } catch (Exception e) {
- LOG.error("GravitinoAuthorization error:{}", e.getMessage(), e);
- return null;
- }
- },
- executor));
- }
- return futures.stream()
- .map(CompletableFuture::join)
- .filter(Objects::nonNull)
- .toArray(Metalake[]::new);
+ return doFilter(
+ expression,
+ metalakes,
+ GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer(),
+ authorizationRequestContext,
+ metalake -> {
+ String metalakeName = metalake.name();
+ return spiltMetadataNames(
+ metalakeName,
+ Entity.EntityType.METALAKE,
+ NameIdentifierUtil.ofMetalake(metalakeName));
+ });
 }
 /**
 * Call {@link AuthorizationExpressionEvaluator} to filter the metadata list
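Review bot: `checkExecutor()` and the `new AuthorizationRequestContext()` are still performed by each public caller before `doFilter`, both here and in the `@@ -244,13 +186,30 @@` hunk, although the context is only consumed inside `doFilter` and the executor is presumably only used by the futures it creates; moving both into `doFilter` and dropping the `authorizationRequestContext` parameter would leave a single owner for the per-call state. The `enableAuthorization()` short-circuit should stay in the public methods, since it has to return the unfiltered input before any filtering machinery is touched. `filterMetalakes` begins above this hunk.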
@@ -144,41 +122,7 @@ public static NameIdentifier[] filterByExpression(
 String expression,
 Entity.EntityType entityType,
 NameIdentifier[] nameIdentifiers) {
- if (!enableAuthorization()) {
- return nameIdentifiers;
- }
- checkExecutor();
- AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
- List> futures = new ArrayList<>();
- for (NameIdentifier nameIdentifier : nameIdentifiers) {
- Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
- futures.add(
- CompletableFuture.supplyAsync(
- () -> {
- try {
- return PrincipalUtils.doAs(
- currentPrincipal,
- () -> {
- Map nameIdentifierMap =
- spiltMetadataNames(metalake, entityType, nameIdentifier);
- AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
- new AuthorizationExpressionEvaluator(expression);
- return authorizationExpressionEvaluator.evaluate(
- nameIdentifierMap, authorizationRequestContext)
- ? nameIdentifier
- : null;
- });
- } catch (Exception e) {
- LOG.error("GravitinoAuthorize error:{}", e.getMessage(), e);
- return null;
- }
- },
- executor));
- }
- return futures.stream()
- .map(CompletableFuture::join)
- .filter(Objects::nonNull)
- .toArray(NameIdentifier[]::new);
+ return filterByExpression(metalake, expression, entityType, nameIdentifiers, e -> e);
 }
 /**
@@ -219,9 +163,8 @@ public static E[] filterByExpression(
 Function toNameIdentifier) {
 GravitinoAuthorizer authorizer =
 GravitinoAuthorizerProvider.getInstance().getGravitinoAuthorizer();
- Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
 return filterByExpression(
- metalake, expression, entityType, entities, toNameIdentifier, currentPrincipal, authorizer);
+ metalake, expression, entityType, entities, toNameIdentifier, authorizer);
 }
 /**
@@ -233,7 +176,6 @@ public static E[] filterByExpression(
 * @param entityType entity type
 * @param entities metadata entities
 * @param toNameIdentifier function to convert entity to NameIdentifier
- * @param currentPrincipal current principal
 * @param authorizer authorizer to filter metadata
 * @return Filtered Metadata Entity
 * @param Entity class
@@ -244,13 +186,30 @@ public static E[] filterByExpression(
 Entity.EntityType entityType,
 E[] entities,
 Function toNameIdentifier,
- Principal currentPrincipal,
 GravitinoAuthorizer authorizer) {
 if (!enableAuthorization()) {
 return entities;
 }
 checkExecutor();
 AuthorizationRequestContext authorizationRequestContext = new AuthorizationRequestContext();
+ return doFilter(
+ expression,
+ entities,
+ authorizer,
+ authorizationRequestContext,
+ (entity) -> {
+ NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
+ return spiltMetadataNames(metalake, entityType, nameIdentifier);
+ });
+ }
+
+ private static E[] doFilter(
+ String expression,
+ E[] entities,
+ GravitinoAuthorizer authorizer,
+ AuthorizationRequestContext authorizationRequestContext,
+ Function> extractMetadataNamesMap) {
+ Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
 List> futures = new ArrayList<>();
 for (E entity : entities) {
 futures.add(
@@ -262,11 +221,8 @@ public static E[] filterByExpression(
 () -> {
 AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
 new AuthorizationExpressionEvaluator(expression, authorizer);
- NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
- Map nameIdentifierMap =
- spiltMetadataNames(metalake, entityType, nameIdentifier);
 return authorizationExpressionEvaluator.evaluate(
- nameIdentifierMap, authorizationRequestContext)
+ extractMetadataNamesMap.apply(entity), authorizationRequestContext)
 ? entity
 : null;
 });
From 547179621404cb2c9f1b2e11c195ac22db61a942 Mon Sep 17 00:00:00 2001
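Review bot: `doFilter` builds a fresh `AuthorizationExpressionEvaluator` inside every per-entity task (the `new AuthorizationExpressionEvaluator(expression, authorizer)` context line of the following `@@ -262,11 +221,8 @@` hunk), so filtering N entities parses the same expression N times; if the evaluator is stateless it could be created once before the `for` loop and captured by the lambdas — confirm its thread-safety first. The principal capture is the security-relevant line of the new method and deserves a why-comment: `// Capture the caller's principal on the request thread; the tasks below run on executor threads.` Dropping `Principal currentPrincipal` from the public `filterByExpression` overload changes a public signature, which is fine if every caller is in-tree but otherwise warrants a deprecated bridge overload. Minor: `(entity) -> {` is written with parentheses while the sibling lambdas added in this patch (`metalake -> {`, `e -> e`) are not. `doFilter` continues past the end of this hunk.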
From: zhongyangyang <1161623489@qq.com>
Date: Wed, 26 Nov 2025 20:06:53 +0800
Subject: [PATCH 6/7] fix ai comments
---
 .../server/authorization/MetadataAuthzHelper.java | 8 ++++----
 .../apache/gravitino/server/web/filter/ParameterUtil.java | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
index 4776acc514b..d02576682c9 100644
--- a/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
+++ b/server-common/src/main/java/org/apache/gravitino/server/authorization/MetadataAuthzHelper.java
@@ -102,7 +102,7 @@ public static Metalake[] filterMetalakes(Metalake[] metalakes, String expression
 authorizationRequestContext,
 metalake -> {
 String metalakeName = metalake.name();
- return spiltMetadataNames(
+ return splitMetadataNames(
 metalakeName,
 Entity.EntityType.METALAKE,
 NameIdentifierUtil.ofMetalake(metalakeName));
@@ -137,7 +137,7 @@ public static boolean checkAccess(
 NameIdentifier identifier, Entity.EntityType entityType, String expression) {
 String metalake = NameIdentifierUtil.getMetalake(identifier);
 Map nameIdentifierMap =
- spiltMetadataNames(metalake, entityType, identifier);
+ splitMetadataNames(metalake, entityType, identifier);
 AuthorizationExpressionEvaluator authorizationExpressionEvaluator =
 new AuthorizationExpressionEvaluator(expression);
 return authorizationExpressionEvaluator.evaluate(
@@ -199,7 +199,7 @@ public static E[] filterByExpression(
 authorizationRequestContext,
 (entity) -> {
 NameIdentifier nameIdentifier = toNameIdentifier.apply(entity);
- return spiltMetadataNames(metalake, entityType, nameIdentifier);
+ return splitMetadataNames(metalake, entityType, nameIdentifier);
 });
 }
@@ -249,7 +249,7 @@ private static E[] doFilter(
 * @param nameIdentifier metadata name
 * @return A map containing the metadata object and all its parent objects, keyed by their types
 */
- public static Map spiltMetadataNames(
+ public static Map splitMetadataNames(
 String metalake, Entity.EntityType entityType, NameIdentifier nameIdentifier) {
 Map nameIdentifierMap = new HashMap<>();
 nameIdentifierMap.put(Entity.EntityType.METALAKE, NameIdentifierUtil.ofMetalake(metalake));
diff --git a/server/src/main/java/org/apache/gravitino/server/web/filter/ParameterUtil.java b/server/src/main/java/org/apache/gravitino/server/web/filter/ParameterUtil.java
index 8658374d368..ac4f5480263 100644
--- a/server/src/main/java/org/apache/gravitino/server/web/filter/ParameterUtil.java
+++ b/server/src/main/java/org/apache/gravitino/server/web/filter/ParameterUtil.java
@@ -171,7 +171,7 @@ public static Map extractNameIdentifierFromPa
 NameIdentifier nameIdentifier =
 MetadataObjectUtil.toEntityIdent(metalake, MetadataObjects.parse(fullName, type));
 nameIdentifierMap.putAll(
- MetadataAuthzHelper.spiltMetadataNames(
+ MetadataAuthzHelper.splitMetadataNames(
 metalake, MetadataObjectUtil.toEntityType(type), nameIdentifier));
 }
From be3f6f7ab570a05cc2963adbcb21e26028011478 Mon Sep 17 00:00:00 2001
From: "1161623489@qq.com" <1161623489@qq.com>
Date: Thu, 27 Nov 2025 15:39:18 +0800
Subject: [PATCH 7/7] fix list role
---
 .../server/web/rest/RoleOperations.java | 23 +++++--------------
 1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
index 42578191565..52463c1cffd 100644
--- a/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
+++ b/server/src/main/java/org/apache/gravitino/server/web/rest/RoleOperations.java
@@ -38,7 +38,6 @@
 import org.apache.gravitino.GravitinoEnv;
 import org.apache.gravitino.MetadataObject;
 import org.apache.gravitino.MetadataObjects;
-import org.apache.gravitino.NameIdentifier;
 import org.apache.gravitino.authorization.AccessControlDispatcher;
 import org.apache.gravitino.authorization.AuthorizationUtils;
 import org.apache.gravitino.authorization.Privilege;
@@ -89,22 +88,12 @@ public Response listRoles(@PathParam("metalake") String metalake) {
 () -> {
 String[] names = accessControlManager.listRoleNames(metalake);
 names =
- Arrays.stream(names)
- .filter(
- role -> {
- NameIdentifier[] nameIdentifiers =
- new NameIdentifier[] {NameIdentifierUtil.ofRole(metalake, role)};
- return MetadataAuthzHelper.filterByExpression(
- metalake,
- AuthorizationExpressionConstants
- .loadRoleAuthorizationExpression,
- Entity.EntityType.ROLE,
- nameIdentifiers)
- .length
- > 0;
- })
- .collect(Collectors.toList())
- .toArray(new String[0]);
+ MetadataAuthzHelper.filterByExpression(
+ metalake,
+ AuthorizationExpressionConstants.loadRoleAuthorizationExpression,
+ Entity.EntityType.ROLE,
+ names,
+ roleName -> NameIdentifierUtil.ofRole(metalake, roleName));
 return Utils.ok(new NameListResponse(names));
 });
 } catch (Exception e) {
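Review bot: With the stream pipeline removed, `Arrays` and `Collectors` are no longer used in `listRoles`; the commit removes the `NameIdentifier` import for the same reason but leaves these two, so if `listRoles` was their only user in `RoleOperations` they are now unused imports. The enclosing `listRoles` method starts above the hunk, and the `try` that the trailing `} catch (Exception e) {` belongs to is outside view.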