[#2235][part-1] feat(api,core): Add the role entity #2772
Conversation
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
4 times, most recently
from
3516475 to
c76cd2e
Compare
| String simpleString(); | ||
|
|
||
| /** The name of this privilege. */ | ||
| enum Name { |
There was a problem hiding this comment.
We only list parts of privileges to avoid a too large pull request. The extra privileges will be submitted by another pull request.
core/src/main/java/com/datastrato/gravitino/authorization/RoleManager.java
Outdated
Show resolved
Hide resolved
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
6 times, most recently
from
d567611 to
65a1916
Compare
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
2 times, most recently
from
5e1f6b1 to
7715876
Compare
qqqttt123
changed the title
qqqttt123
changed the title
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
from
7715876 to
748ffbb
Compare
core/src/main/java/com/datastrato/gravitino/authorization/AccessControlManager.java
Show resolved
Hide resolved
qqqttt123
changed the title
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
from
748ffbb to
bd564ac
Compare
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
from
bd564ac to
83d897e
Compare
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
from
f2d5a18 to
46e2879
Compare
qqqttt123
force-pushed
the
ISSUE-2235_feat
branch
from
46e2879 to
03c627f
Compare
| * The resource is the entity of the authorization. Gravitino organizes the resources using tree | ||
| * structure. The resource may be a catalog, a table or a schema, etc. For example, | ||
| * `catalog1.schema1.table1` represents a table named `table1`. It's in the schema named `schema1`. | ||
| * The schema is in the catalog named `catalog1`. |
There was a problem hiding this comment.
How do you represent the resources with name "*", would you please add more comments about the different types of resources and how you define them?
There was a problem hiding this comment.
I moved some comments from other places.
| * | ||
| * @return The parent resource. | ||
| */ | ||
| Resource parent(); |
There was a problem hiding this comment.
Can you tag this method as @Nullable?
| + " If you want to create an another resource which represents all entities," | ||
| + " you can use its parent entity, For example," | ||
| + " if you want to have read table privileges of all tables of `catalog1.schema1`," | ||
| + " you can use add `read table` privilege for `catalog1.schema1` directly"); |
There was a problem hiding this comment.
Frankly saying, It's weird to add table privilege to the schema, it will confuse the users. Why do you hesitate to use "*"?
There was a problem hiding this comment.
Now, we give a resource a privileges list. It's a little weird to add load catalog and load schema privilege to catalog1.*.
There was a problem hiding this comment.
Databricks follows similar style. Parent doesn't use *. https://docs.databricks.com/en/sql/language-manual/sql-ref-privileges.html
| * @param names The names of the resource | ||
| * @return The created {@link Resource} | ||
| */ | ||
| public static Resource of(String... names) { |
There was a problem hiding this comment.
How do users use this Resource concept, what is the relationship to the catalogs, schemas, and tables? I think the introduction of Resource increase the understanding burden to users, users may not know how to use it, I was thinking if there's a better way to clearly define it, which will be easy for users to use.
There was a problem hiding this comment.
How about letting me user pass the names like
ofCatalog. ofCatalog.ofSchema.
There was a problem hiding this comment.
Databricks has the similar concept securable objects .
Snowflake use securable object, too. I will change the name to securable object.
| @@ -292,6 +292,10 @@ public Catalog createCatalog( | |||
| throw new IllegalArgumentException("Can't create a catalog with with reserved name `system`"); | |||
| } | |||
|
|
|||
| if (Entity.RESOURCE_ENTITY_RESERVED_NAME.equals(ident.name())) { | |||
There was a problem hiding this comment.
I think it is the basic name constraint for entities, better to let @mchades know about this and do it using Capability framework.
| @Override | ||
| public String toString() { | ||
| if (parent != null) { | ||
| return parent + "." + name; |
There was a problem hiding this comment.
Can you explicitly write like parent.toString() + "." + name to let others know that this method is recursive?
What changes were proposed in this pull request?
This pull request adds the role entity and one privilege.
I avoid to create a large pull request. I will add more privileges in the later pull request.
Why are the changes needed?
Fix: #2235
Does this PR introduce any user-facing change?
No.
How was this patch tested?
new ut.