apache · qqqttt123 · Apr 18, 2024 · Apr 8, 2024 · Apr 14, 2024 · Apr 15, 2024
diff --git a/core/src/main/java/com/datastrato/gravitino/authorization/AccessControlManager.java b/core/src/main/java/com/datastrato/gravitino/authorization/AccessControlManager.java
@@ -30,13 +30,15 @@ public class AccessControlManager {
   private final UserGroupManager userGroupManager;
   private final AdminManager adminManager;
   private final RoleManager roleManager;
+  private final PermissionManager permissionManager;
   private final Object adminOperationLock = new Object();
   private final Object nonAdminOperationLock = new Object();
 
   public AccessControlManager(EntityStore store, IdGenerator idGenerator, Config config) {
     this.userGroupManager = new UserGroupManager(store, idGenerator);
     this.adminManager = new AdminManager(store, idGenerator, config);
     this.roleManager = new RoleManager(store, idGenerator);
+    this.permissionManager = new PermissionManager(store);
   }
 
   /**
@@ -106,7 +108,7 @@ public boolean removeGroup(String metalake, String group) {
    * Gets a Group.
    *
    * @param metalake The Metalake of the Group.
-   * @param group THe name of the Group.
+   * @param group The name of the Group.
    * @return The getting Group instance.
    * @throws NoSuchGroupException If the Group with the given identifier does not exist.
    * @throws RuntimeException If getting the Group encounters storage issues.
@@ -115,6 +117,70 @@ public Group getGroup(String metalake, String group) throws NoSuchGroupException
     return doWithNonAdminLock(() -> userGroupManager.getGroup(metalake, group));
   }
 
+  /**
+   * Grant a role to a user.
+   *
+   * @param metalake The metalake of the User.
+   * @param user The name of the User.
+   * @return true` if the User was successfully granted, `false` otherwise.
+   * @throws NoSuchUserException If the User with the given identifier does not exist.
+   * @throws NoSuchRoleException If the Role with the given identifier does not exist.
+   * @throws RoleAlreadyExistsException If the Role with the given identifier already exists in the
+   *     User.
+   * @throws RuntimeException If granting a role to a user encounters storage issues.
+   */
+  public boolean grantRoleToUser(String metalake, String role, String user) {
+    return doWithNonAdminLock(() -> permissionManager.grantRoleToUser(metalake, role, user));
+  }
+
+  /**
+   * Grant a role to a group.
+   *
+   * @param metalake The metalake of the Group.
+   * @param group THe name of the Group.
+   * @return true` if the Group was successfully granted, `false` otherwise.
+   * @throws NoSuchGroupException If the Group with the given identifier does not exist.
+   * @throws NoSuchRoleException If the Role with the given identifier does not exist.
+   * @throws RoleAlreadyExistsException If the Role with the given identifier already exists in the
+   *     Group.
+   * @throws RuntimeException If granting a role to a group encounters storage issues.
+   */
+  public boolean grantRoleToGroup(String metalake, String role, String group) {
+    return doWithNonAdminLock(() -> permissionManager.grantRoleToGroup(metalake, role, group));
+  }
+
+  /**
+   * Revoke a role from a group.
+   *
+   * @param metalake The metalake of the Group.
+   * @param group The name of the Group.
+   * @return true` if the Group was successfully revoked, `false` otherwise.
+   * @throws NoSuchGroupException If the Group with the given identifier does not exist.
+   * @throws NoSuchRoleException If the Role with the given identifier does not exist.
+   * @throws RoleAlreadyExistsException If the Role with the given identifier already exists in the
+   *     Group.
+   * @throws RuntimeException If revoking a role from a group encounters storage issues.
+   */
+  public boolean revokeRoleFromGroup(String metalake, String role, String group) {
+    return doWithNonAdminLock(() -> permissionManager.revokeRoleFromGroup(metalake, role, group));
+  }
+
+  /**
+   * Revoke a role from a user.
+   *
+   * @param metalake The metalake of the User.
+   * @param user The name of the User.
+   * @return true` if the User was successfully revoked, `false` otherwise.
+   * @throws NoSuchUserException If the User with the given identifier does not exist.
+   * @throws NoSuchRoleException If the Role with the given identifier does not exist.
+   * @throws RoleAlreadyExistsException If the Role with the given identifier already exists in the
+   *     User.
+   * @throws RuntimeException If revoking a role from a user encounters storage issues.
+   */
+  public boolean revokeRoleFromUser(String metalake, String role, String user) {
+    return doWithNonAdminLock(() -> permissionManager.revokeRoleFromUser(metalake, role, user));
+  }
+
   /**
    * Adds a new metalake admin.
    *

diff --git a/core/src/main/java/com/datastrato/gravitino/authorization/AdminManager.java b/core/src/main/java/com/datastrato/gravitino/authorization/AdminManager.java
@@ -63,7 +63,7 @@ public User addMetalakeAdmin(String user) {
                     Entity.SYSTEM_METALAKE_RESERVED_NAME,
                     Entity.AUTHORIZATION_CATALOG_NAME,
                     Entity.ADMIN_SCHEMA_NAME))
-            .withRoles(Lists.newArrayList())
+            .withRoleNames(Lists.newArrayList())
             .withAuditInfo(
                 AuditInfo.builder()
                     .withCreator(PrincipalUtils.getCurrentPrincipal().getName())

diff --git a/core/src/main/java/com/datastrato/gravitino/authorization/AuthorizationUtils.java b/core/src/main/java/com/datastrato/gravitino/authorization/AuthorizationUtils.java
@@ -15,6 +15,9 @@
 /* The utilization class of authorization module*/
 class AuthorizationUtils {
 
+  static final String USER_DOES_NOT_EXIST_MSG = "User %s does not exist in th metalake %s";
+  static final String GROUP_DOES_NOT_EXIST_MSG = "Group %s does not exist in th metalake %s";
+  static final String ROLE_DOES_NOT_EXIST_MSG = "Role %s does not exist in th metalake %s";
   private static final Logger LOG = LoggerFactory.getLogger(AuthorizationUtils.class);
   private static final String METALAKE_DOES_NOT_EXIST_MSG = "Metalake %s does not exist";
 

diff --git a/core/src/main/java/com/datastrato/gravitino/authorization/NameIdentifierUtils.java b/core/src/main/java/com/datastrato/gravitino/authorization/NameIdentifierUtils.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright 2024 Datastrato Pvt Ltd.
+ * This software is licensed under the Apache License version 2.
+ */
+package com.datastrato.gravitino.authorization;
+
+import com.datastrato.gravitino.Entity;
+import com.datastrato.gravitino.NameIdentifier;
+
+class NameIdentifierUtils {
+
+  private NameIdentifierUtils() {}
+
+  public static NameIdentifier ofUser(String metalake, String user) {
+    return NameIdentifier.of(
+        metalake, Entity.SYSTEM_CATALOG_RESERVED_NAME, Entity.USER_SCHEMA_NAME, user);
+  }
+
+  public static NameIdentifier ofGroup(String metalake, String group) {
+    return NameIdentifier.of(
+        metalake, Entity.SYSTEM_CATALOG_RESERVED_NAME, Entity.GROUP_SCHEMA_NAME, group);
+  }
+
+  public static NameIdentifier ofRole(String metalake, String role) {
+    return NameIdentifier.of(
+        metalake, Entity.SYSTEM_CATALOG_RESERVED_NAME, Entity.ROLE_SCHEMA_NAME, role);
+  }
+}