mchades opened a new pull request, #10811:
URL: https://github.com/apache/gravitino/pull/10811
### What changes were proposed in this pull request?
Add the `FUNCTION` metadata object type and three new function-level
privileges
(`REGISTER_FUNCTION`, `EXECUTE_FUNCTION`, `MODIFY_FUNCTION`) to the Gravitino
authorization API, following the design in
`design-docs/gravitino-function-privilege.md`.
Key changes:
- `MetadataObject.Type.FUNCTION` — new FUNCTION type
- `Privilege.Name.REGISTER_FUNCTION/EXECUTE_FUNCTION/MODIFY_FUNCTION` —
three new privilege names
- `Privileges.RegisterFunction/ExecuteFunction/ModifyFunction` —
corresponding privilege classes with correct supported-type bindings
- `SecurableObjects.ofFunction()` — convenience factory for function
securable objects
- `MetadataObjects` — FUNCTION added to valid three-level name types
### Why are the changes needed?
Gravitino manages user-defined functions (UDFs) but provides no access
control at the function level. This PR is the API foundation for
end-to-end function privilege enforcement.
Fix: #9535
### Does this PR introduce _any_ user-facing change?
- New public API types and classes: `MetadataObject.Type.FUNCTION`,
`Privilege.Name.REGISTER_FUNCTION`, `EXECUTE_FUNCTION`, `MODIFY_FUNCTION`
- New `Privileges.RegisterFunction`, `ExecuteFunction`, `ModifyFunction`
classes
- New `SecurableObjects.ofFunction(...)` factory method
### How was this patch tested?
- `TestMetadataObjects.testFunctionObject` — validates FUNCTION metadata
object construction
- `TestSecurableObjects` — new entries for `canBindTo` and `manageGrants
FUNCTION` binding
- All unit tests pass: `./gradlew :api:test -PskipITs`