bharos opened a new pull request, #10867: URL: https://github.com/apache/gravitino/pull/10867
### What changes were proposed in this pull request?

Extend `JcasbinAuthorizer` to recognize group-based ownership. When a metadata object is owned by a group, all members of that group are now treated as owners and granted owner privileges.

Key changes:

- **`OwnerInfo` inner class**: Replaces the raw `Long` owner ID in the cache with a struct that stores `id`, `type` (USER/GROUP), and `name`.
- **`ownerRel` cache type**: Changed from `Cache<Long, Optional<Long>>` to `Cache<Long, Optional<OwnerInfo>>`.
- **`loadOwnerPolicy()`**: Now handles `GroupEntity` alongside `UserEntity` when populating the owner cache.
- **`checkOwnership()`**: New method that resolves both user and group owners — for USER owners it compares entity IDs, for GROUP owners it checks whether the principal's groups include the owning group.
- **`isOwner()` and `authorizeByJcasbin()`**: Refactored to delegate to `checkOwnership()`, eliminating duplicated ownership logic.
- **Documentation**: Removed "group ownership not supported" info boxes from `docs/security/access-control.md` and added a group ownership bullet.

### Why are the changes needed?

Currently, when a metadata object's owner is set to a group (supported since #10848), the `JcasbinAuthorizer` does not recognize group ownership — only individual user ownership is checked. This means group members are denied owner privileges even when the group is the registered owner.

This PR is part 2 of a 3-PR series for #10412:

1. **#10848** — Core/API: `OwnerManager.setOwner` accepts GROUP (**merged**)
2. **This PR** — Enforcement: `JcasbinAuthorizer` recognizes group ownership
3. **Planned** — Role inheritance: `loadRolePrivilege` queries `ROLE_GROUP_REL`

Fix: #10412

### Does this PR introduce _any_ user-facing change?

Yes. Users who assign group ownership to metadata objects will now have all group members recognized as owners by the JCasbin authorization plugin.

### How was this patch tested?
Unit tests in `TestJcasbinAuthorizer`:

- `testAuthorizeByGroupOwner`: Verifies a principal whose groups include the owning group is recognized as owner, a non-member group is denied, and clearing ownership returns false.
- Existing tests (`testIsOwner`, `testOwnerCacheInvalidation`, `testCacheInitialization`) updated for the `OwnerInfo` type.
- All 8 tests pass: `./gradlew :server-common:test --tests "...TestJcasbinAuthorizer"`
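The ownership resolution the PR describes (an `OwnerInfo` value in the owner cache, ID comparison for USER owners, group-membership lookup for GROUP owners, and `false` once ownership is cleared), shown as a self-contained Java sketch. This is an added illustration, not code from the Gravitino PR: the class and record names, the `Principal` type, the `Map`-backed stand-in for the `ownerRel` cache and the sample IDs are all constructed here, and the code assumes Java 17 or later for records and switch expressions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical owner resolution with USER and GROUP owners (not Gravitino's JcasbinAuthorizer). */
public class GroupOwnershipExample {

  enum OwnerType { USER, GROUP }

  /** Stand-in for an OwnerInfo entry: the owner's entity id, its type and its name. */
  record OwnerInfo(long id, OwnerType type, String name) {}

  /** The calling principal: its entity id and the ids of the groups it currently belongs to. */
  record Principal(long id, Set<Long> groupIds) {}

  /** metadata object id -> owner; an empty Optional means no owner is set (constructed cache stand-in). */
  private final Map<Long, Optional<OwnerInfo>> ownerRel = new ConcurrentHashMap<>();

  /** Record (or clear, with null) the owner of a metadata object. */
  void setOwner(long metadataObjectId, OwnerInfo owner) {
    ownerRel.put(metadataObjectId, Optional.ofNullable(owner));
  }

  /** Drop the cached entry so the next check reloads it; a stale entry would keep granting owner rights. */
  void invalidate(long metadataObjectId) {
    ownerRel.remove(metadataObjectId);
  }

  /** True when the principal is the registered owner or a member of the owning group. */
  boolean checkOwnership(Principal principal, long metadataObjectId) {
    Optional<OwnerInfo> owner = ownerRel.getOrDefault(metadataObjectId, Optional.empty());
    if (owner.isEmpty()) {
      return false; // no owner registered: nobody receives owner privileges
    }
    OwnerInfo info = owner.get();
    return switch (info.type()) {
      case USER -> info.id() == principal.id();               // direct ownership: compare entity ids
      case GROUP -> principal.groupIds().contains(info.id()); // group ownership: membership check
    };
  }

  public static void main(String[] args) {
    GroupOwnershipExample authz = new GroupOwnershipExample();
    long catalogId = 100L;                              // constructed metadata object id
    Principal alice = new Principal(1L, Set.of(10L));   // constructed: alice belongs to group 10
    Principal bob = new Principal(2L, Set.of(20L));     // constructed: bob belongs to group 20

    // Group 10 owns the catalog: alice is a member, bob is not.
    authz.setOwner(catalogId, new OwnerInfo(10L, OwnerType.GROUP, "data-eng"));
    System.out.println("alice via group: " + authz.checkOwnership(alice, catalogId));
    System.out.println("bob via group:   " + authz.checkOwnership(bob, catalogId));

    // Ownership transferred to bob as an individual user.
    authz.setOwner(catalogId, new OwnerInfo(2L, OwnerType.USER, "bob"));
    System.out.println("bob as user:     " + authz.checkOwnership(bob, catalogId));

    // Ownership cleared: no principal is treated as owner.
    authz.setOwner(catalogId, null);
    System.out.println("alice, no owner: " + authz.checkOwnership(alice, catalogId));
  }
}
```

Two points worth keeping in mind when reviewing an implementation of this shape. First, the owner cache needs the invalidation discipline the PR's `testOwnerCacheInvalidation` covers, because a stale `OwnerInfo` keeps granting owner privileges after ownership has moved. Second, group ownership extends that concern to group membership: the principal's group set must reflect current membership at check time, otherwise a user removed from the owning group retains owner privileges until whatever holds the membership is refreshed.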
