bharos opened a new pull request, #10868: URL: https://github.com/apache/gravitino/pull/10868
> **Stacked on PR #10867** — review that PR first. This diff will auto-update once #10867 merges.

### What changes were proposed in this pull request?

Extend `JcasbinAuthorizer` to support role-based authorization inherited through group membership. This is PR #3 of the [group-based access control epic (#10404)](https://github.com/apache/gravitino/issues/10404).

**Changes:**

1. **`loadRolePrivilege`**: After loading a user's direct roles via `ROLE_USER_REL`, iterate the principal's groups and load each group's assigned roles into the jCasbin enforcers. Roles inherited from groups are treated identically to directly-assigned roles (same enforcer mappings, same async policy loading, same caching).
2. **`isSelf` (ROLE branch)**: After checking direct user-role assignment, also check if the role is assigned to any of the user's groups by loading the `GroupEntity` and checking its `roleIds()`.
3. **`addRoleForUserAndLoadPolicies`**: Extracted helper method to avoid duplication between user-direct and group-inherited role loading paths.

**Design decisions:**

- Uses `GroupEntity.roleIds()`/`roleNames()` from `entityStore.get()` rather than the `ROLE_GROUP_REL` direction in `SupportsRelationOperations` (which only supports role-to-groups, not group-to-roles). This avoids core module changes.
- No cache invalidation changes needed — `handleRolePrivilegeChange(roleId)` already invalidates by roleId regardless of whether the role was user-direct or group-inherited.

### Why are the changes needed?

Currently, `JcasbinAuthorizer` only loads roles directly assigned to users. If a user belongs to a group that has a role with certain privileges, those privileges are not enforced. This means group-based role management does not work for authorization, which is a core requirement for the group-based access control feature.

Fix: #10412

### Does this PR introduce _any_ user-facing change?

No API changes. Users who assign roles to groups will now see those role privileges correctly enforced for all members of the group during authorization.

### How was this patch tested?

Two new unit tests in `TestJcasbinAuthorizer`:

- **`testAuthorizeByGroupRole`**: Verifies that a user with no direct roles is authorized via a role assigned to their group, and that a user without groups is denied.
- **`testIsSelfRoleViaGroup`**: Verifies that `isSelf` returns true when a role is assigned to the user's group, and false when the user has no groups.

All 10 tests in `TestJcasbinAuthorizer` pass. Formatting verified with `spotlessCheck`.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
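As an added illustration, not code from the PR or from the Gravitino project: a stand-alone jCasbin program that mirrors the loading flow described above, with the entity store replaced by constructed maps and the class, user, group and role names (`GroupRoleDemo`, `alice`, `bob`, `analysts`, `catalog_reader`) being assumptions. It shows that a user with no direct roles is authorized only through a role assigned to their group, that a user without groups is denied, and that the `isSelf` check follows the same direct-then-group lookup.

```java
import java.util.List;
import java.util.Map;
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;
public class GroupRoleDemo {
  // Constructed stand-ins for the entity store (ROLE_USER_REL and GroupEntity.roleNames()).
  static final Map<String, List<String>> USER_ROLES = Map.of();
  static final Map<String, List<String>> USER_GROUPS = Map.of("alice", List.of("analysts"));
  static final Map<String, List<String>> GROUP_ROLES = Map.of("analysts", List.of("catalog_reader"));
  // In-memory RBAC model: g(user, role) links a subject to the role's p-policies.
  static Enforcer newEnforcer() {
    Model m = new Model();
    m.addDef("r", "r", "sub, obj, act");
    m.addDef("p", "p", "sub, obj, act");
    m.addDef("g", "g", "_, _");
    m.addDef("e", "e", "some(where (p.eft == allow))");
    m.addDef("m", "m", "g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act");
    return new Enforcer(m);
  }
  // One path for direct and group-inherited roles: same g-mapping, so role-keyed invalidation suffices.
  static void addRoleForUserAndLoadPolicies(Enforcer e, String user, String role) {
    e.addRoleForUser(user, role);
  }
  static void loadRolePrivilege(Enforcer e, String user) {
    for (String role : USER_ROLES.getOrDefault(user, List.of())) {
      addRoleForUserAndLoadPolicies(e, user, role);
    }
    for (String group : USER_GROUPS.getOrDefault(user, List.of())) { // inherited via groups
      for (String role : GROUP_ROLES.getOrDefault(group, List.of())) {
        addRoleForUserAndLoadPolicies(e, user, role);
      }
    }
  }
  static boolean isSelfRole(String user, String role) { // isSelf ROLE branch
    if (USER_ROLES.getOrDefault(user, List.of()).contains(role)) return true;
    for (String group : USER_GROUPS.getOrDefault(user, List.of())) {
      if (GROUP_ROLES.getOrDefault(group, List.of()).contains(role)) return true;
    }
    return false;
  }
  public static void main(String[] args) {
    Enforcer e = newEnforcer();
    e.addPolicy("catalog_reader", "catalog:sales", "read"); // privilege granted to the role
    loadRolePrivilege(e, "alice"); // no direct roles, member of analysts
    loadRolePrivilege(e, "bob");   // no roles, no groups
    System.out.println("alice: " + e.enforce("alice", "catalog:sales", "read"));
    System.out.println("bob:   " + e.enforce("bob", "catalog:sales", "read"));
    System.out.println("isSelf: " + isSelfRole("alice", "catalog_reader"));
  }
}
```

Because both loading paths end in the same `g` mapping, a policy reload triggered for `catalog_reader` covers alice regardless of whether she holds the role directly or through `analysts`.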
