mchades opened a new pull request, #10882:
URL: https://github.com/apache/gravitino/pull/10882

   ### What changes were proposed in this pull request?
   
   Implement server-side authorization enforcement for function operations and add end-to-end integration tests.
   
   **Server authorization (`server-common`, `server`)**:
   - `AuthorizationExpressionConstants` — add `LOAD_FUNCTION_AUTHORIZATION_EXPRESSION` and `FILTER_FUNCTION_AUTHORIZATION_EXPRESSION`
   - `AuthorizationExpressionConverter` — wire `FUNCTION` into the `CAN_ACCESS_METADATA` template, and add `ANY_REGISTER_FUNCTION`, `ANY_EXECUTE_FUNCTION`, `ANY_MODIFY_FUNCTION` expansions
   - `FunctionOperations` — annotate all 5 endpoints (`registerFunction`, `listFunctions`, `getFunction`, `alterFunction`, `dropFunction`) with `@AuthorizationExpression`/`@AuthorizationMetadata`; filter `listFunctions` results via `MetadataAuthzHelper#filterByExpression`
   
   **Integration test (`client-java`)**:
   - `FunctionAuthorizationIT` — covers register / list / get / alter / drop flows using `Catalog.Type.MODEL` schemas (no Docker container needed), mirroring `ModelAuthorizationIT`; verifies `REGISTER_FUNCTION`, `EXECUTE_FUNCTION`, `MODIFY_FUNCTION` enforcement and list-visibility filtering
   
   ### Why are the changes needed?
   
   Without these changes, function endpoints are accessible to any authenticated user regardless of their granted privileges.
   
   Fix: #9535
   
   ### Does this PR introduce _any_ user-facing change?
   
   Function REST endpoints now enforce privilege checks:
   - `POST /functions` requires `REGISTER_FUNCTION` (or ownership)
   - `GET /functions/{function}` requires `EXECUTE_FUNCTION` or `MODIFY_FUNCTION` (or ownership)
   - `PUT /functions/{function}` requires `MODIFY_FUNCTION` (or ownership)
   - `DELETE /functions/{function}` requires `MODIFY_FUNCTION` (or ownership)
   - `GET /functions` returns only functions visible to the caller
   
   ### How was this patch tested?
   
   Integration test `FunctionAuthorizationIT` (5 ordered tests) passes locally:
   ```
   ./gradlew :clients:client-java:test --tests "*FunctionAuthorizationIT*" -PskipTests -PskipDockerTests=false
   ```

