bharos opened a new pull request, #10984:
URL: https://github.com/apache/gravitino/pull/10984

   ### What changes were proposed in this pull request?
   
   Follow-up to #10868. Adds add-first-then-prune logic to `loadRolePrivilege` to clean up stale g-rows (user→role mappings) in the jCasbin enforcer when a user's group membership changes at the IdP level.
   
   **Changes:**
   - Collect all currently valid roleIds into a `desiredRoleIds` set during role loading
   - After all role futures complete, call `getRolesForUser` on the enforcer and remove any role not in the desired set via `deleteRoleForUser`
   - Update tests to reflect that stale g-rows are now pruned immediately
   
   ### Why are the changes needed?
   
   Without this change, when a user is removed from a group at the IdP level (e.g., LDAP/OIDC), the stale role mappings persist in the enforcer until the cache TTL expires. This means the user retains permissions from the removed group for up to the cache expiration period.
   
   The add-first-then-prune approach was chosen over alternatives:
   - **`deleteUser` then re-add**: Creates a false-denial window where concurrent requests see zero roles
   - **userId→groups cache**: Not future-proof for multi-node (group membership comes from IdP token, not DB, so can't be invalidated via DB versioning)
   - **Add-then-prune** (this PR): No false-denial window, no extra cache, multi-node friendly — each node converges independently
   
   Follow-up for: #10868
   
   ### Does this PR introduce _any_ user-facing change?
   
   No. Internal authorization enforcement behavior only.
   
   ### How was this patch tested?
   
   - Updated `testAuthorize` — verifies that when a user's role changes, the old role is pruned immediately
   - Updated `testUserRemovedFromGroupAtIdpDeniesAccess` — verifies that removing a user from a group at IdP level immediately denies access (no longer a known limitation)
   - All 20 existing tests pass: `./gradlew :server-common:test --tests "*.TestJcasbinAuthorizer"`


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

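
The add-first-then-prune ordering described in the pull request above, as an added example that is not code from the pull request or from Gravitino. It assumes jCasbin is on the classpath; the class name, the `syncRoles` helper, the RBAC model and the role, user and object names are constructed for illustration, and only `addRoleForUser`, `getRolesForUser`, `deleteRoleForUser` and the `desiredRoleIds` name come from the description.

```java
import java.util.ArrayList;
import java.util.Set;
import org.casbin.jcasbin.main.Enforcer;
import org.casbin.jcasbin.model.Model;

// Added illustration: hypothetical class, not part of Gravitino.
public class AddThenPruneExample {

  // Converge one user's g-rows on desiredRoleIds without an interval where the user has no roles.
  static void syncRoles(Enforcer enforcer, String userId, Set<String> desiredRoleIds) {
    // Step 1, add first: an already-present g-row is left as it is.
    for (String roleId : desiredRoleIds) {
      enforcer.addRoleForUser(userId, roleId);
    }
    // Step 2, prune: iterate over a copy, since deleteRoleForUser changes the enforcer's state.
    for (String roleId : new ArrayList<>(enforcer.getRolesForUser(userId))) {
      if (!desiredRoleIds.contains(roleId)) {
        enforcer.deleteRoleForUser(userId, roleId);
      }
    }
  }

  public static void main(String[] args) {
    // Constructed minimal RBAC model (assumption: Gravitino's real model differs).
    Model model = new Model();
    model.addDef("r", "r", "sub, obj, act");
    model.addDef("p", "p", "sub, obj, act");
    model.addDef("g", "g", "_, _");
    model.addDef("e", "e", "some(where (p.eft == allow))");
    model.addDef("m", "m", "g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act");
    Enforcer enforcer = new Enforcer(model);
    enforcer.addPolicy("role-analyst", "catalog1", "read");
    enforcer.addPolicy("role-admin", "catalog1", "drop");

    // First load: the IdP token places user-1 in groups that map to both roles.
    syncRoles(enforcer, "user-1", Set.of("role-analyst", "role-admin"));
    System.out.println("drop before IdP change: " + enforcer.enforce("user-1", "catalog1", "drop"));

    // Next load: user-1 was removed from the admin group at the IdP, so role-admin is stale.
    syncRoles(enforcer, "user-1", Set.of("role-analyst"));
    System.out.println("drop after IdP change:  " + enforcer.enforce("user-1", "catalog1", "drop"));
    System.out.println("read after IdP change:  " + enforcer.enforce("user-1", "catalog1", "read"));
  }
}
```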