Add authorization decorator for connector services to restrict catalog access (#688)

Implements connector-level authorization based on the userName from the
request context. This allows catalogs to restrict access to specific
authenticated callers.

Key changes:
- Add AuthorizingConnectorCatalogService decorator
- Add AuthorizingConnectorDatabaseService decorator
- Add AuthorizingConnectorTableService decorator
- Add AuthorizingConnectorPartitionService decorator
- Add ConnectorAuthorizationUtil shared utility class
- Add CatalogUnauthorizedException for authorization failures
- Update ConnectorFactoryDecorator to chain authorization decorators

Configuration:
- connector.authorization-required=true - enables authorization
- connector.authorized-callers=caller1,caller2 - comma-separated allowed callers

Authorization checks the userName from MetacatRequestContext against the
allowed callers list. Requests without a userName or with an unauthorized
userName receive a CatalogUnauthorizedException.

Author: ursetta-netflix

metacat-common-server/src/main/java/com/netflix/metacat/common/server/connectors/AuthorizingConnectorCatalogService.java

@@ -0,0 +1,135 @@
+/*
+ *
+ *  Copyright 2024 Netflix, Inc.
+ *
+ *     Licensed under the Apache License, Version 2.0 (the "License");
+ *     you may not use this file except in compliance with the License.
+ *     You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *     Unless required by applicable law or agreed to in writing, software
+ *     distributed under the License is distributed on an "AS IS" BASIS,
+ *     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *     See the License for the specific language governing permissions and
+ *     limitations under the License.
+ *
+ */
+package com.netflix.metacat.common.server.connectors;
+
+import com.netflix.metacat.common.QualifiedName;
+import com.netflix.metacat.common.dto.Pageable;
+import com.netflix.metacat.common.dto.Sort;
+import com.netflix.metacat.common.server.connectors.model.CatalogInfo;
+import com.netflix.metacat.common.server.util.ConnectorAuthorizationUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import lombok.Getter;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+
+import javax.annotation.Nullable;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Connector decorator that authorizes catalog service calls based on SSO caller context.
+ * Only callers in the allowed list can access this connector's operations.
+ *
+ * @author jursetta
+ */
+@RequiredArgsConstructor
+public class AuthorizingConnectorCatalogService implements ConnectorCatalogService {
+
+    @Getter
+    @NonNull
+    private final ConnectorCatalogService delegate;
+
+    @NonNull
+    private final Set<String> allowedCallers;
+
+    @NonNull
+    private final String catalogName;
+
+    @Override
+    public void create(final ConnectorRequestContext context, final CatalogInfo resource) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "create", resource.getName());
+        delegate.create(context, resource);
+    }
+
+    @Override
+    public void update(final ConnectorRequestContext context, final CatalogInfo resource) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "update", resource.getName());
+        delegate.update(context, resource);
+    }
+
+    @Override
+    public void delete(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "delete", name);
+        delegate.delete(context, name);
+    }
+
+    @Override
+    public CatalogInfo get(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "get", name);
+        return delegate.get(context, name);
+    }
+
+    @Override
+    @SuppressFBWarnings
+    public boolean exists(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "exists", name);
+        return delegate.exists(context, name);
+    }
+
+    @Override
+    public List<CatalogInfo> list(
+        final ConnectorRequestContext context,
+        final QualifiedName name,
+        @Nullable final QualifiedName prefix,
+        @Nullable final Sort sort,
+        @Nullable final Pageable pageable
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "list", name);
+        return delegate.list(context, name, prefix, sort, pageable);
+    }
+
+    @Override
+    public List<QualifiedName> listNames(
+        final ConnectorRequestContext context,
+        final QualifiedName name,
+        @Nullable final QualifiedName prefix,
+        @Nullable final Sort sort,
+        @Nullable final Pageable pageable
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "listNames", name);
+        return delegate.listNames(context, name, prefix, sort, pageable);
+    }
+
+    @Override
+    public void rename(
+        final ConnectorRequestContext context,
+        final QualifiedName oldName,
+        final QualifiedName newName
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "rename", oldName);
+        delegate.rename(context, oldName, newName);
+    }
+
+    /**
+     * Delegates equals to the underlying service so that decorated services
+     * representing the same catalog are considered equal. This allows
+     * ConnectorManager to deduplicate services in its sets.
+     */
+    @Override
+    public boolean equals(final Object o) {
+        return delegate.equals(o);
+    }
+
+    /**
+     * Delegates hashCode to the underlying service for consistency with equals.
+     */
+    @Override
+    public int hashCode() {
+        return delegate.hashCode();
+    }
+}

metacat-common-server/src/main/java/com/netflix/metacat/common/server/connectors/AuthorizingConnectorDatabaseService.java

@@ -0,0 +1,144 @@
+/*
+ *
+ *  Copyright 2024 Netflix, Inc.
+ *
+ *     Licensed under the Apache License, Version 2.0 (the "License");
+ *     you may not use this file except in compliance with the License.
+ *     You may obtain a copy of the License at
+ *
+ *         http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *     Unless required by applicable law or agreed to in writing, software
+ *     distributed under the License is distributed on an "AS IS" BASIS,
+ *     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *     See the License for the specific language governing permissions and
+ *     limitations under the License.
+ *
+ */
+package com.netflix.metacat.common.server.connectors;
+
+import com.netflix.metacat.common.QualifiedName;
+import com.netflix.metacat.common.dto.Pageable;
+import com.netflix.metacat.common.dto.Sort;
+import com.netflix.metacat.common.server.connectors.model.DatabaseInfo;
+import com.netflix.metacat.common.server.util.ConnectorAuthorizationUtil;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import lombok.Getter;
+import lombok.NonNull;
+import lombok.RequiredArgsConstructor;
+
+import javax.annotation.Nullable;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Connector decorator that authorizes database service calls based on SSO caller context.
+ * Only callers in the allowed list can access this connector's operations.
+ *
+ * @author jursetta
+ */
+@RequiredArgsConstructor
+public class AuthorizingConnectorDatabaseService implements ConnectorDatabaseService {
+
+    @Getter
+    @NonNull
+    private final ConnectorDatabaseService delegate;
+
+    @NonNull
+    private final Set<String> allowedCallers;
+
+    @NonNull
+    private final String catalogName;
+
+    @Override
+    public void create(final ConnectorRequestContext context, final DatabaseInfo resource) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "create", resource.getName());
+        delegate.create(context, resource);
+    }
+
+    @Override
+    public void update(final ConnectorRequestContext context, final DatabaseInfo resource) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "update", resource.getName());
+        delegate.update(context, resource);
+    }
+
+    @Override
+    public void delete(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "delete", name);
+        delegate.delete(context, name);
+    }
+
+    @Override
+    public DatabaseInfo get(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "get", name);
+        return delegate.get(context, name);
+    }
+
+    @Override
+    @SuppressFBWarnings
+    public boolean exists(final ConnectorRequestContext context, final QualifiedName name) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "exists", name);
+        return delegate.exists(context, name);
+    }
+
+    @Override
+    public List<DatabaseInfo> list(
+        final ConnectorRequestContext context,
+        final QualifiedName name,
+        @Nullable final QualifiedName prefix,
+        @Nullable final Sort sort,
+        @Nullable final Pageable pageable
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "list", name);
+        return delegate.list(context, name, prefix, sort, pageable);
+    }
+
+    @Override
+    public List<QualifiedName> listNames(
+        final ConnectorRequestContext context,
+        final QualifiedName name,
+        @Nullable final QualifiedName prefix,
+        @Nullable final Sort sort,
+        @Nullable final Pageable pageable
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "listNames", name);
+        return delegate.listNames(context, name, prefix, sort, pageable);
+    }
+
+    @Override
+    public void rename(
+        final ConnectorRequestContext context,
+        final QualifiedName oldName,
+        final QualifiedName newName
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "rename", oldName);
+        delegate.rename(context, oldName, newName);
+    }
+
+    @Override
+    public List<QualifiedName> listViewNames(
+        final ConnectorRequestContext context,
+        final QualifiedName databaseName
+    ) {
+        ConnectorAuthorizationUtil.checkAuthorization(catalogName, allowedCallers, "listViewNames", databaseName);
+        return delegate.listViewNames(context, databaseName);
+    }
+
+    /**
+     * Delegates equals to the underlying service so that decorated services
+     * representing the same catalog are considered equal. This allows
+     * ConnectorManager to deduplicate services in its sets.
+     */
+    @Override
+    public boolean equals(final Object o) {
+        return delegate.equals(o);
+    }
+
+    /**
+     * Delegates hashCode to the underlying service for consistency with equals.
+     */
+    @Override
+    public int hashCode() {
+        return delegate.hashCode();
+    }
+}