[server] authorize InitWriter RPC with table path parameters

Author: gyang94

fluss-client/src/main/java/com/alibaba/fluss/client/write/IdempotenceManager.java

@@ -20,7 +20,9 @@
 import com.alibaba.fluss.annotation.VisibleForTesting;
 import com.alibaba.fluss.exception.OutOfOrderSequenceException;
 import com.alibaba.fluss.exception.UnknownWriterIdException;
+import com.alibaba.fluss.metadata.PhysicalTablePath;
 import com.alibaba.fluss.metadata.TableBucket;
+import com.alibaba.fluss.metadata.TablePath;
 import com.alibaba.fluss.record.LogRecordBatch;
 import com.alibaba.fluss.rpc.gateway.TabletServerGateway;
 import com.alibaba.fluss.rpc.messages.InitWriterRequest;
@@ -32,6 +34,8 @@
 import javax.annotation.concurrent.ThreadSafe;
 
 import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 import static com.alibaba.fluss.record.LogRecordBatch.NO_WRITER_ID;
 
@@ -277,11 +281,11 @@ synchronized boolean canRetry(WriteBatch batch, Errors error) {
         return false;
     }
 
-    void maybeWaitForWriterId() {
+    void maybeWaitForWriterId(Set<PhysicalTablePath> tablePaths) {
         if (!isWriterIdValid()) {
             try {
                 tabletServerGateway
-                        .initWriter(new InitWriterRequest())
+                        .initWriter(prepareInitWriterRequest(tablePaths))
                         .thenAccept(response -> setWriterId(response.getWriterId()))
                         .exceptionally(
                                 e -> {
@@ -297,6 +301,21 @@ void maybeWaitForWriterId() {
         }
     }
 
+    InitWriterRequest prepareInitWriterRequest(Set<PhysicalTablePath> physicalTables) {
+        InitWriterRequest initWriterRequest = new InitWriterRequest();
+        Set<TablePath> tables =
+                physicalTables.stream()
+                        .map(PhysicalTablePath::getTablePath)
+                        .collect(Collectors.toSet());
+        for (TablePath tablePath : tables) {
+            initWriterRequest
+                    .addTablePath()
+                    .setDatabaseName(tablePath.getDatabaseName())
+                    .setTableName(tablePath.getTableName());
+        }
+        return initWriterRequest;
+    }
+
     private int maybeUpdateLastAckedSequence(TableBucket tableBucket, int sequence) {
         return idempotenceBucketMap.maybeUpdateLastAckedSequence(tableBucket, sequence);
     }

fluss-client/src/main/java/com/alibaba/fluss/client/write/RecordAccumulator.java

@@ -360,6 +360,10 @@ public Deque<WriteBatch> getDeque(PhysicalTablePath path, TableBucket tableBucke
         return bucketAndWriteBatches.batches.get(tableBucket.getBucket());
     }
 
+    public Set<PhysicalTablePath> getPhysicalTablePathsInBatches() {
+        return writeBatches.keySet();
+    }
+
     private List<MemorySegment> allocateMemorySegments(WriteRecord writeRecord) throws IOException {
         if (writeRecord.getWriteFormat() == WriteFormat.ARROW_LOG) {
             // pre-allocate a batch memory size for Arrow, if it is not sufficient during batching,

fluss-client/src/main/java/com/alibaba/fluss/client/write/Sender.java

@@ -172,7 +172,9 @@ public void run() {
     public void runOnce() throws Exception {
         if (idempotenceManager.idempotenceEnabled()) {
             // may be wait for writer id.
-            idempotenceManager.maybeWaitForWriterId();
+            Set<PhysicalTablePath> targetTables = accumulator.getPhysicalTablePathsInBatches();
+            // TODO: only request to init writer_id when we have valid target tables
+            idempotenceManager.maybeWaitForWriterId(targetTables);
         }
 
         // do send.

fluss-client/src/test/java/com/alibaba/fluss/client/security/acl/FlussAuthorizationITCase.java

@@ -18,6 +18,7 @@
 
 import com.alibaba.fluss.client.Connection;
 import com.alibaba.fluss.client.ConnectionFactory;
+import com.alibaba.fluss.client.FlussConnection;
 import com.alibaba.fluss.client.admin.Admin;
 import com.alibaba.fluss.client.table.Table;
 import com.alibaba.fluss.client.table.scanner.batch.BatchScanner;
@@ -26,14 +27,19 @@
 import com.alibaba.fluss.config.ConfigOptions;
 import com.alibaba.fluss.config.Configuration;
 import com.alibaba.fluss.config.MemorySize;
+import com.alibaba.fluss.exception.AuthorizationException;
 import com.alibaba.fluss.metadata.DataLakeFormat;
 import com.alibaba.fluss.metadata.DatabaseDescriptor;
 import com.alibaba.fluss.metadata.TableBucket;
 import com.alibaba.fluss.metadata.TableDescriptor;
+import com.alibaba.fluss.metadata.TablePath;
 import com.alibaba.fluss.row.InternalRow;
 import com.alibaba.fluss.rpc.GatewayClientProxy;
 import com.alibaba.fluss.rpc.RpcClient;
 import com.alibaba.fluss.rpc.gateway.AdminGateway;
+import com.alibaba.fluss.rpc.gateway.TabletServerGateway;
+import com.alibaba.fluss.rpc.messages.InitWriterRequest;
+import com.alibaba.fluss.rpc.messages.InitWriterResponse;
 import com.alibaba.fluss.rpc.messages.MetadataRequest;
 import com.alibaba.fluss.rpc.metrics.TestingClientMetricGroup;
 import com.alibaba.fluss.security.acl.AccessControlEntry;
@@ -190,6 +196,14 @@ void testNoAuthorizer() throws Exception {
                                             .get();
                                 })
                         .hasMessageContaining("No Authorizer is configured.");
+
+                // test initWriter without authorizer and empty table paths
+                FlussConnection flussConnection = (FlussConnection) connection;
+                TabletServerGateway tabletServerGateway =
+                        flussConnection.getMetadataUpdater().newTabletServerClientForNode(0);
+                InitWriterResponse response =
+                        tabletServerGateway.initWriter(new InitWriterRequest()).get();
+                assertThat(response.getWriterId()).isGreaterThanOrEqualTo(0);
             }
 
         } finally {
@@ -430,6 +444,70 @@ void testGetMetaInfo() throws Exception {
         }
     }
 
+    @Test
+    void testInitWriter() throws Exception {
+        TablePath writeAclTable = TablePath.of("test_db_1", "write_acl_table");
+        TablePath noWriteAclTable = TablePath.of("test_db_1", "no_write_acl_table");
+
+        TableDescriptor descriptor =
+                TableDescriptor.builder().schema(DATA1_SCHEMA).distributedBy(1).build();
+        rootAdmin.createTable(writeAclTable, descriptor, false).get();
+        // create acl to allow guest write.
+        rootAdmin
+                .createAcls(
+                        Collections.singletonList(
+                                new AclBinding(
+                                        Resource.table(writeAclTable),
+                                        new AccessControlEntry(
+                                                guestPrincipal,
+                                                "*",
+                                                OperationType.WRITE,
+                                                PermissionType.ALLOW))))
+                .all()
+                .get();
+
+        FLUSS_CLUSTER_EXTENSION.waitUtilTableReady(
+                rootAdmin.getTableInfo(writeAclTable).get().getTableId());
+
+        FlussConnection flussConnection = (FlussConnection) guestConn;
+        TabletServerGateway tabletServerGateway =
+                flussConnection.getMetadataUpdater().newTabletServerClientForNode(0);
+
+        // test 1: empty table paths
+        assertThatThrownBy(() -> tabletServerGateway.initWriter(new InitWriterRequest()).get())
+                .cause()
+                .isInstanceOf(AuthorizationException.class)
+                .hasMessageContaining(
+                        "The request of InitWriter requires non empty table paths for authorization.");
+
+        // request contains a table path without permission
+        InitWriterRequest noAclRequest = new InitWriterRequest();
+        noAclRequest
+                .addTablePath()
+                .setDatabaseName(noWriteAclTable.getDatabaseName())
+                .setTableName(noWriteAclTable.getTableName());
+
+        // test 2: no table has write permission
+        assertThatThrownBy(() -> tabletServerGateway.initWriter(noAclRequest).get())
+                .cause()
+                .isInstanceOf(AuthorizationException.class)
+                .hasMessageContaining(
+                        "No WRITE permission among all the tables: [test_db_1.no_write_acl_table]");
+
+        // request contains both a table path with/without permission
+        InitWriterRequest request = new InitWriterRequest();
+        request.addTablePath()
+                .setTableName(writeAclTable.getTableName())
+                .setDatabaseName(writeAclTable.getDatabaseName());
+        request.addTablePath()
+                .setTableName(noWriteAclTable.getTableName())
+                .setDatabaseName(noWriteAclTable.getDatabaseName());
+
+        // test 3: one table has write permission, the other doesn't have permission
+        InitWriterResponse response = tabletServerGateway.initWriter(request).get();
+        assertThat(response.getWriterId()).isGreaterThanOrEqualTo(0);
+    }
+
     @Test
     void testProduceAndConsumer() throws Exception {
         TableDescriptor descriptor =

fluss-rpc/src/main/proto/FlussApi.proto

@@ -367,6 +367,7 @@ message GetFileSystemSecurityTokenResponse {
 
 // init writer request and response
 message InitWriterRequest {
+  repeated PbTablePath table_path = 1;
 }
 
 message InitWriterResponse {

fluss-server/src/main/java/com/alibaba/fluss/server/tablet/TabletService.java

@@ -22,6 +22,7 @@
 import com.alibaba.fluss.fs.FileSystem;
 import com.alibaba.fluss.metadata.PhysicalTablePath;
 import com.alibaba.fluss.metadata.TableBucket;
+import com.alibaba.fluss.metadata.TablePath;
 import com.alibaba.fluss.record.KvRecordBatch;
 import com.alibaba.fluss.record.MemoryLogRecords;
 import com.alibaba.fluss.rpc.entity.FetchLogResultForBucket;
@@ -68,6 +69,7 @@
 import com.alibaba.fluss.server.log.ListOffsetsParam;
 import com.alibaba.fluss.server.metadata.ServerMetadataCache;
 import com.alibaba.fluss.server.replica.ReplicaManager;
+import com.alibaba.fluss.server.utils.ServerRpcMessageUtils;
 import com.alibaba.fluss.server.zk.ZooKeeperClient;
 
 import javax.annotation.Nullable;
@@ -312,7 +314,11 @@ public CompletableFuture<ListOffsetsResponse> listOffsets(ListOffsetsRequest req
 
     @Override
     public CompletableFuture<InitWriterResponse> initWriter(InitWriterRequest request) {
-        // todo: add authorization for table acl until https://github.com/alibaba/fluss/issues/756.
+        List<TablePath> tablePathsList =
+                request.getTablePathsList().stream()
+                        .map(ServerRpcMessageUtils::toTablePath)
+                        .collect(Collectors.toList());
+        authorizeAnyTable(WRITE, tablePathsList);
         CompletableFuture<InitWriterResponse> response = new CompletableFuture<>();
         response.complete(makeInitWriterResponse(metadataManager.initWriterId()));
         return response;
@@ -364,6 +370,27 @@ private void authorizeTable(OperationType operationType, long tableId) {
         }
     }
 
+    private void authorizeAnyTable(OperationType operationType, List<TablePath> tablePaths) {
+        if (authorizer != null) {
+            if (tablePaths.isEmpty()) {
+                throw new AuthorizationException(
+                        "The request of InitWriter requires non empty table paths for authorization.");
+            }
+
+            for (TablePath tablePath : tablePaths) {
+                Resource tableResource = Resource.table(tablePath);
+                if (authorizer.isAuthorized(currentSession(), operationType, tableResource)) {
+                    // authorized success if one of the tables has the permission
+                    return;
+                }
+            }
+            throw new AuthorizationException(
+                    String.format(
+                            "No %s permission among all the tables: %s",
+                            operationType, tablePaths));
+        }
+    }
+
     /**
      * Authorize the given request data for each table bucket, and return the successfully
      * authorized request data. The failed authorization will be put into the errorResponseMap.