[EPIC] Metadata Authorization

[xunliu]

Background

The Gravitino implementation permission pushdown underlying data source to authorization (Just like Apache Ranger, IAM, etc.,), Because every data source has a different permissions system, This way lets us difficulty unified authentication, So we consider the implementation a unified metadata authentication in the Gravitino API services.

• Metadata Authentication Design doc: https://docs.google.com/document/d/1KL7Ffbh7dIwPaGrinjq3TcCA2vlcsFvyrUUO-tRnEpI/edit?tab=t.0#heading=h.k0lgyx370gfp
• DEMO PR: Draft：A demo on how Gravitino implements metadata authorization. #6676

Advantages

Provider unified metadata authentication in the Gravitino RESTful interface, support curl command and Gravitino Java/Python client to connect Gravitino check authentication based on the user identity.
The Gravitino RESTful interface supports GET/POST/PUT/DELETE operations. These operations map metadata Get a metadata/Create a metadata/Update a metadata/Delete a metadata.

Disadvantages

We are through the RESTful interface only checking authentication metadata permission, Not checking data permission.

Task list

• Authentication framework
  • [Subtask] Support initialize GravitinoAuthorizer #6774
  • [Subtask] Introduce authorization annotations #6775
  • [Subtask] Introduce the AuthorizeResourceConverter for converting between Resource names and ResourceIds. #6783
  • [Subtask] Introduce RequestContext and RequestContextHolder to store user information in REST requests. #6785
  • [Subtask] Introduce JcasbinAuthorizer and GravitinoAdapter for metadata authorization. #6786
  • [Subtask] Introduce AuthorizeFilter to implement metadata authorization in REST requests through an interceptor. #6787
  • [Subtask] Introduce MetadataFilterHelper to filter the result data obtained from list requests. #6788
• Jcasbin
  • [Subtask] Dynamic loading Jcasbin authentication policies #6826
  • [Subtask] Jcasbin model file for Gravitino #6827
• User
  • [Subtask] Support login into Gravitino #6784
  • [Subtask] Add authorization annotations to all REST APIs. #6789
• Connector
  • [Subtask] Enable the Flink Connector to carry a token when requesting the Gravitino Server for metadata authorization. #6790
  • [Subtask] Enable the Spark Connector to carry a token when requesting the Gravitino Server for metadata authorization. #6791
  • [Subtask] Enable the Trino Connector to carry a token when requesting the Gravitino Server for metadata authorization. #6792
• Client
  • [Subtask] Enable the Gravitino Cli to carry a token when requesting the Gravitino Server for metadata authorization. #6793
  • Python client
• Storage
  • [Subtask] GravitinoAuthorizer supports periodic updates of permission policies. #6794
• Performance
  • TODO

[hdygxsj]

Good!