Group revokeRolesFromGroup()

in core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java [246:333]


  /**
   * Removes the given roles from a group and notifies the authorization plugins of the change.
   *
   * <p>Ordering is security-relevant: the group entity is rewritten in {@code store} first, and
   * only afterwards are the catalog authorization plugins told about the revocation. If a plugin
   * throws, the exception propagates out of this method and nothing undoes the store update, so
   * Gravitino will report the roles as revoked while the underlying system may still honour them
   * (fail-open). Callers that need the two to agree must detect and retry that case themselves.
   *
   * <p>Revoking a role the group does not currently hold is not an error: it is logged at WARN and
   * the remaining roles are still processed.
   *
   * @param metalake the metalake that owns the group and the roles
   * @param roles names of the roles to revoke; each is resolved under a READ tree lock before the
   *     group is updated
   * @param group name of the group to revoke the roles from
   * @return the updated group entity with the roles removed
   * @throws NoSuchGroupException if the group does not exist in the metalake
   * @throws IllegalRoleException if a role cannot be resolved by {@code roleManager} (one of
   *     {@code roles}, or presumably a role still listed on the group that has since been deleted)
   * @throws RuntimeException wrapping an {@link IOException} raised by the entity store
   */
  Group revokeRolesFromGroup(String metalake, List<String> roles, String group) {
    try {
      // Resolve every role to revoke while holding a READ lock on that role. The lock only spans
      // the lookup (presumably released when doWithTreeLock returns), so a role deleted between
      // here and the store update below is still revoked using the entity captured now.
      List<RoleEntity> roleEntitiesToRevoke = Lists.newArrayList();
      for (String role : roles) {
        TreeLockUtils.doWithTreeLock(
            AuthorizationUtils.ofRole(metalake, role),
            LockType.READ,
            () -> roleEntitiesToRevoke.add(roleManager.getRole(metalake, role)));
      }

      Group updatedGroup =
          store.update(
              AuthorizationUtils.ofGroup(metalake, group),
              GroupEntity.class,
              Entity.EntityType.GROUP,
              groupEntity -> {
                // Rebuild the group's current role set from the stored entity. A role name that
                // no longer resolves surfaces as NoSuchRoleException and is mapped below to
                // IllegalRoleException, even though it is not one of the roles being revoked.
                List<RoleEntity> roleEntities = Lists.newArrayList();
                if (groupEntity.roleNames() != null) {
                  for (String role : groupEntity.roleNames()) {
                    roleEntities.add(roleManager.getRole(metalake, role));
                  }
                }
                List<String> roleNames = Lists.newArrayList(toRoleNames(roleEntities));
                List<Long> roleIds = Lists.newArrayList(toRoleIds(roleEntities));

                for (RoleEntity roleEntityToRevoke : roleEntitiesToRevoke) {
                  roleNames.remove(roleEntityToRevoke.name());
                  // List<Long>.remove(Object), not remove(int): the boolean tells us whether the
                  // group actually held the role. Names and ids come from the same list, so the
                  // two removals stay in step.
                  boolean removed = roleIds.remove(roleEntityToRevoke.id());
                  if (!removed) {
                    // Not held by the group: treated as an idempotent no-op, only logged.
                    LOG.warn(
                        "Failed to revoke, role {} does not exist in the group {} of metalake {}",
                        roleEntityToRevoke.name(),
                        group,
                        metalake);
                  }
                }

                // Preserve the creation audit fields; stamp the revocation with the principal
                // performing it so the change is attributable.
                AuditInfo auditInfo =
                    AuditInfo.builder()
                        .withCreator(groupEntity.auditInfo().creator())
                        .withCreateTime(groupEntity.auditInfo().createTime())
                        .withLastModifier(PrincipalUtils.getCurrentPrincipal().getName())
                        .withLastModifiedTime(Instant.now())
                        .build();

                return GroupEntity.builder()
                    .withNamespace(groupEntity.namespace())
                    .withId(groupEntity.id())
                    .withName(groupEntity.name())
                    .withRoleNames(roleNames)
                    .withRoleIds(roleIds)
                    .withAuditInfo(auditInfo)
                    .build();
              });

      // Gather the securable objects of the revoked roles (despite the loop variable's name) so
      // that each catalog's plugin is only invoked when one of its objects is affected.
      List<SecurableObject> securableObjects = Lists.newArrayList();
      for (Role grantedRole : roleEntitiesToRevoke) {
        securableObjects.addAll(grantedRole.securableObjects());
      }

      // NOTE(review): the store already reflects the revocation at this point. A failure inside a
      // plugin is not caught here (only IOException is, below) and nothing rolls the store back,
      // so the external system can be left still granting what Gravitino now reports as revoked.
      // Each plugin receives only the securable objects that belong to its catalog.
      AuthorizationUtils.callAuthorizationPluginForSecurableObjects(
          metalake,
          securableObjects,
          (authorizationPlugin, catalogName) ->
              authorizationPlugin.onRevokedRolesFromGroup(
                  roleEntitiesToRevoke.stream()
                      .map(roleEntity -> filterSecurableObjects(roleEntity, metalake, catalogName))
                      .collect(Collectors.toList()),
                  updatedGroup));

      return updatedGroup;

    } catch (NoSuchEntityException nse) {
      // The store could not find the group entity being updated.
      LOG.warn(
          "Failed to revoke, group {} does not exist in the metalake {}", group, metalake, nse);
      throw new NoSuchGroupException(GROUP_DOES_NOT_EXIST_MSG, group, metalake);
    } catch (NoSuchRoleException nsr) {
      // Raised by any getRole call above: a role named in `roles`, or one already on the group.
      throw new IllegalRoleException(nsr);
    } catch (IOException ioe) {
      // Storage failure; the cause is preserved in the wrapped exception.
      LOG.error(
          "Failed to revoke role {} from  group {} in the metalake {} due to storage issues",
          StringUtils.join(roles, ","),
          group,
          metalake,
          ioe);
      throw new RuntimeException(ioe);
    }
  }