in core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java [335:420]
/**
 * Revokes {@code roles} from {@code user} in {@code metalake} and returns the updated user.
 *
 * <p>Every requested role is first resolved through {@code roleManager} while a READ tree lock
 * on that role is held. The user entity is then rewritten in {@code store} with the resolved
 * roles dropped from its role names and role ids, and finally the authorization plugins are
 * notified of the revocation. Revoking a role the user does not currently hold is not an
 * error: it is logged at WARN and otherwise ignored.
 *
 * @param metalake name of the metalake that owns the user and the roles
 * @param roles names of the roles to revoke
 * @param user name of the user the roles are revoked from
 * @return the user as returned by the store after the update
 * @throws NoSuchUserException if the store reports the user entity as missing
 * @throws IllegalRoleException if a role lookup fails with {@code NoSuchRoleException}
 * @throws RuntimeException wrapping the {@link IOException} raised by the store
 */
User revokeRolesFromUser(String metalake, List<String> roles, String user) {
  try {
    // Resolve the roles to revoke up front; each lookup runs under a READ tree lock on the role.
    List<RoleEntity> rolesToRevoke = Lists.newArrayList();
    for (String roleName : roles) {
      TreeLockUtils.doWithTreeLock(
          AuthorizationUtils.ofRole(metalake, roleName),
          LockType.READ,
          () -> rolesToRevoke.add(roleManager.getRole(metalake, roleName)));
    }

    User updatedUser =
        store.update(
            AuthorizationUtils.ofUser(metalake, user),
            UserEntity.class,
            Entity.EntityType.USER,
            existing -> {
              // The user's current roles are looked up again through the role manager (not
              // taken straight off the stored entity) and both names and ids derive from them.
              List<RoleEntity> currentRoles = Lists.newArrayList();
              if (existing.roleNames() != null) {
                for (String heldRole : existing.roleNames()) {
                  currentRoles.add(roleManager.getRole(metalake, heldRole));
                }
              }
              List<String> remainingNames = Lists.newArrayList(toRoleNames(currentRoles));
              List<Long> remainingIds = Lists.newArrayList(toRoleIds(currentRoles));

              for (RoleEntity revoked : rolesToRevoke) {
                remainingNames.remove(revoked.name());
                // Only the id removal is checked; a miss means the user did not hold the role.
                if (!remainingIds.remove(revoked.id())) {
                  LOG.warn(
                      "Failed to revoke, role {} doesn't exist in the user {} of metalake {}",
                      revoked.name(),
                      user,
                      metalake);
                }
              }

              // Creator and creation time are carried over; only the modifier fields change.
              AuditInfo audit =
                  AuditInfo.builder()
                      .withCreator(existing.auditInfo().creator())
                      .withCreateTime(existing.auditInfo().createTime())
                      .withLastModifier(PrincipalUtils.getCurrentPrincipal().getName())
                      .withLastModifiedTime(Instant.now())
                      .build();
              return UserEntity.builder()
                  .withId(existing.id())
                  .withNamespace(existing.namespace())
                  .withName(existing.name())
                  .withRoleNames(remainingNames)
                  .withRoleIds(remainingIds)
                  .withAuditInfo(audit)
                  .build();
            });

    // NOTE(review): store.update has already returned by the time the plugins are notified, so
    // a plugin failure here leaves the stored user without the roles while the plugin side may
    // still grant them — confirm whether callers compensate for that.
    List<SecurableObject> revokedObjects = Lists.newArrayList();
    for (Role revokedRole : rolesToRevoke) {
      revokedObjects.addAll(revokedRole.securableObjects());
    }
    AuthorizationUtils.callAuthorizationPluginForSecurableObjects(
        metalake,
        revokedObjects,
        (plugin, catalogName) ->
            plugin.onRevokedRolesFromUser(
                rolesToRevoke.stream()
                    .map(role -> filterSecurableObjects(role, metalake, catalogName))
                    .collect(Collectors.toList()),
                updatedUser));
    return updatedUser;
  } catch (NoSuchEntityException missingUser) {
    LOG.warn(
        "Failed to revoke, user {} does not exist in the metalake {}", user, metalake, missingUser);
    throw new NoSuchUserException(USER_DOES_NOT_EXIST_MSG, user, metalake);
  } catch (NoSuchRoleException missingRole) {
    throw new IllegalRoleException(missingRole);
  } catch (IOException storageFailure) {
    LOG.error(
        "Failed to revoke role {} from user {} in the metalake {} due to storage issues",
        StringUtils.join(roles, ","),
        user,
        metalake,
        storageFailure);
    throw new RuntimeException(storageFailure);
  }
}