[#9269] feat(authz): Supports to override privileges

common/src/main/java/org/apache/gravitino/dto/requests/PrivilegeOverrideRequest.java

@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.dto.requests;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.base.Preconditions;
+import lombok.Builder;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.ToString;
+import lombok.extern.jackson.Jacksonized;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.gravitino.dto.authorization.SecurableObjectDTO;
+import org.apache.gravitino.rest.RESTRequest;
+
+/** Represents a request to update a role by overriding its securable objects. */
+@Getter
+@EqualsAndHashCode
+@ToString
+@Builder
+@Jacksonized
+public class PrivilegeOverrideRequest implements RESTRequest {
+
+  @JsonProperty("overrides")
+  private SecurableObjectDTO[] overrides;
+
+  /** Default constructor for PrivilegeOverrideRequest. (Used for Jackson deserialization.) */
+  public PrivilegeOverrideRequest() {
+    this(null);
+  }
+
+  /**
+   * Creates a new PrivilegeOverrideRequest.
+   *
+   * @param overrides The securable objects to override for the role.
+   */
+  public PrivilegeOverrideRequest(SecurableObjectDTO[] overrides) {
+    this.overrides = overrides;
+  }
+
+  /**
+   * Validates the {@link PrivilegeOverrideRequest} request.
+   *
+   * @throws IllegalArgumentException If the request is invalid, this exception is thrown.
+   */
+  @Override
+  public void validate() throws IllegalArgumentException {
+    for (SecurableObjectDTO objectDTO : overrides) {
+      Preconditions.checkArgument(
+          StringUtils.isNotBlank(objectDTO.name()), "\"securable object name\" cannot be blank");
+      Preconditions.checkArgument(
+          objectDTO.type() != null, "\"securable object type\" cannot be null");
+      Preconditions.checkArgument(
+          objectDTO.privileges() != null && !objectDTO.privileges().isEmpty(),
+          "\"securable object privileges\" cannot be null or empty");
+    }
+  }
+}

core/src/main/java/org/apache/gravitino/authorization/AccessControlDispatcher.java

@@ -260,6 +260,10 @@ Role createRole(
    */
   boolean deleteRole(String metalake, String role) throws NoSuchMetalakeException;
 
+  Role overridePrivilegesInRole(
+      String metalake, String role, List<SecurableObject> securableObjectsToOverride)
+      throws NoSuchRoleException, NoSuchMetalakeException;
+
   /**
    * Lists the role names.
    *

core/src/main/java/org/apache/gravitino/authorization/AccessControlManager.java

@@ -247,4 +247,15 @@ public Role revokePrivilegesFromRole(
         LockType.WRITE,
         () -> permissionManager.revokePrivilegesFromRole(metalake, role, object, privileges));
   }
+
+  @Override
+  public Role overridePrivilegesInRole(
+      String metalake, String role, List<SecurableObject> securableObjectsToOverride)
+      throws NoSuchRoleException, NoSuchMetalakeException {
+    return TreeLockUtils.doWithTreeLock(
+        AuthorizationUtils.ofRole(metalake, role),
+        LockType.WRITE,
+        () ->
+            permissionManager.overridePrivilegesInRole(metalake, role, securableObjectsToOverride));
+  }
 }

core/src/main/java/org/apache/gravitino/authorization/PermissionManager.java

@@ -24,17 +24,20 @@
 import static org.apache.gravitino.authorization.AuthorizationUtils.filterSecurableObjects;
 
 import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import java.io.IOException;
 import java.time.Instant;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.gravitino.Entity;
 import org.apache.gravitino.EntityStore;
 import org.apache.gravitino.MetadataObject;
+import org.apache.gravitino.MetadataObjects;
 import org.apache.gravitino.exceptions.IllegalRoleException;
 import org.apache.gravitino.exceptions.NoSuchEntityException;
 import org.apache.gravitino.exceptions.NoSuchGroupException;
@@ -597,6 +600,134 @@ Role revokePrivilegesFromRole(
     }
   }
 
+  Role overridePrivilegesInRole(
+      String metalake, String role, List<SecurableObject> securableObjectsToOverride) {
+    try {
+      AuthorizationPluginCallbackWrapper authorizationCallbackWrapper =
+          new AuthorizationPluginCallbackWrapper();
+      Role updatedRole =
+          store.update(
+              AuthorizationUtils.ofRole(metalake, role),
+              RoleEntity.class,
+              Entity.EntityType.ROLE,
+              roleEntity -> {
+                List<SecurableObject> currentSecurableObjects =
+                    Lists.newArrayList(roleEntity.securableObjects());
+
+                // This is used for recording the original state of the role before update.
+                // We use this to find which objects existed before update
+                Map<MetadataObject, SecurableObject> originObjectMap = Maps.newHashMap();
+                for (SecurableObject securableObject : currentSecurableObjects) {
+                  originObjectMap.put(
+                      MetadataObjects.parse(securableObject.fullName(), securableObject.type()),
+                      securableObject);
+                }
+
+                // This is used for recording the updated state of the role after update.
+                Map<MetadataObject, SecurableObject> updatedObjectMap = Maps.newHashMap();
+                for (SecurableObject securableObject : securableObjectsToOverride) {
+                  updatedObjectMap.put(
+                      MetadataObjects.parse(securableObject.fullName(), securableObject.type()),
+                      securableObject);
+                }
+
+                // These sets will be used for tracking which objects are created, updated or
+                // deleted.
+                Set<MetadataObject> authzPluginCreatedObjects =
+                    Sets.newHashSet(updatedObjectMap.keySet());
+                authzPluginCreatedObjects.removeAll(originObjectMap.keySet());
+
+                Set<MetadataObject> authzPluginUpdateObjects =
+                    Sets.newHashSet(updatedObjectMap.keySet());
+                authzPluginUpdateObjects.retainAll(originObjectMap.keySet());
+
+                Set<MetadataObject> authzPluginDeletedObjects =
+                    Sets.newHashSet(originObjectMap.keySet());
+                authzPluginDeletedObjects.removeAll(updatedObjectMap.keySet());
+
+                // We set authorization callback here, we won't execute this callback in this
+                // place. We will execute the callback after we execute the SQL transaction.
+                authorizationCallbackWrapper.setCallback(
+                    () -> {
+                      authzPluginCreatedObjects.forEach(
+                          object -> {
+                            AuthorizationUtils.callAuthorizationPluginForMetadataObject(
+                                metalake,
+                                object,
+                                authorizationPlugin -> {
+                                  authorizationPlugin.onRoleUpdated(
+                                      roleEntity,
+                                      RoleChange.addSecurableObject(
+                                          role, updatedObjectMap.get(object)));
+                                });
+                          });
+                      authzPluginUpdateObjects.forEach(
+                          object -> {
+                            SecurableObject existingObject = originObjectMap.get(object);
+                            SecurableObject newSecurableObject = updatedObjectMap.get(object);
+                            // If the updated role is the same as the existing one, we don't
+                            // need to call the authorization plugin.
+                            if (existingObject != null
+                                && newSecurableObject != null
+                                && !existingObject
+                                    .privileges()
+                                    .equals(newSecurableObject.privileges())) {
+                              AuthorizationUtils.callAuthorizationPluginForMetadataObject(
+                                  metalake,
+                                  object,
+                                  authorizationPlugin -> {
+                                    authorizationPlugin.onRoleUpdated(
+                                        roleEntity,
+                                        RoleChange.updateSecurableObject(
+                                            role, existingObject, newSecurableObject));
+                                  });
+                            }
+                          });
+                      authzPluginDeletedObjects.forEach(
+                          object -> {
+                            AuthorizationUtils.callAuthorizationPluginForMetadataObject(
+                                metalake,
+                                object,
+                                authorizationPlugin -> {
+                                  authorizationPlugin.onRoleUpdated(
+                                      roleEntity,
+                                      RoleChange.removeSecurableObject(
+                                          role, originObjectMap.get(object)));
+                                });
+                          });
+                    });
+
+                AuditInfo auditInfo =
+                    AuditInfo.builder()
+                        .withCreator(roleEntity.auditInfo().creator())
+                        .withCreateTime(roleEntity.auditInfo().createTime())
+                        .withLastModifier(PrincipalUtils.getCurrentPrincipal().getName())
+                        .withLastModifiedTime(Instant.now())
+                        .build();
+
+                return RoleEntity.builder()
+                    .withId(roleEntity.id())
+                    .withName(roleEntity.name())
+                    .withNamespace(roleEntity.namespace())
+                    .withProperties(roleEntity.properties())
+                    .withAuditInfo(auditInfo)
+                    .withSecurableObjects(Lists.newArrayList(updatedObjectMap.values()))
+                    .build();
+              });
+      authorizationCallbackWrapper.execute();
+
+      return updatedRole;
+    } catch (IOException ioe) {
+      LOG.error(
+          "Updating role {} in the metalake {} failed due to storage issues", role, metalake, ioe);
+      throw new RuntimeException(ioe);
+    } catch (NoSuchEntityException nse) {
+      LOG.error(
+          "Failed to override, role {} does not exist in the metalake {}", role, metalake, nse);
+      throw new NoSuchRoleException(ROLE_DOES_NOT_EXIST_MSG, role, metalake);
+    }
+  }
+
   private static SecurableObject createNewSecurableObject(
       String metalake,
       String role,

core/src/main/java/org/apache/gravitino/hook/AccessControlHookDispatcher.java

@@ -224,6 +224,16 @@ public Role revokePrivilegesFromRole(
     return revokedRole;
   }
 
+  @Override
+  public Role overridePrivilegesInRole(
+      String metalake, String role, List<SecurableObject> securableObjectsToOverride)
+      throws NoSuchRoleException, NoSuchMetalakeException {
+    Role overriddenRole =
+        dispatcher.overridePrivilegesInRole(metalake, role, securableObjectsToOverride);
+    notifyRoleUserRelChange(metalake, role);
+    return overriddenRole;
+  }
+
   private static void notifyRoleUserRelChange(String metalake, List<String> roles) {
     GravitinoAuthorizer gravitinoAuthorizer = GravitinoEnv.getInstance().gravitinoAuthorizer();
     if (gravitinoAuthorizer != null) {

core/src/main/java/org/apache/gravitino/listener/AccessControlEventDispatcher.java

@@ -83,6 +83,9 @@
 import org.apache.gravitino.listener.api.event.ListUsersEvent;
 import org.apache.gravitino.listener.api.event.ListUsersFailureEvent;
 import org.apache.gravitino.listener.api.event.ListUsersPreEvent;
+import org.apache.gravitino.listener.api.event.OverridePrivilegesEvent;
+import org.apache.gravitino.listener.api.event.OverridePrivilegesFailureEvent;
+import org.apache.gravitino.listener.api.event.OverridePrivilegesPreEvent;
 import org.apache.gravitino.listener.api.event.RemoveGroupEvent;
 import org.apache.gravitino.listener.api.event.RemoveGroupFailureEvent;
 import org.apache.gravitino.listener.api.event.RemoveGroupPreEvent;
@@ -521,4 +524,28 @@ public Role revokePrivilegesFromRole(
       throw e;
     }
   }
+
+  @Override
+  public Role overridePrivilegesInRole(
+      String metalake, String role, List<SecurableObject> securableObjectsToOverride)
+      throws NoSuchRoleException, NoSuchMetalakeException {
+    String initiator = PrincipalUtils.getCurrentUserName();
+
+    eventBus.dispatchEvent(
+        new OverridePrivilegesPreEvent(initiator, metalake, role, securableObjectsToOverride));
+    try {
+      Role roleObject =
+          dispatcher.overridePrivilegesInRole(metalake, role, securableObjectsToOverride);
+      eventBus.dispatchEvent(
+          new OverridePrivilegesEvent(
+              initiator, metalake, new RoleInfo(roleObject), securableObjectsToOverride));
+
+      return roleObject;
+    } catch (Exception e) {
+      eventBus.dispatchEvent(
+          new OverridePrivilegesFailureEvent(
+              initiator, metalake, e, role, securableObjectsToOverride));
+      throw e;
+    }
+  }
 }

core/src/main/java/org/apache/gravitino/listener/api/event/OperationType.java

@@ -143,6 +143,7 @@ public enum OperationType {
   LIST_ROLE_NAMES,
   GRANT_PRIVILEGES,
   REVOKE_PRIVILEGES,
+  OVERRIDE_PRIVILEGES,
 
   // Owner operations
   GET_OWNER,