[hotfix] Add authentication to the admin APIs that currently lack it (#2350)

Author: swuferhong

fluss-client/src/main/java/org/apache/fluss/client/admin/FlussAdmin.java

@@ -17,6 +17,7 @@
 
 package org.apache.fluss.client.admin;
 
+import org.apache.fluss.annotation.VisibleForTesting;
 import org.apache.fluss.client.metadata.KvSnapshotMetadata;
 import org.apache.fluss.client.metadata.KvSnapshots;
 import org.apache.fluss.client.metadata.LakeSnapshot;
@@ -649,4 +650,14 @@ private static void sendListOffsetsRequest(
                     }
                 });
     }
+
+    @VisibleForTesting
+    public AdminGateway getAdminGateway() {
+        return gateway;
+    }
+
+    @VisibleForTesting
+    public AdminReadOnlyGateway getAdminReadOnlyGateway() {
+        return readOnlyGateway;
+    }
 }

fluss-client/src/test/java/org/apache/fluss/client/security/acl/FlussAuthorizationITCase.java

@@ -21,6 +21,7 @@
 import org.apache.fluss.client.ConnectionFactory;
 import org.apache.fluss.client.FlussConnection;
 import org.apache.fluss.client.admin.Admin;
+import org.apache.fluss.client.admin.FlussAdmin;
 import org.apache.fluss.client.table.Table;
 import org.apache.fluss.client.table.scanner.batch.BatchScanner;
 import org.apache.fluss.client.table.writer.AppendWriter;
@@ -33,6 +34,9 @@
 import org.apache.fluss.config.cluster.AlterConfigOpType;
 import org.apache.fluss.config.cluster.ConfigEntry;
 import org.apache.fluss.exception.AuthorizationException;
+import org.apache.fluss.exception.KvSnapshotNotExistException;
+import org.apache.fluss.exception.LakeTableSnapshotNotExistException;
+import org.apache.fluss.exception.TableNotPartitionedException;
 import org.apache.fluss.metadata.DataLakeFormat;
 import org.apache.fluss.metadata.DatabaseDescriptor;
 import org.apache.fluss.metadata.TableBucket;
@@ -43,9 +47,11 @@
 import org.apache.fluss.rpc.GatewayClientProxy;
 import org.apache.fluss.rpc.RpcClient;
 import org.apache.fluss.rpc.gateway.AdminGateway;
+import org.apache.fluss.rpc.gateway.AdminReadOnlyGateway;
 import org.apache.fluss.rpc.gateway.CoordinatorGateway;
 import org.apache.fluss.rpc.gateway.TabletServerGateway;
 import org.apache.fluss.rpc.messages.ControlledShutdownRequest;
+import org.apache.fluss.rpc.messages.GetKvSnapshotMetadataRequest;
 import org.apache.fluss.rpc.messages.InitWriterRequest;
 import org.apache.fluss.rpc.messages.InitWriterResponse;
 import org.apache.fluss.rpc.messages.MetadataRequest;
@@ -60,13 +66,18 @@
 import org.apache.fluss.security.acl.Resource;
 import org.apache.fluss.security.acl.ResourceFilter;
 import org.apache.fluss.server.testutils.FlussClusterExtension;
+import org.apache.fluss.server.zk.ZooKeeperClient;
+import org.apache.fluss.server.zk.data.TableRegistration;
 import org.apache.fluss.shaded.guava32.com.google.common.collect.Lists;
 import org.apache.fluss.utils.CloseableIterator;
 
+import org.assertj.core.api.ThrowableAssert;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.RegisterExtension;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 
 import java.time.Duration;
 import java.util.Arrays;
@@ -77,8 +88,10 @@
 
 import static org.apache.fluss.config.ConfigOptions.DATALAKE_FORMAT;
 import static org.apache.fluss.record.TestData.DATA1_SCHEMA;
+import static org.apache.fluss.record.TestData.DATA1_SCHEMA_PK;
 import static org.apache.fluss.record.TestData.DATA1_TABLE_DESCRIPTOR;
 import static org.apache.fluss.record.TestData.DATA1_TABLE_DESCRIPTOR_PK;
+import static org.apache.fluss.record.TestData.DATA1_TABLE_INFO_PK;
 import static org.apache.fluss.record.TestData.DATA1_TABLE_PATH;
 import static org.apache.fluss.record.TestData.DATA1_TABLE_PATH_PK;
 import static org.apache.fluss.security.acl.AccessControlEntry.WILD_CARD_HOST;
@@ -390,10 +403,26 @@ void testAlterTable() throws Exception {
     }
 
     @Test
-    void testListTables() throws Exception {
+    void testDescribeTableOperation() throws Exception {
+        // test describe table operations like:
+        // 1. listTables
+        // 2. getTableInfo
+        // 3. getTableSchema
+        // 4. getLatestKvSnapshots
+        // 5. listPartitionInfos
+        // 6. getLatestLakeSnapshot
+
+        // first check call these methods without authorization.
         assertThat(guestAdmin.listTables(DATA1_TABLE_PATH_PK.getDatabaseName()).get())
                 .isEqualTo(Collections.emptyList());
-
+        assertNoTableDescribeAuth(() -> guestAdmin.getTableInfo(DATA1_TABLE_PATH_PK).get());
+        assertNoTableDescribeAuth(() -> guestAdmin.getTableSchema(DATA1_TABLE_PATH_PK).get());
+        assertNoTableDescribeAuth(() -> guestAdmin.getLatestKvSnapshots(DATA1_TABLE_PATH_PK).get());
+        assertNoTableDescribeAuth(() -> guestAdmin.listPartitionInfos(DATA1_TABLE_PATH_PK).get());
+        assertNoTableDescribeAuth(
+                () -> guestAdmin.getLatestLakeSnapshot(DATA1_TABLE_PATH_PK).get());
+
+        // add acl to allow guest describe table resource
         List<AclBinding> aclBindings =
                 Collections.singletonList(
                         new AclBinding(
@@ -405,8 +434,70 @@ void testListTables() throws Exception {
                                         PermissionType.ALLOW)));
         rootAdmin.createAcls(aclBindings).all().get();
         FLUSS_CLUSTER_EXTENSION.waitUntilAuthenticationSync(aclBindings, true);
+
+        // check call these methods with authorization.
         assertThat(guestAdmin.listTables(DATA1_TABLE_PATH_PK.getDatabaseName()).get())
                 .isEqualTo(Collections.singletonList(DATA1_TABLE_PATH_PK.getTableName()));
+        assertThat(guestAdmin.getTableInfo(DATA1_TABLE_PATH_PK).get().getTablePath())
+                .isEqualTo(DATA1_TABLE_INFO_PK.getTablePath());
+        assertThat(guestAdmin.getTableSchema(DATA1_TABLE_PATH_PK).get().getSchema())
+                .isEqualTo(DATA1_SCHEMA_PK);
+        assertThat(guestAdmin.tableExists(DATA1_TABLE_PATH_PK).get()).isTrue();
+        assertThat(guestAdmin.getLatestKvSnapshots(DATA1_TABLE_PATH_PK).get().getBucketIds())
+                .containsExactlyInAnyOrder(0, 1, 2);
+        assertThatThrownBy(() -> guestAdmin.listPartitionInfos(DATA1_TABLE_PATH_PK).get())
+                .rootCause()
+                .isInstanceOf(TableNotPartitionedException.class)
+                .hasMessageContaining(
+                        "Table 'test_db_1.test_pk_table_1' is not a partitioned table.");
+        assertThatThrownBy(() -> guestAdmin.getLatestLakeSnapshot(DATA1_TABLE_PATH_PK).get())
+                .rootCause()
+                .isInstanceOf(LakeTableSnapshotNotExistException.class)
+                .hasMessageContaining("Lake table snapshot not exist for table");
+    }
+
+    @ParameterizedTest
+    @ValueSource(strings = {"CoordinatorServer", "TabletServer"})
+    void testGetKvSnapshotMetadata(String serverType) throws Exception {
+        AdminReadOnlyGateway readOnlyGateway;
+        if (serverType.equals("CoordinatorServer")) {
+            readOnlyGateway = ((FlussAdmin) guestAdmin).getAdminGateway();
+        } else {
+            readOnlyGateway = ((FlussAdmin) guestAdmin).getAdminReadOnlyGateway();
+        }
+
+        ZooKeeperClient zooKeeperClient = FLUSS_CLUSTER_EXTENSION.getZooKeeperClient();
+        TableRegistration tableRegistration = zooKeeperClient.getTable(DATA1_TABLE_PATH_PK).get();
+        long tableId = tableRegistration.tableId;
+        FLUSS_CLUSTER_EXTENSION.waitUntilTableReady(tableId);
+
+        GetKvSnapshotMetadataRequest request = new GetKvSnapshotMetadataRequest();
+        request.setTableId(tableId).setBucketId(0).setSnapshotId(0);
+        // Make sure all tabletServer has ready replica and ready metadata for the table.
+        FLUSS_CLUSTER_EXTENSION.waitUntilAllReplicaReady(new TableBucket(tableId, 0));
+
+        // call getKvSnapshotMetadata without authorization.
+        assertNoTableDescribeAuth(() -> readOnlyGateway.getKvSnapshotMetadata(request).get());
+
+        // add acl to allow guest describe table resource
+        List<AclBinding> aclBindings =
+                Collections.singletonList(
+                        new AclBinding(
+                                Resource.database(DATA1_TABLE_PATH_PK.getDatabaseName()),
+                                new AccessControlEntry(
+                                        guestPrincipal,
+                                        "*",
+                                        OperationType.DESCRIBE,
+                                        PermissionType.ALLOW)));
+        rootAdmin.createAcls(aclBindings).all().get();
+        FLUSS_CLUSTER_EXTENSION.waitUntilAuthenticationSync(aclBindings, true);
+
+        // call getKvSnapshotMetadata with authorization. no authorization exception should be
+        // thrown.
+        assertThatThrownBy(() -> readOnlyGateway.getKvSnapshotMetadata(request).get())
+                .rootCause()
+                .isInstanceOf(KvSnapshotNotExistException.class)
+                .hasMessageContaining("Failed to get kv snapshot metadata for table bucket");
     }
 
     @Test
@@ -572,9 +663,9 @@ void testProduceWithNoWriteAuthorization() throws Exception {
                     .rootCause()
                     .hasMessageContaining(
                             String.format(
-                                    "No permission to WRITE table %s in database %s",
-                                    noWriteAclTable.getTableName(),
-                                    noWriteAclTable.getDatabaseName()));
+                                    "Principal FlussPrincipal{name='guest', type='User'} have no authorization to "
+                                            + "operate WRITE on resource Resource{type=TABLE, name='%s'} ",
+                                    noWriteAclTable));
         }
     }
 
@@ -609,10 +700,9 @@ void testProduceAndConsumer() throws Exception {
                 assertThatThrownBy(() -> batchScanner.pollBatch(Duration.ofMinutes(1)))
                         .hasMessageContaining(
                                 String.format(
-                                        "No permission to %s table %s in database %s",
-                                        READ,
-                                        DATA1_TABLE_PATH.getTableName(),
-                                        DATA1_TABLE_PATH.getDatabaseName()));
+                                        "Principal FlussPrincipal{name='guest', type='User'} have no authorization to "
+                                                + "operate %s on resource Resource{type=TABLE, name='%s'}",
+                                        READ, DATA1_TABLE_PATH));
             }
             rootAdmin
                     .createAcls(
@@ -955,4 +1045,13 @@ private static Configuration initConfig() {
         conf.set(ConfigOptions.AUTHORIZER_ENABLED, true);
         return conf;
     }
+
+    private void assertNoTableDescribeAuth(ThrowableAssert.ThrowingCallable callable) {
+        assertThatThrownBy(callable)
+                .cause()
+                .isInstanceOf(AuthorizationException.class)
+                .hasMessageContaining(
+                        "Principal FlussPrincipal{name='guest', type='User'} have no authorization to "
+                                + "operate DESCRIBE on resource Resource{type=TABLE, name='test_db_1.test_pk_table_1'}");
+    }
 }

fluss-flink/fluss-flink-common/src/test/java/org/apache/fluss/flink/security/acl/FlinkAuthorizationITCase.java

@@ -383,8 +383,9 @@ void testPutAndLookupKvTable() throws Exception {
                 .rootCause()
                 .hasMessageContaining(
                         String.format(
-                                "No permission to READ table %s in database %s",
-                                tablePath.getTableName(), tablePath.getDatabaseName()));
+                                "Principal FlussPrincipal{name='guest', type='User'} have no authorization to "
+                                        + "operate READ on resource Resource{type=TABLE, name='%s'} ",
+                                tablePath));
         addAcl(Resource.database(tablePath.getDatabaseName()), READ);
         assertQueryResultExactOrder(
                 tBatchEnv,

fluss-server/src/main/java/org/apache/fluss/server/RpcServiceBase.java

@@ -170,6 +170,20 @@ public ServerType providerType() {
         return provider;
     }
 
+    public abstract void authorizeTable(OperationType operationType, long tableId);
+
+    public void authorizeDatabase(OperationType operationType, String databaseName) {
+        if (authorizer != null) {
+            authorizer.authorize(currentSession(), operationType, Resource.database(databaseName));
+        }
+    }
+
+    public void authorizeTable(OperationType operationType, TablePath tablePath) {
+        if (authorizer != null) {
+            authorizer.authorize(currentSession(), operationType, Resource.table(tablePath));
+        }
+    }
+
     @Override
     public CompletableFuture<ApiVersionsResponse> apiVersions(ApiVersionsRequest request) {
         Set<ApiKeys> apiKeys = apiManager.enabledApis();
@@ -210,15 +224,11 @@ public CompletableFuture<ListDatabasesResponse> listDatabases(ListDatabasesReque
     @Override
     public CompletableFuture<GetDatabaseInfoResponse> getDatabaseInfo(
             GetDatabaseInfoRequest request) {
-        if (authorizer != null) {
-            authorizer.authorize(
-                    currentSession(),
-                    OperationType.DESCRIBE,
-                    Resource.database(request.getDatabaseName()));
-        }
+        String databaseName = request.getDatabaseName();
+        authorizeDatabase(OperationType.DESCRIBE, databaseName);
 
         GetDatabaseInfoResponse response = new GetDatabaseInfoResponse();
-        DatabaseInfo databaseInfo = metadataManager.getDatabase(request.getDatabaseName());
+        DatabaseInfo databaseInfo = metadataManager.getDatabase(databaseName);
         response.setDatabaseJson(databaseInfo.getDatabaseDescriptor().toJsonBytes())
                 .setCreatedTime(databaseInfo.getCreatedTime())
                 .setModifiedTime(databaseInfo.getModifiedTime());
@@ -227,6 +237,7 @@ public CompletableFuture<GetDatabaseInfoResponse> getDatabaseInfo(
 
     @Override
     public CompletableFuture<DatabaseExistsResponse> databaseExists(DatabaseExistsRequest request) {
+        // By design: database exists not need to check database authorization.
         DatabaseExistsResponse response = new DatabaseExistsResponse();
         boolean exists = metadataManager.databaseExists(request.getDatabaseName());
         response.setExists(exists);
@@ -258,12 +269,7 @@ public CompletableFuture<ListTablesResponse> listTables(ListTablesRequest reques
     @Override
     public CompletableFuture<GetTableInfoResponse> getTableInfo(GetTableInfoRequest request) {
         TablePath tablePath = toTablePath(request.getTablePath());
-        if (authorizer != null) {
-            authorizer.authorize(
-                    currentSession(),
-                    OperationType.DESCRIBE,
-                    Resource.table(tablePath.getDatabaseName(), tablePath.getTableName()));
-        }
+        authorizeTable(OperationType.DESCRIBE, tablePath);
 
         GetTableInfoResponse response = new GetTableInfoResponse();
         TableInfo tableInfo = metadataManager.getTable(tablePath);
@@ -278,6 +284,8 @@ public CompletableFuture<GetTableInfoResponse> getTableInfo(GetTableInfoRequest
     @Override
     public CompletableFuture<GetTableSchemaResponse> getTableSchema(GetTableSchemaRequest request) {
         TablePath tablePath = toTablePath(request.getTablePath());
+        authorizeTable(OperationType.DESCRIBE, tablePath);
+
         final SchemaInfo schemaInfo;
         if (request.hasSchemaId()) {
             schemaInfo = metadataManager.getSchemaById(tablePath, request.getSchemaId());
@@ -292,6 +300,7 @@ public CompletableFuture<GetTableSchemaResponse> getTableSchema(GetTableSchemaRe
 
     @Override
     public CompletableFuture<TableExistsResponse> tableExists(TableExistsRequest request) {
+        // By design: table exists not need to check table authorization.
         TableExistsResponse response = new TableExistsResponse();
         boolean exists = metadataManager.tableExists(toTablePath(request.getTablePath()));
         response.setExists(exists);
@@ -302,6 +311,8 @@ public CompletableFuture<TableExistsResponse> tableExists(TableExistsRequest req
     public CompletableFuture<GetLatestKvSnapshotsResponse> getLatestKvSnapshots(
             GetLatestKvSnapshotsRequest request) {
         TablePath tablePath = toTablePath(request.getTablePath());
+        authorizeTable(OperationType.DESCRIBE, tablePath);
+
         // get table info
         TableInfo tableInfo = metadataManager.getTable(tablePath);
 
@@ -363,9 +374,12 @@ private long getPartitionId(TablePath tablePath, String partitionName) {
     @Override
     public CompletableFuture<GetKvSnapshotMetadataResponse> getKvSnapshotMetadata(
             GetKvSnapshotMetadataRequest request) {
+        long tableId = request.getTableId();
+        authorizeTable(OperationType.DESCRIBE, tableId);
+
         TableBucket tableBucket =
                 new TableBucket(
-                        request.getTableId(),
+                        tableId,
                         request.hasPartitionId() ? request.getPartitionId() : null,
                         request.getBucketId());
         long snapshotId = request.getSnapshotId();
@@ -412,6 +426,8 @@ public CompletableFuture<GetFileSystemSecurityTokenResponse> getFileSystemSecuri
     public CompletableFuture<ListPartitionInfosResponse> listPartitionInfos(
             ListPartitionInfosRequest request) {
         TablePath tablePath = toTablePath(request.getTablePath());
+        authorizeTable(OperationType.DESCRIBE, tablePath);
+
         Map<String, Long> partitionNameAndIds;
         if (request.hasPartialPartitionSpec()) {
             ResolvedPartitionSpec partitionSpecFromRequest =
@@ -430,8 +446,10 @@ public CompletableFuture<ListPartitionInfosResponse> listPartitionInfos(
     @Override
     public CompletableFuture<GetLatestLakeSnapshotResponse> getLatestLakeSnapshot(
             GetLatestLakeSnapshotRequest request) {
-        // get table info
         TablePath tablePath = toTablePath(request.getTablePath());
+        authorizeTable(OperationType.DESCRIBE, tablePath);
+
+        // get table info
         TableInfo tableInfo = metadataManager.getTable(tablePath);
         // get table id
         long tableId = tableInfo.getTableId();