[#5966] improvment(authorization): Add path based securable object and user group mapping interface

core/src/main/java/org/apache/gravitino/authorization/AuthorizationUserGroupMappingProvider.java

@@ -0,0 +1,55 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+
+package org.apache.gravitino.authorization;
+
+import java.util.Map;
+
+/**
+ * The AuthorizationUserGroupMappingProvider interface defines the public API for mapping Gravitino
+ * users and groups to the underlying data source.
+ *
+ * <p>Typically, the users and group names in Gravitino are the same as the underlying data source.
+ * However, in some cases, the user and group names in Gravitino may be different from the
+ * underlying data source. For instance, in GCP IAM, the username is the email address or the
+ * service account. So the user group mapping provider can be used to map the Gravitino username to
+ * the email address or service account.
+ */
+public interface AuthorizationUserGroupMappingProvider {
+
+  /**
+   * Initialize the user group mapping provider with the configuration.
+   *
+   * @param config The configuration map for the user group mapping provider.
+   */
+  default void initialize(Map<String, String> config) {}
+
+  /**
+   * Get the username or group name from the underlying data source based on the Gravitino username
+   * or group name. For instance, in GCP IAM, the username is the email address or the service
+   * account.
+   *
+   * @param gravitinoUserGroup The Gravitino username.
+   * @return The username from the underlying data source.
+   */
+  default String getUserGroupMapping(String gravitinoUserGroup) {
+    return gravitinoUserGroup;
+  }
+}

core/src/main/java/org/apache/gravitino/authorization/PathBasedMetadataObject.java

@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.authorization;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableList;
+import java.util.List;
+import javax.annotation.Nullable;
+import org.apache.gravitino.MetadataObject;
+
+public class PathBasedMetadataObject implements AuthorizationMetadataObject {
+  /**
+   * The type of object in the Ranger system. Every type will map one kind of the entity of the
+   * Gravitino type system.
+   */
+  public enum Type implements AuthorizationMetadataObject.Type {
+    /** A path is mapped the path of storages like HDFS, S3 etc. */
+    FILESET(MetadataObject.Type.FILESET),
+    TABLE(MetadataObject.Type.TABLE),
+    SCHEMA(MetadataObject.Type.SCHEMA),
+    CATALOG(MetadataObject.Type.CATALOG);
+
+    private final MetadataObject.Type metadataType;
+
+    Type(MetadataObject.Type type) {
+      this.metadataType = type;
+    }
+
+    public MetadataObject.Type metadataObjectType() {
+      return metadataType;
+    }
+
+    public static PathBasedMetadataObject.Type fromMetadataType(MetadataObject.Type metadataType) {
+      for (PathBasedMetadataObject.Type type : PathBasedMetadataObject.Type.values()) {
+        if (type.metadataObjectType() == metadataType) {
+          return type;
+        }
+      }
+      throw new IllegalArgumentException(
+          "No matching RangerMetadataObject.Type for " + metadataType);
+    }
+  }
+
+  /**
+   * The path of the object. It can be a file path, table path, like 'hdfs://ip:/path',
+   * 's3://bucket/path', 'hive://database/table', 'gs://path...' etc.
+   */
+  private final String path;
+
+  private final AuthorizationMetadataObject.Type type;
+
+  public PathBasedMetadataObject(String path, AuthorizationMetadataObject.Type type) {
+    this.path = path;
+    this.type = type;
+  }
+
+  public String getPath() {
+    return path;
+  }
+
+  @Nullable
+  @Override
+  public String parent() {
+    return null;
+  }
+
+  @Override
+  public String name() {
+    return this.path;
+  }
+
+  @Override
+  public List<String> names() {
+    return ImmutableList.of(this.path);
+  }
+
+  @Override
+  public AuthorizationMetadataObject.Type type() {
+    return this.type;
+  }
+
+  @Override
+  public void validateAuthorizationMetadataObject() throws IllegalArgumentException {
+    List<String> names = names();
+    Preconditions.checkArgument(
+        names != null && !names.isEmpty(), "Cannot create a Ranger metadata object with no names");
+    Preconditions.checkArgument(
+        names.size() == 1,
+        "Cannot create a Ranger metadata object with the name length which is 1");
+    Preconditions.checkArgument(
+        type != null, "Cannot create a Ranger metadata object with no type");
+
+    Preconditions.checkArgument(
+        type == Type.FILESET || type == Type.TABLE, "it must be the PATH type");
+
+    for (String name : names) {
+      Preconditions.checkArgument(name != null, "Cannot create a metadata object with null name");
+    }
+  }
+}

core/src/main/java/org/apache/gravitino/authorization/PathBasedSecurableObject.java

@@ -0,0 +1,39 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.gravitino.authorization;
+
+import java.util.List;
+
+public class PathBasedSecurableObject extends PathBasedMetadataObject
+    implements AuthorizationSecurableObject {
+
+  private final List<AuthorizationPrivilege> privileges;
+
+  public PathBasedSecurableObject(
+      String path, AuthorizationMetadataObject.Type type, List<AuthorizationPrivilege> privileges) {
+    super(path, type);
+    this.privileges = privileges;
+  }
+
+  @Override
+  public List<AuthorizationPrivilege> privileges() {
+    return privileges;
+  }
+}