gravitino.api.authorization.securable_objects.SecurableObject

class gravitino.api.authorization.securable_objects.SecurableObject

Bases: MetadataObject, ABC

A securable object is an entity on which access control can be granted. Unless explicitly granted, access is denied.

Apache Gravitino organizes securable objects in a tree structure. Each securable object contains three attributes: parent, name, and type.

Supported types:

  • CATALOG

  • SCHEMA

  • TABLE

  • FILESET

  • TOPIC

  • METALAKE

Use the helper class SecurableObjects to construct the securable object you need.

In RESTful APIs, you can reference a securable object using its full name and type.

Examples

Catalog:
  • Python code:

    SecurableObjects.catalog(“catalog1”)

  • REST API:

    full_name=”catalog1”, type=”CATALOG”

Schema:
  • Python code:

    SecurableObjects.schema(“catalog1”, “schema1”)

  • REST API:

    full_name=”catalog1.schema1”, type=”SCHEMA”

Table:
  • Python code:

    SecurableObjects.table(“catalog1”, “schema1”, “table1”)

  • REST API:

    full_name=”catalog1.schema1.table1”, type=”TABLE”

Topic:
  • Python code:

    SecurableObjects.topic(“catalog1”, “schema1”, “topic1”)

  • REST API:

    full_name=”catalog1.schema1.topic1”, type=”TOPIC”

Fileset:
  • Python code:

    SecurableObjects.fileset(“catalog1”, “schema1”, “fileset1”)

  • REST API:

    full_name=”catalog1.schema1.fileset1”, type=”FILESET”

Metalake:
  • Python code:

    SecurableObjects.metalake(“metalake1”)

  • REST API:

    full_name=”metalake1”, type=”METALAKE”

Notes

  • To represent “all catalogs”, you can use the metalake as the root object.

  • To grant a privilege on all children, you can assign it to their common parent. For example, to grant READ TABLE on all tables under catalog1.schema1, simply grant READ TABLE on the schema object itself.

__init__()

Methods

__init__()

full_name()

The full name of the object.

name()

The name of the object.

parent()

The parent full name of the object.

privileges()

The privileges of the securable object.

type()

The type of the object.
class Type(value, names=<not given>, *values, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

The type of object in the Gravitino system. Every type will map one kind of the entity of the underlying system.

CATALOG = 'catalog'

A catalog is a collection of metadata from a specific metadata source, like Apache Hive catalog, Apache Iceberg catalog, JDBC catalog, etc.

COLUMN = 'column'

A column is a sub-collection of the table that represents a group of same type data.

FILESET = 'fileset'

A fileset is mapped to a directory on a file system like HDFS, S3, ADLS, GCS, etc.

JOB = 'job'

A job represents a data processing task in Gravitino.

JOB_TEMPLATE = 'job_template'

A job template represents a reusable template for creating jobs in Gravitino.

METALAKE = 'metalake'

A metalake is a concept of tenant. It means an organization. A metalake contains many data sources.

MODEL = 'model'

A model is mapped to the model artifact in ML.

POLICY = 'policy'

A policy can be associated with a metadata object for data governance and similar purposes.

ROLE = 'role'

A role is an object contains specific securable objects with privileges.

SCHEMA = 'schema'

“A schema is a sub collection of the catalog. The schema can contain filesets, tables, topics, etc.

TABLE = 'table'

A table is mapped the table of relational data sources like Apache Hive, MySQL, etc.

TAG = 'tag'

A tag is used to help manage other metadata object.

TOPIC = 'topic'

A topic is mapped the topic of messaging data sources like Apache Kafka, Apache Pulsar, etc.

full_name() str

The full name of the object.

Full name will be separated by “.” to represent a string identifier of the object, like catalog, catalog.table, etc.

Returns:

str: The name of the object.

abstract name() str

The name of the object.

Returns:

str: The name of the object.

abstract parent() str | None

The parent full name of the object.

If the object doesn’t have parent, this method will return None.

Returns:

Optional[str]: The parent full name of the object.

abstract privileges() list[gravitino.api.authorization.privileges.Privilege]

The privileges of the securable object. For example: If the securable object is a table, the privileges could be READ TABLE, WRITE TABLE, etc. If a schema has the privilege of LOAD TABLE. It means the role can load all tables of the schema.

returns:

The privileges of the securable object.

abstract type() Type

The type of the object.

Returns:

Type: The type of the object.