docs(auth): Add StarRocks Authorization Pushdown Design

[zhaohehuhu]

What changes were proposed in this pull request?

The design proposes adding StarRocks authorization pushdown support by introducing a new authorization-starrocks provider. The proposed plugin would extend the existing JDBC authorization framework, translate Gravitino users, roles, securable objects, and privileges into StarRocks native authorization SQL, and define object/privilege mappings for catalog, schema, and table-level permissions.

Why are the changes needed?

Gravitino currently supports StarRocks metadata management through jdbc-starrocks, but authorization changes in Gravitino are not pushed into StarRocks.

The design is needed to align Gravitino’s unified authorization model with StarRocks’ native RBAC system.

Does this PR introduce any user-facing change?

No. It's a design doc.

How was this patch tested?

no needed.

[roryqi]

Gravitino has the concept owner. How to handle it?

[zhaohehuhu]

StarRocks does't have the concept of owner. @roryqi

[zhaohehuhu]

Could we grant all privileges (read and write) to the owner in StarRocks ?

[roryqi]

You would better clarify these in the documents.

[zhaohehuhu]

Got it. Thanks!

[github-actions]

Code Coverage Report

Overall Project	67.09%	🟢
Files changed	No Java source files changed	-

Module	Coverage
aliyun	1.72%	🔴
api	46.82%	🟢
authorization-common	85.96%	🟢
aws	3.66%	🔴
azure	2.47%	🔴
catalog-common	10.4%	🔴
catalog-fileset	80.23%	🟢
catalog-glue	66.91%	🟢
catalog-hive	79.44%	🟢
catalog-jdbc-clickhouse	80.02%	🟢
catalog-jdbc-common	44.22%	🟢
catalog-jdbc-doris	80.28%	🟢
catalog-jdbc-hologres	54.03%	🟢
catalog-jdbc-mysql	79.23%	🟢
catalog-jdbc-oceanbase	78.38%	🟢
catalog-jdbc-postgresql	82.29%	🟢
catalog-jdbc-starrocks	78.51%	🟢
catalog-kafka	77.01%	🟢
catalog-lakehouse-generic	58.53%	🟢
catalog-lakehouse-hudi	79.1%	🟢
catalog-lakehouse-iceberg	85.86%	🟢
catalog-lakehouse-paimon	82.14%	🟢
catalog-model	77.72%	🟢
cli	44.51%	🟢
client-java	78.01%	🟢
common	50.17%	🟢
core	82.45%	🟢
filesystem-hadoop3	77.27%	🟢
flink	0.0%	🔴
flink-common	46.84%	🟢
flink-runtime	0.0%	🔴
gcp	14.12%	🔴
hadoop-common	10.88%	🔴
hive-metastore-common	53.77%	🟢
iceberg-common	58.15%	🟢
iceberg-rest-server	73.9%	🟢
idp-basic	86.18%	🟢
integration-test-common	0.0%	🔴
jobs	66.17%	🟢
lance-common	20.83%	🔴
lance-rest-server	60.13%	🟢
lineage	53.02%	🟢
optimizer	82.95%	🟢
optimizer-api	21.95%	🔴
server	85.96%	🟢
server-common	74.21%	🟢
spark	28.57%	🔴
spark-common	41.66%	🟢
trino-connector	40.13%	🟢

[roryqi]

Why does use_schema map to USAGE?

[zhaohehuhu]

The mapping should be removed or marked as unsupported, because StarRocks does not have corresponding schema-level USAGE privilege.

[roryqi]

Gravitino supports Group now.

[yuqi1129]

I think we can explicitly throw an exception that StarRocks does not support the group concept.

[zhaohehuhu]

OK. We can throw an exception since StarRocks does not support the group concept.

[yuqi1129]

We may need to consider that users may change privileges without using Gravitino since they can query data from StarRocks directly, so how do we synchronize the privileges data?

[zhaohehuhu]

StarRocks is the single source of truth for authorization, while Gravitino periodically synchronizes privilege information from StarRocks. As a result, the two systems are eventually consistent.

[zhaohehuhu]

Since Gravitino leverages Ranger for authorization pushdown, we could consider adopting a similar design to address this scenario, if feasible.

[roryqi]

Which privilege can drop the table?

[roryqi]

Which privilege can drop the schema?

[zhaohehuhu]

I don't see any DROP privilege mentioned in the Gravitino documentation. It appears that Gravitino uses ownership to control administrative operations such as dropping objects, rather than defining a dedicated DROP privilege.

[zhaohehuhu]

Added an Ownership section(4.2) to the document to support DROP permissions. @roryqi