jshao pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new f3abe9d6f [#4140] improvement(core): Optimize the privileges of
securable objects (#4141)
commit f3abe9d6ff1b418515f6d68758003fa0af38b5e0
Author: roryqi <[email protected]>
AuthorDate: Fri Jul 19 18:20:38 2024 +0800
[#4140] improvement(core): Optimize the privileges of securable objects
(#4141)
### What changes were proposed in this pull request?
Consolidate the privilege set of securable objects: remove the DROP_* and ALTER_* privileges, replace READ_TABLE/WRITE_TABLE with SELECT_TABLE/MODIFY_TABLE, and rename READ_TOPIC/WRITE_TOPIC to CONSUME_TOPIC/PRODUCE_TOPIC.
### Why are the changes needed?
Fix: #4140
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Existing tests.
---
.../apache/gravitino/authorization/Privilege.java | 68 ++---
.../apache/gravitino/authorization/Privileges.java | 278 ++++-----------------
.../authorization/TestSecurableObjects.java | 14 +-
.../gravitino/proto/TestEntityProtoSerDe.java | 2 +-
.../relational/service/TestRoleMetaService.java | 2 +-
.../relational/service/TestSecurableObjects.java | 6 +-
.../server/web/rest/TestRoleOperations.java | 14 +-
7 files changed, 100 insertions(+), 284 deletions(-)
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
index 5cb7b3214..3527ead1b 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privilege.java
@@ -43,66 +43,52 @@ public interface Privilege {
enum Name {
/** The privilege to create a catalog. */
CREATE_CATALOG(0L, 1L),
- /** The privilege to drop a catalog. */
- DROP_CATALOG(0L, 1L << 1),
- /** The privilege to alter a catalog. */
- ALTER_CATALOG(0L, 1L << 2),
/** The privilege to use a catalog. */
- USE_CATALOG(0L, 1L << 3),
+ USE_CATALOG(0L, 1L << 2),
/** The privilege to create a schema. */
- CREATE_SCHEMA(0L, 1L << 4),
- /** The privilege to drop a schema. */
- DROP_SCHEMA(0L, 1L << 5),
- /** The privilege to alter a schema. */
- ALTER_SCHEMA(0L, 1L << 6),
+ CREATE_SCHEMA(0L, 1L << 3),
/** the privilege to use a schema. */
- USE_SCHEMA(0L, 1L << 7),
+ USE_SCHEMA(0L, 1L << 4),
/** The privilege to create a table. */
- CREATE_TABLE(0L, 1L << 8),
- /** The privilege to drop a table. */
- DROP_TABLE(0L, 1L << 9),
- /** The privilege to write a table. */
- WRITE_TABLE(0L, 1L << 10),
- /** The privilege to read a table. */
- READ_TABLE(0L, 1L << 11),
+ CREATE_TABLE(0L, 1L << 5),
+ /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE`
for a table. */
+ MODIFY_TABLE(0L, 1L << 6),
+ /** The privilege to select data from a table. */
+ SELECT_TABLE(0L, 1L << 7),
/** The privilege to create a fileset. */
- CREATE_FILESET(0L, 1L << 12),
- /** The privilege to drop a fileset. */
- DROP_FILESET(0L, 1L << 13),
+ CREATE_FILESET(0L, 1L << 8),
/** The privilege to write a fileset. */
- WRITE_FILESET(0L, 1L << 14),
+ WRITE_FILESET(0L, 1L << 9),
/** The privilege to read a fileset. */
- READ_FILESET(0L, 1L << 15),
+ READ_FILESET(0L, 1L << 10),
/** The privilege to create a topic. */
- CREATE_TOPIC(0L, 1L << 16),
- /** The privilege to drop a topic. */
- DROP_TOPIC(0L, 1L << 17),
- /** The privilege to write a topic. */
- WRITE_TOPIC(0L, 1L << 18),
- /** The privilege to read a topic. */
- READ_TOPIC(0L, 1L << 19),
+ CREATE_TOPIC(0L, 1L << 11),
+ /** The privilege to produce to a topic. */
+ PRODUCE_TOPIC(0L, 1L << 12),
+ /** The privilege to consume from a topic. */
+ CONSUME_TOPIC(0L, 1L << 13),
/** The privilege to add a user */
- ADD_USER(0L, 1L << 20),
+ ADD_USER(0L, 1L << 14),
/** The privilege to remove a user */
- REMOVE_USER(0L, 1L << 21),
+ REMOVE_USER(0L, 1L << 15),
/** The privilege to get a user */
- GET_USER(0L, 1L << 22),
+ GET_USER(0L, 1L << 16),
/** The privilege to add a group */
- ADD_GROUP(0L, 1L << 23),
+ ADD_GROUP(0L, 1L << 17),
/** The privilege to remove a group */
- REMOVE_GROUP(0L, 1L << 24),
+ REMOVE_GROUP(0L, 1L << 18),
/** The privilege to get a group */
- GET_GROUP(0L, 1L << 25),
+ GET_GROUP(0L, 1L << 19),
/** The privilege to create a role */
- CREATE_ROLE(0L, 1L << 26),
+ CREATE_ROLE(0L, 1L << 20),
/** The privilege to delete a role */
- DELETE_ROLE(0L, 1L << 27),
+ DELETE_ROLE(0L, 1L << 21),
/** The privilege to grant a role to the user or the group. */
- GRANT_ROLE(0L, 1L << 28),
+ GRANT_ROLE(0L, 1L << 22),
/** The privilege to revoke a role from the user or the group. */
- REVOKE_ROLE(0L, 1L << 29),
+ REVOKE_ROLE(0L, 1L << 23),
/** The privilege to get a role */
- GET_ROLE(0L, 1L << 30);
+ GET_ROLE(0L, 1L << 24);
private final long highBits;
private final long lowBits;
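Review bot: Renumbering the low bits (USE_CATALOG moves from `1L << 3` to `1L << 2`, CREATE_SCHEMA from `1L << 4` to `1L << 3`, and so on through GET_ROLE) changes what any previously stored or transmitted bitmask means — a mask written by an older build for USE_CATALOG (`1L << 3`) would now decode as CREATE_SCHEMA, which is a silent privilege change rather than a decoding error. Whether `highBits`/`lowBits` are ever persisted or sent over the wire is not visible here (the storage and proto tests in this commit reference privileges only by name), so if the bits are purely in-process this is harmless; if they are persisted, the existing values should be kept stable and the freed positions left unassigned, or a migration must rewrite stored masks. Bit 1 is now unassigned (`CREATE_CATALOG` is `1L`, `USE_CATALOG` is `1L << 2`) while all other positions are contiguous, which looks like a leftover from DROP_CATALOG rather than a deliberate gap and deserves either a renumber or a `// bit 1 intentionally unused` comment. Dropping public enum constants such as `DROP_CATALOG` and `READ_TABLE` is also an incompatible API change for any client or stored role that references those names, contrary to the description's "No" for user-facing changes. The enclosing `Privilege` interface starts before this hunk.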
diff --git
a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
index cd6e5210e..07a745760 100644
--- a/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
+++ b/api/src/main/java/org/apache/gravitino/authorization/Privileges.java
@@ -45,38 +45,26 @@ public class Privileges {
// Catalog
case CREATE_CATALOG:
return CreateCatalog.allow();
- case DROP_CATALOG:
- return DropCatalog.allow();
- case ALTER_CATALOG:
- return AlterCatalog.allow();
case USE_CATALOG:
return UseCatalog.allow();
// Schema
case CREATE_SCHEMA:
return CreateSchema.allow();
- case DROP_SCHEMA:
- return DropSchema.allow();
- case ALTER_SCHEMA:
- return AlterSchema.allow();
case USE_SCHEMA:
return UseSchema.allow();
// Table
case CREATE_TABLE:
return CreateTable.allow();
- case DROP_TABLE:
- return DropTable.allow();
- case WRITE_TABLE:
- return WriteTable.allow();
- case READ_TABLE:
- return ReadTable.allow();
+ case MODIFY_TABLE:
+ return ModifyTable.allow();
+ case SELECT_TABLE:
+ return SelectTable.allow();
// Fileset
case CREATE_FILESET:
return CreateFileset.allow();
- case DROP_FILESET:
- return DropFileset.allow();
case WRITE_FILESET:
return WriteFileset.allow();
case READ_FILESET:
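Review bot: The `Name` → privilege mapping is hand-maintained in two parallel switches (this `allow` path and the `deny` path in the next hunk), and after this many case removals and renames nothing in the modified tests checks that every `Name` still resolves, or that a typo here does not map a name to the wrong singleton; the `default` branch, if one exists, is outside the hunk. A small exhaustiveness test would close that gap, e.g. `for (Privilege.Name n : Privilege.Name.values()) { assert Privileges.allow(n).name() == n; assert Privileges.deny(n).name() == n; }`, assuming the enclosing methods are the static `allow(Name)`/`deny(Name)` factories — their signatures start before the hunk, so confirm the names. The commit's "Existing tests" do not appear to exercise this mapping.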
@@ -85,12 +73,10 @@ public class Privileges {
// Topic
case CREATE_TOPIC:
return CreateTopic.allow();
- case DROP_TOPIC:
- return DropTopic.allow();
- case WRITE_TOPIC:
- return WriteTopic.allow();
- case READ_TOPIC:
- return ReadTopic.allow();
+ case PRODUCE_TOPIC:
+ return ProduceTopic.allow();
+ case CONSUME_TOPIC:
+ return ConsumeTopic.allow();
// User
case ADD_USER:
@@ -147,38 +133,26 @@ public class Privileges {
// Catalog
case CREATE_CATALOG:
return CreateCatalog.deny();
- case DROP_CATALOG:
- return DropCatalog.deny();
- case ALTER_CATALOG:
- return AlterCatalog.deny();
case USE_CATALOG:
return UseCatalog.deny();
// Schema
case CREATE_SCHEMA:
return CreateSchema.deny();
- case DROP_SCHEMA:
- return DropSchema.deny();
- case ALTER_SCHEMA:
- return AlterSchema.deny();
case USE_SCHEMA:
return UseSchema.deny();
// Table
case CREATE_TABLE:
return CreateTable.deny();
- case DROP_TABLE:
- return DropTable.deny();
- case WRITE_TABLE:
- return WriteTable.deny();
- case READ_TABLE:
- return ReadTable.deny();
+ case MODIFY_TABLE:
+ return ModifyTable.deny();
+ case SELECT_TABLE:
+ return SelectTable.deny();
// Fileset
case CREATE_FILESET:
return CreateFileset.deny();
- case DROP_FILESET:
- return DropFileset.deny();
case WRITE_FILESET:
return WriteFileset.deny();
case READ_FILESET:
@@ -187,12 +161,10 @@ public class Privileges {
// Topic
case CREATE_TOPIC:
return CreateTopic.deny();
- case DROP_TOPIC:
- return DropTopic.deny();
- case WRITE_TOPIC:
- return WriteTopic.deny();
- case READ_TOPIC:
- return ReadTopic.deny();
+ case PRODUCE_TOPIC:
+ return ProduceTopic.deny();
+ case CONSUME_TOPIC:
+ return ConsumeTopic.deny();
// User
case ADD_USER:
@@ -299,50 +271,6 @@ public class Privileges {
}
}
- /** The privilege to alter a catalog. */
- public static class AlterCatalog extends GenericPrivilege<AlterCatalog> {
- private static final AlterCatalog ALLOW_INSTANCE =
- new AlterCatalog(Condition.ALLOW, Name.ALTER_CATALOG);
- private static final AlterCatalog DENY_INSTANCE =
- new AlterCatalog(Condition.DENY, Name.ALTER_CATALOG);
-
- private AlterCatalog(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static AlterCatalog allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static AlterCatalog deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to drop a catalog. */
- public static class DropCatalog extends GenericPrivilege<DropCatalog> {
- private static final DropCatalog ALLOW_INSTANCE =
- new DropCatalog(Condition.ALLOW, Name.DROP_CATALOG);
- private static final DropCatalog DENY_INSTANCE =
- new DropCatalog(Condition.DENY, Name.DROP_CATALOG);
-
- private DropCatalog(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static DropCatalog allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static DropCatalog deny() {
- return DENY_INSTANCE;
- }
- }
-
/** The privilege to use a catalog. */
public static class UseCatalog extends GenericPrivilege<UseCatalog> {
private static final UseCatalog ALLOW_INSTANCE =
@@ -407,50 +335,6 @@ public class Privileges {
}
}
- /** The privilege to alter a schema. */
- public static class AlterSchema extends GenericPrivilege<AlterSchema> {
- private static final AlterSchema ALLOW_INSTANCE =
- new AlterSchema(Condition.ALLOW, Name.ALTER_SCHEMA);
- private static final AlterSchema DENY_INSTANCE =
- new AlterSchema(Condition.DENY, Name.ALTER_SCHEMA);
-
- private AlterSchema(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static AlterSchema allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static AlterSchema deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to drop a schema. */
- public static class DropSchema extends GenericPrivilege<DropSchema> {
- private static final DropSchema ALLOW_INSTANCE =
- new DropSchema(Condition.ALLOW, Name.DROP_SCHEMA);
- private static final DropSchema DENY_INSTANCE =
- new DropSchema(Condition.DENY, Name.DROP_SCHEMA);
-
- private DropSchema(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static DropSchema allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static DropSchema deny() {
- return DENY_INSTANCE;
- }
- }
-
/** The privilege to create a table. */
public static class CreateTable extends GenericPrivilege<CreateTable> {
private static final CreateTable ALLOW_INSTANCE =
@@ -473,64 +357,46 @@ public class Privileges {
}
}
- /** The privilege to drop a table. */
- public static class DropTable extends GenericPrivilege<DropTable> {
- private static final DropTable ALLOW_INSTANCE = new
DropTable(Condition.ALLOW, Name.DROP_TABLE);
- private static final DropTable DENY_INSTANCE = new
DropTable(Condition.DENY, Name.DROP_TABLE);
+ /** The privilege to select data from a table. */
+ public static class SelectTable extends GenericPrivilege<SelectTable> {
+ private static final SelectTable ALLOW_INSTANCE =
+ new SelectTable(Condition.ALLOW, Name.SELECT_TABLE);
+ private static final SelectTable DENY_INSTANCE =
+ new SelectTable(Condition.DENY, Name.SELECT_TABLE);
- private DropTable(Condition condition, Name name) {
+ private SelectTable(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static DropTable allow() {
+ public static SelectTable allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static DropTable deny() {
+ public static SelectTable deny() {
return DENY_INSTANCE;
}
}
- /** The privilege to read a table. */
- public static class ReadTable extends GenericPrivilege<ReadTable> {
- private static final ReadTable ALLOW_INSTANCE = new
ReadTable(Condition.ALLOW, Name.READ_TABLE);
- private static final ReadTable DENY_INSTANCE = new
ReadTable(Condition.DENY, Name.READ_TABLE);
+ /** The privilege to execute SQL `ALTER`, `INSERT`, `UPDATE`, or `DELETE`
for a table. */
+ public static class ModifyTable extends GenericPrivilege<ModifyTable> {
+ private static final ModifyTable ALLOW_INSTANCE =
+ new ModifyTable(Condition.ALLOW, Name.MODIFY_TABLE);
+ private static final ModifyTable DENY_INSTANCE =
+ new ModifyTable(Condition.DENY, Name.MODIFY_TABLE);
- private ReadTable(Condition condition, Name name) {
+ private ModifyTable(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static ReadTable allow() {
+ public static ModifyTable allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static ReadTable deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to write a table. */
- public static class WriteTable extends GenericPrivilege<WriteTable> {
- private static final WriteTable ALLOW_INSTANCE =
- new WriteTable(Condition.ALLOW, Name.WRITE_TABLE);
- private static final WriteTable DENY_INSTANCE =
- new WriteTable(Condition.DENY, Name.WRITE_TABLE);
-
- private WriteTable(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static WriteTable allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static WriteTable deny() {
+ public static ModifyTable deny() {
return DENY_INSTANCE;
}
}
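Review bot: The `ModifyTable` Javadoc bundles a DDL operation (`ALTER`) with DML (`INSERT`, `UPDATE`, `DELETE`) under one privilege, so a role intended only to write rows also gains the ability to change the table definition — a least-privilege regression compared with the separate `WriteTable` it replaces, and one the Javadoc should call out explicitly rather than leave as a list. It also does not say where `DROP TABLE` authority lives now that `DropTable` is deleted in this same hunk, i.e. whether it is implied by `MODIFY_TABLE` or requires a schema-level privilege. Suggested wording for the class Javadoc (and the matching enum constant in `Privilege.Name`): `/** The privilege to execute SQL ALTER, INSERT, UPDATE, or DELETE for a table. Note this grants table-definition changes (ALTER) together with data changes; TODO(review): document whether DROP TABLE is covered or requires a schema-level privilege. */`. The enclosing `Privileges` class continues outside the hunk.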
@@ -557,28 +423,6 @@ public class Privileges {
}
}
- /** The privilege to drop a fileset. */
- public static class DropFileset extends GenericPrivilege<DropFileset> {
- private static final DropFileset ALLOW_INSTANCE =
- new DropFileset(Condition.ALLOW, Name.DROP_FILESET);
- private static final DropFileset DENY_INSTANCE =
- new DropFileset(Condition.DENY, Name.DROP_FILESET);
-
- private DropFileset(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static DropFileset allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static DropFileset deny() {
- return DENY_INSTANCE;
- }
- }
-
/** The privilege to read a fileset. */
public static class ReadFileset extends GenericPrivilege<ReadFileset> {
private static final ReadFileset ALLOW_INSTANCE =
@@ -645,64 +489,46 @@ public class Privileges {
}
}
- /** The privilege to drop a topic. */
- public static class DropTopic extends GenericPrivilege<DropTopic> {
- private static final DropTopic ALLOW_INSTANCE = new
DropTopic(Condition.ALLOW, Name.DROP_TOPIC);
- private static final DropTopic DENY_INSTANCE = new
DropTopic(Condition.DENY, Name.DROP_TOPIC);
-
- private DropTopic(Condition condition, Name name) {
- super(condition, name);
- }
-
- /** @return The instance with allow condition of the privilege. */
- public static DropTopic allow() {
- return ALLOW_INSTANCE;
- }
-
- /** @return The instance with deny condition of the privilege. */
- public static DropTopic deny() {
- return DENY_INSTANCE;
- }
- }
-
- /** The privilege to read a topic. */
- public static class ReadTopic extends GenericPrivilege<ReadTopic> {
- private static final ReadTopic ALLOW_INSTANCE = new
ReadTopic(Condition.ALLOW, Name.READ_TOPIC);
- private static final ReadTopic DENY_INSTANCE = new
ReadTopic(Condition.DENY, Name.READ_TOPIC);
+ /** The privilege to consume from a topic. */
+ public static class ConsumeTopic extends GenericPrivilege<ConsumeTopic> {
+ private static final ConsumeTopic ALLOW_INSTANCE =
+ new ConsumeTopic(Condition.ALLOW, Name.CONSUME_TOPIC);
+ private static final ConsumeTopic DENY_INSTANCE =
+ new ConsumeTopic(Condition.DENY, Name.CONSUME_TOPIC);
- private ReadTopic(Condition condition, Name name) {
+ private ConsumeTopic(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static ReadTopic allow() {
+ public static ConsumeTopic allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static ReadTopic deny() {
+ public static ConsumeTopic deny() {
return DENY_INSTANCE;
}
}
- /** The privilege to write a topic. */
- public static class WriteTopic extends GenericPrivilege<WriteTopic> {
- private static final WriteTopic ALLOW_INSTANCE =
- new WriteTopic(Condition.ALLOW, Name.WRITE_TOPIC);
- private static final WriteTopic DENY_INSTANCE =
- new WriteTopic(Condition.DENY, Name.WRITE_TOPIC);
+ /** The privilege to produce to a topic. */
+ public static class ProduceTopic extends GenericPrivilege<ProduceTopic> {
+ private static final ProduceTopic ALLOW_INSTANCE =
+ new ProduceTopic(Condition.ALLOW, Name.PRODUCE_TOPIC);
+ private static final ProduceTopic DENY_INSTANCE =
+ new ProduceTopic(Condition.DENY, Name.PRODUCE_TOPIC);
- private WriteTopic(Condition condition, Name name) {
+ private ProduceTopic(Condition condition, Name name) {
super(condition, name);
}
/** @return The instance with allow condition of the privilege. */
- public static WriteTopic allow() {
+ public static ProduceTopic allow() {
return ALLOW_INSTANCE;
}
/** @return The instance with deny condition of the privilege. */
- public static WriteTopic deny() {
+ public static ProduceTopic deny() {
return DENY_INSTANCE;
}
}
diff --git
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
index 230343679..256636397 100644
---
a/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
+++
b/api/src/test/java/org/apache/gravitino/authorization/TestSecurableObjects.java
@@ -51,14 +51,15 @@ public class TestSecurableObjects {
Assertions.assertEquals(schema, anotherSchema);
SecurableObject table =
- SecurableObjects.ofTable(schema, "table",
Lists.newArrayList(Privileges.ReadTable.allow()));
+ SecurableObjects.ofTable(
+ schema, "table",
Lists.newArrayList(Privileges.SelectTable.allow()));
Assertions.assertEquals("catalog.schema.table", table.fullName());
Assertions.assertEquals(MetadataObject.Type.TABLE, table.type());
SecurableObject anotherTable =
SecurableObjects.of(
MetadataObject.Type.TABLE,
Lists.newArrayList("catalog", "schema", "table"),
- Lists.newArrayList(Privileges.ReadTable.allow()));
+ Lists.newArrayList(Privileges.SelectTable.allow()));
Assertions.assertEquals(table, anotherTable);
SecurableObject fileset =
@@ -74,7 +75,8 @@ public class TestSecurableObjects {
Assertions.assertEquals(fileset, anotherFileset);
SecurableObject topic =
- SecurableObjects.ofTopic(schema, "topic",
Lists.newArrayList(Privileges.ReadTopic.allow()));
+ SecurableObjects.ofTopic(
+ schema, "topic",
Lists.newArrayList(Privileges.ConsumeTopic.allow()));
Assertions.assertEquals("catalog.schema.topic", topic.fullName());
Assertions.assertEquals(MetadataObject.Type.TOPIC, topic.type());
@@ -82,7 +84,7 @@ public class TestSecurableObjects {
SecurableObjects.of(
MetadataObject.Type.TOPIC,
Lists.newArrayList("catalog", "schema", "topic"),
- Lists.newArrayList(Privileges.ReadTopic.allow()));
+ Lists.newArrayList(Privileges.ConsumeTopic.allow()));
Assertions.assertEquals(topic, anotherTopic);
Exception e =
@@ -111,7 +113,7 @@ public class TestSecurableObjects {
SecurableObjects.of(
MetadataObject.Type.TABLE,
Lists.newArrayList("metalake"),
- Lists.newArrayList(Privileges.ReadTable.allow())));
+ Lists.newArrayList(Privileges.SelectTable.allow())));
Assertions.assertTrue(e.getMessage().contains("the length of names is 1"));
e =
Assertions.assertThrows(
@@ -120,7 +122,7 @@ public class TestSecurableObjects {
SecurableObjects.of(
MetadataObject.Type.TOPIC,
Lists.newArrayList("metalake"),
- Lists.newArrayList(Privileges.ReadTopic.allow())));
+ Lists.newArrayList(Privileges.ConsumeTopic.allow())));
Assertions.assertTrue(e.getMessage().contains("the length of names is 1"));
e =
Assertions.assertThrows(
diff --git
a/core/src/test/java/org/apache/gravitino/proto/TestEntityProtoSerDe.java
b/core/src/test/java/org/apache/gravitino/proto/TestEntityProtoSerDe.java
index d9c749d1c..1db0a1765 100644
--- a/core/src/test/java/org/apache/gravitino/proto/TestEntityProtoSerDe.java
+++ b/core/src/test/java/org/apache/gravitino/proto/TestEntityProtoSerDe.java
@@ -398,7 +398,7 @@ public class TestEntityProtoSerDe {
SecurableObject securableObject =
SecurableObjects.ofCatalog(
catalogName,
- Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.DropCatalog.deny()));
+ Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.CreateSchema.deny()));
SecurableObject anotherSecurableObject =
SecurableObjects.ofCatalog(
anotherCatalogName,
Lists.newArrayList(Privileges.UseCatalog.allow()));
diff --git
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestRoleMetaService.java
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestRoleMetaService.java
index ceb32a699..65489a2c4 100644
---
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestRoleMetaService.java
+++
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestRoleMetaService.java
@@ -132,7 +132,7 @@ class TestRoleMetaService extends TestJDBCBackend {
SecurableObject catalogObject =
SecurableObjects.ofCatalog(
"catalog",
- Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.DropCatalog.deny()));
+ Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.CreateSchema.deny()));
// insert role
RoleEntity role1 =
diff --git
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
index 629910682..49a5e9cc5 100644
---
a/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
+++
b/core/src/test/java/org/apache/gravitino/storage/relational/service/TestSecurableObjects.java
@@ -90,20 +90,20 @@ public class TestSecurableObjects extends TestJDBCBackend {
SecurableObject catalogObject =
SecurableObjects.ofCatalog(
"catalog",
- Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.DropCatalog.deny()));
+ Lists.newArrayList(Privileges.UseCatalog.allow(),
Privileges.CreateSchema.deny()));
SecurableObject schemaObject =
SecurableObjects.ofSchema(
catalogObject, "schema",
Lists.newArrayList(Privileges.UseSchema.allow()));
SecurableObject tableObject =
SecurableObjects.ofTable(
- schemaObject, "table",
Lists.newArrayList(Privileges.ReadTable.allow()));
+ schemaObject, "table",
Lists.newArrayList(Privileges.SelectTable.allow()));
SecurableObject filesetObject =
SecurableObjects.ofFileset(
schemaObject, "fileset",
Lists.newArrayList(Privileges.ReadFileset.allow()));
SecurableObject topicObject =
SecurableObjects.ofTopic(
- schemaObject, "topic",
Lists.newArrayList(Privileges.ReadTopic.deny()));
+ schemaObject, "topic",
Lists.newArrayList(Privileges.ConsumeTopic.deny()));
RoleEntity role1 =
createRoleEntity(
diff --git
a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
index c99154eb8..ad0c5e20b 100644
---
a/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
+++
b/server/src/test/java/org/apache/gravitino/server/web/rest/TestRoleOperations.java
@@ -139,7 +139,7 @@ public class TestRoleOperations extends JerseyTest {
SecurableObjects.ofCatalog("catalog",
Lists.newArrayList(Privileges.UseCatalog.allow()));
SecurableObject anotherSecurableObject =
SecurableObjects.ofCatalog(
- "another_catalog",
Lists.newArrayList(Privileges.DropCatalog.deny()));
+ "another_catalog",
Lists.newArrayList(Privileges.CreateSchema.deny()));
RoleCreateRequest req =
new RoleCreateRequest(
@@ -169,12 +169,12 @@ public class TestRoleOperations extends JerseyTest {
Assertions.assertEquals("role1", roleDTO.name());
Assertions.assertEquals(
SecurableObjects.ofCatalog(
- "another_catalog",
Lists.newArrayList(Privileges.DropCatalog.deny()))
+ "another_catalog",
Lists.newArrayList(Privileges.CreateSchema.deny()))
.fullName(),
roleDTO.securableObjects().get(1).fullName());
Assertions.assertEquals(1,
roleDTO.securableObjects().get(1).privileges().size());
Assertions.assertEquals(
- Privileges.DropCatalog.deny().name(),
+ Privileges.CreateSchema.deny().name(),
roleDTO.securableObjects().get(1).privileges().get(0).name());
Assertions.assertEquals(
Privileges.UseCatalog.deny().condition(),
@@ -337,7 +337,7 @@ public class TestRoleOperations extends JerseyTest {
SecurableObjects.ofCatalog("catalog",
Lists.newArrayList(Privileges.UseCatalog.allow()));
SecurableObject anotherSecurableObject =
SecurableObjects.ofCatalog(
- "another_catalog",
Lists.newArrayList(Privileges.DropCatalog.deny()));
+ "another_catalog",
Lists.newArrayList(Privileges.CreateSchema.deny()));
return RoleEntity.builder()
.withId(1L)
@@ -419,7 +419,8 @@ public class TestRoleOperations extends JerseyTest {
// check the table
SecurableObject table =
- SecurableObjects.ofTable(schema, "table",
Lists.newArrayList(Privileges.ReadTable.allow()));
+ SecurableObjects.ofTable(
+ schema, "table",
Lists.newArrayList(Privileges.SelectTable.allow()));
when(tableDispatcher.tableExists(any())).thenReturn(true);
Assertions.assertDoesNotThrow(
() -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(table)));
@@ -430,7 +431,8 @@ public class TestRoleOperations extends JerseyTest {
// check the topic
SecurableObject topic =
- SecurableObjects.ofTopic(schema, "topic",
Lists.newArrayList(Privileges.ReadTopic.allow()));
+ SecurableObjects.ofTopic(
+ schema, "topic",
Lists.newArrayList(Privileges.ConsumeTopic.allow()));
when(topicDispatcher.topicExists(any())).thenReturn(true);
Assertions.assertDoesNotThrow(
() -> RoleOperations.checkSecurableObject("metalake",
DTOConverters.toDTO(topic)));