Re: [PR] [#4903] feat(core,server): Support to grant or revoke privileges for a role [gravitino]

via GitHub Fri, 27 Sep 2024 04:10:21 -0700


jerryshao commented on code in PR #5021:
URL: https://github.com/apache/gravitino/pull/5021#discussion_r1778352188



##########
clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/AccessControlIT.java:
##########
@@ -314,6 +316,57 @@ void testManageGroupPermissions() {
     metalake.deleteRole(roleName);
   }
 
+  @Test
+  void testManageRolePermissions() {
+    String roleName = "role#123";
+    Map<String, String> properties = Maps.newHashMap();
+    properties.put("k1", "v1");
+    metalake.createRole(roleName, properties, Lists.newArrayList());
+    MetadataObject metadataObject =
+        MetadataObjects.of(null, metalakeName, MetadataObject.Type.METALAKE);
+
+    // grant a privilege
+    Role role =
+        metalake.grantPrivilegesToRole(
+            roleName, metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow()));
+    Assertions.assertEquals(1, role.securableObjects().size());
+
+    // repeat to grant a privilege
+    role =
+        metalake.grantPrivilegesToRole(
+            roleName, metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow()));
+    Assertions.assertEquals(1, role.securableObjects().size());
+
+    // grant a not-existing role
+    Assertions.assertThrows(
+        NoSuchRoleException.class,
+        () ->
+            metalake.grantPrivilegesToRole(
+                "not-exist", metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow())));
+
+    // revoke a privilege
+    role =
+        metalake.revokePrivilegesFromRole(
+            roleName, metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow()));
+    Assertions.assertTrue(role.securableObjects().isEmpty());
+
+    // repeat to revoke a privilege
+    role =
+        metalake.revokePrivilegesFromRole(
+            roleName, metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow()));
+    Assertions.assertTrue(role.securableObjects().isEmpty());
+
+    // revoke a not-existing role
+    Assertions.assertThrows(
+        NoSuchRoleException.class,
+        () ->
+            metalake.revokePrivilegesFromRole(
+                "not-exist", metadataObject, 
Lists.newArrayList(Privileges.CreateCatalog.allow())));

Review Comment:
   Should you add the tests about binding wrong privileges to the metadata 
object?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [#4903] feat(core,server): Support to grant or revoke privileges for a role [gravitino]

Reply via email to