jerqi commented on code in PR #5190:
URL: https://github.com/apache/gravitino/pull/5190#discussion_r1818430224


##########
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##########
@@ -204,52 +229,327 @@ public void stop() {
   }
 
   @Test
-  void testAllowUseSchemaPrivilege() throws InterruptedException {
-    // First, create a schema use Gravitino client
-    createSchema();
+  void testCreateSchema() throws InterruptedException {
+    // First, fail to create the schema
+    Assertions.assertThrows(
+        AccessControlException.class, () -> 
sparkSession.sql(SQL_CREATE_SCHEMA));
 
-    // Use Spark to show this databases(schema)
-    Dataset dataset1 = sparkSession.sql(SQL_SHOW_DATABASES);
-    dataset1.show();
-    List<Row> rows1 = dataset1.collectAsList();
-    // The schema should not be shown, because the user does not have the 
permission
-    Assertions.assertEquals(
-        0, rows1.stream().filter(row -> 
row.getString(0).equals(schemaName)).count());
+    // Second, grant the `CREATE_SCHEMA` role
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    String roleName = "createSchemaRole";
+    SecurableObject securableObject =
+        SecurableObjects.ofMetalake(
+            metalakeName, Lists.newArrayList(Privileges.CreateSchema.allow()));
+    metalake.createRole(roleName, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+    waitForUpdatingPolicies();
+
+    // Third, succeed to create the schema
+    sparkSession.sql(SQL_CREATE_SCHEMA);
+
+    // Clean up
+    catalog.asSchemas().dropSchema(schemaName, true);
+    metalake.deleteRole(roleName);
+  }
+
+  @Test
+  void testCreateTable() throws InterruptedException {
+    // First, create a role for creating a database and grant role to the user
+    String createSchemaRole = "createSchemaRole";
+    SecurableObject securableObject =
+        SecurableObjects.ofMetalake(
+            metalakeName,
+            Lists.newArrayList(Privileges.UseSchema.allow(), 
Privileges.CreateSchema.allow()));
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    metalake.createRole(
+        createSchemaRole, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(createSchemaRole), userName1);
+    waitForUpdatingPolicies();
+    // Second, create a schema
+    sparkSession.sql(SQL_CREATE_SCHEMA);
+
+    // Third, fail to create a table
+    sparkSession.sql(SQL_USE_SCHEMA);
+    Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_CREATE_TABLE));
+
+    // Fourth, create a role for creating a table and grant to the user
+    String createTableRole = "createTableRole";
+    securableObject =
+        SecurableObjects.ofMetalake(
+            metalakeName, Lists.newArrayList(Privileges.CreateTable.allow()));
+    metalake.createRole(
+        createTableRole, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(createTableRole), userName1);
+    waitForUpdatingPolicies();
+
+    // Fifth, succeed to create a table
+    sparkSession.sql(SQL_CREATE_TABLE);
+
+    // Clean up
+    catalog.asTableCatalog().dropTable(NameIdentifier.of(schemaName, 
tableName));
+    catalog.asSchemas().dropSchema(schemaName, true);
+    metalake.deleteRole(createTableRole);
+    metalake.deleteRole(createSchemaRole);
+  }
+
+  @Test
+  void testReadWriteTable() throws InterruptedException {
+    // First, create a role for creating a database and grant role to the user
+    String readWriteRole = "readWriteRole";
+    SecurableObject securableObject =
+        SecurableObjects.ofMetalake(
+            metalakeName,
+            Lists.newArrayList(
+                Privileges.UseSchema.allow(),
+                Privileges.CreateSchema.allow(),
+                Privileges.CreateTable.allow(),
+                Privileges.SelectTable.allow(),
+                Privileges.ModifyTable.allow()));
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    metalake.createRole(readWriteRole, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(readWriteRole), userName1);
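Review bot: The role and schema cleanup in testCreateSchema (`catalog.asSchemas().dropSchema(schemaName, true); metalake.deleteRole(roleName);`) and in testCreateTable (the four drop/delete calls under `// Clean up`) only runs when every assertion before it passes, so a single failure leaves a role named `createSchemaRole` and the schema behind, and the next test that calls `metalake.createRole("createSchemaRole", ...)` then fails for an unrelated reason. Wrapping each body from the first grant onward in `try { ... } finally { ... }` with the drop/delete calls in the `finally`, or moving them to an `@AfterEach` that deletes best-effort, keeps the tests independent of each other's outcome. The same applies to `userName1 = System.getenv(HADOOP_USER_NAME)`: if the variable is unset the null only surfaces inside grantRolesToUser, and `Objects.requireNonNull(System.getenv(HADOOP_USER_NAME), HADOOP_USER_NAME)` would make the precondition explicit. testReadWriteTable continues past the end of the hunk, so its cleanup could not be checked here.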

Review Comment:
   These cases have been tested by the method `testCreateTable`.


