Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]

via GitHub Thu, 31 Oct 2024 01:48:09 -0700


jerqi commented on code in PR #5321:
URL: https://github.com/apache/gravitino/pull/5321#discussion_r1824089677



##########
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##########
@@ -337,10 +350,80 @@ void testReadWriteTable() throws InterruptedException {
     // case 6: Fail to drop the table
     Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_DROP_TABLE));
 
+    // case 7: If we don't have the role, we can't insert and select from data.
+    metalake.deleteRole(readWriteRole);
+    waitForUpdatingPolicies();
+    Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_INSERT_TABLE));
+    Assertions.assertThrows(
+        AccessControlException.class, () -> 
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());

Review Comment:
   OK.



##########
authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java:
##########
@@ -337,10 +350,80 @@ void testReadWriteTable() throws InterruptedException {
     // case 6: Fail to drop the table
     Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_DROP_TABLE));
 
+    // case 7: If we don't have the role, we can't insert and select from data.
+    metalake.deleteRole(readWriteRole);
+    waitForUpdatingPolicies();
+    Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_INSERT_TABLE));
+    Assertions.assertThrows(
+        AccessControlException.class, () -> 
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
+
+    // Clean up
+    catalog.asTableCatalog().dropTable(NameIdentifier.of(schemaName, 
tableName));
+    catalog.asSchemas().dropSchema(schemaName, true);
+  }
+
+  @Test
+  void testReadWriteTableWithTableLevelRole() throws InterruptedException {
+    // First, create a role for creating a database and grant role to the user
+    String roleName = currentFunName();
+    SecurableObject securableObject =
+        SecurableObjects.ofMetalake(
+            metalakeName,
+            Lists.newArrayList(
+                Privileges.UseSchema.allow(),
+                Privileges.CreateSchema.allow(),
+                Privileges.CreateTable.allow()));
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    metalake.createRole(roleName, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+    waitForUpdatingPolicies();
+    // Second, create a schema
+    sparkSession.sql(SQL_CREATE_SCHEMA);
+
+    // Third, create a table
+    sparkSession.sql(SQL_USE_SCHEMA);
+    sparkSession.sql(SQL_CREATE_TABLE);
+
+    // Fourth, revoke and grant a table level role
+    metalake.deleteRole(roleName);
+    securableObject =
+        SecurableObjects.parse(
+            String.format("%s.%s.%s", catalogName, schemaName, tableName),
+            MetadataObject.Type.TABLE,
+            Lists.newArrayList(Privileges.ModifyTable.allow(), 
Privileges.SelectTable.allow()));
+    metalake.createRole(roleName, Collections.emptyMap(), 
Lists.newArrayList(securableObject));
+    metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+    waitForUpdatingPolicies();
+
+    // case 1: Succeed to insert data into table
+    sparkSession.sql(SQL_INSERT_TABLE);
+
+    // case 2: Succeed to select data from the table
+    sparkSession.sql(SQL_SELECT_TABLE).collectAsList();
+
+    // case 3: Fail to update data in the table, Because Hive doesn't support.
+    Assertions.assertThrows(
+        SparkUnsupportedOperationException.class, () -> 
sparkSession.sql(SQL_UPDATE_TABLE));
+
+    // case 4: Fail to delete data from the table, Because Hive doesn't 
support.
+    Assertions.assertThrows(AnalysisException.class, () -> 
sparkSession.sql(SQL_DELETE_TABLE));
+
+    // case 5: Succeed to alter the table
+    sparkSession.sql(SQL_ALTER_TABLE);
+
+    // case 6: Fail to drop the table
+    Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_DROP_TABLE));
+
+    // case 7: If we don't have the role, we can't insert and select from data.
+    metalake.deleteRole(roleName);
+    waitForUpdatingPolicies();
+    Assertions.assertThrows(AccessControlException.class, () -> 
sparkSession.sql(SQL_INSERT_TABLE));
+    Assertions.assertThrows(
+        AccessControlException.class, () -> 
sparkSession.sql(SQL_SELECT_TABLE).collectAsList());
+

Review Comment:
   OK.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [#5146] fix(core): Support to rename and delete metadata object in the authorization plugin [gravitino]

Reply via email to