danhuawang opened a new issue, #7795:
URL: https://github.com/apache/gravitino/issues/7795
### Version
main branch
### Describe what's wrong
If a role is defined as follows: select_table allow on the metalake but
select_table deny on a table under the metalake.
The user can select the table now.
```
{
  "code": 0,
  "role": {
    "name": "tableRole1",
    "audit": {
      "creator": "anonymous",
      "createTime": "2025-07-24T06:24:18.114148053Z",
      "lastModifier": "anonymous",
      "lastModifiedTime": "2025-07-24T07:41:45.938672083Z"
    },
    "properties": {
      "k1": "v1"
    },
    "securableObjects": [
      {
        "type": "table",
        "privileges": [
          {
            "name": "select_table",
            "condition": "deny"
          }
        ],
        "fullName": "auth_pg_catalog1.auth_pg_schema1.auth_pg_table1"
      },
      {
        "type": "metalake",
        "privileges": [
          {
            "name": "use_catalog",
            "condition": "allow"
          },
          {
            "name": "select_table",
            "condition": "allow"
          },
          {
            "name": "use_schema",
            "condition": "allow"
          }
        ],
        "fullName": "authorization_test"
      }
    ]
  }
}
```
### Error message and/or stacktrace
N/A
### How to reproduce
1. Create a role: select_table allow on the metalake but select_table deny on a
table under the metalake.
2. Assign the role to a user.
3. The user gets the table
`auth_pg_catalog1.auth_pg_schema1.auth_pg_table1` in metalake
authorization_test.
### Additional context
_No response_
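The precedence question in this report, as an added example that is not part of the issue and is not Gravitino code: it evaluates the role's `securableObjects` over the metalake, catalog, schema and table chain, once so that an inherited allow is enough (the outcome reported) and once with deny overriding. It assumes that a deny anywhere in the chain is meant to win; `allow_any`, `deny_overrides` and the helper names are hypothetical.

```python
# Added example; not Gravitino code. Assumes deny-overrides is the intended rule.
# Role from the issue, reduced to the fields the check needs.
ROLE_OBJECTS = [
    {"type": "table",
     "fullName": "auth_pg_catalog1.auth_pg_schema1.auth_pg_table1",
     "privileges": [{"name": "select_table", "condition": "deny"}]},
    {"type": "metalake",
     "fullName": "authorization_test",
     "privileges": [{"name": "use_catalog", "condition": "allow"},
                    {"name": "select_table", "condition": "allow"},
                    {"name": "use_schema", "condition": "allow"}]},
]
METALAKE = "authorization_test"
TABLE = "auth_pg_catalog1.auth_pg_schema1.auth_pg_table1"


def scope_chain(metalake, full_name):
    """Return (type, fullName) for the metalake and each level down to the table."""
    parts = full_name.split(".")
    chain = {("metalake", metalake)}
    for depth, kind in enumerate(("catalog", "schema", "table")[:len(parts)], 1):
        chain.add((kind, ".".join(parts[:depth])))
    return chain


def conditions_for(objects, metalake, full_name, privilege):
    """Collect every allow/deny for `privilege` on the target or its parents."""
    chain = scope_chain(metalake, full_name)
    return {p["condition"]
            for obj in objects if (obj["type"], obj["fullName"]) in chain
            for p in obj["privileges"] if p["name"] == privilege}


def allow_any(objects, metalake, full_name, privilege):
    """Outcome reported in the issue: an inherited allow is enough."""
    return "allow" in conditions_for(objects, metalake, full_name, privilege)


def deny_overrides(objects, metalake, full_name, privilege):
    """Assumed intent: any deny in the chain wins; no grant means no access."""
    found = conditions_for(objects, metalake, full_name, privilege)
    return "deny" not in found and "allow" in found


if __name__ == "__main__":
    for check in (allow_any, deny_overrides):
        print(check.__name__, check(ROLE_OBJECTS, METALAKE, TABLE, "select_table"))
```

A regression test for the fix can assert the same pair of outcomes: the denied table is refused while a sibling table in the same schema is still readable through the metalake-level allow.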