bharos opened a new pull request, #9211:
URL: https://github.com/apache/gravitino/pull/9211
<!--
1. Title: [#<issue>] <type>(<scope>): <subject>
Examples:
- "[#123] feat(operator): support xxx"
- "[#233] fix: check null before access result in xxx"
- "[MINOR] refactor: fix typo in variable name"
- "[MINOR] docs: fix typo in README"
- "[#255] test: fix flaky test NameOfTheTest"
Reference: https://www.conventionalcommits.org/en/v1.0.0/
2. If the PR is unfinished, please mark this PR as draft.
-->
### What changes were proposed in this pull request?
- Added @AuthorizationExpression annotations to all namespace REST endpoints
in IcebergNamespaceOperations
- Added comprehensive tests via IcebergNamespaceAuthorizationIT
- Fixed table ownership - registerTable() now sets proper owner via unified
IcebergOwnershipUtils
### Why are the changes needed?
- Iceberg namespace operations were completely unprotected - any user could
create/modify/delete namespaces without authorization checks, creating a
security gap in production deployments.
Fix: #9210
### Does this PR introduce _any_ user-facing change?
Yes - Users now need proper privileges (USE_CATALOG, CREATE_SCHEMA, schema
ownership) to perform namespace operations if authorization is turned ON.
Unauthorized operations return 403 Forbidden.
### How was this patch tested?
- IcebergNamespaceAuthorizationIT tests all authorization scenarios
- TestIcebergOwnershipUtils validates ownership logic
- Verified proper ForbiddenException responses for unauthorized operations
- Existing authorization tests continue to pass
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
