bharos commented on code in PR #10918:
URL: https://github.com/apache/gravitino/pull/10918#discussion_r3315734919
##########
iceberg/iceberg-rest-server/src/test/java/org/apache/gravitino/iceberg/integration/test/IcebergTableAuthorizationIT.java:
##########
@@ -158,6 +158,15 @@ void testLoadTable() {
ForbiddenException.class, () -> sql("DESC TABLE %s_not_exist",
tableName));
}
+ @Test
+ void testSelectTableAsTableOwnerWithUseCatalogAndUseSchema() {
+ String tableName = "test_select_table_owner_with_use";
Review Comment:
The integration test testSelectTableAsTableOwnerWithUseCatalogAndUseSchema
tests the happy path (table owner CAN select). But the actual bug was about the
view probe returning 403 instead of 404. There's no test that verifies:
Table owner calls loadView(tableName) → gets 404 (not 403)
View owner calls loadTable(viewName) → gets 404 (not 403)
The unit tests for LoadViewAuthzHandler only test metadata-table-like names,
not the two-tier auth flow. The authorizeLoadEntity method — the core of the
fix — has no direct unit test.
Should we address this ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]