This is an automated email from the ASF dual-hosted git repository.

adutra pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git


The following commit(s) were added to refs/heads/main by this push:
     new 60d5cc6d9 PolarisAuthzTestBase: fix insufficient privilege set tests 
(#3691)
60d5cc6d9 is described below

commit 60d5cc6d93e1d4f4ad51b5063272c97b60555038
Author: Alexandre Dutra <[email protected]>
AuthorDate: Mon Feb 16 11:29:28 2026 +0100

    PolarisAuthzTestBase: fix insufficient privilege set tests (#3691)
    
    The method `doTestInsufficientPrivilegeSets()` was incorrectly testing that 
each privilege in the set was *individually* insufficient.
    
    But this is not the intent of a privilege set negative test: the test is 
expected to fail even if *all* privileges in the set are granted.
    
    See for instance 
`PolicyCatalogHandlerAuthzTest.testDetachPolicyFromNamespaceInsufficientPrivilege()`:
 the intent is to verify that it is insufficient to have *both* `POLICY_DETACH` 
and `CATALOG_DETACH_POLICY`.
---
 .../polaris/service/admin/PolarisAuthzTestBase.java      | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git 
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
 
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
index ffbd34423..21848d3b7 100644
--- 
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
+++ 
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
@@ -680,9 +680,11 @@ public abstract class PolarisAuthzTestBase {
       Function<PolarisPrivilege, PrivilegeResult> grantAction,
       Function<PolarisPrivilege, PrivilegeResult> revokeAction) {
     for (Set<PolarisPrivilege> privilegeSet : insufficientPrivilegeSets) {
-      for (PolarisPrivilege privilege : privilegeSet) {
-        // Grant the single privilege at a catalog level to cascade to all 
objects.
-        assertSuccess(grantAction.apply(privilege));
+      try {
+        // Grant the whole privilege set at a catalog level to cascade to all 
objects.
+        for (PolarisPrivilege privilege : privilegeSet) {
+          assertSuccess(grantAction.apply(privilege));
+        }
 
         // Should be insufficient
         try {
@@ -692,12 +694,16 @@ public abstract class PolarisAuthzTestBase {
               .hasMessageContaining("is not authorized");
         } catch (Throwable t) {
           Assertions.fail(
-              String.format("Expected failure with insufficientPrivilege 
'%s'", privilege), t);
+              String.format("Expected failure with insufficient privilege set 
'%s'", privilegeSet),
+              t);
         }
 
+      } finally {
         // Revoking only matters in case there are some multi-privilege 
actions being tested with
         // only granting individual privileges in isolation.
-        assertSuccess(revokeAction.apply(privilege));
+        for (PolarisPrivilege privilege : privilegeSet) {
+          assertSuccess(revokeAction.apply(privilege));
+        }
       }
     }
   }
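Review bot: The revoke loop in the new `finally` block calls `assertSuccess(revokeAction.apply(privilege))`, so a failed revoke throws out of `finally` and replaces any failure raised in the try body, including the "Expected failure with insufficient privilege set" error. That error is the one signalling that an operation was authorized when it should not have been, so it is the one worth preserving. The same throw also ends the loop early and leaves the rest of the set granted. A further case: if a grant in the first hunk's loop fails partway, the `finally` still tries to revoke privileges that were never granted, and whether that revoke succeeds is not visible here. Consider applying every revoke first and asserting on the results afterwards, attaching any cleanup failure to the primary one with `addSuppressed`. The comment above the loop is also stale now that the whole set is granted; something like `// Always revoke the whole set so grants do not leak into the next privilege set.` would match the new behaviour. The method's signature starts outside the hunk.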
