[PR] [server] Add authorization to listOffsets for TABLE/DESCRIBE operations [fluss]

Mon, 11 May 2026 02:52:41 -0700 


vaibhavk1992 opened a new pull request, #3298:
URL: https://github.com/apache/fluss/pull/3298

   ## Summary
   
   Implements authorization checks for the `listOffsets` method to complete 
issue #3247.
   
   This PR adds TABLE/DESCRIBE authorization for the three table metadata read 
operations mentioned in the issue:
   - ✅ `getTableSchema` - Already had authorization 
   - ✅ `listPartitionInfos` - Already had authorization
   - ✅ `listOffsets` - **Added in this PR**
   
   ## Changes
   
   ### Server Implementation (`TabletService.java`)
   - Added `authorizeTable(DESCRIBE, request.getTableId())` check in the 
`listOffsets` method
   - Added static import for `OperationType.DESCRIBE` to follow existing code 
patterns
   - Removed the TODO comment that indicated this authorization was needed
   
   ### Test Coverage (`FlussAuthorizationITCase.java`)
   - Added import for `OffsetSpec` class
   - Extended `testDescribeTableOperation` test to include `listOffsets` 
authorization testing
     - **Test 1**: Verifies `listOffsets` throws `AuthorizationException` when 
user lacks DESCRIBE permission
     - **Test 2**: Verifies `listOffsets` succeeds when user has DESCRIBE 
permission
   
   ## Test Plan
   
   - ✅ Code compiles successfully for both `fluss-server` and `fluss-client` 
modules
   - ✅ Implementation follows existing authorization patterns in the codebase
   - ✅ Tests follow the same structure as other DESCRIBE operation tests 
(getTableSchema, listPartitionInfos)
   - ✅ Authorization logic is consistent with other table metadata operations
   
   **Note**: Integration tests have a pre-existing SASL authentication 
environment issue (`Subject.getSubject()` not supported) that affects all tests 
in `FlussAuthorizationITCase`, not just these changes. This is confirmed by 
testing the main branch without modifications. The CI pipeline should have the 
correct Java environment configuration.
   
   ## Related Issue
   
   Closes #3247


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to