Re: [PR] Implement PolicyCatalogHandler Stage 3: GetApplicablePolicies [polaris]

via GitHub Tue, 22 Apr 2025 16:19:23 -0700


HonahX commented on code in PR #1421:
URL: https://github.com/apache/polaris/pull/1421#discussion_r2055010776



##########
quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java:
##########
@@ -722,4 +722,68 @@ public void testDetachFromPolicyInsufficientPrivileges() {
 
     newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, 
detachPolicyRequest);
   }
+
+  @Test
+  public void testGetApplicablePoliciesOnCatalogSufficientPrivileges() {
+    doTestSufficientPrivileges(
+        List.of(
+            PolarisPrivilege.CATALOG_READ_PROPERTIES,
+            PolarisPrivilege.CATALOG_WRITE_PROPERTIES,
+            PolarisPrivilege.CATALOG_MANAGE_METADATA),
+        () -> newWrapper().getApplicablePolicies(null, null, null),
+        null /* cleanupAction */);
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnCatalogInsufficientPrivileges() {
+    doTestInsufficientPrivileges(
+        List.of(
+            PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+            PolarisPrivilege.POLICY_READ,
+            PolarisPrivilege.TABLE_READ_PROPERTIES),
+        () -> newWrapper().getApplicablePolicies(null, null, null));
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnNamespaceSufficientPrivileges() {
+    doTestSufficientPrivileges(
+        List.of(
+            PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+            PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES,
+            PolarisPrivilege.CATALOG_MANAGE_METADATA),
+        () -> newWrapper().getApplicablePolicies(NS1, null, null),
+        null /* cleanupAction */);
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnNamespaceInSufficientPrivileges() {
+    doTestInsufficientPrivileges(
+        List.of(
+            PolarisPrivilege.CATALOG_READ_PROPERTIES,

Review Comment:
   No, `CATALOG_READ_PROPERTIES` is not a super privilege of 
`NAMESPACE_READ_PROPERTIES`. 
https://github.com/apache/polaris/blob/5f2a37570c7ed3cf79842422a7f4f1f9ed56c6bc/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java#L209-L216
   
   Just to confirm: This should be the expected that user have right to 
getApplicablePolicies on catalog does not necessarily have the right to 
getApplicablePolicies on namespace?



##########
quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java:
##########
@@ -722,4 +722,68 @@ public void testDetachFromPolicyInsufficientPrivileges() {
 
     newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, 
detachPolicyRequest);
   }
+
+  @Test
+  public void testGetApplicablePoliciesOnCatalogSufficientPrivileges() {
+    doTestSufficientPrivileges(
+        List.of(
+            PolarisPrivilege.CATALOG_READ_PROPERTIES,
+            PolarisPrivilege.CATALOG_WRITE_PROPERTIES,
+            PolarisPrivilege.CATALOG_MANAGE_METADATA),
+        () -> newWrapper().getApplicablePolicies(null, null, null),
+        null /* cleanupAction */);
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnCatalogInsufficientPrivileges() {
+    doTestInsufficientPrivileges(
+        List.of(
+            PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+            PolarisPrivilege.POLICY_READ,
+            PolarisPrivilege.TABLE_READ_PROPERTIES),
+        () -> newWrapper().getApplicablePolicies(null, null, null));
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnNamespaceSufficientPrivileges() {
+    doTestSufficientPrivileges(
+        List.of(
+            PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+            PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES,
+            PolarisPrivilege.CATALOG_MANAGE_METADATA),
+        () -> newWrapper().getApplicablePolicies(NS1, null, null),
+        null /* cleanupAction */);
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnNamespaceInSufficientPrivileges() {
+    doTestInsufficientPrivileges(
+        List.of(
+            PolarisPrivilege.CATALOG_READ_PROPERTIES,
+            PolarisPrivilege.POLICY_READ,
+            PolarisPrivilege.TABLE_READ_PROPERTIES),
+        () -> newWrapper().getApplicablePolicies(NS1, null, null));
+  }
+
+  @Test
+  public void testGetApplicablePoliciesOnTableSufficientPrivileges() {
+    doTestSufficientPrivileges(
+        List.of(
+            PolarisPrivilege.TABLE_READ_PROPERTIES,

Review Comment:
   No, only `CATALOG_MANAGE_METADATA` which is a super privilege implies 
`TABLE_READ_PROPERTIES`
   
https://github.com/apache/polaris/blob/5f2a37570c7ed3cf79842422a7f4f1f9ed56c6bc/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java#L217-L226



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Implement PolicyCatalogHandler Stage 3: GetApplicablePolicies [polaris]

Reply via email to