adutra commented on PR #3927: URL: https://github.com/apache/polaris/pull/3927#issuecomment-4016880358
> The comment there is somewhat scary in its implication, but I'm _fairly_ sure it's just an obsolete comment and that we do indeed scope vended credentials to only be readonly when privileges are only readonly. We may need to do some digging (possibly separately from this PR) to make sure our Authz tests correctly reflect the credential read/write scoping. I noticed this comment too, and I didn't want to modify it during my recent refactoring. These two tests are actually identical: `testLoadTableWithReadAccessDelegationPrivileges` and `testLoadTableWithWriteAccessDelegationPrivileges`. I think they could be merged together: in this test we are focusing on RBAC, not on the actual credential being vended. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
