From 448eadbd15da9a0827728215a668c35186f53f1f Mon Sep 17 00:00:00 2001
From: Rory <roryqi@apache.org>
Date: Wed, 30 Oct 2024 15:02:44 +0800
Subject: [PATCH] Add e2e tests

---
 .../integration/test/RangerHiveE2EIT.java     | 61 +++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
index 91d58bd187..c5858cd64f 100644
--- a/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
+++ b/authorizations/authorization-ranger/src/test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
@@ -528,6 +528,67 @@ void testDeleteAndRecreateRole() throws InterruptedException {
     metalake.deleteRole(roleName);
   }
 
+  @Test
+  void testDenyPrivileges() throws InterruptedException {
+    // Create a schema
+    catalog.asSchemas().createSchema(schemaName, "test", Collections.emptyMap());
+
+    // Create a role with CREATE_SCHEMA privilege
+    String roleName = currentFunName();
+    SecurableObject allowObject =
+        SecurableObjects.parse(
+            String.format("%s", catalogName),
+            MetadataObject.Type.CATALOG,
+            Lists.newArrayList(Privileges.UseSchema.allow(), Privileges.CreateTable.allow()));
+    SecurableObject denyObject =
+        SecurableObjects.parse(
+            String.format("%s.%s", catalogName, schemaName),
+            MetadataObject.Type.SCHEMA,
+            Lists.newArrayList(Privileges.CreateTable.deny()));
+    // Create a role, catalog allows to create a table, schema denies to create a table
+    metalake.createRole(
+        roleName, Collections.emptyMap(), Lists.newArrayList(allowObject, denyObject));
+
+    // Granted this role to the spark execution user `HADOOP_USER_NAME`
+    String userName1 = System.getenv(HADOOP_USER_NAME);
+    metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+    waitForUpdatingPolicies();
+
+    // Fail to create a table
+    sparkSession.sql(SQL_USE_SCHEMA);
+    Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_CREATE_TABLE));
+
+    // Delete the role
+    metalake.deleteRole(roleName);
+
+    // Create another role, but catalog denies to create a table, schema allows to create a table
+    allowObject =
+        SecurableObjects.parse(
+            String.format("%s", catalogName),
+            MetadataObject.Type.CATALOG,
+            Lists.newArrayList(Privileges.CreateTable.deny()));
+    denyObject =
+        SecurableObjects.parse(
+            String.format("%s.%s", catalogName, schemaName),
+            MetadataObject.Type.SCHEMA,
+            Lists.newArrayList(Privileges.CreateTable.allow()));
+    metalake.createRole(
+        roleName, Collections.emptyMap(), Lists.newArrayList(allowObject, denyObject));
+
+    // Granted this role to the spark execution user `HADOOP_USER_NAME`
+    userName1 = System.getenv(HADOOP_USER_NAME);
+    metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
+
+    waitForUpdatingPolicies();
+
+    // Fail to create a table
+    Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_CREATE_TABLE));
+
+    // Clean up
+    catalog.asSchemas().dropSchema(schemaName, true);
+    metalake.deleteRole(roleName);
+  }
+
   @Test
   void testAllowUseSchemaPrivilege() throws InterruptedException {
     // Create a role with CREATE_SCHEMA privilege