Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#5180][part-2] improvement(tests): Add e2e tests about denied privileges #5373

Closed
wants to merge 1 commit into from
Closed

[#5180][part-2] improvement(tests): Add e2e tests about denied privileges #5373

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions ...test/java/org/apache/gravitino/authorization/ranger/integration/test/RangerHiveE2EIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -528,6 +528,67 @@ void testDeleteAndRecreateRole() throws InterruptedException {
metalake.deleteRole(roleName);
}

@Test
void testDenyPrivileges() throws InterruptedException {
// Create a schema
catalog.asSchemas().createSchema(schemaName, "test", Collections.emptyMap());

// Create a role with CREATE_SCHEMA privilege
String roleName = currentFunName();
SecurableObject allowObject =
SecurableObjects.parse(
String.format("%s", catalogName),
MetadataObject.Type.CATALOG,
Lists.newArrayList(Privileges.UseSchema.allow(), Privileges.CreateTable.allow()));
SecurableObject denyObject =
SecurableObjects.parse(
String.format("%s.%s", catalogName, schemaName),
MetadataObject.Type.SCHEMA,
Lists.newArrayList(Privileges.CreateTable.deny()));
// Create a role, catalog allows to create a table, schema denies to create a table
metalake.createRole(
roleName, Collections.emptyMap(), Lists.newArrayList(allowObject, denyObject));

// Granted this role to the spark execution user `HADOOP_USER_NAME`
String userName1 = System.getenv(HADOOP_USER_NAME);
metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);
waitForUpdatingPolicies();

// Fail to create a table
sparkSession.sql(SQL_USE_SCHEMA);
Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_CREATE_TABLE));

// Delete the role
metalake.deleteRole(roleName);

// Create another role, but catalog denies to create a table, schema allows to create a table
allowObject =
SecurableObjects.parse(
String.format("%s", catalogName),
MetadataObject.Type.CATALOG,
Lists.newArrayList(Privileges.CreateTable.deny()));
denyObject =
SecurableObjects.parse(
String.format("%s.%s", catalogName, schemaName),
MetadataObject.Type.SCHEMA,
Lists.newArrayList(Privileges.CreateTable.allow()));
metalake.createRole(
roleName, Collections.emptyMap(), Lists.newArrayList(allowObject, denyObject));

// Granted this role to the spark execution user `HADOOP_USER_NAME`
userName1 = System.getenv(HADOOP_USER_NAME);
metalake.grantRolesToUser(Lists.newArrayList(roleName), userName1);

waitForUpdatingPolicies();

// Fail to create a table
Assertions.assertThrows(AccessControlException.class, () -> sparkSession.sql(SQL_CREATE_TABLE));

// Clean up
catalog.asSchemas().dropSchema(schemaName, true);
metalake.deleteRole(roleName);
}

@Test
void testAllowUseSchemaPrivilege() throws InterruptedException {
// Create a role with CREATE_SCHEMA privilege
Expand Down
Loading