sunyuhan1998 opened a new pull request, #10783:
URL: https://github.com/apache/gravitino/pull/10783
### What changes were proposed in this pull request?
Add complete authorization management support to the Python client SDK,
covering User, Group, Role, and Privilege CRUD operations. The implementation
follows the existing Java SDK patterns and integrates with `GravitinoMetalake`
as the entry point.
**Changes by layer:**
1. **API interfaces** (`gravitino/api/authorization/`):
   - `User`, `Group`, `Role` — base interfaces with builder pattern
   - `Privilege` / `Privileges` — privilege abstraction with `Name` enum (28 privilege types) and `Condition` enum (`ALLOW`/`DENY`)
   - `SecurableObject` — securable object with metadata type, full name, and privilege list
2. **DTO layer** (`gravitino/dto/authorization/`):
   - `UserDTO`, `GroupDTO`, `RoleDTO`, `PrivilegeDTO`, `SecurableObjectDTO` — immutable data transfer objects with builder, serialization, equality, and `can_bind_to` support
3. **Client layer** (`gravitino/client/`):
   - `GravitinoMetalake` — 20 new public methods covering the full authorization lifecycle:
     - User: `add_user`, `get_user`, `remove_user`, `list_users`, `list_user_names`
     - Group: `add_group`, `get_group`, `remove_group`, `list_groups`, `list_group_names`
     - Role: `create_role`, `get_role`, `delete_role`, `list_role_names`
     - Grant/Revoke: `grant_roles_to_user`, `revoke_roles_from_user`, `grant_roles_to_group`, `revoke_roles_from_group`, `grant_privileges_to_role`, `revoke_privileges_from_role`
4. **Request/Response DTOs** (`gravitino/dto/responses/`):
   - `UserResponse`, `UserListResponse`, `GroupResponse`, `GroupListResponse`, `RoleResponse`, `RoleListResponse`, `RemoveResponse`
   - `AuthorizationAddRequest`, `AuthorizationRemoveRequest`, `RoleCreateRequest`, `GrantRequest`, `RevokeRequest`, `PrivilegeGrantRequest`, `PrivilegeRevokeRequest`
### Why are the changes needed?
The Python SDK lacked authorization management capabilities. Users could not
manage users, groups, roles, or privileges through the Python client, which is
a core feature available in the Java SDK. This PR brings the Python SDK to
feature parity with the Java SDK for authorization operations.
### Does this PR introduce any user-facing change?
Yes. This PR adds 20 new public methods to `GravitinoMetalake` and several
new public API/DTO classes. No existing methods or behaviors are changed.
### How was this patch tested?
- **Unit tests** (31 test cases in `tests/unittests/`):
  - DTO serialization/deserialization roundtrip tests
  - Builder validation tests
  - Equality and hash code tests
  - Mock-based API integration tests covering all CRUD, grant, and revoke operations
  - Bidirectional equality test between `PrivilegeDTO` and `_GenericPrivilege`
- **Integration tests** (14 test cases in `tests/integration/test_authorization.py`):
  - Full lifecycle tests against a real Gravitino server
  - User/Group/Role CRUD + Grant/Revoke
  - Privilege grant/revoke on roles with securable objects
  - Error handling for duplicate creation and missing entities
- All code formatted with `ruff`
Fix: #10782