roryqi commented on code in PR #10908:
URL: https://github.com/apache/gravitino/pull/10908#discussion_r3192563278
##########
server-common/src/test/java/org/apache/gravitino/server/authorization/jcasbin/TestJcasbinAuthorizer.java:
##########
@@ -1033,6 +1034,145 @@ public void
testAuthorizeAndDenyShareSameResolveAcrossPrivileges() throws Except
assertTrue(jcasbinAuthorizer.deny(currentPrincipal, METALAKE, catalog,
USE_SCHEMA, ctx));
}
+ @Test
+ public void testAuthorizeReturnsFalseForDirectPrivilegeDenyOnly() throws
Exception {
+ // Reproduces the case roryqi flagged: an OGNL expression like
`METALAKE::RUN_JOB` is rewritten
+ // by AuthorizationExpressionConverter to a *single*
`authorizer.authorize(...)` call — there is
+ // no companion `authorizer.deny(...)` call (which only ANY_xxx aliases
generate). So the
+ // authorize endpoint must independently respect explicit DENY policies; a
role that grants
+ // only DENY RUN_JOB on the metalake must cause authorize() to return
false.
+ makeCompletableFutureUseCurrentThread(jcasbinAuthorizer);
+ Principal currentPrincipal = PrincipalUtils.getCurrentPrincipal();
+ NameIdentifier userIdent = NameIdentifierUtil.ofUser(METALAKE, USERNAME);
+ Long roleId = 3001L;
+ RoleEntity denyRole =
+ getRoleEntity(
+ roleId,
+ "denyRunJobRole" + roleId,
+ ImmutableList.of(
+ makeSecurableObject(
+ "testMetalake", MetadataObject.Type.METALAKE, roleId,
RUN_JOB, "DENY")));
Review Comment:
You should add an another role with an object allow run job, too.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
