Skip to content

[#10782] feat(client-python): add User authorization management#11058

Merged
jerryshao merged 4 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-user
May 14, 2026
Merged

[#10782] feat(client-python): add User authorization management#11058
jerryshao merged 4 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-user

Conversation

@sunyuhan1998

@sunyuhan1998 sunyuhan1998 commented May 12, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

This PR is split from #10783 to make review easier. It focuses on the User part of the authorization model; Group, Role, Privilege, SecurableObject and grant/revoke operations will follow in subsequent PRs.

Changes in this PR:

  1. API layer (gravitino/api/authorization/)

    • User — user interface with name() / roles() accessors
  2. DTO layer (gravitino/dto/authorization/)

    • UserDTO — immutable DTO with builder pattern, serialization
      and audit info
  3. Request / Response DTOs (gravitino/dto/)

    • UserAddRequest
    • UserResponse / UserListResponse / UserNamesListResponse
    • RemoveResponse (shared boolean-remove response used across
      authorization operations)
  4. Client layer (gravitino/client/gravitino_metalake.py)

    • Five new public methods on GravitinoMetalake:
      add_user / get_user / remove_user / list_users /
      list_user_names
  5. Exception handling (gravitino/exceptions/)

    • NoSuchUserException, UserAlreadyExistsException
    • UserErrorHandler mapping REST error codes to the above

Why are the changes needed?

The Python SDK currently has no authorization management capabilities, while the Java SDK and REST API have full support. This PR starts bringing the Python SDK to feature parity with the Java SDK, beginning with User management as the most foundational entity.

Fix: #11098

Does this PR introduce any user-facing change?

Yes. New public API:

  • GravitinoMetalake.add_user(name) / get_user(name) /
    remove_user(name) / list_users() / list_user_names()
  • New exceptions: NoSuchUserException, UserAlreadyExistsException

No existing APIs or behaviors are changed.

How was this patch tested?

28 new unit tests (all passing, ruff + pylint):

  • DTO tests
    (tests/unittests/dto/test_user_dto.py, tests/unittests/dto/responses/test_user_response.py) — cover builder, serialization / deserialization roundtrip, equality
  • Client-level mock tests
    (tests/unittests/client/test_metalake_user_operations.py) — cover URL, HTTP method, request body, response parsing, and error propagation for all five GravitinoMetalake methods
  • Error-handler tests
    (added to tests/unittests/test_error_handler.py) — verify the full error code mapping table for UserErrorHandler

Integration tests will be added in the final PR of the split together with grant/revoke operations, where end-to-end multi-entity behavior needs to be validated against a real server.

cc @jerryshao — could you help review this when you have time? Thanks!

Add User management capabilities to the Python client, supporting the
same set of User operations already exposed by the Java client and REST
API layer.

This is part of a larger split of apache#10783, which introduced the full
authorization model in a single PR. To make review easier, the change
is being broken down by entity; subsequent PRs will add Group, Role,
Privilege, SecurableObject and grant/revoke operations.

Changes
- Add User interface and UserDTO (Builder-based, immutable)
- Add UserAddRequest / UserResponse / UserListResponse /
  UserNamesListResponse DTOs, plus a shared RemoveResponse
- Add add_user / get_user / remove_user / list_users /
  list_user_names methods to GravitinoMetalake
- Add UserErrorHandler to map User-related REST errors to
  NoSuchUserException, UserAlreadyExistsException, etc.
- Add 28 unit tests covering DTO serialization, response parsing,
  GravitinoMetalake HTTP interactions (URL, method, body, error
  propagation) and the error-handler mapping table
@sunyuhan1998
sunyuhan1998 force-pushed the feature/python-sdk-auth-user branch from c7e515e to 687f945 Compare May 12, 2026 13:12
@github-actions

github-actions Bot commented May 13, 2026

Copy link
Copy Markdown

Code Coverage Report

Overall Project 66.04% 🟢
Files changed 66.0% 🟢

Module Coverage
aliyun 1.72% 🔴
api 47.13% 🟢
authorization-common 85.96% 🟢
aws 1.08% 🔴
azure 2.47% 🔴
catalog-common 10.2% 🔴
catalog-fileset 80.02% 🟢
catalog-glue 83.41% 🟢
catalog-hive 81.83% 🟢
catalog-jdbc-clickhouse 79.18% 🟢
catalog-jdbc-common 43.93% 🟢
catalog-jdbc-doris 80.28% 🟢
catalog-jdbc-hologres 54.03% 🟢
catalog-jdbc-mysql 79.23% 🟢
catalog-jdbc-oceanbase 78.38% 🟢
catalog-jdbc-postgresql 82.05% 🟢
catalog-jdbc-starrocks 78.27% 🟢
catalog-kafka 77.01% 🟢
catalog-lakehouse-generic 45.14% 🟢
catalog-lakehouse-hudi 79.1% 🟢
catalog-lakehouse-iceberg 86.98% 🟢
catalog-lakehouse-paimon 76.85% 🟢
catalog-model 77.72% 🟢
cli 44.51% 🟢
client-java 77.96% 🟢
common 50.0% 🟢
core 82.18% -0.34% 🟢
filesystem-hadoop3 76.97% 🟢
flink 0.0% 🔴
flink-common 43.17% 🟢
flink-runtime 0.0% 🔴
gcp 14.12% 🔴
hadoop-common 10.39% 🔴
hive-metastore-common 46.83% 🟢
iceberg-common 55.46% 🟢
iceberg-rest-server 69.7% 🟢
idp-basic 94.68% 🟢
integration-test-common 0.0% 🔴
jobs 66.17% 🟢
lance-common 19.95% 🔴
lance-rest-server 62.78% 🟢
lineage 53.02% 🟢
optimizer 82.87% 🟢
optimizer-api 21.95% 🔴
server 85.93% -3.08% 🟢
server-common 71.21% +2.87% 🟢
spark 32.79% 🔴
spark-common 39.09% 🔴
trino-connector 35.14% 🔴
Files
Module File Coverage
core EntityChangeLogBaseSQLProvider.java 100.0% 🟢
OwnerMetaBaseSQLProvider.java 100.0% 🟢
OwnerMetaSQLProviderFactory.java 96.55% 🟢
EntityChangeLogSQLProviderFactory.java 92.86% 🟢
ChangedOwnerInfo.java 83.33% 🟢
AuthorizationUtils.java 60.15% 🟢
AuthorizationRequestContext.java 32.65% 🔴
GravitinoAuthorizer.java 0.0% 🔴
EntityChangeLogMapper.java 0.0% 🔴
OwnerMetaMapper.java 0.0% 🔴
server CommonAuthorizerExecutor.java 100.0% 🟢
GravitinoInterceptionService.java 57.89% 🔴
AssociatePolicyAuthorizationExecutor.java 0.0% 🔴
AssociateTagAuthorizationExecutor.java 0.0% 🔴
AuthorizationExecutor.java 0.0% 🔴
RunJobAuthorizationExecutor.java 0.0% 🔴
server-common AuthorizationExpressionConverter.java 98.1% 🟢
JcasbinAuthorizer.java 76.66% 🟢
PassThroughAuthorizer.java 65.0% 🟢
AuthorizationExpressionConstants.java 0.0% 🔴

@jerryshao
jerryshao requested a review from Copilot May 13, 2026 11:25

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds Python client support for authorization User management, including DTOs, REST request/response types, client methods, and error handling to begin parity with the Java SDK / REST API.

Changes:

  • Introduces User API interface and UserDTO (+ request/response DTOs) for serialization/deserialization.
  • Adds GravitinoMetalake user-management methods: add/get/remove/list users and list user names.
  • Adds user-specific REST error handler and expands unit tests for DTOs, client calls, and error mapping.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
clients/client-python/gravitino/api/authorization/init.py Exposes User in authorization API exports.
clients/client-python/gravitino/api/authorization/user.py Defines User interface with name() and roles().
clients/client-python/gravitino/client/gravitino_metalake.py Adds public metalake user-management methods and REST paths.
clients/client-python/gravitino/dto/authorization/user_dto.py Adds UserDTO with builder, JSON mapping, and equality/hash.
clients/client-python/gravitino/dto/requests/user_add_request.py Adds request DTO for creating a user.
clients/client-python/gravitino/dto/responses/remove_response.py Adds shared boolean “removed” response type.
clients/client-python/gravitino/dto/responses/user_response.py Adds user response types (single, list, names list).
clients/client-python/gravitino/exceptions/base.py Adds NoSuchUserException and UserAlreadyExistsException.
clients/client-python/gravitino/exceptions/handlers/user_error_handler.py Adds error-code-to-exception mapping for user operations.
clients/client-python/tests/unittests/client/test_metalake_user_operations.py Adds mock-based unit tests for new metalake methods.
clients/client-python/tests/unittests/dto/responses/test_user_response.py Adds unit tests for new user response DTOs.
clients/client-python/tests/unittests/dto/test_user_dto.py Adds unit tests for UserDTO builder/serde/equality/hash.
clients/client-python/tests/unittests/test_error_handler.py Extends error-handler tests to cover UserErrorHandler.

Comment thread clients/client-python/gravitino/dto/authorization/user_dto.py
Comment thread clients/client-python/gravitino/dto/authorization/user_dto.py Outdated
Comment thread clients/client-python/gravitino/dto/responses/user_response.py Outdated
Comment thread clients/client-python/gravitino/client/gravitino_metalake.py
Comment thread clients/client-python/gravitino/client/gravitino_metalake.py
…edback

- Add User delegate methods to GravitinoClient (add_user, get_user,
  remove_user, list_users, list_user_names) — matching the Java SDK
  pattern and addressing jerryshao's review comment
- Make UserDTO._roles immutable (tuple internally, list externally)
  to preserve hash/equality semantics (Copilot feedback)
- Add Optional[UserDTO] type hint to UserResponse._user field
  (Copilot feedback)
- Expand docstrings on GravitinoMetalake User methods with
  Args/Returns/Raises, keeping `user` parameter name to match Java SDK
- Add 7 new tests: UserDTO immutability, GravitinoClient delegation
jerryshao
jerryshao previously approved these changes May 14, 2026
@jerryshao

Copy link
Copy Markdown
Contributor

Can you fix some style issues here?

Fix CI pylint failure in TestGravitinoClientUserDelegates:
- Use patch.object(GravitinoClient, "get_metalake") instead of
  accessing _metalake directly (protected-access W0212)
- Remove unused variable and import warnings (W0612, W0611)
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

Can you fix some style issues here?

No problem. I just noticed the CI failure too, and I’ve already pushed a commit to fix it.

@jerryshao

Copy link
Copy Markdown
Contributor

Don't forget to add integration tests for this PR and the previous one.

@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

Don't forget to add integration tests for this PR and the previous one.

No problem. I'll submit the relevant PR for integration testing shortly.

@Abyss-lord

Copy link
Copy Markdown
Contributor
image

@sunyuhan1998, On the Java side, audit cannot be null; this check has not been added on the Python side.

@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

@sunyuhan1998, On the Java side, audit cannot be null; this check has not been added on the Python side.

You're right. Actually, I realized what you mentioned when I worked on PR #11109. I'll submit another PR later to add integration tests for user, where I'll fix the issue we're currently discussing. Thanks for your review.

jerryshao added a commit that referenced this pull request May 20, 2026
…fix UserDTO audit validation (#11115)

### What changes were proposed in this pull request?

- Add audit null validation in `UserDTO.Builder.build()` to align with
the Java side
- Add integration tests for User API (`add_user`, `get_user`,
`remove_user`, `list_users`, `list_user_names`)
- Update existing unit tests to provide audit in Builder calls

### Why are the changes needed?

The Java `UserDTO.Builder.build()` validates `audit != null`, but the
Python counterpart does not. Also, PR #11058 only added mocked unit
tests for the User API. Integration tests are needed to validate against
a real Gravitino server.

Fix: #11114

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

- 8 new integration tests passed against a real Gravitino server with
authorization enabled
- 36 existing unit tests passed

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Co-authored-by: Jerry Shao <jerryshao@datastrato.com>
jerryshao pushed a commit that referenced this pull request May 22, 2026
)

## Summary
This PR adds Group authorization management support to the Gravitino
Python client SDK, following the pattern established in #11058 (User
management). It is split from the original monolithic PR #10783.

### Changes
- **API**: `Group` interface with `name()` and `roles()` methods
- **DTO**: `GroupDTO` with immutable roles (`tuple[str, ...]`
internally, defensive `list` copy via `roles()`); audit null validation
in Builder
- **Request/Response**: `GroupAddRequest`, `GroupResponse`,
`GroupListResponse`, `GroupNamesListResponse`
- **Error Handler**: `GroupErrorHandler` mapping REST error codes to
`NoSuchGroupException`, `GroupAlreadyExistsException`, etc.
- **Client**: 5 CRUD methods on both `GravitinoMetalake` and
`GravitinoClient` (`add_group`, `remove_group`, `get_group`,
`list_groups`, `list_group_names`)
- **Tests**: Unit tests (33 cases) and integration tests (6 cases)

### Sub-task of
- #10782 (Authorization management for Python SDK)

## Related issues
- Closes #11094

## Reviewers
@jerryshao

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
jerryshao pushed a commit that referenced this pull request May 27, 2026
…ructures (#11210)

### What changes were proposed in this pull request?

Add Role CRUD operations and authorization data structures to the Python
client SDK:

- **DTOs**: `PrivilegeDTO`, `SecurableObjectDTO`, `RoleDTO` with JSON
serialization support
- **Role CRUD**: `create_role`, `get_role`, `delete_role`,
`list_role_names` on `GravitinoMetalake` and `GravitinoClient`
- **DTOConverters**: `to/from_privilege_dto` and
`to/from_securable_object_dto` conversion methods
- **Fix**: `GenericPrivilege.__eq__` now checks `isinstance(value,
Privilege)` for `PrivilegeDTO` compatibility
- **Tests**: Unit tests (DTO, response, client delegate, error handler)
and integration tests against a live server

### Why are the changes needed?

This is the Role authorization piece of issue #10782. User (#11058) and
Group (#11094) management are already merged. Role CRUD is a
prerequisite for Grant/Revoke operations, which will follow in a
separate PR.

Fix: #11095

### Does this PR introduce _any_ user-facing change?

Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`:
- `create_role(role_name, properties=None, securable_objects=None)`
- `get_role(role_name)`
- `delete_role(role_name) -> bool`
- `list_role_names() -> list[str]`

### How was this patch tested?

- Unit tests: all passed
- Integration tests: 4 passed against a live Gravitino server with
authorization enabled
- Linting: `ruff check` clean, `pylint` 10/10

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 8, 2026
…apache#11058)

### What changes were proposed in this pull request?

This PR is split from apache#10783 to make review easier. It focuses on the
**User** part of the authorization model; Group, Role, Privilege,
SecurableObject and grant/revoke operations will follow in subsequent
PRs.

Changes in this PR:

1. **API layer** (`gravitino/api/authorization/`)
   - `User` — user interface with `name()` / `roles()` accessors

2. **DTO layer** (`gravitino/dto/authorization/`)
   - `UserDTO` — immutable DTO with builder pattern, serialization
     and audit info

3. **Request / Response DTOs** (`gravitino/dto/`)
   - `UserAddRequest`
   - `UserResponse` / `UserListResponse` / `UserNamesListResponse`
   - `RemoveResponse` (shared boolean-remove response used across
     authorization operations)

4. **Client layer** (`gravitino/client/gravitino_metalake.py`)
   - Five new public methods on `GravitinoMetalake`:
     `add_user` / `get_user` / `remove_user` / `list_users` /
     `list_user_names`

5. **Exception handling** (`gravitino/exceptions/`)
   - `NoSuchUserException`, `UserAlreadyExistsException`
   - `UserErrorHandler` mapping REST error codes to the above

### Why are the changes needed?

The Python SDK currently has no authorization management capabilities,
while the Java SDK and REST API have full support. This PR starts
bringing the Python SDK to feature parity with the Java SDK, beginning
with User management as the most foundational entity.

Fix: apache#11098

### Does this PR introduce _any_ user-facing change?

Yes. New public API:
- `GravitinoMetalake.add_user(name)` / `get_user(name)` /
  `remove_user(name)` / `list_users()` / `list_user_names()`
- New exceptions: `NoSuchUserException`, `UserAlreadyExistsException`

No existing APIs or behaviors are changed.

### How was this patch tested?

28 new unit tests (all passing, `ruff` + `pylint`):

- **DTO tests** 
(`tests/unittests/dto/test_user_dto.py`,
`tests/unittests/dto/responses/test_user_response.py`) — cover builder,
serialization / deserialization roundtrip, equality
- **Client-level mock tests**
(`tests/unittests/client/test_metalake_user_operations.py`) — cover URL,
HTTP method, request body, response parsing, and error propagation for
all five `GravitinoMetalake` methods
- **Error-handler tests** 
(added to `tests/unittests/test_error_handler.py`) — verify the full
error code mapping table for `UserErrorHandler`

Integration tests will be added in the final PR of the split together
with grant/revoke operations, where end-to-end multi-entity behavior
needs to be validated against a real server.

cc @jerryshao — could you help review this when you have time? Thanks!

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Co-authored-by: Jerry Shao <jerryshao@datastrato.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 8, 2026
…I and fix UserDTO audit validation (apache#11115)

### What changes were proposed in this pull request?

- Add audit null validation in `UserDTO.Builder.build()` to align with
the Java side
- Add integration tests for User API (`add_user`, `get_user`,
`remove_user`, `list_users`, `list_user_names`)
- Update existing unit tests to provide audit in Builder calls

### Why are the changes needed?

The Java `UserDTO.Builder.build()` validates `audit != null`, but the
Python counterpart does not. Also, PR apache#11058 only added mocked unit
tests for the User API. Integration tests are needed to validate against
a real Gravitino server.

Fix: apache#11114

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

- 8 new integration tests passed against a real Gravitino server with
authorization enabled
- 36 existing unit tests passed

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Co-authored-by: Jerry Shao <jerryshao@datastrato.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 8, 2026
apache#11109)

## Summary
This PR adds Group authorization management support to the Gravitino
Python client SDK, following the pattern established in apache#11058 (User
management). It is split from the original monolithic PR apache#10783.

### Changes
- **API**: `Group` interface with `name()` and `roles()` methods
- **DTO**: `GroupDTO` with immutable roles (`tuple[str, ...]`
internally, defensive `list` copy via `roles()`); audit null validation
in Builder
- **Request/Response**: `GroupAddRequest`, `GroupResponse`,
`GroupListResponse`, `GroupNamesListResponse`
- **Error Handler**: `GroupErrorHandler` mapping REST error codes to
`NoSuchGroupException`, `GroupAlreadyExistsException`, etc.
- **Client**: 5 CRUD methods on both `GravitinoMetalake` and
`GravitinoClient` (`add_group`, `remove_group`, `get_group`,
`list_groups`, `list_group_names`)
- **Tests**: Unit tests (33 cases) and integration tests (6 cases)

### Sub-task of
- apache#10782 (Authorization management for Python SDK)

## Related issues
- Closes apache#11094

## Reviewers
@jerryshao

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 8, 2026
…ata structures (apache#11210)

### What changes were proposed in this pull request?

Add Role CRUD operations and authorization data structures to the Python
client SDK:

- **DTOs**: `PrivilegeDTO`, `SecurableObjectDTO`, `RoleDTO` with JSON
serialization support
- **Role CRUD**: `create_role`, `get_role`, `delete_role`,
`list_role_names` on `GravitinoMetalake` and `GravitinoClient`
- **DTOConverters**: `to/from_privilege_dto` and
`to/from_securable_object_dto` conversion methods
- **Fix**: `GenericPrivilege.__eq__` now checks `isinstance(value,
Privilege)` for `PrivilegeDTO` compatibility
- **Tests**: Unit tests (DTO, response, client delegate, error handler)
and integration tests against a live server

### Why are the changes needed?

This is the Role authorization piece of issue apache#10782. User (apache#11058) and
Group (apache#11094) management are already merged. Role CRUD is a
prerequisite for Grant/Revoke operations, which will follow in a
separate PR.

Fix: apache#11095

### Does this PR introduce _any_ user-facing change?

Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`:
- `create_role(role_name, properties=None, securable_objects=None)`
- `get_role(role_name)`
- `delete_role(role_name) -> bool`
- `list_role_names() -> list[str]`

### How was this patch tested?

- Unit tests: all passed
- Integration tests: 4 passed against a live Gravitino server with
authorization enabled
- Linting: `ruff check` clean, `pylint` 10/10

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 9, 2026
…apache#11058)

### What changes were proposed in this pull request?

This PR is split from apache#10783 to make review easier. It focuses on the
**User** part of the authorization model; Group, Role, Privilege,
SecurableObject and grant/revoke operations will follow in subsequent
PRs.

Changes in this PR:

1. **API layer** (`gravitino/api/authorization/`)
   - `User` — user interface with `name()` / `roles()` accessors

2. **DTO layer** (`gravitino/dto/authorization/`)
   - `UserDTO` — immutable DTO with builder pattern, serialization
     and audit info

3. **Request / Response DTOs** (`gravitino/dto/`)
   - `UserAddRequest`
   - `UserResponse` / `UserListResponse` / `UserNamesListResponse`
   - `RemoveResponse` (shared boolean-remove response used across
     authorization operations)

4. **Client layer** (`gravitino/client/gravitino_metalake.py`)
   - Five new public methods on `GravitinoMetalake`:
     `add_user` / `get_user` / `remove_user` / `list_users` /
     `list_user_names`

5. **Exception handling** (`gravitino/exceptions/`)
   - `NoSuchUserException`, `UserAlreadyExistsException`
   - `UserErrorHandler` mapping REST error codes to the above

### Why are the changes needed?

The Python SDK currently has no authorization management capabilities,
while the Java SDK and REST API have full support. This PR starts
bringing the Python SDK to feature parity with the Java SDK, beginning
with User management as the most foundational entity.

Fix: apache#11098

### Does this PR introduce _any_ user-facing change?

Yes. New public API:
- `GravitinoMetalake.add_user(name)` / `get_user(name)` /
  `remove_user(name)` / `list_users()` / `list_user_names()`
- New exceptions: `NoSuchUserException`, `UserAlreadyExistsException`

No existing APIs or behaviors are changed.

### How was this patch tested?

28 new unit tests (all passing, `ruff` + `pylint`):

- **DTO tests** 
(`tests/unittests/dto/test_user_dto.py`,
`tests/unittests/dto/responses/test_user_response.py`) — cover builder,
serialization / deserialization roundtrip, equality
- **Client-level mock tests**
(`tests/unittests/client/test_metalake_user_operations.py`) — cover URL,
HTTP method, request body, response parsing, and error propagation for
all five `GravitinoMetalake` methods
- **Error-handler tests** 
(added to `tests/unittests/test_error_handler.py`) — verify the full
error code mapping table for `UserErrorHandler`

Integration tests will be added in the final PR of the split together
with grant/revoke operations, where end-to-end multi-entity behavior
needs to be validated against a real server.

cc @jerryshao — could you help review this when you have time? Thanks!

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Co-authored-by: Jerry Shao <jerryshao@datastrato.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 9, 2026
…I and fix UserDTO audit validation (apache#11115)

### What changes were proposed in this pull request?

- Add audit null validation in `UserDTO.Builder.build()` to align with
the Java side
- Add integration tests for User API (`add_user`, `get_user`,
`remove_user`, `list_users`, `list_user_names`)
- Update existing unit tests to provide audit in Builder calls

### Why are the changes needed?

The Java `UserDTO.Builder.build()` validates `audit != null`, but the
Python counterpart does not. Also, PR apache#11058 only added mocked unit
tests for the User API. Integration tests are needed to validate against
a real Gravitino server.

Fix: apache#11114

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

- 8 new integration tests passed against a real Gravitino server with
authorization enabled
- 36 existing unit tests passed

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Co-authored-by: Jerry Shao <jerryshao@datastrato.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 9, 2026
apache#11109)

## Summary
This PR adds Group authorization management support to the Gravitino
Python client SDK, following the pattern established in apache#11058 (User
management). It is split from the original monolithic PR apache#10783.

### Changes
- **API**: `Group` interface with `name()` and `roles()` methods
- **DTO**: `GroupDTO` with immutable roles (`tuple[str, ...]`
internally, defensive `list` copy via `roles()`); audit null validation
in Builder
- **Request/Response**: `GroupAddRequest`, `GroupResponse`,
`GroupListResponse`, `GroupNamesListResponse`
- **Error Handler**: `GroupErrorHandler` mapping REST error codes to
`NoSuchGroupException`, `GroupAlreadyExistsException`, etc.
- **Client**: 5 CRUD methods on both `GravitinoMetalake` and
`GravitinoClient` (`add_group`, `remove_group`, `get_group`,
`list_groups`, `list_group_names`)
- **Tests**: Unit tests (33 cases) and integration tests (6 cases)

### Sub-task of
- apache#10782 (Authorization management for Python SDK)

## Related issues
- Closes apache#11094

## Reviewers
@jerryshao

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 9, 2026
…ata structures (apache#11210)

### What changes were proposed in this pull request?

Add Role CRUD operations and authorization data structures to the Python
client SDK:

- **DTOs**: `PrivilegeDTO`, `SecurableObjectDTO`, `RoleDTO` with JSON
serialization support
- **Role CRUD**: `create_role`, `get_role`, `delete_role`,
`list_role_names` on `GravitinoMetalake` and `GravitinoClient`
- **DTOConverters**: `to/from_privilege_dto` and
`to/from_securable_object_dto` conversion methods
- **Fix**: `GenericPrivilege.__eq__` now checks `isinstance(value,
Privilege)` for `PrivilegeDTO` compatibility
- **Tests**: Unit tests (DTO, response, client delegate, error handler)
and integration tests against a live server

### Why are the changes needed?

This is the Role authorization piece of issue apache#10782. User (apache#11058) and
Group (apache#11094) management are already merged. Role CRUD is a
prerequisite for Grant/Revoke operations, which will follow in a
separate PR.

Fix: apache#11095

### Does this PR introduce _any_ user-facing change?

Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`:
- `create_role(role_name, properties=None, securable_objects=None)`
- `get_role(role_name)`
- `delete_role(role_name) -> bool`
- `list_role_names() -> list[str]`

### How was this patch tested?

- Unit tests: all passed
- Integration tests: 4 passed against a live Gravitino server with
authorization enabled
- Linting: `ruff check` clean, `pylint` 10/10

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Subtask] Add User authorization management to Python client

4 participants