Skip to content

[#11095] [#11096] feat(client-python): add Role authorization management#11202

Closed
sunyuhan1998 wants to merge 2 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-role
Closed

[#11095] [#11096] feat(client-python): add Role authorization management#11202
sunyuhan1998 wants to merge 2 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-role

Conversation

@sunyuhan1998

@sunyuhan1998 sunyuhan1998 commented May 22, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Add Role management and permission operations (grant/revoke) to the Gravitino Python SDK, including:

New DTOs:

  • PrivilegeDTO — JSON serialization with lowercase enum encoding matching Java server
  • SecurableObjectDTO — with fullName parsing and MetadataObject.Type codec
  • RoleDTO — with Builder pattern and audit validation

New Request/Response DTOs:

  • RoleCreateRequest, RoleGrantRequest, RoleRevokeRequest
  • PrivilegeGrantRequest, PrivilegeRevokeRequest
  • RoleResponse, RoleNamesListResponse

New Error Handler:

  • PermissionErrorHandler — handles grant/revoke error codes (IllegalPrivilege, NoSuchUser/Group/Role/MetadataObject, etc.)

Client Methods (10 new methods on GravitinoMetalake + GravitinoClient delegates):

  • Role CRUD: create_role, get_role, delete_role, list_role_names
  • Grant/Revoke roles: grant_roles_to_user, revoke_roles_from_user, grant_roles_to_group, revoke_roles_from_group
  • Grant/Revoke privileges: grant_privileges_to_role, revoke_privileges_from_role

Bug fix:

  • GenericPrivilege.__eq__ changed from isinstance(value, GenericPrivilege) to isinstance(value, Privilege) for symmetric equality with PrivilegeDTO

Why are the changes needed?

The Java SDK already supports full authorization management via GravitinoMetalake. The Python SDK should provide equivalent functionality so users can manage roles and permissions without falling back to raw REST API calls.

This is part of the authorization management split for issue #10782

Fix: #11095
Fix: #11096

Does this PR introduce any user-facing change?

Yes, adds new public APIs to GravitinoClient and GravitinoMetalake:

  • create_role, get_role, delete_role, list_role_names
  • grant_roles_to_user, revoke_roles_from_user
  • grant_roles_to_group, revoke_roles_from_group
  • grant_privileges_to_role, revoke_privileges_from_role

How was this patch tested?

  • Unit tests: 906 passed (64 new tests covering DTOs, requests, responses, error handlers, and client operations with mocks)
  • Integration tests: 7 passed (end-to-end tests against Gravitino server with authorization enabled)

Add Role CRUD, grant/revoke roles to users/groups, and grant/revoke
privileges to roles in the Python SDK.

- Add PrivilegeDTO, SecurableObjectDTO, RoleDTO with JSON serialization
- Add RoleCreate/Grant/Revoke and PrivilegeGrant/Revoke request DTOs
- Add RoleResponse and RoleNamesListResponse
- Add PermissionErrorHandler for grant/revoke operations
- Add 10 methods to GravitinoMetalake and delegate to GravitinoClient
- Fix GenericPrivilege.__eq__ for PrivilegeDTO compatibility
- Add DTOConverters for privilege and securable object conversion
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

cc @jerryshao

@jerryshao

Copy link
Copy Markdown
Contributor

This PR is too big, I would suggest you split it into small PRs.

@sunyuhan1998 sunyuhan1998 marked this pull request as draft May 25, 2026 03:37
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

This PR is too big, I would suggest you split it into small PRs.

No problem. However, the changes in this PR are highly coupled. I am considering splitting Role management and Grant/Revoke into two PRs. Do you think this is appropriate? Here is the PR for Role CRUD: #11210. The Grant/Revoke part will be submitted after it is merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Subtask] Add Privilege, SecurableObject and Grant/Revoke support to Python client [Subtask] Add Role authorization management to Python client

2 participants