Skip to content

[#11096] feat(client-python): add Grant/Revoke authorization operations#11274

Merged
jerryshao merged 3 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-grant-revoke
Jun 2, 2026
Merged

[#11096] feat(client-python): add Grant/Revoke authorization operations#11274
jerryshao merged 3 commits into
apache:mainfrom
sunyuhan1998:feature/python-sdk-auth-grant-revoke

Conversation

@sunyuhan1998

@sunyuhan1998 sunyuhan1998 commented May 28, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Add Grant/Revoke authorization operations to the Python client SDK:

  • PermissionErrorHandler: Error handler for grant/revoke REST API calls
  • Grant/Revoke roles: grant_roles_to_user, revoke_roles_from_user, grant_roles_to_group, revoke_roles_from_group
  • Grant/Revoke privileges: grant_privileges_to_role, revoke_privileges_from_role
  • Input validation: All grant/revoke methods validate parameters with Precondition.check_string_not_empty

Why are the changes needed?

This completes the Role authorization piece of issue #10782, building on top of PR #11210 (Role CRUD) which is already merged.

Fix: #11096

Does this PR introduce any user-facing change?

Yes — new public APIs on GravitinoClient and GravitinoMetalake:

  • grant_roles_to_user(role_names, user_name)
  • revoke_roles_from_user(role_names, user_name)
  • grant_roles_to_group(role_names, group_name)
  • revoke_roles_from_group(role_names, group_name)
  • grant_privileges_to_role(role_name, securable_object, privileges)
  • revoke_privileges_from_role(role_name, securable_object, privileges)

How was this patch tested?

  • Unit tests: 6 grant/revoke mock tests, 6 client delegate tests, 13 permission error handler assertions
  • Integration tests: 3 tests against a live Gravitino server (grant/revoke roles to user, grant/revoke roles to group, grant/revoke privileges to role)
  • Linting: ruff check clean, pylint 10/10

…erations

- Add PermissionErrorHandler for grant/revoke error handling
- Add grant/revoke roles to/from users and groups
- Add grant/revoke privileges to/from roles
- Add input validation for grant/revoke method parameters
- Add unit tests and integration tests against live server
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

cc @jerryshao

@github-actions

github-actions Bot commented May 28, 2026

Copy link
Copy Markdown

Code Coverage Report

Overall Project 66.73% +0.02% 🟢
Files changed 76.16% 🟢

Module Coverage
aliyun 1.72% 🔴
api 46.82% 🟢
authorization-common 85.96% 🟢
aws 3.66% 🔴
azure 2.47% 🔴
catalog-common 10.04% -0.02% 🔴
catalog-fileset 80.33% 🟢
catalog-glue 66.08% 🟢
catalog-hive 79.55% 🟢
catalog-jdbc-clickhouse 80.02% 🟢
catalog-jdbc-common 45.31% 🟢
catalog-jdbc-doris 80.28% 🟢
catalog-jdbc-hologres 54.03% 🟢
catalog-jdbc-mysql 79.23% 🟢
catalog-jdbc-oceanbase 78.38% 🟢
catalog-jdbc-postgresql 82.29% 🟢
catalog-jdbc-starrocks 78.51% 🟢
catalog-kafka 77.01% 🟢
catalog-lakehouse-generic 44.89% 🟢
catalog-lakehouse-hudi 79.1% 🟢
catalog-lakehouse-iceberg 85.73% -0.11% 🟢
catalog-lakehouse-paimon 79.29% 🟢
catalog-model 77.72% 🟢
cli 44.51% 🟢
client-java 77.91% 🟢
common 49.99% 🟢
core 82.42% +0.03% 🟢
filesystem-hadoop3 76.97% 🟢
flink 0.0% 🔴
flink-common 41.2% 🟢
flink-runtime 0.0% 🔴
gcp 14.12% 🔴
hadoop-common 10.39% 🔴
hive-metastore-common 53.26% 🟢
iceberg-common 56.71% +0.58% 🟢
iceberg-rest-server 72.1% 🟢
idp-basic 85.99% 🟢
integration-test-common 0.0% 🔴
jobs 66.17% 🟢
lance-common 20.83% 🔴
lance-rest-server 60.27% 🟢
lineage 53.02% 🟢
optimizer 82.95% 🟢
optimizer-api 21.95% 🔴
server 85.73% 🟢
server-common 73.66% 🟢
spark 32.79% 🔴
spark-common 39.75% 🔴
trino-connector 39.44% 🔴
Files
Module File Coverage
catalog-common IcebergConstants.java 0.0% 🔴
catalog-lakehouse-iceberg IcebergCatalogCapability.java 77.78% 🟢
core Capability.java 96.97% 🟢
SchemaNormalizeDispatcher.java 94.74% 🟢
iceberg-common IcebergCatalogUtil.java 63.75% 🟢

Comment thread clients/client-python/gravitino/dto/requests/role_revoke_request.py

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds Python SDK support for authorization grant/revoke operations, extending the existing role/user/group management APIs with permission updates through the REST client.

Changes:

  • Adds grant/revoke request DTOs and a permission-specific REST error handler.
  • Adds six grant/revoke APIs on GravitinoMetalake and pass-through methods on GravitinoClient.
  • Adds unit and integration coverage for the new authorization operations.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
clients/client-python/gravitino/exceptions/handlers/permission_error_handler.py Adds permission operation error mapping.
clients/client-python/gravitino/dto/requests/role_grant_request.py Adds role grant request DTO.
clients/client-python/gravitino/dto/requests/role_revoke_request.py Adds role revoke request DTO.
clients/client-python/gravitino/dto/requests/privilege_grant_request.py Adds privilege grant request DTO.
clients/client-python/gravitino/dto/requests/privilege_revoke_request.py Adds privilege revoke request DTO.
clients/client-python/gravitino/client/gravitino_metalake.py Implements REST calls for grant/revoke operations.
clients/client-python/gravitino/client/gravitino_client.py Adds client-level delegation for grant/revoke operations.
clients/client-python/tests/unittests/test_error_handler.py Covers the new permission error handler.
clients/client-python/tests/unittests/client/test_metalake_role_operations.py Adds unit tests for metalake/client grant/revoke behavior.
clients/client-python/tests/integration/test_role_management.py Adds live-server grant/revoke integration tests.

@mchades
mchades requested a review from roryqi May 28, 2026 12:58
…st DTO tests

- Add IllegalRoleException and map it in PermissionErrorHandler
- Add unit tests for RoleGrantRequest, RoleRevokeRequest,
  PrivilegeGrantRequest, PrivilegeRevokeRequest
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

@jerryshao Thank you for your review. All currently raised issues have been addressed. Please help take another look. Thanks.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.

Comment thread clients/client-python/tests/integration/test_role_management.py
Comment thread clients/client-python/gravitino/client/gravitino_metalake.py
Comment thread clients/client-python/gravitino/client/gravitino_metalake.py
Comment thread clients/client-python/gravitino/client/gravitino_client.py
Comment thread clients/client-python/gravitino/client/gravitino_client.py
@jerryshao

Copy link
Copy Markdown
Contributor

Please fix the Python style issue @sunyuhan1998 .

… tests

- Fix pylint W0212 protected-access in request DTO tests
- Add IllegalRoleException mapping and tests
- Strengthen integration test assertions for grant/revoke privileges
- Complete docstrings with missing exception documentation
@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

Please fix the Python style issue @sunyuhan1998 .

Done

@jerryshao
jerryshao merged commit 1305ae1 into apache:main Jun 2, 2026
28 checks passed
@jerryshao

Copy link
Copy Markdown
Contributor

Hi @sunyuhan1998 can you create a PR to cherry-pick this commit to branch-1.3? Sorry, I forgot to add a label.

@sunyuhan1998

Copy link
Copy Markdown
Contributor Author

Hi @sunyuhan1998 can you create a PR to cherry-pick this commit to branch-1.3? Sorry, I forgot to add a label.

No problem, I will submit a PR this week.

roryqi pushed a commit that referenced this pull request Jun 3, 2026
…ns (cherry-pick #11274 to branch-1.3) (#11394)

### What changes were proposed in this pull request?

Cherry-pick of #11274 to `branch-1.3`.

Add Grant/Revoke authorization operations to the Python client,
including:
- `grant_roles_to_user` / `revoke_roles_from_user`
- `grant_roles_to_group` / `revoke_roles_from_group`
- `grant_privileges_to_role` / `revoke_privileges_from_role`
- Related request DTOs, error handlers, unit and integration tests

### Why are the changes needed?

This feature was merged into `main` but also needs to be available in
the 1.3 release branch.

### Does this PR introduce _any_ user-facing change?

Yes, adds new public API methods to the Python client for authorization
operations.

### How was this patch tested?

Unit tests and integration tests included.
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 8, 2026
…erations (apache#11274)

### What changes were proposed in this pull request?

Add Grant/Revoke authorization operations to the Python client SDK:

- **PermissionErrorHandler**: Error handler for grant/revoke REST API
calls
- **Grant/Revoke roles**: `grant_roles_to_user`,
`revoke_roles_from_user`, `grant_roles_to_group`,
`revoke_roles_from_group`
- **Grant/Revoke privileges**: `grant_privileges_to_role`,
`revoke_privileges_from_role`
- **Input validation**: All grant/revoke methods validate parameters
with `Precondition.check_string_not_empty`

### Why are the changes needed?

This completes the Role authorization piece of issue apache#10782, building on
top of PR apache#11210 (Role CRUD) which is already merged.

Fix: apache#11096

### Does this PR introduce _any_ user-facing change?

Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`:
- `grant_roles_to_user(role_names, user_name)`
- `revoke_roles_from_user(role_names, user_name)`
- `grant_roles_to_group(role_names, group_name)`
- `revoke_roles_from_group(role_names, group_name)`
- `grant_privileges_to_role(role_name, securable_object, privileges)`
- `revoke_privileges_from_role(role_name, securable_object, privileges)`

### How was this patch tested?

- Unit tests: 6 grant/revoke mock tests, 6 client delegate tests, 13
permission error handler assertions
- Integration tests: 3 tests against a live Gravitino server
(grant/revoke roles to user, grant/revoke roles to group, grant/revoke
privileges to role)
- Linting: `ruff check` clean, `pylint` 10/10

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
danhuawang pushed a commit to danhuawang/gravitino that referenced this pull request Jun 9, 2026
…erations (apache#11274)

### What changes were proposed in this pull request?

Add Grant/Revoke authorization operations to the Python client SDK:

- **PermissionErrorHandler**: Error handler for grant/revoke REST API
calls
- **Grant/Revoke roles**: `grant_roles_to_user`,
`revoke_roles_from_user`, `grant_roles_to_group`,
`revoke_roles_from_group`
- **Grant/Revoke privileges**: `grant_privileges_to_role`,
`revoke_privileges_from_role`
- **Input validation**: All grant/revoke methods validate parameters
with `Precondition.check_string_not_empty`

### Why are the changes needed?

This completes the Role authorization piece of issue apache#10782, building on
top of PR apache#11210 (Role CRUD) which is already merged.

Fix: apache#11096

### Does this PR introduce _any_ user-facing change?

Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`:
- `grant_roles_to_user(role_names, user_name)`
- `revoke_roles_from_user(role_names, user_name)`
- `grant_roles_to_group(role_names, group_name)`
- `revoke_roles_from_group(role_names, group_name)`
- `grant_privileges_to_role(role_name, securable_object, privileges)`
- `revoke_privileges_from_role(role_name, securable_object, privileges)`

### How was this patch tested?

- Unit tests: 6 grant/revoke mock tests, 6 client delegate tests, 13
permission error handler assertions
- Integration tests: 3 tests against a live Gravitino server
(grant/revoke roles to user, grant/revoke roles to group, grant/revoke
privileges to role)
- Linting: `ruff check` clean, `pylint` 10/10

---------

Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Subtask] Add Privilege, SecurableObject and Grant/Revoke support to Python client

3 participants