[#11096] feat(client-python): add Grant/Revoke authorization operations#11274
Conversation
…erations - Add PermissionErrorHandler for grant/revoke error handling - Add grant/revoke roles to/from users and groups - Add grant/revoke privileges to/from roles - Add input validation for grant/revoke method parameters - Add unit tests and integration tests against live server
|
cc @jerryshao |
Code Coverage Report
Files
|
There was a problem hiding this comment.
Pull request overview
Adds Python SDK support for authorization grant/revoke operations, extending the existing role/user/group management APIs with permission updates through the REST client.
Changes:
- Adds grant/revoke request DTOs and a permission-specific REST error handler.
- Adds six grant/revoke APIs on
GravitinoMetalakeand pass-through methods onGravitinoClient. - Adds unit and integration coverage for the new authorization operations.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
clients/client-python/gravitino/exceptions/handlers/permission_error_handler.py |
Adds permission operation error mapping. |
clients/client-python/gravitino/dto/requests/role_grant_request.py |
Adds role grant request DTO. |
clients/client-python/gravitino/dto/requests/role_revoke_request.py |
Adds role revoke request DTO. |
clients/client-python/gravitino/dto/requests/privilege_grant_request.py |
Adds privilege grant request DTO. |
clients/client-python/gravitino/dto/requests/privilege_revoke_request.py |
Adds privilege revoke request DTO. |
clients/client-python/gravitino/client/gravitino_metalake.py |
Implements REST calls for grant/revoke operations. |
clients/client-python/gravitino/client/gravitino_client.py |
Adds client-level delegation for grant/revoke operations. |
clients/client-python/tests/unittests/test_error_handler.py |
Covers the new permission error handler. |
clients/client-python/tests/unittests/client/test_metalake_role_operations.py |
Adds unit tests for metalake/client grant/revoke behavior. |
clients/client-python/tests/integration/test_role_management.py |
Adds live-server grant/revoke integration tests. |
…st DTO tests - Add IllegalRoleException and map it in PermissionErrorHandler - Add unit tests for RoleGrantRequest, RoleRevokeRequest, PrivilegeGrantRequest, PrivilegeRevokeRequest
|
@jerryshao Thank you for your review. All currently raised issues have been addressed. Please help take another look. Thanks. |
|
Please fix the Python style issue @sunyuhan1998 . |
… tests - Fix pylint W0212 protected-access in request DTO tests - Add IllegalRoleException mapping and tests - Strengthen integration test assertions for grant/revoke privileges - Complete docstrings with missing exception documentation
Done |
|
Hi @sunyuhan1998 can you create a PR to cherry-pick this commit to branch-1.3? Sorry, I forgot to add a label. |
No problem, I will submit a PR this week. |
…ns (cherry-pick #11274 to branch-1.3) (#11394) ### What changes were proposed in this pull request? Cherry-pick of #11274 to `branch-1.3`. Add Grant/Revoke authorization operations to the Python client, including: - `grant_roles_to_user` / `revoke_roles_from_user` - `grant_roles_to_group` / `revoke_roles_from_group` - `grant_privileges_to_role` / `revoke_privileges_from_role` - Related request DTOs, error handlers, unit and integration tests ### Why are the changes needed? This feature was merged into `main` but also needs to be available in the 1.3 release branch. ### Does this PR introduce _any_ user-facing change? Yes, adds new public API methods to the Python client for authorization operations. ### How was this patch tested? Unit tests and integration tests included.
…erations (apache#11274) ### What changes were proposed in this pull request? Add Grant/Revoke authorization operations to the Python client SDK: - **PermissionErrorHandler**: Error handler for grant/revoke REST API calls - **Grant/Revoke roles**: `grant_roles_to_user`, `revoke_roles_from_user`, `grant_roles_to_group`, `revoke_roles_from_group` - **Grant/Revoke privileges**: `grant_privileges_to_role`, `revoke_privileges_from_role` - **Input validation**: All grant/revoke methods validate parameters with `Precondition.check_string_not_empty` ### Why are the changes needed? This completes the Role authorization piece of issue apache#10782, building on top of PR apache#11210 (Role CRUD) which is already merged. Fix: apache#11096 ### Does this PR introduce _any_ user-facing change? Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`: - `grant_roles_to_user(role_names, user_name)` - `revoke_roles_from_user(role_names, user_name)` - `grant_roles_to_group(role_names, group_name)` - `revoke_roles_from_group(role_names, group_name)` - `grant_privileges_to_role(role_name, securable_object, privileges)` - `revoke_privileges_from_role(role_name, securable_object, privileges)` ### How was this patch tested? - Unit tests: 6 grant/revoke mock tests, 6 client delegate tests, 13 permission error handler assertions - Integration tests: 3 tests against a live Gravitino server (grant/revoke roles to user, grant/revoke roles to group, grant/revoke privileges to role) - Linting: `ruff check` clean, `pylint` 10/10 --------- Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
…erations (apache#11274) ### What changes were proposed in this pull request? Add Grant/Revoke authorization operations to the Python client SDK: - **PermissionErrorHandler**: Error handler for grant/revoke REST API calls - **Grant/Revoke roles**: `grant_roles_to_user`, `revoke_roles_from_user`, `grant_roles_to_group`, `revoke_roles_from_group` - **Grant/Revoke privileges**: `grant_privileges_to_role`, `revoke_privileges_from_role` - **Input validation**: All grant/revoke methods validate parameters with `Precondition.check_string_not_empty` ### Why are the changes needed? This completes the Role authorization piece of issue apache#10782, building on top of PR apache#11210 (Role CRUD) which is already merged. Fix: apache#11096 ### Does this PR introduce _any_ user-facing change? Yes — new public APIs on `GravitinoClient` and `GravitinoMetalake`: - `grant_roles_to_user(role_names, user_name)` - `revoke_roles_from_user(role_names, user_name)` - `grant_roles_to_group(role_names, group_name)` - `revoke_roles_from_group(role_names, group_name)` - `grant_privileges_to_role(role_name, securable_object, privileges)` - `revoke_privileges_from_role(role_name, securable_object, privileges)` ### How was this patch tested? - Unit tests: 6 grant/revoke mock tests, 6 client delegate tests, 13 permission error handler assertions - Integration tests: 3 tests against a live Gravitino server (grant/revoke roles to user, grant/revoke roles to group, grant/revoke privileges to role) - Linting: `ruff check` clean, `pylint` 10/10 --------- Co-authored-by: Sun Yuhan <sunyuhan1998@users.noreply.github.com>
What changes were proposed in this pull request?
Add Grant/Revoke authorization operations to the Python client SDK:
grant_roles_to_user,revoke_roles_from_user,grant_roles_to_group,revoke_roles_from_groupgrant_privileges_to_role,revoke_privileges_from_rolePrecondition.check_string_not_emptyWhy are the changes needed?
This completes the Role authorization piece of issue #10782, building on top of PR #11210 (Role CRUD) which is already merged.
Fix: #11096
Does this PR introduce any user-facing change?
Yes — new public APIs on
GravitinoClientandGravitinoMetalake:grant_roles_to_user(role_names, user_name)revoke_roles_from_user(role_names, user_name)grant_roles_to_group(role_names, group_name)revoke_roles_from_group(role_names, group_name)grant_privileges_to_role(role_name, securable_object, privileges)revoke_privileges_from_role(role_name, securable_object, privileges)How was this patch tested?
ruff checkclean,pylint10/10