chore(test): Increase Authorization Test Coverage#3332
Merged
dimas-b merged 7 commits intoapache:mainfrom Jan 13, 2026
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR enhances authorization test coverage for the Polaris authorization system by adding comprehensive unit tests for PolarisAuthorizerImpl and integration tests for the OPA-based authorizer across multiple catalog handlers.
Key changes:
- Added unit tests for
listAssigneePrincipalRolesForCatalogRoleandlistGrantsForCatalogRoleauthorization paths - Created OPA integration tests covering Admin Service, Iceberg Catalog Handler, Generic Table Handler, and Policy Catalog Handler endpoints
- Enhanced test infrastructure with shared helper methods for catalog/namespace creation and JSON serialization
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAdminServiceAuthzTest.java | Adds authorization unit tests for catalog role grant listing operations with sufficient and insufficient privilege validation |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaPolicyCatalogHandlerIT.java | New integration test file covering OPA authorization for policy catalog endpoints (create, list, attach/detach, delete) |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTestBase.java | Enhances base test infrastructure with JSON serialization helper, catalog creation utilities, and automatic cleanup mechanism |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTest.java | Adds authorization integration tests for namespace, principal, principal role, catalog role, and catalog creation operations |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIcebergCatalogHandlerIT.java | New integration test file covering OPA authorization for Iceberg catalog operations (namespace listing, table registration/deletion) |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaGenericTableHandlerIT.java | New integration test file covering OPA authorization for generic table operations (list, create, drop) |
| extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaAdminServiceIT.java | New integration test file covering OPA authorization for admin service operations (catalog roles, grants, principal role bindings) |
| extensions/auth/opa/tests/build.gradle.kts | Adds Iceberg API and core dependencies required for table metadata operations in integration tests |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
.../src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIcebergCatalogHandlerIT.java
Outdated
Show resolved
Hide resolved
...pa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTest.java
Outdated
Show resolved
Hide resolved
...ts/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaGenericTableHandlerIT.java
Outdated
Show resolved
Hide resolved
.../src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIcebergCatalogHandlerIT.java
Outdated
Show resolved
Hide resolved
...pa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTest.java
Outdated
Show resolved
Hide resolved
...ests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTestBase.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
...opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaAdminServiceIT.java
Outdated
Show resolved
Hide resolved
...opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaAdminServiceIT.java
Outdated
Show resolved
Hide resolved
dimas-b
reviewed
Dec 24, 2025
| .header("Authorization", "Bearer " + rootToken) | ||
| .body(toJson(grantRequest)) | ||
| .put( | ||
| "/api/management/v1/principal-roles/{pr}/catalog-roles/{cat}", |
Contributor
There was a problem hiding this comment.
The success of this call under the OPA authorizer makes me think whether we may actually want to forbid it 🤔 Is it meaningful to assign catalog roles to principal roles when RBAC is external?
Contributor
Author
There was a problem hiding this comment.
Yes — that’s actually one of the motivations for this PR. By explicitly encoding the current authorization outcomes in tests, we get a clear, executable snapshot of today’s behavior. Im hoping that'll help us:
- refactor the authorization flow and RBAC resolution with confidence, and precisely see what behavior changes as a result
- intentionally revisit (and potentially forbid) certain flows as RBAC resolution is removed from the Handlers - for example, whether operations like assigning catalog roles to principal roles should remain valid when authorization is fully externalized in OpaPolarisAuthorizer
| given() | ||
| .contentType(ContentType.JSON) | ||
| .header("Authorization", "Bearer " + rootToken) | ||
| .body( |
Contributor
There was a problem hiding this comment.
successful and failed requests are identical in all aspects but the auth token, right? Would you mind refactoring these tests to make it explicit (at least share the payload maybe)?
Contributor
Author
There was a problem hiding this comment.
That's a great suggestion - I'll adopt this in my next iteration
| rootToken = getRootToken(); | ||
| catalogName = "opa-iceberg-" + UUID.randomUUID().toString().replace("-", ""); | ||
| namespace = "ns_" + UUID.randomUUID().toString().replace("-", ""); | ||
| Path tempDir = Files.createTempDirectory("opa-iceberg"); |
Contributor
There was a problem hiding this comment.
nit: maybe use @TempDir params injected by JUnit5 so that the test framework would own all temporary files?
...pa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTest.java
Outdated
Show resolved
Hide resolved
...ests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/OpaIntegrationTestBase.java
Outdated
Show resolved
Hide resolved
dimas-b
previously approved these changes
Dec 25, 2025
Contributor
dimas-b
left a comment
dimas-b
left a comment
There was a problem hiding this comment.
LGTM... left some more nit-pickish comments, but they are not critical :)
| @BeforeEach | ||
| void setupBaseCatalog(@TempDir Path tempDir) throws Exception { | ||
| rootToken = getRootToken(); | ||
| catalogName = "opa-iceberg-" + UUID.randomUUID().toString().replace("-", ""); |
Contributor
There was a problem hiding this comment.
nit: why bother replacing - in the UUID when we have those chars in the prefix? 🤔
Contributor
Author
There was a problem hiding this comment.
Great point... I just followed the prior convention from here:
Contributor
There was a problem hiding this comment.
no worries... I was just wondering :)
| rootToken = getRootToken(); | ||
| catalogName = "opa-policy-" + UUID.randomUUID().toString().replace("-", ""); | ||
| namespace = "ns_" + UUID.randomUUID().toString().replace("-", ""); | ||
| baseLocation = java.nio.file.Files.createTempDirectory("opa-policy").toUri().toString(); |
Contributor
There was a problem hiding this comment.
nit: why not use @TempDir everywhere?
Contributor
Author
There was a problem hiding this comment.
missed that one - done!
github-project-automation
bot
moved this from PRs In Progress
to Ready to merge
in Basic Kanban Board
dimas-b
approved these changes
Dec 29, 2025
Contributor
|
This PR is two weeks old 😅 (although it was over holidays) if there are no further comments, I'm going to merge tomorrow. |
adutra
approved these changes
Jan 8, 2026
Contributor
Author
github-project-automation
bot
moved this from Ready to merge
to Done
in Basic Kanban Board
evindj
pushed a commit
to evindj/polaris
that referenced
this pull request
Jan 26, 2026
* increase test coverage * update docstrings * clean up * make use of same helper method * remove duplicate tests from OpaIntegrationTest * use tempdir
snazy
added a commit
to snazy/polaris
that referenced
this pull request
Feb 11, 2026
* feat: Add AWS STS Session Tags support for credential vending (apache#3327) * feat: Add AWS STS Session Tags support for credential vending Fixes apache#3325 * Minor fixes * Review comments * Review comments. * Remove request_id from the PR * Review comment: added activated roles * Review comments * Update AwsSessionTagsBuilder.java * Spotless fixes * Update StorageCredentialCacheKey.java * fix failing tests * Review comments. * Reverting last commit based on review comments for cache collisions. --------- Co-authored-by: Anand Kumar Sankaran <anand.sankaran@workday.com> * chore(deps): update registry.access.redhat.com/ubi9/openjdk-21-runtime docker tag to v1.24-2.1767639862 (apache#3383) * Added HttpRoute and Gateway to Helm Chart (apache#3314) * Added httproute and gateway * added to readme * updated helm site docs * updated changelog * Added tests * fixed broken test * fixed test part 2 * removed odd comment * added check for httproute and gateway * shuffled the gateway documentation * better gateway instructions * removed extra case in validateRouting * Errorprone: prepare for v2.46.0 (apache#3384) This tackles the current failure in apache#3382: `-XDaddTypeAnnotationsToSymbol=true is required by Error Prone on JDK 21` * NoSQL: Metastore maintenance (apache#3268) Implementation of the NoSQL meta-store maintenance implementation. It adds the meta-store specific handling to the existing NoSQL maintenance service to purge unreferenced and unneeded data from the database. * Update release workflows to use the new GPG private key (apache#3399) * [tech debt] Cleanup `gradle/libs.versions.toml` (apache#3394) This change removes unreferenced dependency references, inlines single usages of a version-reference and adds a dependency for checkstyle to get that version managed by renovate. * fix(deps): update dependency org.keycloak:keycloak-admin-client to v26.0.8 (apache#3405) * fix(deps): update dependency com.google.errorprone:error_prone_core to v2.46.0 (apache#3382) * [doc]: Add Minio OSS disclaimer (apache#3390) * [Releasy] Let Maven artifact publication propagate failures (apache#3407) The Gradle build to publish the Maven artifacts is invoked like `./gradlew ... | tee <log>`. The (overall) exit code of pipes is the exit code of the _last_ command. The exit codes of all pipe "parts" is available in bash's `PIPESTATUS` array and needs to be checked. * Fix Gradle up-to-date of jars (apache#3401) The change apache#1036 added the Maven pom.xml to all built jars. However, the `GenerateMavenPom` Gradle task type is never up-to-date, in consequence no jar can ever be up-to-date, leading to unnecessarily longer build times. This change ensures that the pom.xml is included in release builds, but not in developer/snapshot builds. * fix(deps): update dependency net.ltgt.gradle:gradle-errorprone-plugin to v4.4.0 (apache#3406) * fix(deps): update dependency com.puppycrawl.tools:checkstyle to v13 (apache#3403) * fix(deps): update dependency io.opentelemetry:opentelemetry-bom to v1.58.0 (apache#3408) * fix(deps): update dependency software.amazon.awssdk:bom to v2.41.5 (apache#3416) * chore(deps): update dependency jupyterlab to v4.5.2 (apache#3419) * Release workflows should retry svn checkout in case of failure (apache#3393) * Change parser option to be required (apache#3413) * Support hierarchical namespace in Azure (apache#3347) * Support hierarchical namespace in Azure * Add `hierarchical` to `AzureStorageConfigInfo` (the default is unset translating to current behaviour). * Use `DataLakeDirectoryClient` instead of `DataLakeFileSystemClient` for generating SAS tokens when `hierarchical` is set to `true`. * Add `cloudTest` classes for testing with credential vending in ADLS. * chore(test): Increase Authorization Test Coverage (apache#3332) * increase test coverage * update docstrings * clean up * make use of same helper method * remove duplicate tests from OpaIntegrationTest * use tempdir * fix(deps): update dependency io.micrometer:micrometer-bom to v1.16.2 (apache#3422) * chore(deps): update registry.access.redhat.com/ubi9/openjdk-21-runtime docker tag to v1.24-2.1767878250 (apache#3421) * Last merged commit 1996156 * Add free-disk-space action * Add free-disk-space action to regtest + spark_client_regtests --------- Co-authored-by: Anand K Sankaran <lists@anands.net> Co-authored-by: Anand Kumar Sankaran <anand.sankaran@workday.com> Co-authored-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: cccs-cat001 <56204545+cccs-cat001@users.noreply.github.com> Co-authored-by: Pierre Laporte <pierre@pingtimeout.fr> Co-authored-by: Yong Zheng <yongzheng0809@gmail.com> Co-authored-by: Dmitri Bourlatchkov <dmitri.bourlatchkov@gmail.com> Co-authored-by: Sung Yun <107272191+sungwy@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR improves authorization test coverage for:
PolarisAuthorizerImplbased unit tests including missing listAssigneePrincipalRoles and listGrants for CatalogRole callsOpaPolarisAuthorizerintegration tests for endpoints that invoke authorization calls in the different handlers (PolarisAdminService,IcebergCatalogHandler,GenericTableCatalogHandler,PolicyCatalogHandler)While exploring an alternative refactor of the PolarisAuthorizer API (similar to #3228) it became clear that broader coverage of these authorization paths was needed to reason about the behavioral impact of changing RBAC resolution in the authorization flow.
Checklist
CHANGELOG.md(if needed)site/content/in-dev/unreleased(if needed)