Namespaces
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Create | ADMIN | BasicAuthorizationTestBase.testNamespcePrivileges |
| Update | ||
| Delete | ADMIN on the namespace, and all entities in the namespace | BasicAuthorizationTestBase.testNamespcePrivileges |
| View/List | Any privilege on the namespace or any of its descendants. | BasicAuthorizationTestBase.testCreatedDeletedPrivileges This needs to have a more comprehensive test to cover the list of as many entities as possible. |
| Get Namespace Meta | Any privilege on the namespace or any of its descendants. | This can be easily added to test and this is covered in unit test. |
Artifacts
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Add | ADMIN | Integration tests only tests deploy app with artifact |
| Add a property | ADMIN | |
| Remove a property | ADMIN | |
| Use to deploy an app | ADMIN | READ | AppAuthorizationTestBase.testDeployApp |
| Delete | ADMIN | |
| View/List | Any privilege on the artifact | |
| Get artifact info/summary/detail | ADMIN | READ | |
| We have tests in unit test but not in integration tests |
Applications
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Add | ADMIN *Also see artifact privileges and principal privileges | AppAuthorizationTestBase.testDeployApp |
| Delete | ADMIN | AppAuthorizationTestBase.testDeployApp |
| View/List | Any privilege on the application or any of its descendants. | can easily add |
| Get application detail | ADMIN | READ | can easily add |
Programs
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Start, Stop, or Debug | EXECUTE | AppAuthorizationTestBase.testDatasetInProgram |
| Set instances | ADMIN | |
| Set runtime arguments | ADMIN | |
| Retrieve runtime arguments | READ | EXECUTE | ADMIN | |
| Retrieve status | AppAuthorizationTestBase.testDatasetInProgram | |
| View/List | easily add | |
| Get program specification | ADMIN | READ |
Datasets
Operation | Privileges Required (Proposed) | Integration Test Name |
|---|---|---|
| Create | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Read | READ | AppAuthorizationTestBase.testDatasetInProgram |
| Retrieving properties | Any of READ, WRITE, ADMIN, or EXECUTE | easily add |
| Write | WRITE | AppAuthorizationTestBase.testDatasetInProgram |
| Update | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Upgrade | ADMIN | |
| Truncate | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| Drop | ADMIN | BasicAuthorizationTestBase.testDatasetPrivileges |
| View/List | BasicAuthorizationTestBase.testDatasetPrivileges | |
| Get dataset meta | ADMIN | READ | WRITE | BasicAuthorizationTestBase.testDatasetPrivileges |
Dataset Modules
Operation | Privileges Required (Proposed) | Integration Test Name |
|---|---|---|
| Deploy | ADMIN | |
| Delete | ADMIN | |
| Delete-all in the namespace | ADMIN on all dataset modules in the namespace | |
| View/List | ||
| Get module meta | ADMIN | READ | |
| Unit test covers add module during app deployment |
Dataset Types
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| View/List | easy to add | |
| Get dataset type meta | ADMIN | READ | BasicAuthorizationTestBase.testDatasetPrivileges |
Secure Keys
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Create | ADMIN | |
| Delete | ADMIN | |
| View/List | ||
| Read | READ (on the key) | |
| We dont have test for any of them |
Streams
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Create | ADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
| Retrieving events | READ | BasicAuthorizationTestBase.testStreamPrivileges |
| Sending events to a stream (sync, async, or batch) | WRITE | BasicAuthorizationTestBase.testStreamPrivileges |
| Drop | ADMIN | BasicAuthorizationTestBase.testStreamPrivileges |
| Drop-all in the namespace | ADMIN on all the streams in the namespace | |
| Update | ADMIN | |
| Truncate | ADMIN | |
| View/List | Easy to add | |
| Get stream property | ADMIN | READ | Easy to add |
Principal
Operation | Privileges Required (Proposed) | Integration test name |
|---|---|---|
| Deploy an app to impersonate a principal | ADMIN | AppImpersonationAuthorizationTest(in pr) |
| Create a namespace with owner prinicpal | ADMIN | NamespaceImpersonationBasicAuthorizationTest |
| Create a dataset with owner prinicpal | ADMIN | AppImpersonationAuthorizationTest(in pr) |
| Create a stream with owner prinicpal | ADMIN |
More in integration tests:
- Test creating namespaces with two different clients and try to delete them to test the explore user name issue(in pr)
- test namespace creation with different owners and make sure the owner is correct(in pr)
- all basic tests with ns/app impersonation, custom mapping
- role based auth test(in pr)