[server] Add authorization to listOffsets for TABLE/DESCRIBE operations #3298

Open
vaibhavk1992 wants to merge 1 commit into apache:main from vaibhavk1992:add-listoffsets-authorization
@vaibhavk1992
Contributor

Summary

Implements authorization checks for the listOffsets method to complete issue #3247.

This PR adds TABLE/DESCRIBE authorization for the three table metadata read operations mentioned in the issue:

  • getTableSchema - Already had authorization
  • listPartitionInfos - Already had authorization
  • listOffsets - Added in this PR

Changes

Server Implementation (TabletService.java)

  • Added authorizeTable(DESCRIBE, request.getTableId()) check in the listOffsets method
  • Added static import for OperationType.DESCRIBE to follow existing code patterns
  • Removed the TODO comment that indicated this authorization was needed

Test Coverage (FlussAuthorizationITCase.java)

  • Added import for OffsetSpec class
  • Extended testDescribeTableOperation test to include listOffsets authorization testing
    • Test 1: Verifies listOffsets throws AuthorizationException when user lacks DESCRIBE permission
    • Test 2: Verifies listOffsets succeeds when user has DESCRIBE permission

Test Plan

  • ✅ Code compiles successfully for both fluss-server and fluss-client modules
  • ✅ Implementation follows existing authorization patterns in the codebase
  • ✅ Tests follow the same structure as other DESCRIBE operation tests (getTableSchema, listPartitionInfos)
  • ✅ Authorization logic is consistent with other table metadata operations

Note: Integration tests have a pre-existing SASL authentication environment issue (Subject.getSubject() not supported) that affects all tests in FlussAuthorizationITCase, not just these changes. This is confirmed by testing the main branch without modifications. The CI pipeline should have the correct Java environment configuration.

Related Issue

Closes #3247

Implements authorization checks for the listOffsets method as part of issue apache#3247.
This completes authorization for all three table metadata read operations:
- getTableSchema (already had authorization)
- listPartitionInfos (already had authorization)
- listOffsets (added in this commit)

Changes:
- Added authorizeTable(DESCRIBE, tableId) check in TabletService.listOffsets()
- Removed TODO comment indicating this work was needed
- Added comprehensive authorization tests in FlussAuthorizationITCase
- Tests verify both authorization denial and success scenarios

This ensures that clients must have DESCRIBE permission on a table before
they can query offset information, preventing unauthorized access to table
metadata.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
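
A toy model of the check-and-test pattern this PR describes, added here as an illustration and not taken from the Fluss code base: the classes, the ACL map and the handler table are hypothetical stand-ins that only reuse the names authorizeTable, DESCRIBE and the three operation names. It goes one step past the PR's two test cases by looping over every metadata read, so a handler added later without an authorizeTable call fails the first assertion.

```java
import java.util.*;
import java.util.function.BiConsumer;

// Added illustration, not Fluss code: every class and map here is a hypothetical stand-in.
public class DescribeGuardDemo {
    enum OperationType { DESCRIBE, WRITE }
    static class AuthorizationException extends RuntimeException {
        AuthorizationException(String msg) { super(msg); }
    }

    // Constructed ACL store: principal -> table id -> granted operations.
    static final Map<String, Map<Long, Set<OperationType>>> ACLS = new HashMap<>();

    // Default deny: a request without a matching grant is rejected.
    static void authorizeTable(String principal, OperationType op, long tableId) {
        Set<OperationType> ops = ACLS.getOrDefault(principal, Map.of()).getOrDefault(tableId, Set.of());
        if (!ops.contains(op)) {
            throw new AuthorizationException(principal + " lacks " + op + " on table " + tableId);
        }
    }

    // Each metadata read authorizes before it would touch table state.
    static final Map<String, BiConsumer<String, Long>> HANDLERS = new LinkedHashMap<>();
    static {
        HANDLERS.put("getTableSchema", (p, t) -> authorizeTable(p, OperationType.DESCRIBE, t));
        HANDLERS.put("listPartitionInfos", (p, t) -> authorizeTable(p, OperationType.DESCRIBE, t));
        HANDLERS.put("listOffsets", (p, t) -> authorizeTable(p, OperationType.DESCRIBE, t));
    }

    // Names of the handlers that served the principal instead of rejecting it.
    static List<String> handlersAnswering(String principal, long tableId) {
        List<String> answered = new ArrayList<>();
        HANDLERS.forEach((name, handler) -> {
            try {
                handler.accept(principal, tableId);
                answered.add(name);
            } catch (AuthorizationException denied) { /* expected without a grant */ }
        });
        return answered;
    }

    public static void main(String[] args) {
        long tableId = 42L; // constructed table id
        if (!handlersAnswering("guest", tableId).isEmpty()) throw new AssertionError("unguarded read");
        ACLS.put("guest", Map.of(tableId, EnumSet.of(OperationType.DESCRIBE)));
        if (handlersAnswering("guest", tableId).size() != HANDLERS.size()) throw new AssertionError("grant ignored");
        System.out.println("all metadata reads enforce DESCRIBE");
    }
}
```

Removing the authorizeTable call from any one handler makes the first check in main throw, which is the regression the PR's denial test guards against for listOffsets.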

Development

Successfully merging this pull request may close these issues.

[server] Add authorization to Table Metadata Read Operations (getTableSchema, listPartitionInfos, listOffsets)
