From e1923eafc79c52f13c7479d3b33751757a4a55ac Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Tue, 30 Jul 2024 17:21:20 -0700 Subject: [PATCH 01/10] rebase --- .../auth/PolarisAuthorizableOperation.java | 1 + .../catalog/PolarisCatalogHandlerWrapper.java | 74 ++++++++----------- 2 files changed, 31 insertions(+), 44 deletions(-) diff --git a/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java b/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java index 1b82ff2fb9..560f868bc0 100644 --- a/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java +++ b/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java @@ -187,6 +187,7 @@ public enum PolarisAuthorizableOperation { REVOKE_VIEW_GRANT_FROM_CATALOG_ROLE( VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE), LIST_GRANTS_ON_VIEW(VIEW_LIST_GRANTS), + CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION(EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)), ; private final EnumSet privilegesOnTarget; diff --git a/polaris-service/src/main/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapper.java b/polaris-service/src/main/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapper.java index 8197e5826a..c1ce6a5069 100644 --- a/polaris-service/src/main/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapper.java +++ b/polaris-service/src/main/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapper.java 
@@ -551,7 +551,8 @@ public LoadTableResponse createTableDirect(Namespace namespace, CreateTableReque public LoadTableResponse createTableDirectWithWriteDelegation( Namespace namespace, CreateTableRequest request) { - PolarisAuthorizableOperation op = PolarisAuthorizableOperation.CREATE_TABLE_DIRECT; + PolarisAuthorizableOperation op = + PolarisAuthorizableOperation.CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION; authorizeCreateTableLikeUnderNamespaceOperationOrThrow( op, TableIdentifier.of(namespace, request.name())); @@ -591,20 +592,18 @@ public LoadTableResponse createTableDirectWithWriteDelegation( LoadTableResponse.Builder responseBuilder = LoadTableResponse.builder().withTableMetadata(tableMetadata); if (baseCatalog instanceof SupportsCredentialDelegation credentialDelegation) { - try { - Set actionsRequested = - getValidTableActionsOrThrow(tableIdentifier); - - LOG.atDebug() - .addKeyValue("tableIdentifier", tableIdentifier) - .addKeyValue("tableLocation", tableMetadata.location()) - .log("Fetching client credentials for table"); - responseBuilder.addAllConfig( - credentialDelegation.getCredentialConfig( - tableIdentifier, tableMetadata, actionsRequested)); - } catch (ForbiddenException | NoSuchTableException e) { - // No privileges available - } + LOG.atDebug() + .addKeyValue("tableIdentifier", tableIdentifier) + .addKeyValue("tableLocation", tableMetadata.location()) + .log("Fetching client credentials for table"); + responseBuilder.addAllConfig( + credentialDelegation.getCredentialConfig( + tableIdentifier, + tableMetadata, + Set.of( + PolarisStorageActions.READ, + PolarisStorageActions.WRITE, + PolarisStorageActions.LIST))); } return responseBuilder.build(); } else if (table instanceof BaseMetadataTable) { 
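Review bot: The credential request in the `SupportsCredentialDelegation` branch (second hunk) now always asks for READ, WRITE and LIST, so the only thing limiting what is vended is the authorization call at the top of createTableDirectWithWriteDelegation, shown in the first hunk. That operation is declared in this patch as `EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)`, with no read privilege. This appears consistent with loadTableWithAccessDelegation, where READ and LIST are the base set and WRITE is added on top, but nothing here says so. I would add a comment above the `Set.of(...)`: `// Authorized above for CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION; TABLE_WRITE_DATA is treated as implying read and list access, keep this set in sync with that operation.` The method body continues outside both hunks.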
@@ -706,18 +705,13 @@ public LoadTableResponse createTableStagedWithWriteDelegation( LoadTableResponse.builder().withTableMetadata(metadata); if (baseCatalog instanceof SupportsCredentialDelegation credentialDelegation) { - try { - Set actionsRequested = getValidTableActionsOrThrow(ident); - - LOG.atDebug() - .addKeyValue("tableIdentifier", ident) - .addKeyValue("tableLocation", metadata.location()) - .log("Fetching client credentials for table"); - responseBuilder.addAllConfig( - credentialDelegation.getCredentialConfig(ident, metadata, actionsRequested)); - } catch (ForbiddenException | NoSuchTableException e) { - // No privileges available - } + LOG.atDebug() + .addKeyValue("tableIdentifier", ident) + .addKeyValue("tableLocation", metadata.location()) + .log("Fetching client credentials for table"); + responseBuilder.addAllConfig( + credentialDelegation.getCredentialConfig( + ident, metadata, Set.of(PolarisStorageActions.ALL))); } return responseBuilder.build(); }); 
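Review bot: The staged path requests `Set.of(PolarisStorageActions.ALL)`, which is broader than the READ, WRITE, LIST set the direct path requests, although both operations are declared with the same privileges (`TABLE_CREATE`, `TABLE_WRITE_DATA`) in PolarisAuthorizableOperation. Before this change the set came from getValidTableActionsOrThrow, which never returned more than READ, LIST and WRITE, so this widens what a staged create can receive; ALL presumably covers every storage action. Unless staged creation needs an action beyond those three, I would pass the same explicit set here: `ident, metadata, Set.of(PolarisStorageActions.READ, PolarisStorageActions.WRITE, PolarisStorageActions.LIST)));`. The enclosing lambda starts outside the hunk.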
@@ -779,11 +773,18 @@ public LoadTableResponse loadTable(TableIdentifier tableIdentifier, String snaps return doCatalogOperation(() -> CatalogHandlers.loadTable(baseCatalog, tableIdentifier)); } - private Set getValidTableActionsOrThrow(TableIdentifier tableIdentifier) { + public LoadTableResponse loadTableWithAccessDelegation( + TableIdentifier tableIdentifier, String xIcebergAccessDelegation, String snapshots) { + // Here we have a single method that falls through multiple candidate + // PolarisAuthorizableOperations because instead of identifying the desired operation up-front + // and + // failing the authz check if grants aren't found, we find the first most-privileged authz match + // and respond according to that. PolarisAuthorizableOperation read = PolarisAuthorizableOperation.LOAD_TABLE_WITH_READ_DELEGATION; PolarisAuthorizableOperation write = PolarisAuthorizableOperation.LOAD_TABLE_WITH_WRITE_DELEGATION; + Set actionsRequested = new HashSet<>(Set.of(PolarisStorageActions.READ, PolarisStorageActions.LIST)); try { 
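Review bot: The block comment moved to the top of loadTableWithAccessDelegation still carries an orphaned `// and` line from an earlier re-wrap, and the now-public entry point has no Javadoc. I would rewrap the comment so the sentence reads continuously. I would also add a short Javadoc stating that READ and LIST are always requested and that WRITE is added only when the LOAD_TABLE_WITH_WRITE_DELEGATION check passes, since that is the contract callers rely on for vended credentials. The method body continues into the next hunk.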
@@ -791,27 +792,12 @@ private Set getValidTableActionsOrThrow(TableIdentifier t // easily. authorizeBasicTableLikeOperationOrThrow(write, PolarisEntitySubType.TABLE, tableIdentifier); actionsRequested.add(PolarisStorageActions.WRITE); - } catch (ForbiddenException | NoSuchTableException e) { - LOG.atDebug() - .addKeyValue("tableIdentifier", tableIdentifier) - .log("Authz failed for LOAD_TABLE_WITH_WRITE_DELEGATION so attempting READ only"); + } catch (ForbiddenException e) { authorizeBasicTableLikeOperationOrThrow(read, PolarisEntitySubType.TABLE, tableIdentifier); } - return actionsRequested; - } - - public LoadTableResponse loadTableWithAccessDelegation( - TableIdentifier tableIdentifier, String xIcebergAccessDelegation, String snapshots) { - // Here we have a single method that falls through multiple candidate - // PolarisAuthorizableOperations because instead of identifying the desired operation up-front - // and - // failing the authz check if grants aren't found, we find the first most-privileged authz match - // and respond according to that. // TODO: Find a way for the configuration or caller to better express whether to fail or omit // when data-access is specified but access delegation grants are not found. - Set actionsRequested = getValidTableActionsOrThrow(tableIdentifier); - return doCatalogOperation( () -> { Table table = baseCatalog.loadTable(tableIdentifier); From 6c87344d4898d9b487a6a5e76cd12c675acb60dc Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Tue, 30 Jul 2024 17:25:31 -0700 Subject: [PATCH 02/10] cherrypick test --- .../src/test_spark_sql_s3_with_privileges.py | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py index 313cd4334b..808ff696e4 100644 --- a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py +++ b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py 
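Review bot: The fallback from the write check to the read check is now silent, because the catch block dropped the debug log that recorded `Authz failed for LOAD_TABLE_WITH_WRITE_DELEGATION so attempting READ only`. This branch decides whether WRITE ends up in the vended storage actions, so a log line with the table identifier keeps a downgraded grant traceable. I would restore it inside the catch: `LOG.atDebug().addKeyValue("tableIdentifier", tableIdentifier).log("Write delegation not authorized; falling back to read delegation");`. Narrowing the catch to ForbiddenException means a NoSuchTableException from the write check now propagates directly, which looks intended. The method starts in the previous hunk and continues past this one.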
@@ -883,6 +883,32 @@ def test_spark_credentials_s3_scoped_to_metadata_data_locations(root_client, sno spark.sql('DROP NAMESPACE db1.schema') spark.sql('DROP NAMESPACE db1') +@pytest.mark.skipif(os.environ.get('AWS_TEST_ENABLED', 'False').lower() != 'true', reason='AWS_TEST_ENABLED is not set or is false') +def test_spark_ctas(snowflake_catalog, polaris_catalog_url, snowman): + """ + Create a table using CTAS and ensure that credentials are vended + :param root_client: + :param snowflake_catalog: + :return: + """ + with IcebergSparkSession(credentials=f'{snowman.principal.client_id}:{snowman.credentials.client_secret}', + catalog_name=snowflake_catalog.name, + polaris_url=polaris_catalog_url) as spark: + table_name = f'iceberg_test_table_{str(uuid.uuid4())[-10:]}' + spark.sql(f'USE {snowflake_catalog.name}') + spark.sql('CREATE NAMESPACE db1') + spark.sql('CREATE NAMESPACE db1.schema') + spark.sql('USE db1.schema') + spark.sql(f'CREATE TABLE {table_name}_t1 (col1 int)') + spark.sql('SHOW TABLES') + + # Insert some data + spark.sql(f"INSERT INTO {table_name}_t1 VALUES (10)") + + # Run CTAS + spark.sql(f"CREATE TABLE {table_name}_t2 AS SELECT * FROM {table_name}_t1") + + def create_catalog_role(api, catalog, role_name): catalog_role = CatalogRole(name=role_name) try: From f0da1b721489969defb279e69b271e9006f6cb8d Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 11:31:09 -0700 Subject: [PATCH 03/10] redo test change --- .../src/test_spark_sql_s3_with_privileges.py | 37 ++++++++----------- 1 file changed, 16 insertions(+), 21 deletions(-) diff --git a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py index 808ff696e4..2e28f4d722 100644 --- a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py +++ b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py 
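Review bot: test_spark_ctas asserts nothing and leaves its tables and the `db1` / `db1.schema` namespaces behind, unlike the preceding test, which ends with the two `DROP NAMESPACE` statements. As written it passes whenever the CTAS statement does not raise, and a rerun against the same catalog would presumably fail on `CREATE NAMESPACE db1`. I would read the new table back and assert on the row count (assuming `sql()` returns a DataFrame as in PySpark), then drop both tables and namespaces. The docstring also lists `:param root_client:`, which is not a parameter of this function.

```python
# … unchanged: session setup, namespace creation, create/insert into _t1 …
        # Run CTAS
        spark.sql(f"CREATE TABLE {table_name}_t2 AS SELECT * FROM {table_name}_t1")
        assert spark.sql(f"SELECT * FROM {table_name}_t2").count() == 1

        spark.sql(f'DROP TABLE {table_name}_t2 PURGE')
        spark.sql(f'DROP TABLE {table_name}_t1 PURGE')
        spark.sql('DROP NAMESPACE db1.schema')
        spark.sql('DROP NAMESPACE db1')
```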
@@ -742,8 +742,7 @@ def test_spark_credentials_s3_direct_without_write(root_client, snowflake_catalo def test_spark_credentials_s3_direct_without_read( snowflake_catalog, snowman_catalog_client, creator_catalog_client, test_bucket): """ - Create a table using `creator`, which does not have TABLE_READ_DATA and ensure that credentials to read the table - are not vended. + Create a table using `creator`, which does not have TABLE_READ_DATA and expect a `ForbiddenException` """ snowman_catalog_client.create_namespace( prefix=snowflake_catalog.name, @@ -752,26 +751,22 @@ def test_spark_credentials_s3_direct_without_read( ) ) - response = creator_catalog_client.create_table( - prefix=snowflake_catalog.name, - namespace="some_schema", - x_iceberg_access_delegation="true", - create_table_request=CreateTableRequest( - name="some_table", - var_schema=ModelSchema( - type = 'struct', - fields = [], - ) - ) - ) - - assert not response.config + try: + creator_catalog_client.create_table( + prefix=snowflake_catalog.name, + namespace="some_schema", + x_iceberg_access_delegation="true", + create_table_request=CreateTableRequest( + name="some_table", + var_schema=ModelSchema( + type = 'struct', + fields = [], + )g + ) + ) + except ApiException as e: + assert 'ForbiddenException' in str(e) - snowman_catalog_client.drop_table( - prefix=snowflake_catalog.name, - namespace="some_schema", - table="some_table" - ) snowman_catalog_client.drop_namespace( prefix=snowflake_catalog.name, namespace="some_schema" From 17caf2960d33056c7d415c511b309f180ef5d297 Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 11:44:35 -0700 Subject: [PATCH 04/10] stable --- .../t_pyspark/src/test_spark_sql_s3_with_privileges.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py index 2e28f4d722..5994fb0bf8 100644 
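Review bot: The updated docstring in the first hunk says `creator` lacks TABLE_READ_DATA, but the operation this series introduces for the call is declared as `EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)`, so the rejection exercised in the second hunk would come from a missing TABLE_WRITE_DATA. If that is what the fixture withholds, the docstring should say so: `Create a table using `creator`, which does not have TABLE_WRITE_DATA, and expect the delegated create to be rejected as forbidden.` The test name `..._direct_without_read` has the same mismatch. The fixture that defines `creator`'s grants is outside the hunk, so this should be confirmed against it.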
--- a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py +++ b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py @@ -35,6 +35,7 @@ from polaris.management import PolarisDefaultApi, Principal, PrincipalRole, CatalogRole, \ CatalogGrant, CatalogPrivilege, ApiException, CreateCatalogRoleRequest, CreatePrincipalRoleRequest, \ CreatePrincipalRequest, AddGrantRequest, GrantCatalogRoleRequest, GrantPrincipalRoleRequest +from polaris.management.exceptions import ForbiddenException @pytest.fixture @@ -761,11 +762,11 @@ def test_spark_credentials_s3_direct_without_read( var_schema=ModelSchema( type = 'struct', fields = [], - )g + ) ) ) - except ApiException as e: - assert 'ForbiddenException' in str(e) + except Exception as e: + assert 'CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION' in str(e) snowman_catalog_client.drop_namespace( prefix=snowflake_catalog.name, From 6f457799f413417bf8f24a997d01f18dedea1b20 Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 11:52:16 -0700 Subject: [PATCH 05/10] Added authz test --- .../auth/PolarisAuthorizableOperation.java | 2 +- ...PolarisCatalogHandlerWrapperAuthzTest.java | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java b/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java index 560f868bc0..602172fefc 100644 --- a/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java +++ b/polaris-core/src/main/java/io/polaris/core/auth/PolarisAuthorizableOperation.java 
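Review bot: The second hunk widens the handler from `except ApiException` to `except Exception`, while the `ForbiddenException` import added in the first hunk is never used. A broad catch lets any error whose message happens to contain the operation name satisfy the authorization test, and the test still passes if `create_table` succeeds. The later hunk that adds `pytest.fail` inside the `try` only works because pytest's failure exception is not an `Exception` subclass. I would make the expectation explicit with `with pytest.raises(ForbiddenException) as exc_info:` around the call, followed by `assert 'CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION' in str(exc_info.value)`. If the catalog client raises its own exception class rather than the management one imported here, import that class instead.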
@@ -89,6 +89,7 @@ public enum PolarisAuthorizableOperation { UPDATE_NAMESPACE_PROPERTIES(NAMESPACE_WRITE_PROPERTIES), LIST_TABLES(TABLE_LIST), CREATE_TABLE_DIRECT(TABLE_CREATE), + CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION(EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)), CREATE_TABLE_STAGED(TABLE_CREATE), CREATE_TABLE_STAGED_WITH_WRITE_DELEGATION(EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)), REGISTER_TABLE(TABLE_CREATE), @@ -187,7 +188,6 @@ public enum PolarisAuthorizableOperation { REVOKE_VIEW_GRANT_FROM_CATALOG_ROLE( VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE), LIST_GRANTS_ON_VIEW(VIEW_LIST_GRANTS), - CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION(EnumSet.of(TABLE_CREATE, TABLE_WRITE_DATA)), ; private final EnumSet privilegesOnTarget; diff --git a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index b4a3c370ed..f2c3b28487 100644 --- a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java 
@@ -575,6 +575,33 @@ public void testCreateTableDirectInsufficientPermissions() { }); } + @Test + public void testCreateTableDirectWithWriteDelegationInsufficientPermissions() { + final CreateTableRequest createDirectWithWriteDelegationRequest = + CreateTableRequest.builder() + .withName("stagetable") + .withSchema(SCHEMA) + .stageCreate() + .build(); + + doTestInsufficientPrivileges( + List.of( + PolarisPrivilege.NAMESPACE_FULL_METADATA, + PolarisPrivilege.VIEW_FULL_METADATA, + PolarisPrivilege.TABLE_DROP, + PolarisPrivilege.TABLE_CREATE, // TABLE_CREATE itself is insufficient for delegation + PolarisPrivilege.TABLE_READ_PROPERTIES, + PolarisPrivilege.TABLE_WRITE_PROPERTIES, + PolarisPrivilege.TABLE_READ_DATA, + PolarisPrivilege.TABLE_WRITE_DATA, + PolarisPrivilege.TABLE_LIST), + () -> { + newWrapper(Set.of(PRINCIPAL_ROLE1)) + .createTableDirectWithWriteDelegation( + NS2, createDirectWithWriteDelegationRequest); + }); + } + @Test public void testCreateTableStagedAllSufficientPrivileges() { Assertions.assertThat( From b635bd782f0aca397988878b0110a98344dc1bbf Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 11:53:27 -0700 Subject: [PATCH 06/10] mega nit --- .../service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index f2c3b28487..1dff94a075 100644 --- a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java 
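Review bot: The request built for this direct-create authorization test still calls `.stageCreate()`, which looks copied from the staged test along with the `stagetable` name. In this negative test the authorization check presumably fails before the flag matters, but the same builder chain is reused in testCreateTableDirectWithWriteDelegationAllSufficientPrivileges added later in the series. There the call is expected to succeed, so a staged request may not exercise the direct path. I would drop the flag in both tests: `CreateTableRequest.builder().withName("directtable").withSchema(SCHEMA).build();`.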
@@ -579,7 +579,7 @@ public void testCreateTableDirectInsufficientPermissions() { public void testCreateTableDirectWithWriteDelegationInsufficientPermissions() { final CreateTableRequest createDirectWithWriteDelegationRequest = CreateTableRequest.builder() - .withName("stagetable") + .withName("directtable") .withSchema(SCHEMA) .stageCreate() .build(); From de37de2f83cc6346834edbb9570aab828836a0a2 Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 11:54:04 -0700 Subject: [PATCH 07/10] style --- .../service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index 1dff94a075..4e5e7c2762 100644 --- a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java @@ -597,8 +597,7 @@ public void testCreateTableDirectWithWriteDelegationInsufficientPermissions() { PolarisPrivilege.TABLE_LIST), () -> { newWrapper(Set.of(PRINCIPAL_ROLE1)) - .createTableDirectWithWriteDelegation( - NS2, createDirectWithWriteDelegationRequest); + .createTableDirectWithWriteDelegation(NS2, createDirectWithWriteDelegationRequest); }); } From b0b1d9fe34bdcdcd69adf1f17c363583517f006f Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 12:17:13 -0700 Subject: [PATCH 08/10] another test --- ...PolarisCatalogHandlerWrapperAuthzTest.java | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index 4e5e7c2762..12983f97fe 100644 
--- a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java @@ -575,6 +575,40 @@ public void testCreateTableDirectInsufficientPermissions() { }); } + @Test + public void testCreateTableDirectWithWriteDelegationAllSufficientPrivileges() { + Assertions.assertThat( + adminService.grantPrivilegeOnCatalogToRole( + CATALOG_NAME, CATALOG_ROLE2, PolarisPrivilege.TABLE_DROP)) + .isTrue(); + Assertions.assertThat( + adminService.grantPrivilegeOnCatalogToRole( + CATALOG_NAME, CATALOG_ROLE2, PolarisPrivilege.TABLE_WRITE_DATA)) + .isTrue(); + + final TableIdentifier newtable = TableIdentifier.of(NS2, "newtable"); + final CreateTableRequest createDirectWithWriteDelegationRequest = + CreateTableRequest.builder() + .withName("newtable") + .withSchema(SCHEMA) + .stageCreate() + .build(); + + doTestSufficientPrivilegeSets( + List.of( + Set.of(PolarisPrivilege.TABLE_CREATE, PolarisPrivilege.TABLE_WRITE_DATA), + Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)), + () -> { + newWrapper(Set.of(PRINCIPAL_ROLE1)) + .createTableDirectWithWriteDelegation( + NS2, createDirectWithWriteDelegationRequest); + }, + () -> { + newWrapper(Set.of(PRINCIPAL_ROLE2)).dropTableWithPurge(newtable); + }, + PRINCIPAL_NAME); + } + @Test public void testCreateTableDirectWithWriteDelegationInsufficientPermissions() { final CreateTableRequest createDirectWithWriteDelegationRequest = From 6bdd0031f88bcfe22dd902c28d824e0fcbbcdaef Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 13:02:54 -0700 Subject: [PATCH 09/10] extend test --- regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py | 1 + 1 file changed, 1 insertion(+) diff --git a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py index 5994fb0bf8..8457919749 100644 
--- a/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py +++ b/regtests/t_pyspark/src/test_spark_sql_s3_with_privileges.py @@ -765,6 +765,7 @@ def test_spark_credentials_s3_direct_without_read( ) ) ) + pytest.fail("Expected exception when creating a table without TABLE_WRITE") except Exception as e: assert 'CREATE_TABLE_DIRECT_WITH_WRITE_DELEGATION' in str(e) From 670c2851fcb3526c1df008b5975c3030b5b58254 Mon Sep 17 00:00:00 2001 From: Eric Maynard Date: Wed, 31 Jul 2024 14:15:35 -0700 Subject: [PATCH 10/10] lint --- .../catalog/PolarisCatalogHandlerWrapperAuthzTest.java | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index 12983f97fe..d68382dc56 100644 --- a/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/io/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java @@ -588,11 +588,7 @@ public void testCreateTableDirectWithWriteDelegationAllSufficientPrivileges() { final TableIdentifier newtable = TableIdentifier.of(NS2, "newtable"); final CreateTableRequest createDirectWithWriteDelegationRequest = - CreateTableRequest.builder() - .withName("newtable") - .withSchema(SCHEMA) - .stageCreate() - .build(); + CreateTableRequest.builder().withName("newtable").withSchema(SCHEMA).stageCreate().build(); doTestSufficientPrivilegeSets( List.of( 
@@ -600,8 +596,7 @@ public void testCreateTableDirectWithWriteDelegationAllSufficientPrivileges() { Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)), () -> { newWrapper(Set.of(PRINCIPAL_ROLE1)) - .createTableDirectWithWriteDelegation( - NS2, createDirectWithWriteDelegationRequest); + .createTableDirectWithWriteDelegation(NS2, createDirectWithWriteDelegationRequest); }, () -> { newWrapper(Set.of(PRINCIPAL_ROLE2)).dropTableWithPurge(newtable);