-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suppress access denied exception when listing all tables/views in a Glue database #14998
Suppress access denied exception when listing all tables/views in a Glue database #14998
Conversation
plugin/trino-hive/src/test/java/io/trino/plugin/hive/metastore/glue/TestHiveGlueMetastore.java
Outdated
Show resolved
Hide resolved
dc02c86
to
20b01f1
Compare
* </pre> | ||
*/ | ||
@Test | ||
public void testGetAllEntitiesOnAccessDeniedDatabase() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pettyjamesm do you have any insights about how this fix can be cleanly tested without using a manually defined Glue permission policy?
While trying to programmatically change the AWS Glue permission policies we've (see #14849 ) bumped into the constraint that the changes perform on the Glue Data Catalog programmatically may overwrite either configuration AWS Glue configuration affecting builds which run on the same time or remove existing AWS Glue permission policies which were previously manually configured.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think your options are basically either:
- mock the AWS client to throw access denied in the specific test
- manually define a separate Glue permission policy / IAM role for this purpose in test
- use a "create if not exists" pattern to programatically define an IAM role / Glue table with the specific required permissions such that repeated / concurrent runs will only create it once and therefore shouldn't generally interfere with each other while also allowing new environments to create the required objects on-demand during the first run
…ue database Co-authored-by: albericgenius <[email protected]>
20b01f1
to
ed4080c
Compare
Description
Fix #14746
As per offline discussion due to difficulties which may be caused by the fact that the permission policy for the Glue database which has
glue:GetTables
permission denied we've decided to put up this PR without corresponding tests. Do note however that the PR changes have been locally tested against AWS Glue.Non-technical explanation
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text: