Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Suppress access denied exception when listing all tables/views in a Glue database #14998

Merged

Conversation

findinpath
Copy link
Contributor

@findinpath findinpath commented Nov 11, 2022

Description

Fix #14746

As per offline discussion due to difficulties which may be caused by the fact that the permission policy for the Glue database which has glue:GetTables permission denied we've decided to put up this PR without corresponding tests. Do note however that the PR changes have been locally tested against AWS Glue.

Non-technical explanation

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# Hive
* Suppress access denied exception when listing all tables/views in a Glue database

* </pre>
*/
@Test
public void testGetAllEntitiesOnAccessDeniedDatabase()
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pettyjamesm do you have any insights about how this fix can be cleanly tested without using a manually defined Glue permission policy?

While trying to programmatically change the AWS Glue permission policies we've (see #14849 ) bumped into the constraint that the changes perform on the Glue Data Catalog programmatically may overwrite either configuration AWS Glue configuration affecting builds which run on the same time or remove existing AWS Glue permission policies which were previously manually configured.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think your options are basically either:

  • mock the AWS client to throw access denied in the specific test
  • manually define a separate Glue permission policy / IAM role for this purpose in test
  • use a "create if not exists" pattern to programatically define an IAM role / Glue table with the specific required permissions such that repeated / concurrent runs will only create it once and therefore shouldn't generally interfere with each other while also allowing new environments to create the required objects on-demand during the first run

@findinpath findinpath force-pushed the glue-gettables-on-schema-access-denied branch from 20b01f1 to ed4080c Compare November 18, 2022 17:29
@findinpath findinpath changed the title Supress access denied exception when listing all tables/views in a Glue database Suppress access denied exception when listing all tables/views in a Glue database Nov 18, 2022
@ebyhr ebyhr merged commit 370b7d9 into trinodb:master Nov 22, 2022
@github-actions github-actions bot added this to the 404 milestone Nov 22, 2022
@ebyhr ebyhr mentioned this pull request Nov 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

Hive connector returns an error when query is looking for a schema which does not exist
3 participants