yuqi1129 opened a new issue, #11575:
URL: https://github.com/apache/gravitino/issues/11575

### Describe the subtask

With identity propagation (Task 1/2) and write tools enabled (Task 3/7), add integration tests that spin up a real Gravitino instance and verify that different principals get correctly differentiated responses through MCP — covering the three demo acceptance moments:

1. Two principals issue the same list call and get differently scoped results
2. A read-only principal attempts a write and is denied by Gravitino authorization
3. Both the reads and the denied write appear as audit records attributed to the correct principal

**Test approach:**

These tests require a running Gravitino server, so they should be tagged `@Tag("gravitino-docker-test")` (or the Python equivalent) and run in CI via Docker Compose. The recommended structure:

```
tests/integration/
├── conftest.py            # start MCP server in HTTP mode against a live Gravitino instance
├── test_authz_scoping.py  # Moment 1: two principals, different list results
├── test_write_denial.py   # Moment 2: read-only principal denied on write tool
└── test_audit_trail.py    # Moment 3: audit log records attributed to correct principal
```

**CI integration:**

Add a GitHub Actions job (or extend the existing docker-test matrix) that:
1. Starts Gravitino via Docker Compose with authorization enabled (Ranger or built-in policy engine)
2. Seeds two roles: `admin-role` (full access) and `readonly-role` (list-only on a specific catalog)
3. Creates two service tokens bound to each role
4. Starts the MCP server in HTTP transport mode with `--transport http`
5. Runs `pytest tests/integration/ -m gravitino_docker`

**Acceptance:**
- `test_authz_scoping`: `GET /catalogs` with admin token returns N catalogs; same call with readonly token returns only the permitted subset
- `test_write_denial`: `create_tag` with readonly token returns HTTP 403 from Gravitino, propagated as an MCP tool error
- `test_audit_trail`: `gravitino-mcp-audit.log` contains one `allow` record attributed to admin principal and one `deny` record attributed to readonly principal
   
   ### Parent issue
   
   https://github.com/apache/gravitino/issues/11573
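The three acceptance checks above, written as pytest-style functions, as an added example that is not part of this issue or of the Gravitino project. The checks take an MCP-like `client` with a `call_tool(name, args, token)` method and an `audit_log()` accessor; in the real suite `conftest.py` would supply one bound to the HTTP-mode MCP server. Everything else is an assumption made so the module runs offline: the token values, the `list_catalogs`/`list_tags` tool names, the catalog names, the JSON-lines audit record format (`principal`, `tool`, `decision` keys), and the `FakeGravitinoMcp` stand-in that models a scoped list, a 403 on write, and audit emission. The MCP tool-result shape (`content` list plus `isError`) follows the MCP spec.

```python
"""Acceptance checks for identity propagation through MCP (added example).
Run with: python -m pytest thisfile.py  or simply: python thisfile.py"""
import json
from collections import Counter

ADMIN_TOKEN = "tok-admin"        # assumption: CI seeds real service tokens
READONLY_TOKEN = "tok-readonly"  # assumption


# ---- the three checks; `client` is whatever conftest.py provides ----------

def check_authz_scoping(client, permitted):
    """Moment 1: same list call, two principals, differently scoped results.
    Returns readonly's view; fails unless it is exactly the permitted subset
    and strictly narrower than admin's (guards against both over-exposure and
    a misconfigured readonly role that sees nothing)."""
    admin = set(client.call_tool("list_catalogs", {}, ADMIN_TOKEN)["catalogs"])
    ro = set(client.call_tool("list_catalogs", {}, READONLY_TOKEN)["catalogs"])
    assert ro == set(permitted), f"readonly saw {ro}, expected {set(permitted)}"
    assert ro < admin, "readonly result must be a strict subset of admin's"
    return sorted(ro)


def check_write_denial(client):
    """Moment 2: a write by the readonly principal must surface as an MCP tool
    error (isError=True) carrying Gravitino's 403, and must not take effect."""
    result = client.call_tool("create_tag", {"metalake": "demo", "name": "pii"},
                              READONLY_TOKEN)
    assert result.get("isError") is True, "denial must be an MCP tool error"
    text = " ".join(c["text"] for c in result["content"] if c["type"] == "text")
    assert "403" in text, f"expected Gravitino 403 in tool error, got: {text}"
    tags = client.call_tool("list_tags", {"metalake": "demo"}, ADMIN_TOKEN)["tags"]
    assert "pii" not in tags, "denied write must not have been applied"
    return text


def audit_attribution(log_text):
    """Moment 3 helper: count audit records per (principal, decision).
    Assumed record format: one JSON object per line with principal/tool/decision."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            counts[(rec["principal"], rec["decision"])] += 1
    return counts


def check_audit_trail(client):
    """Moment 3: reads and the denied write are attributed to the right principal,
    and nothing is attributed to an unknown or anonymous principal."""
    counts = audit_attribution(client.audit_log())
    assert counts[("admin", "allow")] >= 1, "admin reads must be audited as allow"
    assert counts[("readonly", "deny")] == 1, "exactly one denied write expected"
    assert all(p in ("admin", "readonly") for p, _ in counts), "unattributed record"
    return counts


# ---- constructed in-memory stand-in so the checks run offline ------------

class FakeGravitinoMcp:
    """Assumption: models MCP server + Gravitino authz. list_* is allowed for
    both roles (scoped for readonly); writes are admin-only and return 403."""
    TOKENS = {ADMIN_TOKEN: ("admin", "admin-role"),
              READONLY_TOKEN: ("readonly", "readonly-role")}
    CATALOGS = ["hive_prod", "iceberg_lake", "jdbc_ops"]   # constructed names
    READONLY_CATALOGS = ["hive_prod"]

    def __init__(self):
        self.tags, self._audit = [], []

    def call_tool(self, name, args, token):
        principal, role = self.TOKENS[token]          # identity propagation
        allowed = name.startswith("list_") or role == "admin-role"
        self._audit.append(json.dumps({"principal": principal, "tool": name,
                                       "decision": "allow" if allowed else "deny"}))
        if not allowed:
            return {"isError": True, "content": [
                {"type": "text", "text": f"Gravitino returned HTTP 403 Forbidden for {name}"}]}
        if name == "list_catalogs":
            return {"catalogs": list(self.CATALOGS if role == "admin-role"
                                     else self.READONLY_CATALOGS)}
        if name == "list_tags":
            return {"tags": list(self.tags)}
        if name == "create_tag":
            self.tags.append(args["name"])
            return {"content": [{"type": "text", "text": "created"}]}
        raise KeyError(name)

    def audit_log(self):
        return "\n".join(self._audit) + "\n"


def run_acceptance(client=None):
    """Run all three moments in order and return what each observed."""
    client = client or FakeGravitinoMcp()
    scoped = check_authz_scoping(client, FakeGravitinoMcp.READONLY_CATALOGS)
    denial = check_write_denial(client)
    counts = check_audit_trail(client)
    return {"readonly_catalogs": scoped, "denial": denial, "audit": dict(counts)}


if __name__ == "__main__":
    print(run_acceptance())
```

Against the real server, only `FakeGravitinoMcp` goes away: `conftest.py` would hand the three checks a client that speaks HTTP to the MCP server and reads `gravitino-mcp-audit.log`, and `permitted` would be the catalog list the `readonly-role` was seeded with.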

