Skip to content

fix: Denial by default to all resources when no permissions set #5663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ntkathole merged 2 commits into from
Jan 13, 2026
Merged

fix: Denial by default to all resources when no permissions set #5663

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
606f98d
Denial by default to all resources when no permissions set
jyejare Oct 13, 2025
11e2026
Tests are updated to match the new behavior
jyejare Dec 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Tests are updated to match the new behavior 
Signed-off-by: jyejare <jyejare@redhat.com>
  • Loading branch information
@jyejare @ntkathole
jyejare authored and ntkathole committed Jan 13, 2026
commit 11e202632509809215c1db5ed625ca90be182f8f
19 changes: 7 additions & 12 deletions sdk/python/feast/permissions/enforcer.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,19 +72,14 @@ def enforce_policy(
if evaluator.is_decided():
grant, explanations = evaluator.grant()
if not grant:
if not filter_only:
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
elif filter_only and not p.name_patterns:
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
else:
if filter_only and p.name_patterns:
continue
if grant:
logger.debug(
f"Permission granted for {type(resource).__name__}:{resource.name}"
)
_permitted_resources.append(resource)
logger.error(f"Permission denied: {','.join(explanations)}")
raise FeastPermissionError(",".join(explanations))
logger.debug(
f"Permission granted for {type(resource).__name__}:{resource.name}"
)
_permitted_resources.append(resource)
break
Comment thread
jyejare marked this conversation as resolved.
else:
if not filter_only:
Expand Down
30 changes: 30 additions & 0 deletions sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,11 @@ def _test_get_historical_features(client_fs: FeatureStore):


def _test_get_entity(client_fs: FeatureStore, permissions: list[Permission]):
if _is_auth_enabled(client_fs) and len(permissions) == 0:
with pytest.raises(FeastPermissionError):
client_fs.get_entity("driver")
return

if not _is_auth_enabled(client_fs) or _is_permission_enabled(
client_fs, permissions, read_entities_perm
):
Expand All @@ -156,6 +161,18 @@ def _test_get_entity(client_fs: FeatureStore, permissions: list[Permission]):


def _test_list_entities(client_fs: FeatureStore, permissions: list[Permission]):
if _is_auth_enabled(client_fs) and len(permissions) == 0:
with pytest.raises(FeastPermissionError):
client_fs.list_entities()
return

if _is_auth_enabled(client_fs) and _permissions_exist_in_permission_list(
[invalid_list_entities_perm], permissions
):
with pytest.raises(FeastPermissionError):
client_fs.list_entities()
return

entities = client_fs.list_entities()

if not _is_auth_enabled(client_fs) or _is_permission_enabled(
Expand Down Expand Up @@ -183,6 +200,10 @@ def _test_list_permissions(
with pytest.raises(Exception):
client_fs.list_permissions()
return []
elif _is_auth_enabled(client_fs) and len(applied_permissions) == 0:
with pytest.raises(FeastPermissionError):
client_fs.list_permissions()
return []
else:
permissions = client_fs.list_permissions()

Expand Down Expand Up @@ -229,6 +250,11 @@ def _is_auth_enabled(client_fs: FeatureStore) -> bool:


def _test_get_fv(client_fs: FeatureStore, permissions: list[Permission]):
if _is_auth_enabled(client_fs) and len(permissions) == 0:
with pytest.raises(FeastPermissionError):
client_fs.get_feature_view("driver_hourly_stats")
return

if not _is_auth_enabled(client_fs) or _is_permission_enabled(
client_fs, permissions, read_fv_perm
):
Expand All @@ -249,6 +275,10 @@ def _test_list_fvs(client_fs: FeatureStore, permissions: list[Permission]):
with pytest.raises(Exception):
client_fs.list_feature_views()
return []
elif _is_auth_enabled(client_fs) and len(permissions) == 0:
with pytest.raises(FeastPermissionError):
client_fs.list_feature_views()
return []
else:
fvs = client_fs.list_feature_views()
for fv in fvs:
Expand Down
12 changes: 6 additions & 6 deletions sdk/python/tests/unit/permissions/test_security_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@
@pytest.mark.parametrize(
"username, requested_actions, allowed, allowed_single, raise_error_in_assert, raise_error_in_permit, intra_communication_flag",
[
(None, [], False, [False, False], [True, True], False, False),
(None, [], False, [False, False], [True, True], True, False),
(None, [], True, [True, True], [False, False], False, True),
(
"r",
Expand All @@ -42,7 +42,7 @@
False,
[False, False],
[True, True],
False,
True,
False,
),
("r", [AuthzedAction.UPDATE], True, [True, True], [False, False], False, True),
Expand All @@ -52,7 +52,7 @@
False,
[False, False],
[True, True],
False,
True,
False,
),
(
Expand Down Expand Up @@ -116,7 +116,7 @@
False,
[False, False],
[True, True],
True,
False,
False,
),
(
Expand All @@ -134,7 +134,7 @@
False,
[False, True],
[True, False],
True,
False,
False,
),
(
Expand All @@ -152,7 +152,7 @@
False,
[False, False],
[True, True],
True,
False,
False,
),
(
Expand Down
Loading