Open
Conversation
…t coverage for most of them
Describes a fast intermediate test layer that captures unit-test WireMock payloads, remaps usernames to Rego-compatible principals, and validates the Rego policy logic using the opa test CLI — without integration test overhead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Five tasks: OpaFixtureWriter class, test wiring, Rego files, Maven plugins (download-maven-plugin + exec-maven-plugin), and end-to-end verification. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- OpaFixtureWriter writes to target/test-rego/fixtures.json (was src/test/rego/fixtures.json) so test runs no longer dirty the working tree - pom.xml opa-policy-test execution updated to match new path - hbase_test.rego: add print() calls so --explain notes reports fixture counts - .gitignore: add /docs/plans/ (plan docs are local-only, not committed) - Remove stale design doc and completed implementation plan from git Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
prePrepareBulkLoad, preCleanupBulkLoad, preBulkLoadHFile (region-level), preLockHeartbeat, and preRequestLock (table, namespace, and region-scope branches) were implemented but had no unit tests. Brings coverage from 83 to 90 passing tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #8
Fixes #2
N.B. Code changes - especially unit tests - done with support from Claude.
Summary: Stabilise OPA authorizer — permissions, coverage, and policy testing
Hook implementation
All pre* coprocessor hooks now route to OPA. Key changes vs the previous state:
OpTypeenum is added to every OPA request (GET,SCAN,PUT,DELETE,APPEND,INCREMENT,CHECK_AND_PUT,CHECK_AND_DELETE,ROW_MUTATIONS,NONE), allowing Rego policies to restrict access byoperation type.
OpTypeserialises using Jackson's default enum.name()(uppercase), soacl.operationsentries in Rego must also be uppercase (e.g.["EXISTS", "GET", "SCAN", "NONE"]){ familyName: [qualifier, ...] }) passed on all region-level requests, enabling column-family-level policy decisionspreCheckAndMutatenow explicitly handles RowMutations (previously fell through unchecked); the deprecatedByteArrayComparableand Filter-basedpreCheckAndPut/preCheckAndDeleteoverloads areimplemented because HBase's default
preCheckAndMutatedelegates to themAPPEND,INCREMENT,CHECK_AND_PUT,CHECK_AND_DELETE) enforce bothREADandWRITEAccessController(namespace scoping, action choices)TestCoprocessorInterfaceCoverage— a reflection test that fails the build if any pre* hook is added to the interface without being explicitly overridden or excludedCoverage summary
OPA policy utility tests
There is a lightweight test layer that sits between the Java unit tests and the full kuttl integration tests, so that OPA JSON calls can be tested explicitly against Rego rules.
OpaFixtureWriterregisters as a WireMockServeEventListenerin each test class. After each class teardown it remaps the three canonical test principals to Rego-recognisable Kerberosnames, deduplicates, and writes
target/test-rego/fixtures.json— a single JSON document withallowedanddeniedarrays of captured OPA request bodies.src/test/rego/hbase.regois a committed copy of the Rego policy fromhbase-operator/tests/templates/kuttl/opa/12-rego-rules.txt.j2with$NAMESPACEsubstituted totest-ns. Itmust be manually regenerated when the operator policy changes. The principal remapping in
OpaFixtureWriteris intentionally aligned with the Kerberos principals used in the kuttl integration tests. This isa hard dependency between this component and the operator integration tests.
download-maven-pluginfetches a pinned OPA binary (v0.63.0) duringprocess-test-resources;exec-maven-pluginrunsopa testin theverifyphase after Surefire. Fixtures livein
target/and are not committed.matches_operationandmatches_familiesnon-null branches of the Rego policy, which correspond directly to the readonlyuser scenarios in the kuttl integration tests.Tip
To test these changes, you can use a custom image
oci.stackable.tech/sandbox/andrew/hbase:2.6.4-stackable0.0.0-devin Harbor that contains these changes, along with an operator PR that extends the rego rules to increase the coverage.