From f827bd51d29592c4cbf1cb69d57eff7ca650fbb3 Mon Sep 17 00:00:00 2001
From: Nadav Har'El
Date: Wed, 17 Jul 2024 16:02:36 +0300
Subject: [PATCH] alternator: test for operations that do not need any permissions

Some operations, namely ListTables, DescribeTable, DescribeEndpoints, ListTagsOfResource, DescribeTimeToLive and DescribeContinuousBackups do not need any permissions to be GRANTed to a role. Our rationale for this decision is that in CQL, "describe table" and friends also do not require any permissions. This patch includes a test that verifies that they really don't need permissions.

Signed-off-by: Nadav Har'El
---
 test/alternator/test_cql_rbac.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/test/alternator/test_cql_rbac.py b/test/alternator/test_cql_rbac.py
index 48bf38b318..c40a0d8124 100644
--- a/test/alternator/test_cql_rbac.py
+++ b/test/alternator/test_cql_rbac.py
@@ -653,6 +653,24 @@ def test_rbac_updatetable(dynamodb, cql):
 authorized(lambda: tab.meta.client.update_table(TableName=tab.name, BillingMode='PAY_PER_REQUEST'))
 
+# A test for API operations that do not require any permissions, so can be
+# performed on a new role with no grants. This currently includes
+# ListTables, DescribeTable, DescribeEndpoints, ListTagsOfResource,
+# DescribeTimeToLive, DescribeContinuousBackups
+def test_no_permissions_needed(dynamodb, cql, test_table):
+    with new_role(cql) as (role, key):
+        with new_dynamodb(dynamodb, role, key) as d:
+            # Try the various operations that don't need any permissions,
+            # and check that they don't fail (we don't check what is the
+            # result).
+            d.meta.client.list_tables()
+            d.meta.client.describe_endpoints()
+            r = d.meta.client.describe_table(TableName=test_table.name)
+            arn = r['Table']['TableArn']
+            d.meta.client.list_tags_of_resource(ResourceArn=arn)
+            d.meta.client.describe_time_to_live(TableName=test_table.name)
+            d.meta.client.describe_continuous_backups(TableName=test_table.name)
+
 # A test for permission checks in BatchWriteItem. BatchWriteItem needs the
 # "MODIFY" permission, but one BatchWriteItem may write to several tables
 # so needs MODIFY permissions on all of them, not just one. If any of the