Fixing unit tests

Signed-off-by: jyejare <[email protected]>

Author: jyejare

infra/feast-operator/dist/install.yaml

@@ -8211,6 +8211,12 @@ rules:
   - list
   - update
   - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 - apiGroups:
   - batch
   resources:
@@ -8240,11 +8246,13 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - namespaces
   - pods
   - secrets
   verbs:
   - get
   - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -8280,8 +8288,11 @@ rules:
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
+  - clusterrolebindings
+  - clusterroles
   - rolebindings
   - roles
+  - subjectaccessreviews
   verbs:
   - create
   - delete

infra/feast-operator/internal/controller/featurestore_controller_kubernetes_auth_test.go

@@ -227,7 +227,7 @@ var _ = Describe("FeatureStore Controller-Kubernetes authorization", func() {
 				feastRole)
 			Expect(err).NotTo(HaveOccurred())
 			Expect(feastRole.Rules).ToNot(BeEmpty())
-			Expect(feastRole.Rules).To(HaveLen(1))
+			Expect(feastRole.Rules).To(HaveLen(6))
 			Expect(feastRole.Rules[0].APIGroups).To(HaveLen(1))
 			Expect(feastRole.Rules[0].APIGroups[0]).To(Equal(rbacv1.GroupName))
 			Expect(feastRole.Rules[0].Resources).To(HaveLen(2))

sdk/python/feast/permissions/security_manager.py

@@ -173,7 +173,8 @@ def permitted_resources(
     A utility function to invoke the `assert_permissions` method on the global security manager.
 
     If no global `SecurityManager` is defined (NoAuthConfig), all resources are permitted.
-    If a SecurityManager exists but no user context, access is denied for security.
+    If a SecurityManager exists but no user context and actions are requested, deny access for security.
+    If a SecurityManager exists but user is intra-communication, allow access.
 
     Args:
         resources: The resources for which we need to enforce authorized permission.
@@ -184,11 +185,15 @@ def permitted_resources(
 
     sm = get_security_manager()
     if not is_auth_necessary(sm):
-        # Check if this is NoAuthConfig (no security manager) vs missing user context
+        # Check if this is NoAuthConfig (no security manager) vs missing user context vs intra-communication
         if sm is None:
             # NoAuthConfig: allow all resources
             logger.debug("NoAuthConfig enabled - allowing access to all resources")
             return resources
+        elif sm.current_user is not None:
+            # Intra-communication user: allow all resources
+            logger.debug("Intra-communication user - allowing access to all resources")
+            return resources
         else:
             # Security manager exists but no user context - deny access for security
             logger.warning(
@@ -233,8 +238,17 @@ def no_security_manager():
 def is_auth_necessary(sm: Optional[SecurityManager]) -> bool:
     intra_communication_base64 = os.getenv("INTRA_COMMUNICATION_BASE64")
 
-    return (
-        sm is not None
-        and sm.current_user is not None
-        and sm.current_user.username != intra_communication_base64
-    )
+    # If no security manager, no auth is necessary
+    if sm is None:
+        return False
+
+    # If security manager exists but no user context, auth is necessary (security-first approach)
+    if sm.current_user is None:
+        return True
+
+    # If user is intra-communication, no auth is necessary
+    if sm.current_user.username == intra_communication_base64:
+        return False
+
+    # Otherwise, auth is necessary
+    return True

sdk/python/tests/unit/permissions/auth/server/test_auth_registry_server.py

@@ -170,7 +170,8 @@ def _test_list_entities(client_fs: FeatureStore, permissions: list[Permission]):
 
 
 def _no_permission_retrieved(permissions: list[Permission]) -> bool:
-    return len(permissions) == 0
+    # With security-first approach, no permissions means access should be denied
+    return False
 
 
 def _test_list_permissions(
@@ -278,13 +279,17 @@ def _is_permission_enabled(
     permissions: list[Permission],
     permission: Permission,
 ):
-    return _is_auth_enabled(client_fs) and (
-        _no_permission_retrieved(permissions)
-        or (
-            _permissions_exist_in_permission_list(
-                [read_permissions_perm, permission], permissions
-            )
-        )
+    # With security-first approach, if no permissions are defined, access should be denied
+    if not _is_auth_enabled(client_fs):
+        return True  # No auth enabled, allow access
+
+    # If auth is enabled but no permissions are defined, deny access (security-first)
+    if len(permissions) == 0:
+        return False
+
+    # Check if the specific permission exists
+    return _permissions_exist_in_permission_list(
+        [read_permissions_perm, permission], permissions
     )
 
 

sdk/python/tests/unit/permissions/test_decorator.py

@@ -7,7 +7,7 @@
 @pytest.mark.parametrize(
     "username, can_read, can_write",
     [
-        (None, True, True),
+        (None, False, False),
         ("r", True, False),
         ("w", False, True),
         ("rw", True, True),

sdk/python/tests/unit/permissions/test_security_manager.py

@@ -15,7 +15,7 @@
 @pytest.mark.parametrize(
     "username, requested_actions, allowed, allowed_single, raise_error_in_assert, raise_error_in_permit, intra_communication_flag",
     [
-        (None, [], True, [True, True], [False, False], False, False),
+        (None, [], False, [False, False], [True, True], False, False),
         (None, [], True, [True, True], [False, False], False, True),
         (
             "r",
@@ -219,7 +219,7 @@ def test_access_SecuredFeatureView(
 @pytest.mark.parametrize(
     "username, allowed, intra_communication_flag",
     [
-        (None, True, False),
+        (None, False, False),
         (None, True, True),
         ("r", False, False),
         ("r", True, True),
@@ -275,7 +275,7 @@ def getter(name: str, project: str, allow_cache: bool):
 @pytest.mark.parametrize(
     "username, allowed, intra_communication_flag",
     [
-        (None, True, False),
+        (None, False, False),
         (None, True, True),
         ("r", False, False),
         ("r", True, True),