fix(glue): remove batchDeletePartition from grantRead() permissions (#17941)

It is convention in the CDK to expose the underlying `grant()` API to make it simple for users to grant custom permissions to their resource. 

In addition, this PR removes 'glue:BatchDeletePartition' from `readPermissions`, which was previously erroneously added.

closes #17935 and #15116.

BREAKING CHANGE: the grantRead API previously included 'glue:BatchDeletePartition', and now it does not.


 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: kaizencc

packages/@aws-cdk/aws-glue/lib/table.ts

@@ -325,7 +325,10 @@ export class Table extends Resource implements ITable {
     return ret;
   }
 
-  private grant(grantee: iam.IGrantable, actions: string[]) {
+  /**
+   * Grant the given identity custom permissions.
+   */
+  public grant(grantee: iam.IGrantable, actions: string[]) {
     return iam.Grant.addToPrincipal({
       grantee,
       resourceArns: [this.tableArn],
@@ -400,7 +403,6 @@ function createBucket(table: Table, props: TableProps) {
 }
 
 const readPermissions = [
-  'glue:BatchDeletePartition',
   'glue:BatchGetPartition',
   'glue:GetPartition',
   'glue:GetPartitions',

packages/@aws-cdk/aws-glue/test/integ.connection.expected.json

@@ -95,15 +95,15 @@
     "VpcPublicSubnet1NATGateway4D7517AA": {
       "Type": "AWS::EC2::NatGateway",
       "Properties": {
+        "SubnetId": {
+          "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
+        },
         "AllocationId": {
           "Fn::GetAtt": [
             "VpcPublicSubnet1EIPD7E02669",
             "AllocationId"
           ]
         },
-        "SubnetId": {
-          "Ref": "VpcPublicSubnet1Subnet5C2D37C4"
-        },
         "Tags": [
           {
             "Key": "Name",
@@ -192,15 +192,15 @@
     "VpcPublicSubnet2NATGateway9182C01D": {
       "Type": "AWS::EC2::NatGateway",
       "Properties": {
+        "SubnetId": {
+          "Ref": "VpcPublicSubnet2Subnet691E08A3"
+        },
         "AllocationId": {
           "Fn::GetAtt": [
             "VpcPublicSubnet2EIP3C605A87",
             "AllocationId"
           ]
         },
-        "SubnetId": {
-          "Ref": "VpcPublicSubnet2Subnet691E08A3"
-        },
         "Tags": [
           {
             "Key": "Name",
@@ -289,15 +289,15 @@
     "VpcPublicSubnet3NATGateway7640CD1D": {
       "Type": "AWS::EC2::NatGateway",
       "Properties": {
+        "SubnetId": {
+          "Ref": "VpcPublicSubnet3SubnetBE12F0B6"
+        },
         "AllocationId": {
           "Fn::GetAtt": [
             "VpcPublicSubnet3EIP3A666A23",
             "AllocationId"
           ]
         },
-        "SubnetId": {
-          "Ref": "VpcPublicSubnet3SubnetBE12F0B6"
-        },
         "Tags": [
           {
             "Key": "Name",

packages/@aws-cdk/aws-glue/test/integ.security-configuration.expected.json

@@ -158,4 +158,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-glue/test/integ.table.expected.json

@@ -433,7 +433,6 @@
           "Statement": [
             {
               "Action": [
-                "glue:BatchDeletePartition",
                 "glue:BatchGetPartition",
                 "glue:GetPartition",
                 "glue:GetPartitions",
@@ -442,6 +441,7 @@
                 "glue:GetTableVersion",
                 "glue:GetTableVersions",
                 "glue:BatchCreatePartition",
+                "glue:BatchDeletePartition",
                 "glue:CreatePartition",
                 "glue:DeletePartition",
                 "glue:UpdatePartition"
@@ -510,7 +510,6 @@
             },
             {
               "Action": [
-                "glue:BatchDeletePartition",
                 "glue:BatchGetPartition",
                 "glue:GetPartition",
                 "glue:GetPartitions",
@@ -519,6 +518,7 @@
                 "glue:GetTableVersion",
                 "glue:GetTableVersions",
                 "glue:BatchCreatePartition",
+                "glue:BatchDeletePartition",
                 "glue:CreatePartition",
                 "glue:DeletePartition",
                 "glue:UpdatePartition"
@@ -622,7 +622,6 @@
           "Statement": [
             {
               "Action": [
-                "glue:BatchDeletePartition",
                 "glue:BatchGetPartition",
                 "glue:GetPartition",
                 "glue:GetPartitions",
@@ -631,6 +630,7 @@
                 "glue:GetTableVersion",
                 "glue:GetTableVersions",
                 "glue:BatchCreatePartition",
+                "glue:BatchDeletePartition",
                 "glue:CreatePartition",
                 "glue:DeletePartition",
                 "glue:UpdatePartition"
@@ -699,7 +699,6 @@
             },
             {
               "Action": [
-                "glue:BatchDeletePartition",
                 "glue:BatchGetPartition",
                 "glue:GetPartition",
                 "glue:GetPartitions",
@@ -708,6 +707,7 @@
                 "glue:GetTableVersion",
                 "glue:GetTableVersions",
                 "glue:BatchCreatePartition",
+                "glue:BatchDeletePartition",
                 "glue:CreatePartition",
                 "glue:DeletePartition",
                 "glue:UpdatePartition"
@@ -743,7 +743,6 @@
             },
             {
               "Action": [
-                "glue:BatchDeletePartition",
                 "glue:BatchGetPartition",
                 "glue:GetPartition",
                 "glue:GetPartitions",
@@ -752,6 +751,7 @@
                 "glue:GetTableVersion",
                 "glue:GetTableVersions",
                 "glue:BatchCreatePartition",
+                "glue:BatchDeletePartition",
                 "glue:CreatePartition",
                 "glue:DeletePartition",
                 "glue:UpdatePartition"
@@ -797,4 +797,4 @@
       }
     }
   }
-}
+}

packages/@aws-cdk/aws-glue/test/table.test.ts

@@ -2,9 +2,9 @@ import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
+import { testFutureBehavior } from '@aws-cdk/cdk-build-tools/lib/feature-flag';
 import * as cdk from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
-import { testFutureBehavior } from '@aws-cdk/cdk-build-tools/lib/feature-flag';
 import * as glue from '../lib';
 import { CfnTable } from '../lib/glue.generated';
 
@@ -79,7 +79,6 @@ test('unpartitioned JSON table', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('partitioned JSON table', () => {
@@ -157,7 +156,6 @@ test('partitioned JSON table', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('compressed table', () => {
@@ -223,7 +221,6 @@ test('compressed table', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('table.node.defaultChild', () => {
@@ -325,7 +322,6 @@ test('encrypted table: SSE-S3', () => {
       ],
     },
   });
-
 });
 
 test('encrypted table: SSE-KMS (implicitly created key)', () => {
@@ -413,7 +409,6 @@ test('encrypted table: SSE-KMS (implicitly created key)', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('encrypted table: SSE-KMS (explicitly created key)', () => {
@@ -506,7 +501,6 @@ test('encrypted table: SSE-KMS (explicitly created key)', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('encrypted table: SSE-KMS_MANAGED', () => {
@@ -585,7 +579,6 @@ test('encrypted table: SSE-KMS_MANAGED', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('encrypted table: CSE-KMS (implicitly created key)', () => {
@@ -654,7 +647,6 @@ test('encrypted table: CSE-KMS (implicitly created key)', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('encrypted table: CSE-KMS (explicitly created key)', () => {
@@ -729,7 +721,6 @@ test('encrypted table: CSE-KMS (explicitly created key)', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('encrypted table: CSE-KMS (explicitly passed bucket and key)', () => {
@@ -806,7 +797,6 @@ test('encrypted table: CSE-KMS (explicitly passed bucket and key)', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('explicit s3 bucket and prefix', () => {
@@ -874,7 +864,6 @@ test('explicit s3 bucket and prefix', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
-
 });
 
 test('explicit s3 bucket and with empty prefix', () => {
@@ -942,7 +931,72 @@ test('explicit s3 bucket and with empty prefix', () => {
       TableType: 'EXTERNAL_TABLE',
     },
   });
+});
+
+test('grants: custom', () => {
+  const stack = new cdk.Stack();
+  const user = new iam.User(stack, 'User');
+  const database = new glue.Database(stack, 'Database', {
+    databaseName: 'database',
+  });
 
+  const table = new glue.Table(stack, 'Table', {
+    database,
+    tableName: 'table',
+    columns: [{
+      name: 'col',
+      type: glue.Schema.STRING,
+    }],
+    compressed: true,
+    dataFormat: glue.DataFormat.JSON,
+  });
+
+  table.grant(user, ['glue:UpdateTable']);
+
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'glue:UpdateTable',
+          Effect: 'Allow',
+          Resource: {
+            'Fn::Join': [
+              '',
+              [
+                'arn:',
+                {
+                  Ref: 'AWS::Partition',
+                },
+                ':glue:',
+                {
+                  Ref: 'AWS::Region',
+                },
+                ':',
+                {
+                  Ref: 'AWS::AccountId',
+                },
+                ':table/',
+                {
+                  Ref: 'DatabaseB269D8BB',
+                },
+                '/',
+                {
+                  Ref: 'Table4C2D914F',
+                },
+              ],
+            ],
+          },
+        },
+      ],
+      Version: '2012-10-17',
+    },
+    PolicyName: 'UserDefaultPolicy1F97781E',
+    Users: [
+      {
+        Ref: 'User00B015A1',
+      },
+    ],
+  });
 });
 
 test('grants: read only', () => {
@@ -970,7 +1024,6 @@ test('grants: read only', () => {
       Statement: [
         {
           Action: [
-            'glue:BatchDeletePartition',
             'glue:BatchGetPartition',
             'glue:GetPartition',
             'glue:GetPartitions',
@@ -1048,7 +1101,6 @@ test('grants: read only', () => {
       },
     ],
   });
-
 });
 
 testFutureBehavior('grants: write only', s3GrantWriteCtx, cdk.App, (app) => {
@@ -1151,7 +1203,6 @@ testFutureBehavior('grants: write only', s3GrantWriteCtx, cdk.App, (app) => {
       },
     ],
   });
-
 });
 
 testFutureBehavior('grants: read and write', s3GrantWriteCtx, cdk.App, (app) => {
@@ -1179,7 +1230,6 @@ testFutureBehavior('grants: read and write', s3GrantWriteCtx, cdk.App, (app) =>
       Statement: [
         {
           Action: [
-            'glue:BatchDeletePartition',
             'glue:BatchGetPartition',
             'glue:GetPartition',
             'glue:GetPartitions',
@@ -1188,6 +1238,7 @@ testFutureBehavior('grants: read and write', s3GrantWriteCtx, cdk.App, (app) =>
             'glue:GetTableVersion',
             'glue:GetTableVersions',
             'glue:BatchCreatePartition',
+            'glue:BatchDeletePartition',
             'glue:CreatePartition',
             'glue:DeletePartition',
             'glue:UpdatePartition',
@@ -1264,7 +1315,6 @@ testFutureBehavior('grants: read and write', s3GrantWriteCtx, cdk.App, (app) =>
       },
     ],
   });
-
 });
 
 test('validate: at least one column', () => {