Skip to content

fix: update glue data catalog client to include LakeFormation AccessDenied#359

Merged
javsanbel2 merged 1 commit into
mainfrom
fix/glue-client-lakeformation-access-denied
Jun 25, 2026
Merged

fix: update glue data catalog client to include LakeFormation AccessDenied#359
javsanbel2 merged 1 commit into
mainfrom
fix/glue-client-lakeformation-access-denied

Conversation

@javsanbel2

Copy link
Copy Markdown
Contributor

Lake Formation returns AccessDeniedException instead of EntityNotFoundException for resources that do not exist when the caller lacks CREATE_TABLE permission (anti-enumeration design).

The upstream fix in aws-glue-data-catalog-client-for-apache-hive-metastore translates these exceptions to NoSuchObjectException in getDatabase() and getTable(), and treats them as not-found in tableExists(). The behaviour is opt-in via the aws.glue.lakeformation.access-denied-as-not-found config flag (default false) so stock behaviour is unchanged unless explicitly enabled. Every translation is logged at WARN to preserve observability of genuine permission errors.

Origin PR Rebuilt from branch/waggle-dance of the upstream repo (commit 4f36427).

@javsanbel2 javsanbel2 requested a review from a team as a code owner June 25, 2026 12:18
@javsanbel2 javsanbel2 force-pushed the fix/glue-client-lakeformation-access-denied branch from badab8b to 4c0a60c Compare June 25, 2026 12:20
…enied fix

Lake Formation returns AccessDeniedException instead of
EntityNotFoundException for resources that do not exist when the caller
lacks CREATE_TABLE permission (anti-enumeration design).

The upstream fix in aws-glue-data-catalog-client-for-apache-hive-metastore
translates these exceptions to NoSuchObjectException in getDatabase() and
getTable(), and treats them as not-found in tableExists(). The behaviour is
opt-in via the aws.glue.lakeformation.access-denied-as-not-found config flag
(default false) so stock behaviour is unchanged unless explicitly enabled.
Every translation is logged at WARN to preserve observability of genuine
permission errors.

Rebuilt from branch/waggle-dance of the upstream repo (commit 4f36427).

Co-authored-by: Claude Sonnet <noreply@anthropic.com>
@javsanbel2 javsanbel2 force-pushed the fix/glue-client-lakeformation-access-denied branch from 4c0a60c to bd4bbcb Compare June 25, 2026 12:20
@javsanbel2 javsanbel2 merged commit e9734c6 into main Jun 25, 2026
1 check passed
@javsanbel2 javsanbel2 deleted the fix/glue-client-lakeformation-access-denied branch June 25, 2026 13:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants