@KodaiD KodaiD commented Jul 11, 2025

Description

This PR adds a permission test for DynamoDB under ScalarDB. To check what permissions are required for all ScalarDB operations, all DistributedStorage and DistributedStorageAdmin methods are tested. This is a second step of the permission tests project. Permission tests for JDBC backends will be added in the future.

Related issues and/or PRs

Changes made

  • Added a new integration test for the implementations of DistributedStorage in the DynamoDB adapter.
  • Added a new integration test for the implementations of DistributedStorageAdmin in the DynamoDB adapter.
  • Added a GitHub Action workflow to run the permission tests on workflow dispatch.

Checklist

  • I have commented my code, particularly in hard-to-understand areas.
  • I have updated the documentation to reflect the changes.
  • I have considered whether similar issues could occur in other products, components, or modules if this PR is for bug fixes.
  • Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
  • Tests (unit, integration, etc.) have been added for the changes.
  • My changes generate no new warnings.
  • Any dependent changes in other PRs have been merged and published.

Additional notes (optional)

N/A

Release notes

N/A

@KodaiD KodaiD self-assigned this Jul 11, 2025

@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @KodaiD, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the testing suite for ScalarDB's DynamoDB adapter by introducing dedicated integration tests to validate the precise AWS IAM permissions required for all DistributedStorage and DistributedStorageAdmin operations. It sets up the necessary build infrastructure and utility classes to dynamically manage IAM policies during test execution, ensuring robust verification of permission requirements for the DynamoDB backend.

Highlights

  • New Permission Integration Tests: Introduced comprehensive permission integration tests for DynamoDB, covering both DistributedStorage and DistributedStorageAdmin operations to verify required AWS IAM permissions for ScalarDB operations.
  • Dedicated Test Infrastructure: Established a new Gradle source set (integrationTestDynamoPermission) and a corresponding task to isolate and run these specific permission tests, ensuring proper build configuration and dependency management for the new test modules.
  • Dynamic IAM Policy Management: Added a new utility class, DynamoPermissionTestUtils, which leverages the AWS IAM SDK to programmatically create, update, and attach IAM policies with the necessary DynamoDB and Application Auto Scaling permissions required for testing various operations.
  • AWS SDK IAM Dependencies: Incorporated new AWS SDK dependencies (iam and iam-policy-builder) into the project's build to support programmatic IAM policy generation and management, which is crucial for the new permission testing framework.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces permission tests for DynamoDB, which is a great addition for ensuring the security and correctness of database operations. My feedback focuses on improving the exception handling in the DynamoPermissionTestUtils class for better maintainability and robustness.

@KodaiD KodaiD requested a review from Copilot July 11, 2025 02:07

Copilot AI left a comment

Pull Request Overview

Adds integration tests and supporting configuration to verify required IAM permissions for DynamoDB operations in ScalarDB, including workflow support in GitHub Actions.

  • Introduces DynamoPermissionTestUtils for creating and managing IAM policies in tests.
  • Adds DynamoPermissionIntegrationTest and DynamoAdminPermissionIntegrationTest classes to validate storage and admin APIs under permission constraints.
  • Updates Gradle build and CI workflow to run DynamoDB permission integration tests.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoPermissionTestUtils.java | Utility for creating, attaching, and managing IAM policies for DynamoDB permission tests |
| core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoPermissionIntegrationTest.java | Integration test for storage-level permission checks |
| core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoAdminPermissionIntegrationTest.java | Integration test for admin-level permission checks |
| core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoEnv.java | Environment property handling for emulator support and test configuration |
| core/build.gradle | Configures new integrationTestDynamoPermission source set, tasks, and dependencies |
| .github/workflows/permission-check.yaml | Adds GitHub Actions job to execute DynamoDB permission integration tests |

Comments suppressed due to low confidence (2)

.github/workflows/permission-check.yaml:107

  • The Gradle command doesn't pass the scalardb.dynamo.emulator or scalardb.dynamo.region system properties, so the tests default to emulator mode and local endpoint, causing failures in CI. Consider adding -Dscalardb.dynamo.emulator=false and -Dscalardb.dynamo.region=$REGION to the Gradle command.
        run: ./gradlew integrationTestDynamoPermission

core/src/integration-test/java/com/scalar/db/storage/dynamo/DynamoEnv.java:20

  • The default value for DEFAULT_DYNAMO_EMULATOR is set to "true", causing tests to always run in emulator mode (overriding actual AWS setup) which will fail in CI. Consider defaulting this to "false" or making it configurable via system properties in CI.
  private static final String DEFAULT_DYNAMO_EMULATOR = "true";

@KodaiD KodaiD marked this pull request as ready for review July 11, 2025 04:35
@KodaiD KodaiD requested review from a team, Torch3333, brfrn169, feeblefakie and komamitsu and removed request for a team July 11, 2025 04:42
@KodaiD KodaiD force-pushed the dynamodb-permission-list branch from 4727904 to bb483f9 Compare July 11, 2025 08:44
@KodaiD KodaiD force-pushed the dynamodb-permission-list branch from 16f8929 to 04e6dcf Compare July 11, 2025 09:26
@KodaiD KodaiD requested a review from komamitsu July 11, 2025 09:54

@komamitsu komamitsu left a comment

LGTM! 👍

KodaiD commented Jul 14, 2025

I've confirmed that the permission test works as expected in:
https://github.com/scalar-labs/scalardb/actions/runs/16256865365

@brfrn169 brfrn169 left a comment

Left minor comments. Other than that, LGTM!

@feeblefakie feeblefakie left a comment

LGTM! Thank you!

@Torch3333 Torch3333 left a comment

LGTM, thank you!
