mchades commented on code in PR #9035: URL: https://github.com/apache/gravitino/pull/9035#discussion_r2510590059
##########
docs/security/access-control.md:
##########
@@ -1025,4 +1033,13 @@ The following table lists the required privileges for
each API.
| grant privilege | `MANAGE_GRANTS` on the metalake or the
owner of the securable object
|
| revoke privilege | `MANAGE_GRANTS` on the metalake or the
owner of the securable object
|
| set owner | The owner of the securable object
|
+| list tags | `APPLY_TAG` on the metalake, the owner
of the metalake or the tag.
|
+| create tag | `CREATE_TAG` on the metalake or the
owner of the metalake.
|
+| get tag | `APPLY_TAG` on the metalake or tag, the
owner of the metalake or the tag.
|
+| alter tag | Must be the owner of the metalake or the
tag.
|
+| delete tag | Must be the owner of the metalake or the
tag.
|
+| list objects for tag | Requires both permission to **get the
tag** and permission to **load metadata objects**.
|
+| list tags for object | Permission to both list tags Requires
both permission to **list tags** and permission to **load metadata objects**.
load metadata objects is required.
|
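Review bot: The added "list tags for object" row contains leftover text from an earlier wording. The cell reads "Permission to both list tags Requires both permission to **list tags** and permission to **load metadata objects**. load metadata objects is required.", so the requirement is stated twice with fragments around it. Keep only "Requires both permission to **list tags** and permission to **load metadata objects**", matching the "list objects for tag" row. The "list tags" row is also ambiguous: "`APPLY_TAG` on the metalake, the owner of the metalake or the tag" does not say whether "or the tag" means the owner of the tag or `APPLY_TAG` on the tag. The "get tag" row spells this out as "on the metalake or tag", and the same wording would help here. Since list operations return several tags, the row should state whether the result is filtered to the tags the caller is privileged on. Smaller style points: the new rows end in a period and use "Must be the owner of", while the existing rows have no trailing period and use "The owner of".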
Review Comment:
Assume user A is the owner of `catalog1`; he created `tag1` and associated
it with `catalog1`. User B is the owner of `catalog1.schema1.table1`. When user
B lists tags for `table1`, what permissions are needed to see `tag1`? Or what
permissions should be granted by which users to user B so that he can see
`tag1`?
