bharos opened a new issue, #9903:
URL: https://github.com/apache/gravitino/issues/9903

   ### Version
   
   main branch
   
   ### Describe what's wrong
   
   Service admins configured via gravitino.authorization.serviceAdmins cannot 
bootstrap the RBAC system in a fresh Gravitino installation. While they can 
create metalakes, they are blocked from creating users, roles, and granting 
permissions, rendering fresh installations with authorization enabled 
completely unusable.
   
   I'm not sure if there's a way to add a user?
   
   
   ### Error message and/or stacktrace
   
   The error says the user, i.e. the service admin, is not authorized to do 
operations like add_user, etc.
   
   ### How to reproduce
   
   Configure a fresh Gravitino instance with authorization enabled:
   ```
   gravitino.authorization.enable=true
   gravitino.authorization.serviceAdmins=admin
   ```
   
   Start with empty database (no metalakes, no users, no roles)
   As service admin "admin", attempt to:
   ```
   # Step 1: Create metalake - WORKS
   POST /api/metalakes {"name": "production"}
   
   # Step 2: Create user - FAILS
   POST /api/metalakes/production/users {"name": "alice"}
   # Error: "Not authorized - need METALAKE::OWNER || METALAKE::MANAGE_USERS"
   
   # Step 3: Create role - FAILS
   POST /api/metalakes/production/roles {"name": "admin_role", ...}
   # Error: "Not authorized - need METALAKE::OWNER || METALAKE::CREATE_ROLE"
   
   # Step 4: Grant role - FAILS
   PUT /api/metalakes/production/permissions/users/alice/grant
   # Error: "Not authorized - need METALAKE::OWNER || METALAKE::MANAGE_GRANTS"
   ```
   
   How can we proceed from the initial state to add users, etc. to the system?
   
   A possible workaround is maybe to temporarily disable authorization 
(`gravitino.authorization.enable=false`), 
   bootstrap users/roles/permissions, then re-enable and restart.
   
   ### Additional context
   
   _No response_

