roryqi commented on code in PR #10276:
URL: https://github.com/apache/gravitino/pull/10276#discussion_r2894130289
##########
api/src/main/java/org/apache/gravitino/authorization/Privileges.java:
##########
@@ -64,6 +64,18 @@ public class Privileges {
MetadataObject.Type.SCHEMA,
MetadataObject.Type.VIEW);
+ /**
+ * Object types to which MANAGE_GRANTS can be bound. Allows scoped grant
delegation at catalog,
+ * schema, table, or view level — not just metalake-wide.
+ */
+ private static final Set<MetadataObject.Type> GRANT_SUPPORTED_TYPES =
+ Sets.immutableEnumSet(
+ MetadataObject.Type.METALAKE,
+ MetadataObject.Type.CATALOG,
+ MetadataObject.Type.SCHEMA,
+ MetadataObject.Type.TABLE,
+ MetadataObject.Type.VIEW);
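Review bot: The Javadoc on GRANT_SUPPORTED_TYPES says MANAGE_GRANTS can be bound at catalog, schema, table, or view level, but it does not define what a holder bound at one of those levels is allowed to grant. Please state whether the privilege covers only the bound object and the objects beneath it, and whether the holder can pass MANAGE_GRANTS itself on to others, since that decides how far a delegated grant can spread. The constant name is also generic for a set the comment ties to a single privilege; a name such as MANAGE_GRANTS_SUPPORTED_TYPES would read more clearly beside the type set declared just above it.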
Review Comment:
Two solutions:
1. We add a new privilege property like GRANT_OPTION
2. `MANAGE_GRANTS` to object level.
Option 2 won't add new concepts. It may be easier to understand.
Option 1 could be more restricted.
I prefer option 2.