To clarify my earlier email: Certain call paths require the storage config to be provided at catalog creation time, IIRC. At the same time processing storage config requires access to feature flags.
Admins can indeed manage grants without exposing access to end users. However, I think the chicken and egg problem still exists with storage configuration even for admins. Cheers, Dmitri. On Tue, Oct 14, 2025 at 1:48 AM Eric Maynard <[email protected]> wrote: > Could an administrator implement this two-step process by first creating > the catalog and granting themself " CATALOG_MANAGE_CONTENT " before doing > any other grants? > > --EM > > On Mon, Oct 13, 2025 at 10:25 AM Jean-Baptiste Onofré <[email protected]> > wrote: > > > Hi Dmitri > > > > That's a good point. > > Imho, we should have a two step approach for catalog creation: first > > create the "abstract" entity, and then all permission, etc. > > > > Regards > > JB > > > > On Thu, Sep 25, 2025 at 5:36 PM Dmitri Bourlatchkov <[email protected]> > > wrote: > > > > > > Hi All, > > > > > > Our feature flags code supports setting flags per catalog [1]. However > > when > > > dealing with catalog creation, it may be necessary to check those flags > > too. > > > > > > This creates a chicken and egg problem where certain flags that apply > to > > > catalogs (e.g. ALLOW_SETTING_S3_ENDPOINTS) can only be set per realm. > > > > > > Would it make sense to allow a two phase approach to creating catalogs > > > where > > > 1) a catalog object is created as an empty shell (ID + name) > > > 2) An admin user adjusts feature flags / permissions > > > 3) A regular user sets catalog config properties > > > > > > Any other thoughts / suggestions on this matter? > > > > > > [1] > > > > > > https://github.com/apache/polaris/blob/453e9fb19aaad48f8c46ef4ffe3d516df62e4706/polaris-core/src/main/java/org/apache/polaris/core/config/PolarisConfiguration.java#L167 > > > > > > Thanks, > > > Dmitri. > > >
