Copilot commented on code in PR #866:
URL: https://github.com/apache/ranger/pull/866#discussion_r2879747645


##########
agents-common/src/main/resources/service-defs/ranger-servicedef-polaris.json:
##########
@@ -307,13 +212,18 @@
         "view-list",
         "view-metadata-full",
         "view-properties-read",
-        "view-properties-write"
+        "view-properties-write",
+        "policy-create",
+        "policy-drop",
+        "policy-list",
+        "policy-read",
+        "policy-write",
+        "policy-attach",
+        "policy-detach"
       ]
     },
-    { "itemId": 7,  "name": "catalog-grants-list",     "label": "Catalog 
Grants List",     "category": "READ" },
-    { "itemId": 8,  "name": "catalog-grants-manage",   "label": "Catalog 
Grants Manage",   "category": "MANAGE", "impliedGrants": [ 
"catalog-grants-list" ] },
-    { "itemId": 9,  "name": "catalog-metadata-full",   "label": "Catalog 
Metadata Full",   "category": "MANAGE", "impliedGrants": [ "catalog-create", 
"catalog-drop", "catalog-list", "catalog-properties-read", 
"catalog-properties-write" ] },
-    { "itemId": 10, "name": "catalog-metadata-manage", "label": "Catalog 
Metadata Manage", "category": "MANAGE",
+    { "itemId": 6, "name": "catalog-metadata-full",   "label": "Catalog 
Metadata Full",   "category": "MANAGE", "impliedGrants": [ "catalog-create", 
"catalog-drop", "catalog-list", "catalog-properties-read", 
"catalog-properties-write" ] },
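
Review bot: the seven `policy-*` names appended to this `impliedGrants` array (`policy-create` through `policy-detach`) widen what the enclosing access type confers, so an existing policy that grants it would also imply `policy-write`, `policy-attach` and `policy-detach` once this service-def is applied. No `accessTypes` entries for these names are visible in this hunk; please confirm each one is defined with its own itemId, and state in the PR description that this aggregate permission now covers policy operations.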

Review Comment:
   This change renumbers many existing `accessTypes[*].itemId` values (e.g., 
`catalog-metadata-full` is now itemId 6 and many others shift). Ranger 
service-def updates match/update/delete access types by `itemId`; changing 
these can trigger deletes/recreates and/or make updates fail if any policy 
references the prior access-type defs. Recommend preserving existing itemIds 
for all retained access types and only removing the specific access types for 
the removed resources. See
`security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:3357-3461`
(access types matched/removed by itemId).
   ```suggestion
       { "itemId": 22, "name": "catalog-metadata-full",   "label": "Catalog Metadata Full",   "category": "MANAGE", "impliedGrants": [ "catalog-create", "catalog-drop", "catalog-list", "catalog-properties-read", "catalog-properties-write" ] },
   ```



##########
agents-common/src/main/resources/service-defs/ranger-servicedef-polaris.json:
##########
@@ -211,47 +156,14 @@
         "principal-properties-read",
         "principal-properties-write",
         "principal-metadata-full",
-        "principal-grants-list",
-        "principal-grants-manage",
-        "principal-grants-for-grantee-manage",
-        "principal-credentials-reset",
-        "principal-role-create",
-        "principal-role-drop",
-        "principal-role-list",
-        "principal-role-grants-list",
-        "principal-role-grants-manage",
-        "principal-role-properties-read",
-        "principal-role-properties-write",
-        "principal-role-metadata-full",
-        "principal-role-grants-for-grantee-manage"
+        "principal-credentials-reset"
       ]
     },
-    { "itemId": 2, "name": "catalog-create",        "label": "Catalog Create", 
       "category": "CREATE", "impliedGrants": [ "catalog-list" ] },
-    { "itemId": 3, "name": "catalog-drop",          "label": "Catalog Drop",   
       "category": "DELETE" },
-    { "itemId": 4, "name": "catalog-list",          "label": "Catalog List",   
       "category": "READ" },
-    { "itemId": 5, "name": "catalog-access-manage", "label": "Catalog Manage 
Access", "category": "MANAGE",
-      "impliedGrants": [
-        "catalog-grants-list",
-        "catalog-grants-manage",
-        "catalog-role-create",
-        "catalog-role-drop",
-        "catalog-role-list",
-        "catalog-role-properties-read",
-        "catalog-role-properties-write",
-        "catalog-role-metadata-full",
-        "catalog-role-grants-list",
-        "catalog-role-grants-manage",
-        "catalog-role-grants-for-grantee-manage",
-        "namespace-grants-list",
-        "namespace-grants-manage",
-        "table-grants-list",
-        "table-grants-manage",
-        "view-grants-list",
-        "view-grants-manage",
-        "policy-grants-manage"
-      ]
-    },
-    { "itemId": 6,  "name": "catalog-content-manage", "label": "Catalog Manage 
Content", "category": "MANAGE",
+
+    { "itemId": 2, "name": "catalog-create",         "label": "Catalog 
Create",         "category": "CREATE", "impliedGrants": [ "catalog-list" ] },
+    { "itemId": 3, "name": "catalog-drop",           "label": "Catalog Drop",  
         "category": "DELETE" },
+    { "itemId": 4, "name": "catalog-list",           "label": "Catalog List",  
         "category": "READ" },
+    { "itemId": 5, "name": "catalog-content-manage", "label": "Catalog Manage 
Content", "category": "MANAGE",
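
Review bot: itemId 5 is reassigned on the added `catalog-content-manage` line: the removed lines show itemId 5 as `catalog-access-manage` and `catalog-content-manage` as itemId 6. Reusing an id that previously named a different permission is riskier than leaving a gap, since anything keyed on the id would see the old entry renamed rather than deleted. Suggest keeping `catalog-content-manage` at 6 and retiring 5. The lone `+` blank line ahead of `catalog-create`, and the `catalog-create`/`catalog-drop`/`catalog-list` lines that change only in column alignment, are whitespace churn that can be dropped from the diff.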

Review Comment:
   PR description/title focus on removing `principal-role`/`catalog-role`, but 
this diff also removes several non-role-related access types (e.g., 
`*-grants-*`, `catalog-access-manage`, `policy-grants-manage`). Please update 
the PR description to explicitly call out all removed access types/behaviors, 
since this impacts existing policies and operational expectations beyond the 
two role resources.
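
A pre-merge check for the two concerns raised in the review comments above (renumbered itemIds, and access types removed without being called out), as an added example that is not part of the PR or of Ranger. `compare_access_types` is a hypothetical helper, and the sample entries are a constructed subset built from the itemId/name pairs visible in the diff lines of this message.

```python
import json

# Constructed sample: itemId/name pairs copied from the removed ("-") lines above.
OLD = json.loads("""[
  {"itemId": 2, "name": "catalog-create"},
  {"itemId": 3, "name": "catalog-drop"},
  {"itemId": 4, "name": "catalog-list"},
  {"itemId": 5, "name": "catalog-access-manage"},
  {"itemId": 6, "name": "catalog-content-manage"},
  {"itemId": 7, "name": "catalog-grants-list"},
  {"itemId": 8, "name": "catalog-grants-manage"},
  {"itemId": 9, "name": "catalog-metadata-full"}
]""")

# Constructed sample: itemId/name pairs copied from the added ("+") lines above.
NEW = json.loads("""[
  {"itemId": 2, "name": "catalog-create"},
  {"itemId": 3, "name": "catalog-drop"},
  {"itemId": 4, "name": "catalog-list"},
  {"itemId": 5, "name": "catalog-content-manage"},
  {"itemId": 6, "name": "catalog-metadata-full"}
]""")


def compare_access_types(old, new):
    """Report access types whose itemId changed, ids reused for a different
    name, and names removed or added between two accessTypes arrays."""
    old_by_name = {a["name"]: a["itemId"] for a in old}
    new_by_name = {a["name"]: a["itemId"] for a in new}
    old_by_id = {a["itemId"]: a["name"] for a in old}
    report = {"renumbered": [], "reused_ids": [], "removed": [], "added": []}
    for name, old_id in old_by_name.items():
        if name not in new_by_name:
            report["removed"].append(name)
        elif new_by_name[name] != old_id:
            report["renumbered"].append((name, old_id, new_by_name[name]))
    for name, new_id in new_by_name.items():
        if name not in old_by_name:
            report["added"].append(name)
        previous = old_by_id.get(new_id)
        if previous is not None and previous != name:
            # Same id, different permission: the highest-risk case.
            report["reused_ids"].append((new_id, previous, name))
    return report


if __name__ == "__main__":
    print(json.dumps(compare_access_types(OLD, NEW), indent=2))
```

Run against the full `accessTypes` arrays of the base and head revisions, a non-empty `renumbered` or `reused_ids` list is a reason to block the merge, and `removed` is the list the PR description should enumerate.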


