HonahX commented on code in PR #2696:
URL: https://github.com/apache/polaris/pull/2696#discussion_r2383308149
##########
polaris-core/src/main/java/org/apache/polaris/core/config/FeatureConfiguration.java:
##########
@@ -386,4 +386,14 @@ public static void enforceFeatureEnabledOrThrow(
+ "Defaults to enabled, but service providers may want to
disable it.")
.defaultValue(true)
.buildFeatureConfiguration();
+
+ public static final FeatureConfiguration<Boolean>
+ ALLOW_SETTING_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS =
+ PolarisConfiguration.<Boolean>builder()
+ .key("ALLOW_SETTING_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS")
+ .description(
+ "If set to true (default), Polaris will allow configuring
namespace/table-level RBAC for federated catalogs per catalog."
+ + "If set to false, Polaris will only allow configuring
namespace/table-level RBAC for federated catalogs at realm level.")
Review Comment:
Good catch! It will be applied to other sub catalog objects in the future.
It's just currently we only support namespace/table level RBAC. But for param
description I should use more general term. Let me update that.
> it's basically meant to disallow privilege grants (?) on all entities
other than a catalog.
Reading the description again, I think it is somewhat misleading. This flag
aims to control whether we can change the
`ENABLE_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS` setting in a per-catalog
basis. Let me update that. If
`ALLOW_SETTING_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS` is false, it means you
cannot toggle the `ENABLE_SUB_CATALOG_RBAC_FOR_FEDERATED_CATALOGS` per catalog,
but rather either respect what has been configured for the catalog or respect
the realm-level config.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
