flyrain commented on code in PR #3908:
URL: https://github.com/apache/polaris/pull/3908#discussion_r2868061246
##########
polaris-core/src/testFixtures/java/org/apache/polaris/core/persistence/PolarisTestMetaStoreManager.java:
##########
@@ -2801,6 +2801,66 @@ public void testLoadResolvedEntitiesById() {
.containsExactly(getEntityCore(N1_N2));
}
+ /**
+ * Verify that loadResolvedEntities returns distinct grantee and securable
grant records for
+ * entities that are both grantees and securables (e.g. catalog roles).
+ */
+ public void testLoadResolvedEntitiesGranteeVsSecurableRecords() {
+ // create a catalog
+ PolarisBaseEntity catalog =
+ new PolarisBaseEntity(
+ PolarisEntityConstants.getNullId(),
+
polarisMetaStoreManager.generateNewEntityId(this.polarisCallContext).getId(),
+ PolarisEntityType.CATALOG,
+ PolarisEntitySubType.NULL_SUBTYPE,
+ PolarisEntityConstants.getRootEntityId(),
+ "grantee_test");
+ CreateCatalogResult catalogCreated =
+ polarisMetaStoreManager.createCatalog(this.polarisCallContext,
catalog, List.of());
+ Assertions.assertThat(catalogCreated).isNotNull();
+ catalog = catalogCreated.getCatalog();
+
+ // create a namespace (securable target for the grant TO the role)
+ PolarisBaseEntity N1 = this.createEntity(List.of(catalog),
PolarisEntityType.NAMESPACE, "N1");
+
+ // create a catalog role — both a grantee and a securable
+ PolarisBaseEntity R1 =
+ this.createEntity(List.of(catalog), PolarisEntityType.CATALOG_ROLE,
"R1");
+
+ // grant a privilege TO R1 on N1 (R1 is the grantee)
+ grantPrivilege(R1, List.of(catalog, N1), N1,
PolarisPrivilege.TABLE_READ_DATA);
+
+ // create a principal role and grant R1 usage to it (R1 is the securable)
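Review bot: The Javadoc on testLoadResolvedEntitiesGranteeVsSecurableRecords says catalog roles are "both grantees and securables" but never states which grant puts the role on which side. A reader only learns that from the inline comments further down ("R1 is the grantee" for the TABLE_READ_DATA grant on N1, "R1 is the securable" for the usage grant to a principal role). Consider naming both cases in the Javadoc so the intent of the test is clear without reading the body. Separately, the only check on catalogCreated before getCatalog() is isNotNull(); if the result type exposes a status, asserting on it here would give a clearer failure than a problem surfacing later in createEntity.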
Review Comment:
I have a hard time understanding that R1 is a securable; however, it looks like
Polaris is using the special privilege (`catalog_role_usage`) to avoid another
relation (the relation between catalog role and principal). It should just work,
but I am still not 100% convinced that R1 is a securable. I'd consider it a
special securable at most.