vignesh-manel commented on code in PR #3852:
URL: https://github.com/apache/polaris/pull/3852#discussion_r2899514660
##########
polaris-core/src/main/java/org/apache/polaris/core/entity/PolarisEntityConstants.java:
##########
@@ -43,6 +43,9 @@ public class PolarisEntityConstants {
// the name of the principal role we create to manage the entire Polaris
service
private static final String ADMIN_PRINCIPAL_ROLE_NAME = "service_admin";
+ // the name of the principal role for catalog admins to list principal roles
+ private static final String CATALOG_ROLE_MANAGER_PRINCIPAL_ROLE_NAME =
"catalog_role_manager";
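Review bot: the comment on CATALOG_ROLE_MANAGER_PRINCIPAL_ROLE_NAME describes who benefits from the role but not that it is a system-managed role the service grants and revokes on its own, nor whether the name is reserved from user-created principal roles the way service_admin is. Placing "catalog_role_manager" next to "service_admin" invites the same handling, so the comment should say so explicitly, e.g. `// the name of the system-managed principal role granted to principal roles that` / `// hold catalog_admin, so that catalog admins can list principal roles`, and the reservation check (if any) should be referenced there.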
Review Comment:
Made it similar to service_admin.
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -1534,8 +1544,17 @@ public PrivilegeResult
revokeCatalogRoleFromPrincipalRole(
getPrincipalRoleByName(resolutionManifest, principalRoleName);
CatalogEntity catalogEntity = getCatalogByName(resolutionManifest,
catalogName);
CatalogRoleEntity catalogRoleEntity =
getCatalogRoleByName(resolutionManifest, catalogRoleName);
- return metaStoreManager.revokeUsageOnRoleFromGrantee(
- getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+ PrivilegeResult result =
+ metaStoreManager.revokeUsageOnRoleFromGrantee(
+ getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+
+ // if revoking catalog_admin, check if principal still has catalog_admin
on other catalogs
+ if (result.isSuccess()
+ &&
PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
+ revokeCatalogRoleManagerIfNeeded(principalRoleEntity);
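Review bot: the new block at the end of revokeCatalogRoleFromPrincipalRole issues two separate metastore writes whose outcomes are not tied together: if revokeUsageOnRoleFromGrantee succeeds but revokeCatalogRoleManagerIfNeeded does not complete, the principal role has lost catalog_admin yet keeps catalog_role_manager and with it the ability to list principal roles, while `result` still reports success to the caller. Have revokeCatalogRoleManagerIfNeeded return or log its outcome (warn level when the cleanup is skipped) so a stale grant is at least visible. Also, the comment `// if revoking catalog_admin, check if principal still has catalog_admin on other catalogs` should say "principal role", since the entity inspected is principalRoleEntity, and the catalog_admin check compares against the request string catalogRoleName rather than catalogRoleEntity.getName(); comparing the resolved entity's name avoids depending on the request matching the stored name exactly.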
Review Comment:
Good catch. Made relevant changes to clean up on catalog drop and also to
revoke catalog_role_manager when a principal loses a principal role.
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -2335,4 +2354,195 @@ private static PolarisEntitySubType
selectEntitySubType(List<PolarisEntitySubTyp
subTypes));
}
}
+
+ /**
+ * Grants the catalog_role_manager principal role to all principals assigned
to the specified
+ * principal role. This allows catalog admins to list principal roles.
+ */
+ private void grantCatalogRoleManagerIfNeeded(PrincipalRoleEntity
principalRoleEntity) {
+ // Load catalog_role_manager directly from metastore
+ EntityResult catalogRoleManagerResult =
+ metaStoreManager.readEntityByName(
+ getCurrentPolarisContext(),
+ null,
+ PolarisEntityType.PRINCIPAL_ROLE,
+ PolarisEntitySubType.NULL_SUBTYPE,
+ PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole());
+
+ if (!catalogRoleManagerResult.isSuccess() ||
catalogRoleManagerResult.getEntity() == null) {
+ return;
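Review bot: the early `return` when readEntityByName for catalog_role_manager fails or yields a null entity silently skips the grant, so a catalog admin would be unable to list principal roles with nothing in the logs to explain why; log at warn level before returning, distinguishing a failed result from a null entity. The Javadoc also says the method grants catalog_role_manager "to all principals assigned to the specified principal role", which does not match the single PrincipalRoleEntity parameter; state precisely which grantee receives the role. Finally, the lookup passes `null` for the catalog path; a short comment noting that principal roles are top-level entities would make that intentional rather than accidental.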
Review Comment:
Added log.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]