dimas-b commented on code in PR #3852:
URL: https://github.com/apache/polaris/pull/3852#discussion_r2976515674
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/AuthBootstrapUtil.java:
##########
@@ -104,6 +104,23 @@ public static PrincipalSecretsResult
createPolarisPrincipalForRealm(
rootContainer,
PolarisPrivilege.SERVICE_MANAGE_ACCESS);
+ // create the catalog_role_manager principal role for catalog admins to
list principal roles
+ PrincipalRoleEntity catalogRoleManagerPrincipalRole =
+ new PrincipalRoleEntity.Builder()
+ .setId(generateId(metaStoreManager, ctx))
+
.setName(PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole())
+ .setCreateTimestamp(System.currentTimeMillis())
+ .build();
+ metaStoreManager.createEntityIfNotExists(ctx, null,
catalogRoleManagerPrincipalRole);
+
+ // grant PRINCIPAL_ROLE_LIST on the rootContainer to the
catalogRoleManagerPrincipalRole
+ metaStoreManager.grantPrivilegeOnSecurableToRole(
+ ctx,
+ catalogRoleManagerPrincipalRole,
+ null,
+ rootContainer,
+ PolarisPrivilege.PRINCIPAL_ROLE_LIST);
Review Comment:
We grant a "principal" privilege to a "catalog admin" role. This looks a bit
out of line with the general distinction of principals (which are global to the
realm) and catalog-specific roles (scoped under a catalog). Should the new role
be named "principal role manager" perhaps?
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/AuthBootstrapUtil.java:
##########
@@ -104,6 +104,23 @@ public static PrincipalSecretsResult
createPolarisPrincipalForRealm(
rootContainer,
PolarisPrivilege.SERVICE_MANAGE_ACCESS);
+ // create the catalog_role_manager principal role for catalog admins to
list principal roles
+ PrincipalRoleEntity catalogRoleManagerPrincipalRole =
+ new PrincipalRoleEntity.Builder()
+ .setId(generateId(metaStoreManager, ctx))
+
.setName(PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole())
+ .setCreateTimestamp(System.currentTimeMillis())
+ .build();
+ metaStoreManager.createEntityIfNotExists(ctx, null,
catalogRoleManagerPrincipalRole);
Review Comment:
As an alternative to adding a new default role in the server code, WDYT
about using the new `setup` CLI (#3929) command instead?
This way, the server does not have to manage a lot of default roles, and
admin users can still have convenient methods of managing new grants.
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -1518,8 +1569,17 @@ public PrivilegeResult assignCatalogRoleToPrincipalRole(
CatalogEntity catalogEntity = getCatalogByName(resolutionManifest,
catalogName);
CatalogRoleEntity catalogRoleEntity =
getCatalogRoleByName(resolutionManifest, catalogRoleName);
- return metaStoreManager.grantUsageOnRoleToGrantee(
- getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+ PrivilegeResult result =
+ metaStoreManager.grantUsageOnRoleToGrantee(
+ getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+
+ // if granting catalog_admin, also grant catalog_role_manager to allow
listing principal roles
+ if (result.isSuccess()
+ &&
PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
+ grantCatalogRoleManagerIfNeeded(principalRoleEntity);
Review Comment:
Why not grant `PRINCIPAL_ROLE_LIST` to `catalog_admin` directly?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
