vignesh-manel commented on code in PR #3852:
URL: https://github.com/apache/polaris/pull/3852#discussion_r2983617650
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -1518,8 +1569,17 @@ public PrivilegeResult assignCatalogRoleToPrincipalRole(
CatalogEntity catalogEntity = getCatalogByName(resolutionManifest,
catalogName);
CatalogRoleEntity catalogRoleEntity =
getCatalogRoleByName(resolutionManifest, catalogRoleName);
- return metaStoreManager.grantUsageOnRoleToGrantee(
- getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+ PrivilegeResult result =
+ metaStoreManager.grantUsageOnRoleToGrantee(
+ getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+
+ // if granting catalog_admin, also grant catalog_role_manager to allow
listing principal roles
+ if (result.isSuccess()
+ &&
PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
+ grantCatalogRoleManagerIfNeeded(principalRoleEntity);
Review Comment:
As per my understanding this is not possible as `catalog_admin` is a catalog
scoped role that cannot hold root-scoped privilege `PRINCIPAL_ROLE_LIST`. That
is the reason we need a principal role (catalog_role_manager) which can have
`PRINCIPAL_ROLE_LIST` privilege, and this principal role is automatically
granted to principals who have catalog_admin.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
