danhuawang opened a new issue, #10150:
URL: https://github.com/apache/gravitino/issues/10150

   ### Version
   
   main branch
   
   ### Describe what's wrong
   
   Schema Owner with the USE_CATALOG privilege failed to replace View (ForbiddenException).
   
   After I restarted the server, I was able to replace the view successfully.
   
   ### Error message and/or stacktrace
   
   ```
   {
       "error": {
           "message": "User 'Lisa' is not authorized to perform operation 'replaceView' on metadata 'irc_test.irc_catalog.s1.test_view_1' with expression 'ANY(OWNER, METALAKE, CATALOG) || SCHEMA_OWNER_WITH_USE_CATALOG || ANY_USE_CATALOG && ANY_USE_SCHEMA && VIEW::OWNER'",
           "type": "ForbiddenException",
           "code": 403,
           "stack": [
               "org.apache.iceberg.exceptions.ForbiddenException: User 'Lisa' is not authorized to perform operation 'replaceView' on metadata 'irc_test.irc_catalog.s1.test_view_1' with expression 'ANY(OWNER, METALAKE, CATALOG) || SCHEMA_OWNER_WITH_USE_CATALOG || ANY_USE_CATALOG && ANY_USE_SCHEMA && VIEW::OWNER'",
               "\tat org.apache.gravitino.server.web.filter.BaseMetadataAuthorizationMethodInterceptor.invoke(BaseMetadataAuthorizationMethodInterceptor.java:184)",
               "\tat org.jvnet.hk2.internal.MethodInterceptorHandler.invoke(MethodInterceptorHandler.java:97)",
               "\tat org.apache.gravitino.iceberg.service.rest.IcebergViewOperations_$$_jvstaca_a.replaceView(IcebergViewOperations_$$_jvstaca_a.java)",
               "\tat jdk.internal.reflect.GeneratedMethodAccessor230.invoke(Unknown Source)",
               "\tat java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
               "\tat java.base/java.lang.reflect.Method.invoke(Method.java:568)",
               "\tat org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:52)",
               "\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:146)",
               "\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:189)",
               "\tat org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:176)",
               "\tat org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:93)",
               "\tat org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:478)",
               "\tat org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:400)",
               "\tat org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:81)",
               "\tat org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:256)",
               "\tat org.glassfish.jersey.internal.Errors$1.call(Errors.java:248)",
               "\tat org.glassfish.jersey.internal.Errors$1.call(Errors.java:244)",
               "\tat org.glassfish.jersey.internal.Errors.process(Errors.java:292)",
               "\tat org.glassfish.jersey.internal.Errors.process(Errors.java:274)",
               "\tat org.glassfish.jersey.internal.Errors.process(Errors.java:244)",
               "\tat org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:265)",
               "\tat org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:235)",
               "\tat org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:684)",
               "\tat org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:394)",
               "\tat org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:346)",
               "\tat org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:358)",
               "\tat org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:311)",
               "\tat org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:205)",
               "\tat org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)",
               "\tat org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)",
               "\tat org.apache.gravitino.server.authentication.AuthenticationFilter.lambda$doFilter$0(AuthenticationFilter.java:89)",
               "\tat java.base/java.security.AccessController.doPrivileged(AccessController.java:712)",
               "\tat java.base/javax.security.auth.Subject.doAs(Subject.java:439)",
               "\tat org.apache.gravitino.utils.PrincipalUtils.doAs(PrincipalUtils.java:44)",
               "\tat org.apache.gravitino.server.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:86)",
               "\tat org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)",
               "\tat org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)",
               "\tat org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)",
               "\tat org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)",
               "\tat org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)",
               "\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)",
               "\tat org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)",
               "\tat org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)",
               "\tat org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)",
               "\tat org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)",
               "\tat org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)",
               "\tat org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)",
               "\tat org.eclipse.jetty.server.Server.handle(Server.java:516)",
               "\tat org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)",
               "\tat org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)",
               "\tat org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)",
               "\tat org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)",
               "\tat org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)",
               "\tat org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)",
               "\tat org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)",
               "\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)",
               "\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)",
               "\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)",
               "\tat org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)",
               "\tat org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)",
               "\tat org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)",
               "\tat org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)",
               "\tat java.base/java.lang.Thread.run(Thread.java:840)"
           ]
       }
   }
   ```
   
   ### How to reproduce
   
   1. Create a view under schema `irc_catalog.s1`
   POST http://127.0.0.1:19001/iceberg/v1/irc_catalog/namespaces/s1/views
   ```
   {
       "name": "test_view_1",
       "schema": {
           "type": "struct",
           "schema-id": 0,
           "fields": [
               {
                   "id": 1,
                   "name": "id",
                   "required": true,
                   "type": "int"
               },
               {
                   "id": 2,
                   "name": "data",
                   "required": false,
                   "type": "string"
               }
           ]
       },
       "view-version": {
           "version-id": 1,
           "timestamp-ms": 1772530509921,
           "schema-id": 0,
           "summary": {
               "operation": "create"
           },
           "representations": [
               {
                   "type": "sql",
                   "sql": "SELECT id, data FROM s1.source_table",
                   "dialect": "spark"
               }
           ],
           "default-namespace": [
               "s1"
           ]
       },
       "properties": {
           "comment": "Test view"
       }
   }
   
   ```
   2. Set the schema `irc_catalog.s1` owner to user `Lisa`
   
   3. Create a role `ircViewRole5b` with use_catalog privilege
   ```
   {
       "code": 0,
       "role": {
           "name": "ircViewRole5b",
           "audit": {
               "creator": "anonymous",
               "createTime": "2026-03-03T09:35:30.764831Z",
               "lastModifier": "anonymous",
               "lastModifiedTime": "2026-03-03T09:35:30.787942Z"
           },
           "properties": {
               "k1": "v1"
           },
           "securableObjects": [
               {
                   "type": "catalog",
                   "privileges": [
                       {
                           "name": "use_catalog",
                           "condition": "allow"
                       }
                   ],
                   "fullName": "irc_catalog"
               },
               {
                   "type": "metalake",
                   "privileges": [
                       {
                           "name": "use_schema",
                           "condition": "allow"
                       },
                       {
                           "name": "use_catalog",
                           "condition": "allow"
                       }
                   ],
                   "fullName": "irc_test"
               }
           ]
       }
   }
   ```
   4. Grant the role to the user
   5. Use the user `Lisa` to replace view
   
   POST {{irchost}}/iceberg/v1/:catalog/namespaces/:schema/views/:view
   ```
   {
       "requirements": [
           
       ],
       "updates": [
           {
               "action": "add-view-version",
               "view-version": {
                   "version-id": 2,
                   "timestamp-ms": 1772530530809,
                   "schema-id": 0,
                   "summary": {
                       "operation": "replace"
                   },
                   "representations": [
                       {
                           "type": "sql",
                           "sql": "SELECT id, data FROM s1.updated_table",
                           "dialect": "spark"
                       }
                   ],
                   "default-namespace": [
                       "s1"
                   ]
               }
           },
           {
               "action": "set-current-view-version",
               "view-version-id": 2
           }
       ]
   }
   ```
   
   ### Additional context
   
   _No response_

