For context, I implemented something that looks like that (if I
understood correctly) in Apache ActiveMQ:
<authorizationPlugin>
  <map>
    <authorizationMap>
      <authorizationEntries>
        <authorizationEntry queue="TEST.Q" read="users" write="users" admin="users"/>
        <authorizationEntry topic="ActiveMQ.Advisory.>" read="*" write="*" admin="*"/>
      </authorizationEntries>
      <tempDestinationAuthorizationEntry>
        <tempDestinationAuthorizationEntry read="admin" write="admin" admin="admin"/>
      </tempDestinationAuthorizationEntry>
    </authorizationMap>
  </map>
</authorizationPlugin>
See https://activemq.apache.org/components/classic/documentation/security
So, here, you have the permissions (read, write, admin) mapped to roles
(admin, users, everyone, e.g. *).
In Polaris, instead of queue/topic, it would be entities, and we can
do the same sort of "mapping".
Just my $0.01
Regards
JB
On Tue, Sep 23, 2025 at 5:06 PM Jean-Baptiste Onofré <[email protected]> wrote:
>
> Hi Graeme
>
> So, your proposal is to declare the roles mapping to action in a
> configuration file. Something like this (pseudo config):
>
> Entity FOO
> Role1: read
> Role2: write
>
> Entity BAR
> Role1: admin
> Role3: write
>
> So, the roles are still coming possibly from "external" providers, but
> the "mapping" role/permission would be declarative. Is that what you
> mean?
>
> Regards
> JB
>
> On Tue, Sep 23, 2025 at 4:29 PM Graeme Hendrickson
> <[email protected]> wrote:
> >
> > Hi folks,
> >
> > One of the things that’s been a little painful for us operating Polaris is
> > configuring new catalogs or ensuring that a catalog has the roles and
> > grants configured that we expect. Has there been any interest or thought
> > put into an idempotent “apply” action for principal roles, catalog roles,
> > and privilege grants based on some sort of configuration file? If not, is
> > that something that’s interesting to this group?
> >
> > Cheers,
> > Graeme
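
The idempotent "apply" over a declarative entity/role/permission mapping discussed in this thread, as an added example that is not part of the original messages and is not Polaris code. It calls no Polaris API; the function names, the `known_roles` check against roles from an external provider, and the sample data (taken from the pseudo config in the thread plus a constructed current state) are assumptions.

```python
# Added example: plan an idempotent "apply" of declared grants.
# All names and data are constructed; no Polaris API is used.

Grant = tuple[str, str, str]  # (entity, role, privilege)

def flatten(mapping: dict[str, dict[str, list[str]]]) -> set[Grant]:
    """Turn {entity: {role: [privileges]}} into a set of grant triples."""
    return {(e, r, p) for e, roles in mapping.items()
            for r, privs in roles.items() for p in privs}

def plan(desired, current, known_roles, prune=True):
    """Return (to_grant, to_revoke) that moves current to desired.

    Raises ValueError when the declaration names a role the external
    provider does not know, so a typo cannot create a dangling grant.
    With prune=True, grants absent from the declaration are revoked,
    which removes privilege drift instead of only adding grants.
    """
    want, have = flatten(desired), flatten(current)
    unknown = sorted({r for _, r, _ in want} - set(known_roles))
    if unknown:
        raise ValueError(f"unknown roles in config: {unknown}")
    to_grant = sorted(want - have)
    to_revoke = sorted(have - want) if prune else []
    return to_grant, to_revoke

def apply(current, to_grant, to_revoke):
    """Apply a plan to an in-memory state and return the new state."""
    state = (flatten(current) | set(to_grant)) - set(to_revoke)
    out: dict[str, dict[str, list[str]]] = {}
    for e, r, p in sorted(state):
        out.setdefault(e, {}).setdefault(r, []).append(p)
    return out

# Constructed sample mirroring the pseudo config in the thread.
DESIRED = {"FOO": {"Role1": ["read"], "Role2": ["write"]},
           "BAR": {"Role1": ["admin"], "Role3": ["write"]}}
# Constructed current state: one grant missing, one drifted extra grant.
CURRENT = {"FOO": {"Role1": ["read"], "Role3": ["admin"]},
           "BAR": {"Role1": ["admin"], "Role3": ["write"]}}
ROLES = {"Role1", "Role2", "Role3"}  # roles known to the provider (assumed)

if __name__ == "__main__":
    grant, revoke = plan(DESIRED, CURRENT, ROLES)
    print("grant:", grant)
    print("revoke:", revoke)
    after = apply(CURRENT, grant, revoke)
    print("second run:", plan(DESIRED, after, ROLES))
```

Running the plan a second time against the applied state yields no changes, which is the idempotence property asked for in the original message.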