Hi Graeme, Could you share a bit more about your use case? We’ve been discussing pre‑setting catalog roles, grants, namespaces, policies whenever a new catalog is created. Does that match what you’re trying to do?
If so, a quick approach is to run a script that executes the required steps via the Polaris CLI in sequence. Long term, we could allow a template for catalog creation. Yufei On Tue, Sep 23, 2025 at 9:16 AM Jean-Baptiste Onofré <[email protected]> wrote: > For context, I implemented something that looks like that (if I > understood correctly) in Apache ActiveMQ: > > <authorizationPlugin> > <map> > <authorizationMap> > <authorizationEntries> > <authorizationEntry queue="TEST.Q" read="users" > write="users" admin="users" /> > <authorizationEntry topic="ActiveMQ.Advisory.>" read="*" > write="*" admin="*"/> > </authorizationEntries> > <tempDestinationAuthorizationEntry> > <tempDestinationAuthorizationEntry read="admin" > write="admin" admin="admin"/> > </tempDestinationAuthorizationEntry> > </authorizationMap> > </map> > </authorizationPlugin> > > see https://activemq.apache.org/components/classic/documentation/security > > So, here, you have the permission (read, write, admin) mapped to roles > (admin, users, everyone e.g. *). > > In Polaris, instead of queue/topic, it would be entities, and we can > do the same sort of "mapping". > > Just my $0.01 > > Regards > JB > > On Tue, Sep 23, 2025 at 5:06 PM Jean-Baptiste Onofré <[email protected]> > wrote: > > > > Hi Graeme > > > > So, you proposal is to declare the roles mapping to action in a > > configuration file. Something like this (pseudo config): > > > > Entity FOO > > Role1: read > > Role2: write > > > > Entity BAR > > Role1: admin > > Role3: write > > > > So, the roles are still coming possibly from "external" providers, but > > the "mapping" role/permission would be declarative. Is it what you > > mean ? > > > > Regards > > JB > > > > On Tue, Sep 23, 2025 at 4:29 PM Graeme Hendrickson > > <[email protected]> wrote: > > > > > > Hi folks, > > > > > > One of the things that’s been a little painful for us operating > Polaris is configuring new catalogs or ensuring that a catalog has the > roles and grants configured that we expect. Has there been any interest or > thought put into an idempotent “apply” action for principal roles, catalog > roles, and privilege grants based on some sort of configuration file? If > not, is that something that’s interesting to this group? > > > > > > Cheers, > > > Graeme >
