Hello,

As suggested in PR #274, all authorizer implementations are expected to handle all operations in PolarisAuthorizableOperation. However, entity types PRINCIPAL_ROLE and CATALOG_ROLE are used to manage grants – which seems specific to Polaris’s default authorization. An authorizer implementation, like Apache Ranger, will manage grants in its own policy model, hence may not require/support grants managed via PRINCIPAL_ROLE and CATALOG_ROLE.

Given this, I am looking for guidance on how an authorizer implementation should handle such operations.

1) Should an implementation ignore such operations by failing them? This might be okay if Polaris core doesn’t have any dependency on these operations.

2) If implementations are expected to authorize these operations, are they expected to manage the resulting metadata updates as well (like create/drop/list of principal roles/catalog roles/grants/revokes)? Or would Polaris maintain the metadata updates? If Polaris maintains the metadata, are all implementations expected to honor the grants/revokes stored in this metadata?

Thanks,
Madhan
