flyingImer commented on code in PR #3852:
URL: https://github.com/apache/polaris/pull/3852#discussion_r2908498163
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -1518,8 +1531,17 @@ public PrivilegeResult assignCatalogRoleToPrincipalRole(
CatalogEntity catalogEntity = getCatalogByName(resolutionManifest,
catalogName);
CatalogRoleEntity catalogRoleEntity =
getCatalogRoleByName(resolutionManifest, catalogRoleName);
- return metaStoreManager.grantUsageOnRoleToGrantee(
- getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+ PrivilegeResult result =
+ metaStoreManager.grantUsageOnRoleToGrantee(
+ getCurrentPolarisContext(), catalogEntity, catalogRoleEntity,
principalRoleEntity);
+
+ // if granting catalog_admin, also grant catalog_role_manager to allow
listing principal roles
+ if (result.isSuccess()
+ &&
PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
+ grantCatalogRoleManagerIfNeeded(principalRoleEntity);
Review Comment:
IIUC, the current fix covers the assign-then-grant order, but I think the
reverse order still looks open: if a principal role already holds
`catalog_admin` on a catalog and a principal is added later via
`assignPrincipalRole`, the new principal does not seem to inherit
`catalog_role_manager`. Would it make sense to handle that mirror case as well,
or add a test showing why the current lifecycle is still safe?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
