vignesh-manel commented on code in PR #3852:
URL: https://github.com/apache/polaris/pull/3852#discussion_r2983689403
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/AuthBootstrapUtil.java:
##########
@@ -104,6 +104,23 @@ public static PrincipalSecretsResult
createPolarisPrincipalForRealm(
rootContainer,
PolarisPrivilege.SERVICE_MANAGE_ACCESS);
+ // create the catalog_role_manager principal role for catalog admins to
list principal roles
+ PrincipalRoleEntity catalogRoleManagerPrincipalRole =
+ new PrincipalRoleEntity.Builder()
+ .setId(generateId(metaStoreManager, ctx))
+
.setName(PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole())
+ .setCreateTimestamp(System.currentTimeMillis())
+ .build();
+ metaStoreManager.createEntityIfNotExists(ctx, null,
catalogRoleManagerPrincipalRole);
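Review bot: the result of `metaStoreManager.createEntityIfNotExists(ctx, null, catalogRoleManagerPrincipalRole);` is discarded, so a create that fails for a reason other than "already exists" is silently ignored and bootstrap carries on as though the catalog_role_manager principal role were present; capture the returned result and fail bootstrap (or at minimum log) when it does not indicate success. Two smaller points on the same lines: `generateId(metaStoreManager, ctx)` consumes an id on every bootstrap even when the role already exists and the create is a no-op, and the lines shown here only create the role, while the comment says it exists "for catalog admins to list principal roles", so the PRINCIPAL_ROLE_LIST grant to this role should be in the remainder of this hunk or explicitly referenced in the comment.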
Review Comment:
Yes, it is possible via the CLI for a service_admin to create a new principal
role with the PRINCIPAL_ROLE_LIST privilege and manually assign it to all
principals having the catalog_admin catalog role
(and revoke it when principals no longer have catalog_admin). However, this
manual process can be error-prone and operationally cumbersome.
This feature automates the above-mentioned grant and revoke process as
described in https://github.com/apache/polaris/issues/363. After
https://github.com/apache/polaris/pull/361 enabled catalog_admin to grant
catalog roles to principal roles, issue #363 was that catalog_admin still
cannot list available principal roles, making it difficult to know which roles
to grant. This PR solves that problem through automatic role management.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
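The grant-and-revoke process the comment describes (every principal that holds catalog_admin gets the catalog_role_manager principal role, and loses it once it no longer holds catalog_admin) is the kind of membership reconciliation that is easy to get subtly wrong when done by hand. The following is an added example, not Apache Polaris code and not the implementation in this PR: it models the Polaris grant chain (principal -> principal role -> catalog role) with plain dicts and sets, and shows an idempotent reconciliation. The role names are the ones used in the thread; the data model, the `reconcile` function and the sample principals are assumptions constructed for illustration.

```python
"""Idempotent reconciliation of the catalog_role_manager principal role.

Added example, not Apache Polaris code. Assumed model (for illustration only):
  principal_roles: principal name -> set of principal roles it holds
  grants:          principal role -> set of (catalog, catalog role) granted to it
A principal "has catalog_admin" when at least one principal role it holds is
granted catalog_admin in some catalog. Every such principal must hold the
catalog_role_manager principal role (the one carrying PRINCIPAL_ROLE_LIST in
the PR); every other principal must not, even if it was granted the role by hand.
"""

CATALOG_ADMIN = "catalog_admin"
CATALOG_ROLE_MANAGER = "catalog_role_manager"


def principals_with_catalog_admin(principal_roles, grants):
    """Principals that reach catalog_admin through at least one principal role."""
    admin_roles = {
        role
        for role, pairs in grants.items()
        if any(catalog_role == CATALOG_ADMIN for _, catalog_role in pairs)
    }
    return {p for p, roles in principal_roles.items() if roles & admin_roles}


def reconcile(principal_roles, grants):
    """Bring catalog_role_manager membership in line with catalog_admin holders.

    Mutates principal_roles in place and returns (granted, revoked) as sorted
    lists. Running it again on an unchanged state returns ([], []).
    """
    desired = principals_with_catalog_admin(principal_roles, grants)
    current = {p for p, roles in principal_roles.items() if CATALOG_ROLE_MANAGER in roles}
    to_grant = sorted(desired - current)
    to_revoke = sorted(current - desired)
    for p in to_grant:
        principal_roles[p].add(CATALOG_ROLE_MANAGER)
    for p in to_revoke:
        principal_roles[p].discard(CATALOG_ROLE_MANAGER)
    return to_grant, to_revoke


def demo():
    """Constructed sample state; returns the three reconciliation outcomes."""
    grants = {
        "data_eng_admins": {("sales", CATALOG_ADMIN)},
        "analysts": {("sales", "reader")},
        # The managed role carries PRINCIPAL_ROLE_LIST, not a catalog role,
        # so it must never itself count as a catalog_admin path.
        CATALOG_ROLE_MANAGER: set(),
    }
    principal_roles = {
        "alice": {"data_eng_admins"},
        # bob holds the managed role but no longer reaches catalog_admin:
        # the stale grant the manual process tends to leave behind.
        "bob": {"analysts", CATALOG_ROLE_MANAGER},
        "carol": {"analysts"},
    }
    first = reconcile(principal_roles, grants)    # (['alice'], ['bob'])
    second = reconcile(principal_roles, grants)   # ([], []) - idempotent
    # catalog_admin is revoked from the principal role, not from alice directly;
    # the next pass must still notice that alice lost it.
    grants["data_eng_admins"].discard(("sales", CATALOG_ADMIN))
    third = reconcile(principal_roles, grants)    # ([], ['alice'])
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The point the second and third passes make is the one the comment is getting at: the managed role has to be derived from the current grant chain on every pass rather than granted once, because catalog_admin can disappear one level up (from the principal role) without any change to the principal itself, and a role granted by hand to a principal that never qualified is just as stale as one left behind after a revoke.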