Update privilege model to support granting CatalogRole access to Prin…

…cipalRoles (#361) Co-authored-by: Michael Collado <[email protected]>
apache · Oct 9, 2024 · 5c1f9bb · 5c1f9bb
1 parent baf2b8c
commit 5c1f9bb
Show file tree

Hide file tree

Showing 2 changed files with 594 additions and 112 deletions.
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizableOperation.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizableOperation.java
@@ -141,8 +141,7 @@ public enum PolarisAuthorizableOperation {
   DELETE_PRINCIPAL_ROLE(PRINCIPAL_ROLE_DROP),
   LIST_ASSIGNEE_PRINCIPALS_FOR_PRINCIPAL_ROLE(PRINCIPAL_ROLE_LIST_GRANTS),
   LIST_CATALOG_ROLES_FOR_PRINCIPAL_ROLE(PRINCIPAL_ROLE_LIST_GRANTS),
-  ASSIGN_CATALOG_ROLE_TO_PRINCIPAL_ROLE(
-      CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ASSIGN_CATALOG_ROLE_TO_PRINCIPAL_ROLE(CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_CATALOG_ROLE_FROM_PRINCIPAL_ROLE(
       CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_CATALOG_ROLES(CATALOG_ROLE_LIST),
@@ -156,38 +155,31 @@ public enum PolarisAuthorizableOperation {
   REVOKE_ROOT_GRANT_FROM_PRINCIPAL_ROLE(
       SERVICE_MANAGE_ACCESS, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_ROOT(SERVICE_MANAGE_ACCESS),
-  ADD_PRINCIPAL_GRANT_TO_PRINCIPAL_ROLE(
-      PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_PRINCIPAL_GRANT_TO_PRINCIPAL_ROLE(PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_PRINCIPAL_GRANT_FROM_PRINCIPAL_ROLE(
       PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_PRINCIPAL(PRINCIPAL_LIST_GRANTS),
-  ADD_PRINCIPAL_ROLE_GRANT_TO_PRINCIPAL_ROLE(
-      PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_PRINCIPAL_ROLE_GRANT_TO_PRINCIPAL_ROLE(PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_PRINCIPAL_ROLE_GRANT_FROM_PRINCIPAL_ROLE(
       PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE, PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_PRINCIPAL_ROLE(PRINCIPAL_ROLE_LIST_GRANTS),
-  ADD_CATALOG_ROLE_GRANT_TO_CATALOG_ROLE(
-      CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_CATALOG_ROLE_GRANT_TO_CATALOG_ROLE(CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_CATALOG_ROLE_GRANT_FROM_CATALOG_ROLE(
       CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_CATALOG_ROLE(CATALOG_ROLE_LIST_GRANTS),
-  ADD_CATALOG_GRANT_TO_CATALOG_ROLE(
-      CATALOG_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_CATALOG_GRANT_TO_CATALOG_ROLE(CATALOG_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_CATALOG_GRANT_FROM_CATALOG_ROLE(
       CATALOG_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_CATALOG(CATALOG_LIST_GRANTS),
-  ADD_NAMESPACE_GRANT_TO_CATALOG_ROLE(
-      NAMESPACE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_NAMESPACE_GRANT_TO_CATALOG_ROLE(NAMESPACE_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_NAMESPACE_GRANT_FROM_CATALOG_ROLE(
       NAMESPACE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_NAMESPACE(NAMESPACE_LIST_GRANTS),
-  ADD_TABLE_GRANT_TO_CATALOG_ROLE(
-      TABLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_TABLE_GRANT_TO_CATALOG_ROLE(TABLE_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_TABLE_GRANT_FROM_CATALOG_ROLE(
       TABLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_TABLE(TABLE_LIST_GRANTS),
-  ADD_VIEW_GRANT_TO_CATALOG_ROLE(
-      VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
+  ADD_VIEW_GRANT_TO_CATALOG_ROLE(VIEW_MANAGE_GRANTS_ON_SECURABLE),
   REVOKE_VIEW_GRANT_FROM_CATALOG_ROLE(
       VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE),
   LIST_GRANTS_ON_VIEW(VIEW_LIST_GRANTS),