GitHub user bharos closed a discussion: Scoped MANAGE_GRANTS in Gravitino — equivalent of SQL `WITH GRANT OPTION`
## Context

Considering the path of migrating from Hive SQL Standard Based Authorization to Gravitino's access control model. One of the features we rely on in Hive is `WITH GRANT OPTION`, which allows a user to delegate the ability to grant a specific privilege on a specific object to others:

```sql
GRANT SELECT ON TABLE finance.orders TO USER alice WITH GRANT OPTION;
-- Alice can now grant SELECT on finance.orders to other users/roles
```

Gravitino has MANAGE_GRANTS as the closest concept, but after reviewing the source code I found it is fundamentally metalake-wide and cannot be scoped to a catalog, schema, or table:

- [Privileges.ManageGrants.canBindTo()](https://github.com/apache/gravitino/blob/main/api/src/main/java/org/apache/gravitino/authorization/Privileges.java#L866) only returns true for MetadataObject.Type.METALAKE
- hasMetadataPrivilegePermission() in JcasbinAuthorizer only checks MANAGE_GRANTS against the metalake object, not the target object's ancestor hierarchy
- [grantRolesToUser and grantPrivilegesToRole in PermissionOperations](https://github.com/apache/gravitino/blob/7f94ffdb51117346b092716eb00a9c318fc76705/server/src/main/java/org/apache/gravitino/server/web/rest/PermissionOperations.java#L85) have hardcoded `@AuthorizationExpression(expression = "METALAKE::OWNER || METALAKE::MANAGE_GRANTS")`, so even if the above were fixed, role assignment still requires metalake-level authority.

I also explored object ownership as a workaround — the owner of a parent object (e.g. schema) can grant privileges on children — but:

- Only one USER can own an object (GROUP ownership is not yet supported)
- Ownership grants full ALL access to the object, not just grant-delegation authority (also this can just be single user, can't make a bunch of users as owners)

Questions:

Is scoped MANAGE_GRANTS something reasonable to support? Or is there a recommended workaround today beyond centralizing all grant management through metalake admins?
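As an added illustration (example code, not part of the discussion and not Gravitino's own implementation), a small Python model of what a scoped MANAGE_GRANTS check would look like: the grantor's MANAGE_GRANTS is looked up along the target object's ancestor chain instead of only at the metalake, and delegation additionally requires the grantor to hold the privilege being handed out, as `WITH GRANT OPTION` does. The dotted object names, the metalake/catalog/schema/table hierarchy, and the rule that a privilege held on an ancestor applies to its descendants are assumptions of this model.

```python
from dataclasses import dataclass, field

MANAGE_GRANTS = "MANAGE_GRANTS"


def ancestors(obj: str) -> list[str]:
    """'lake.finance.orders' -> ['lake.finance.orders', 'lake.finance', 'lake'] (assumed naming)."""
    parts = obj.split(".")
    return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]


@dataclass
class ScopedAuthorizer:
    """Toy model of a scoped MANAGE_GRANTS check; not Gravitino's JcasbinAuthorizer."""

    # held[user] = {(object, privilege)}; a privilege on an ancestor is assumed to cover descendants.
    held: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def grant(self, user: str, obj: str, privilege: str) -> None:
        self.held.setdefault(user, set()).add((obj, privilege))

    def has(self, user: str, obj: str, privilege: str) -> bool:
        mine = self.held.get(user, set())
        return any((anc, privilege) in mine for anc in ancestors(obj))

    def can_delegate(self, grantor: str, target: str, privilege: str) -> bool:
        # Scoped check: MANAGE_GRANTS on the target or any ancestor qualifies (the metalake
        # root is an ancestor, so today's metalake-wide MANAGE_GRANTS still passes). The
        # second clause is the WITH GRANT OPTION invariant: only delegate what you hold.
        return self.has(grantor, target, MANAGE_GRANTS) and self.has(grantor, target, privilege)

    def delegate(self, grantor: str, grantee: str, target: str, privilege: str) -> bool:
        # Grant on the grantor's behalf; returns False and changes nothing when denied.
        if not self.can_delegate(grantor, target, privilege):
            return False
        self.grant(grantee, target, privilege)
        return True


def demo() -> dict[str, bool]:
    """Constructed scenario: admin is metalake-wide, alice is scoped to the finance schema."""
    az = ScopedAuthorizer()
    az.grant("admin", "lake", MANAGE_GRANTS)
    az.grant("admin", "lake", "SELECT")
    az.grant("alice", "lake.finance", MANAGE_GRANTS)
    az.grant("alice", "lake.finance.orders", "SELECT")
    return {
        "admin_on_hr": az.delegate("admin", "bob", "lake.hr.employees", "SELECT"),
        "alice_on_finance": az.delegate("alice", "bob", "lake.finance.orders", "SELECT"),
        "alice_on_hr": az.delegate("alice", "bob", "lake.hr.employees", "SELECT"),
        "alice_modify": az.delegate("alice", "bob", "lake.finance.orders", "MODIFY"),
        "bob_has_select": az.has("bob", "lake.finance.orders", "SELECT"),
    }
```

In this model alice can delegate SELECT on the finance table but is denied on another schema's table and on a privilege she does not hold, which is the behaviour the post is asking for from a scoped MANAGE_GRANTS.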
GitHub link: https://github.com/apache/gravitino/discussions/10267
