adutra commented on issue #2306: URL: https://github.com/apache/polaris/issues/2306#issuecomment-3242918415
Hi @FredKhayat thanks for reporting this.

First off: `CATALOG_MANAGE_CONTENT` is _not_ required for a principal to list namespaces or tables. We have tests for that; for example, here we test sufficient privileges for listing tables:

https://github.com/apache/polaris/blob/3bc92b461f299c2c197949d4f42be23bfa3363ad/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandlerAuthzTest.java#L528-L541

The test explicitly checks that the `TABLE_LIST` privilege _alone_ is enough for listing tables.

And now taking a step back. What is the issue exactly?

1️⃣ Is it that you would like a principal to be able to list his own tables, _even if they don't have sufficient privileges such as `TABLE_LIST`_?

2️⃣ Or is it, as @flyrain suggested, that Polaris should filter out objects that are not readable for a given principal, even if they have privileges for listing such objects?

In any case, I think this issue deserves some clarification, and even maybe as @snazy proposed, an ML discussion.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
