adutra commented on code in PR #3682:
URL: https://github.com/apache/polaris/pull/3682#discussion_r2773469615
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -634,11 +640,110 @@ public LoadTableResponse createTableStaged(
* @return ETagged {@link LoadTableResponse} to uniquely identify the table
metadata
*/
public LoadTableResponse registerTable(Namespace namespace,
RegisterTableRequest request) {
- PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
- authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
- op, TableIdentifier.of(namespace, request.name()));
+ TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
+ boolean overwrite = RegisterTableRequestContext.getOverwrite();
+
+ if (overwrite) {
+ // Resolve the namespace and table (optional) so we can distinguish
overwrite from create.
+ resolutionManifest = newResolutionManifest();
+ resolutionManifest.addPath(
+ new ResolverPath(Arrays.asList(namespace.levels()),
PolarisEntityType.NAMESPACE),
+ namespace);
+ ResolverPath tablePath =
+ new ResolverPath(
+ PolarisCatalogHelpers.tableIdentifierToList(identifier),
+ PolarisEntityType.TABLE_LIKE,
+ true /* optional */);
+ resolutionManifest.addPassthroughPath(tablePath, identifier);
+ resolutionManifest.resolveAll();
+
+ boolean tableExists =
+ resolutionManifest.getResolvedPath(
+ identifier,
+ PolarisEntityType.TABLE_LIKE,
+ PolarisEntitySubType.ICEBERG_TABLE,
+ true)
+ != null;
+ if (tableExists) {
+ authorizeUpdateTableOverwriteOrThrow(identifier);
+ LOGGER.debug(
+ "registerTable: overwrite=true, authorized for UPDATE_TABLE on
existing table");
+ } else {
+ // Table doesn't exist, fall back to REGISTER_TABLE authorization
+ LOGGER.debug(
+ "registerTable: overwrite=true, table not found, falling back to
REGISTER_TABLE");
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+ } else {
+ // Creating new table requires REGISTER_TABLE privilege
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+
+ try {
+ return catalogHandlerUtils.registerTable(baseCatalog, namespace,
request);
+ } finally {
+ // Clean up context
+ RegisterTableRequestContext.clear();
+ }
+ }
+
+ private void authorizeUpdateTableOverwriteOrThrow(TableIdentifier
identifier) {
+ authorizeBasicTableLikeOperationsOrThrow(
+ EnumSet.of(PolarisAuthorizableOperation.UPDATE_TABLE),
+ PolarisEntitySubType.ICEBERG_TABLE,
+ identifier);
- return catalogHandlerUtils.registerTable(baseCatalog, namespace, request);
+ if (!(authorizer instanceof PolarisAuthorizerImpl authorizerImpl)) {
+ return;
+ }
+
+ PolarisResolvedPathWrapper target =
+ resolutionManifest.getResolvedPath(
+ identifier, PolarisEntityType.TABLE_LIKE,
PolarisEntitySubType.ICEBERG_TABLE, true);
+ if (target == null) {
+ throw new NoSuchTableException("Table does not exist: %s", identifier);
+ }
+
+ Set<Long> activatedEntityIds =
+
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles().stream()
+ .map(PolarisEntityCore::getId)
+ .collect(Collectors.toSet());
+ boolean hasNonDataWritePrivilege =
+ hasWritePropertiesPrivilegeExcludingWriteData(authorizerImpl,
activatedEntityIds, target);
+ if (!hasNonDataWritePrivilege) {
+ throw new ForbiddenException(
+ "Principal '%s' with activated PrincipalRoles '%s' and activated
grants via '%s' is not authorized for op %s",
+ polarisPrincipal.getName(),
+ polarisPrincipal.getRoles(),
+
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles().stream()
+ .map(PolarisEntityCore::getName)
+ .collect(Collectors.toSet()),
+ PolarisAuthorizableOperation.UPDATE_TABLE);
+ }
+ }
+
+ private boolean hasWritePropertiesPrivilegeExcludingWriteData(
+ PolarisAuthorizerImpl authorizerImpl,
+ Set<Long> activatedEntityIds,
+ PolarisResolvedPathWrapper target) {
+ for (ResolvedPolarisEntity resolvedSecurableEntity :
target.getResolvedFullPath()) {
+ for (PolarisGrantRecord grantRecord :
resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+ if (activatedEntityIds.contains(grantRecord.getGranteeId())) {
+ PolarisPrivilege grantedPrivilege =
+ PolarisPrivilege.fromCode(grantRecord.getPrivilegeCode());
+ if (grantedPrivilege == PolarisPrivilege.TABLE_WRITE_DATA) {
+ continue;
+ }
+ if (authorizerImpl.matchesOrIsSubsumedBy(
+ PolarisPrivilege.TABLE_WRITE_PROPERTIES, grantedPrivilege)) {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
Review Comment:
This feels very low-level and like it should be in the authorizer.
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -634,11 +640,110 @@ public LoadTableResponse createTableStaged(
* @return ETagged {@link LoadTableResponse} to uniquely identify the table
metadata
*/
public LoadTableResponse registerTable(Namespace namespace,
RegisterTableRequest request) {
- PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
- authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
- op, TableIdentifier.of(namespace, request.name()));
+ TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
+ boolean overwrite = RegisterTableRequestContext.getOverwrite();
+
+ if (overwrite) {
+ // Resolve the namespace and table (optional) so we can distinguish
overwrite from create.
+ resolutionManifest = newResolutionManifest();
+ resolutionManifest.addPath(
+ new ResolverPath(Arrays.asList(namespace.levels()),
PolarisEntityType.NAMESPACE),
+ namespace);
+ ResolverPath tablePath =
+ new ResolverPath(
+ PolarisCatalogHelpers.tableIdentifierToList(identifier),
+ PolarisEntityType.TABLE_LIKE,
+ true /* optional */);
+ resolutionManifest.addPassthroughPath(tablePath, identifier);
+ resolutionManifest.resolveAll();
+
+ boolean tableExists =
+ resolutionManifest.getResolvedPath(
+ identifier,
+ PolarisEntityType.TABLE_LIKE,
+ PolarisEntitySubType.ICEBERG_TABLE,
+ true)
+ != null;
+ if (tableExists) {
+ authorizeUpdateTableOverwriteOrThrow(identifier);
+ LOGGER.debug(
+ "registerTable: overwrite=true, authorized for UPDATE_TABLE on
existing table");
+ } else {
+ // Table doesn't exist, fall back to REGISTER_TABLE authorization
+ LOGGER.debug(
+ "registerTable: overwrite=true, table not found, falling back to
REGISTER_TABLE");
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+ } else {
+ // Creating new table requires REGISTER_TABLE privilege
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+
+ try {
+ return catalogHandlerUtils.registerTable(baseCatalog, namespace,
request);
+ } finally {
+ // Clean up context
+ RegisterTableRequestContext.clear();
+ }
+ }
+
+ private void authorizeUpdateTableOverwriteOrThrow(TableIdentifier
identifier) {
+ authorizeBasicTableLikeOperationsOrThrow(
+ EnumSet.of(PolarisAuthorizableOperation.UPDATE_TABLE),
+ PolarisEntitySubType.ICEBERG_TABLE,
+ identifier);
- return catalogHandlerUtils.registerTable(baseCatalog, namespace, request);
+ if (!(authorizer instanceof PolarisAuthorizerImpl authorizerImpl)) {
Review Comment:
Why? Implementation details of the authorizer shouldn't matter here.
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/CatalogHandlerUtils.java:
##########
@@ -348,7 +349,21 @@ public LoadTableResponse registerTable(
request.validate();
TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
- Table table = catalog.registerTable(identifier,
request.metadataLocation());
+ // Determine whether the client requested overwrite semantics. For
catalogs that
Review Comment:
This class was copied from Iceberg. I'm not sure it's a good idea to modify
it in a divergent way. I would place the Polaris-specific logic in
`IcebergCatalogHandler` or `IcebergCatalog` directly.
##########
runtime/service/src/main/java/org/apache/polaris/service/config/Serializers.java:
##########
@@ -58,6 +61,7 @@ public static void registerSerializers(ObjectMapper mapper) {
GrantCatalogRoleRequest.class, new
GrantCatalogRoleRequestDeserializer());
module.addDeserializer(AddGrantRequest.class, new
AddGrantRequestDeserializer());
module.addDeserializer(RevokeGrantRequest.class, new
RevokeGrantRequestDeserializer());
+ module.addDeserializer(RegisterTableRequest.class, new
RegisterTableRequestDeserializer());
Review Comment:
This is going to conflict with
`org.apache.iceberg.rest.RESTSerializers.RegisterTableRequestDeserializer`.
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java:
##########
@@ -330,6 +357,80 @@ public Table registerTable(TableIdentifier identifier,
String metadataFileLocati
return new BaseTable(ops, fullTableName(name(), identifier),
metricsReporter());
}
+ private Table overwriteRegisteredTable(
+ TableIdentifier identifier, String metadataFileLocation, String
locationDir) {
+ /*
+ * High-level overview:
+ * - Resolve the authorized parent for the table so we know the storage
context.
+ * - Validate and read the provided metadata file using a FileIO tied to
that
+ * storage context.
+ * - Ensure the target entity exists and is the correct table-like subtype.
+ * - Replace the stored entity properties (including metadata-location)
with
+ * values derived from the parsed TableMetadata and persist the change.
+ */
+
+ // Resolve the parent namespace path that was authorized for this catalog.
+ PolarisResolvedPathWrapper resolvedParent =
+ resolvedEntityView.getResolvedPath(identifier.namespace());
+ if (resolvedParent == null) {
+ throw new IllegalStateException(
+ String.format("Failed to fetch resolved parent for TableIdentifier
'%s'", identifier));
+ }
+
+ // Validate the supplied metadata file location against the resolved
storage.
+ validateLocationForTableLike(identifier, metadataFileLocation,
resolvedParent);
+
+ // Configure FileIO for the resolved storage and read the metadata file.
+ FileIO fileIO =
+ loadFileIOForTableLike(
+ identifier,
+ Set.of(locationDir),
+ resolvedParent,
+ new HashMap<>(tableDefaultProperties),
+ Set.of(PolarisStorageActions.READ, PolarisStorageActions.LIST));
+
+ TableMetadata metadata = TableMetadataParser.read(fileIO,
metadataFileLocation);
+ validateLocationForTableLike(identifier, metadata.location(),
resolvedParent);
+ validateMetadataFileInTableDir(identifier, metadata);
+
+ // Find the passthrough-resolved entity so we can update the stored record.
+ PolarisResolvedPathWrapper resolvedPath =
+ resolvedEntityView.getPassthroughResolvedPath(
+ identifier, PolarisEntityType.TABLE_LIKE,
PolarisEntitySubType.ANY_SUBTYPE);
+ if (resolvedPath == null || resolvedPath.getRawLeafEntity() == null) {
+ throw new NoSuchTableException("Table does not exist: %s", identifier);
+ }
+
+ // Ensure the raw entity is an Iceberg table-like entity (not a
view/generic table).
+ PolarisEntity rawEntity = resolvedPath.getRawLeafEntity();
+ if (rawEntity.getSubType() == PolarisEntitySubType.ICEBERG_VIEW) {
+ throw new AlreadyExistsException("View with same name already exists:
%s", identifier);
+ } else if (rawEntity.getSubType() == PolarisEntitySubType.GENERIC_TABLE) {
+ throw new AlreadyExistsException(
+ "Generic table with same name already exists: %s", identifier);
+ }
+
+ IcebergTableLikeEntity existingEntity =
IcebergTableLikeEntity.of(rawEntity);
+ if (existingEntity == null) {
+ throw new NoSuchTableException("Table does not exist: %s", identifier);
+ }
+
+ // Build updated entity from parsed metadata and persist the update.
+ Map<String, String> storedProperties =
buildTableMetadataPropertiesMap(metadata);
+ IcebergTableLikeEntity updatedEntity =
+ new IcebergTableLikeEntity.Builder(existingEntity)
+ .setInternalProperties(storedProperties)
+ .setMetadataLocation(metadataFileLocation)
+ .build();
+
+ updateTableLike(identifier, updatedEntity);
Review Comment:
Are we keeping the old table UUID here, or switching to the new UUID? I
think the expected semantics is to switch to the new one.
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java:
##########
@@ -330,6 +357,80 @@ public Table registerTable(TableIdentifier identifier,
String metadataFileLocati
return new BaseTable(ops, fullTableName(name(), identifier),
metricsReporter());
}
+ private Table overwriteRegisteredTable(
+ TableIdentifier identifier, String metadataFileLocation, String
locationDir) {
+ /*
+ * High-level overview:
+ * - Resolve the authorized parent for the table so we know the storage
context.
+ * - Validate and read the provided metadata file using a FileIO tied to
that
+ * storage context.
+ * - Ensure the target entity exists and is the correct table-like subtype.
+ * - Replace the stored entity properties (including metadata-location)
with
+ * values derived from the parsed TableMetadata and persist the change.
+ */
+
+ // Resolve the parent namespace path that was authorized for this catalog.
+ PolarisResolvedPathWrapper resolvedParent =
+ resolvedEntityView.getResolvedPath(identifier.namespace());
+ if (resolvedParent == null) {
+ throw new IllegalStateException(
+ String.format("Failed to fetch resolved parent for TableIdentifier
'%s'", identifier));
+ }
+
+ // Validate the supplied metadata file location against the resolved
storage.
+ validateLocationForTableLike(identifier, metadataFileLocation,
resolvedParent);
+
+ // Configure FileIO for the resolved storage and read the metadata file.
+ FileIO fileIO =
+ loadFileIOForTableLike(
+ identifier,
+ Set.of(locationDir),
+ resolvedParent,
+ new HashMap<>(tableDefaultProperties),
+ Set.of(PolarisStorageActions.READ, PolarisStorageActions.LIST));
+
+ TableMetadata metadata = TableMetadataParser.read(fileIO,
metadataFileLocation);
+ validateLocationForTableLike(identifier, metadata.location(),
resolvedParent);
+ validateMetadataFileInTableDir(identifier, metadata);
+
+ // Find the passthrough-resolved entity so we can update the stored record.
+ PolarisResolvedPathWrapper resolvedPath =
+ resolvedEntityView.getPassthroughResolvedPath(
+ identifier, PolarisEntityType.TABLE_LIKE,
PolarisEntitySubType.ANY_SUBTYPE);
+ if (resolvedPath == null || resolvedPath.getRawLeafEntity() == null) {
+ throw new NoSuchTableException("Table does not exist: %s", identifier);
+ }
+
+ // Ensure the raw entity is an Iceberg table-like entity (not a
view/generic table).
+ PolarisEntity rawEntity = resolvedPath.getRawLeafEntity();
+ if (rawEntity.getSubType() == PolarisEntitySubType.ICEBERG_VIEW) {
+ throw new AlreadyExistsException("View with same name already exists:
%s", identifier);
+ } else if (rawEntity.getSubType() == PolarisEntitySubType.GENERIC_TABLE) {
+ throw new AlreadyExistsException(
+ "Generic table with same name already exists: %s", identifier);
+ }
+
+ IcebergTableLikeEntity existingEntity =
IcebergTableLikeEntity.of(rawEntity);
+ if (existingEntity == null) {
+ throw new NoSuchTableException("Table does not exist: %s", identifier);
+ }
+
+ // Build updated entity from parsed metadata and persist the update.
+ Map<String, String> storedProperties =
buildTableMetadataPropertiesMap(metadata);
+ IcebergTableLikeEntity updatedEntity =
+ new IcebergTableLikeEntity.Builder(existingEntity)
+ .setInternalProperties(storedProperties)
+ .setMetadataLocation(metadataFileLocation)
+ .build();
+
+ updateTableLike(identifier, updatedEntity);
Review Comment:
Is this switching the table UUID to the new UUID, or keeping the old UUID?
From this ML discussions, I think it should be the new UUID:
https://lists.apache.org/thread/b5k7vdng904zr3n3q8wv83y8l30rnd4c
https://lists.apache.org/thread/k3595bttvohb6c3ms36o16gppdfllqmp
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/CatalogHandlerUtils.java:
##########
@@ -348,7 +349,21 @@ public LoadTableResponse registerTable(
request.validate();
TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
- Table table = catalog.registerTable(identifier,
request.metadataLocation());
+ // Determine whether the client requested overwrite semantics. For
catalogs that
Review Comment:
This class is copied from Iceberg, I'm not sure it's a good idea to modify
it. I would move the Polaris-specific logic to `IcebergCatalog` or
`IcebergCatalogHandler`.
##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -634,11 +640,110 @@ public LoadTableResponse createTableStaged(
* @return ETagged {@link LoadTableResponse} to uniquely identify the table
metadata
*/
public LoadTableResponse registerTable(Namespace namespace,
RegisterTableRequest request) {
- PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
- authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
- op, TableIdentifier.of(namespace, request.name()));
+ TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
+ boolean overwrite = RegisterTableRequestContext.getOverwrite();
+
+ if (overwrite) {
+ // Resolve the namespace and table (optional) so we can distinguish
overwrite from create.
+ resolutionManifest = newResolutionManifest();
+ resolutionManifest.addPath(
+ new ResolverPath(Arrays.asList(namespace.levels()),
PolarisEntityType.NAMESPACE),
+ namespace);
+ ResolverPath tablePath =
+ new ResolverPath(
+ PolarisCatalogHelpers.tableIdentifierToList(identifier),
+ PolarisEntityType.TABLE_LIKE,
+ true /* optional */);
+ resolutionManifest.addPassthroughPath(tablePath, identifier);
+ resolutionManifest.resolveAll();
+
+ boolean tableExists =
+ resolutionManifest.getResolvedPath(
+ identifier,
+ PolarisEntityType.TABLE_LIKE,
+ PolarisEntitySubType.ICEBERG_TABLE,
+ true)
+ != null;
+ if (tableExists) {
+ authorizeUpdateTableOverwriteOrThrow(identifier);
+ LOGGER.debug(
+ "registerTable: overwrite=true, authorized for UPDATE_TABLE on
existing table");
+ } else {
+ // Table doesn't exist, fall back to REGISTER_TABLE authorization
+ LOGGER.debug(
+ "registerTable: overwrite=true, table not found, falling back to
REGISTER_TABLE");
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+ } else {
+ // Creating new table requires REGISTER_TABLE privilege
+ PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.REGISTER_TABLE;
+ authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+ }
+
+ try {
+ return catalogHandlerUtils.registerTable(baseCatalog, namespace,
request);
+ } finally {
+ // Clean up context
+ RegisterTableRequestContext.clear();
+ }
+ }
+
+ private void authorizeUpdateTableOverwriteOrThrow(TableIdentifier
identifier) {
+ authorizeBasicTableLikeOperationsOrThrow(
+ EnumSet.of(PolarisAuthorizableOperation.UPDATE_TABLE),
+ PolarisEntitySubType.ICEBERG_TABLE,
+ identifier);
- return catalogHandlerUtils.registerTable(baseCatalog, namespace, request);
+ if (!(authorizer instanceof PolarisAuthorizerImpl authorizerImpl)) {
Review Comment:
This is odd, the exact authorizer being used shouldn't matter. The rest of
this method feels to low-level for this class.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
