Re: [PR] [DRAFT] feat: add RegisterTable overwrite support; preserve correct auth for overwrites [polaris]

Fri, 06 Feb 2026 02:51:20 -0800 


adutra commented on code in PR #3682:
URL: https://github.com/apache/polaris/pull/3682#discussion_r2773469615


##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogHandler.java:
##########
@@ -634,11 +640,110 @@ public LoadTableResponse createTableStaged(
    * @return ETagged {@link LoadTableResponse} to uniquely identify the table 
metadata
    */
   public LoadTableResponse registerTable(Namespace namespace, 
RegisterTableRequest request) {
-    PolarisAuthorizableOperation op = 
PolarisAuthorizableOperation.REGISTER_TABLE;
-    authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
-        op, TableIdentifier.of(namespace, request.name()));
+    TableIdentifier identifier = TableIdentifier.of(namespace, request.name());
+    boolean overwrite = RegisterTableRequestContext.getOverwrite();
+
+    if (overwrite) {
+      // Resolve the namespace and table (optional) so we can distinguish 
overwrite from create.
+      resolutionManifest = newResolutionManifest();
+      resolutionManifest.addPath(
+          new ResolverPath(Arrays.asList(namespace.levels()), 
PolarisEntityType.NAMESPACE),
+          namespace);
+      ResolverPath tablePath =
+          new ResolverPath(
+              PolarisCatalogHelpers.tableIdentifierToList(identifier),
+              PolarisEntityType.TABLE_LIKE,
+              true /* optional */);
+      resolutionManifest.addPassthroughPath(tablePath, identifier);
+      resolutionManifest.resolveAll();
+
+      boolean tableExists =
+          resolutionManifest.getResolvedPath(
+                  identifier,
+                  PolarisEntityType.TABLE_LIKE,
+                  PolarisEntitySubType.ICEBERG_TABLE,
+                  true)
+              != null;
+      if (tableExists) {
+        authorizeUpdateTableOverwriteOrThrow(identifier);
+        LOGGER.debug(
+            "registerTable: overwrite=true, authorized for UPDATE_TABLE on 
existing table");
+      } else {
+        // Table doesn't exist, fall back to REGISTER_TABLE authorization
+        LOGGER.debug(
+            "registerTable: overwrite=true, table not found, falling back to 
REGISTER_TABLE");
+        PolarisAuthorizableOperation op = 
PolarisAuthorizableOperation.REGISTER_TABLE;
+        authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+      }
+    } else {
+      // Creating new table requires REGISTER_TABLE privilege
+      PolarisAuthorizableOperation op = 
PolarisAuthorizableOperation.REGISTER_TABLE;
+      authorizeCreateTableLikeUnderNamespaceOperationOrThrow(op, identifier);
+    }
+
+    try {
+      return catalogHandlerUtils.registerTable(baseCatalog, namespace, 
request);
+    } finally {
+      // Clean up context
+      RegisterTableRequestContext.clear();
+    }
+  }
+
+  private void authorizeUpdateTableOverwriteOrThrow(TableIdentifier 
identifier) {
+    authorizeBasicTableLikeOperationsOrThrow(
+        EnumSet.of(PolarisAuthorizableOperation.UPDATE_TABLE),
+        PolarisEntitySubType.ICEBERG_TABLE,
+        identifier);
 
-    return catalogHandlerUtils.registerTable(baseCatalog, namespace, request);
+    if (!(authorizer instanceof PolarisAuthorizerImpl authorizerImpl)) {
+      return;
+    }
+
+    PolarisResolvedPathWrapper target =
+        resolutionManifest.getResolvedPath(
+            identifier, PolarisEntityType.TABLE_LIKE, 
PolarisEntitySubType.ICEBERG_TABLE, true);
+    if (target == null) {
+      throw new NoSuchTableException("Table does not exist: %s", identifier);
+    }
+
+    Set<Long> activatedEntityIds =
+        
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles().stream()
+            .map(PolarisEntityCore::getId)
+            .collect(Collectors.toSet());
+    boolean hasNonDataWritePrivilege =
+        hasWritePropertiesPrivilegeExcludingWriteData(authorizerImpl, 
activatedEntityIds, target);
+    if (!hasNonDataWritePrivilege) {
+      throw new ForbiddenException(
+          "Principal '%s' with activated PrincipalRoles '%s' and activated 
grants via '%s' is not authorized for op %s",
+          polarisPrincipal.getName(),
+          polarisPrincipal.getRoles(),
+          
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles().stream()
+              .map(PolarisEntityCore::getName)
+              .collect(Collectors.toSet()),
+          PolarisAuthorizableOperation.UPDATE_TABLE);
+    }
+  }
+
+  private boolean hasWritePropertiesPrivilegeExcludingWriteData(
+      PolarisAuthorizerImpl authorizerImpl,
+      Set<Long> activatedEntityIds,
+      PolarisResolvedPathWrapper target) {
+    for (ResolvedPolarisEntity resolvedSecurableEntity : 
target.getResolvedFullPath()) {
+      for (PolarisGrantRecord grantRecord : 
resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+        if (activatedEntityIds.contains(grantRecord.getGranteeId())) {
+          PolarisPrivilege grantedPrivilege =
+              PolarisPrivilege.fromCode(grantRecord.getPrivilegeCode());
+          if (grantedPrivilege == PolarisPrivilege.TABLE_WRITE_DATA) {
+            continue;
+          }
+          if (authorizerImpl.matchesOrIsSubsumedBy(
+              PolarisPrivilege.TABLE_WRITE_PROPERTIES, grantedPrivilege)) {
+            return true;
+          }
+        }
+      }
+    }
+    return false;

Review Comment:
   This feels very low-level and like it should be in the authorizer.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to