flyingImer commented on code in PR #3761:
URL: https://github.com/apache/polaris/pull/3761#discussion_r2819453931
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -2335,4 +2354,195 @@ private static PolarisEntitySubType
selectEntitySubType(List<PolarisEntitySubTyp
subTypes));
}
}
+
+ /**
+ * Grants the catalog_role_manager principal role to all principals assigned
to the specified
+ * principal role. This allows catalog admins to list principal roles.
+ */
+ private void grantCatalogRoleManagerIfNeeded(PrincipalRoleEntity
principalRoleEntity) {
+ // Load catalog_role_manager directly from metastore
+ EntityResult catalogRoleManagerResult =
+ metaStoreManager.readEntityByName(
+ getCurrentPolarisContext(),
+ null,
+ PolarisEntityType.PRINCIPAL_ROLE,
+ PolarisEntitySubType.NULL_SUBTYPE,
+ PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole());
+
+ if (!catalogRoleManagerResult.isSuccess() ||
catalogRoleManagerResult.getEntity() == null) {
+ return;
+ }
+
+ PrincipalRoleEntity catalogRoleManagerEntity =
+ PrincipalRoleEntity.of(catalogRoleManagerResult.getEntity());
+
+ // Find all principals that have this principal role and grant
catalog_role_manager to them
+ LoadGrantsResult grantsResult =
+ metaStoreManager.loadGrantsOnSecurable(getCurrentPolarisContext(),
principalRoleEntity);
+
+ if (grantsResult.isSuccess()) {
+ for (PolarisGrantRecord grant : grantsResult.getGrantRecords()) {
+ // Check if this is a PRINCIPAL_ROLE_USAGE grant (principal using this
role)
+ if (grant.getPrivilegeCode() ==
PolarisPrivilege.PRINCIPAL_ROLE_USAGE.getCode()) {
+ // Load the principal (grantee)
+ EntityResult principalResult =
+ metaStoreManager.loadEntity(
+ getCurrentPolarisContext(),
+ grant.getGranteeCatalogId(),
+ grant.getGranteeId(),
+ PolarisEntityType.PRINCIPAL);
+
+ if (principalResult.isSuccess() && principalResult.getEntity() !=
null) {
+ PrincipalEntity principal =
PrincipalEntity.of(principalResult.getEntity());
+
+ // Check if the principal already has catalog_role_manager
+ LoadGrantsResult principalGrantsResult =
+
metaStoreManager.loadGrantsToGrantee(getCurrentPolarisContext(), principal);
+
+ boolean alreadyHasCatalogRoleManager = false;
+ if (principalGrantsResult.isSuccess()) {
+ for (PolarisGrantRecord existingGrant :
principalGrantsResult.getGrantRecords()) {
+ if (existingGrant.getSecurableId() ==
catalogRoleManagerEntity.getId()
+ && existingGrant.getPrivilegeCode()
+ == PolarisPrivilege.PRINCIPAL_ROLE_USAGE.getCode()) {
+ alreadyHasCatalogRoleManager = true;
+ break;
+ }
+ }
+ }
+
+ // Only grant if not already granted
+ if (!alreadyHasCatalogRoleManager) {
+ metaStoreManager.grantUsageOnRoleToGrantee(
Review Comment:
handle grant failures? perhaps logging or error out?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
