pingtimeout opened a new pull request, #173:
URL: https://github.com/apache/polaris-tools/pull/173
This commit adds the ability to create principal, principal roles,
catalog roles and grant privileges to each entity created by the
`CreateTreeDataset` workload.
The number of RBAC entities created is configurable.
By default, RBAC entity creation is disabled. The following parameters
have been added to the benchmarks configuration file:
```
rbac.enabled = false
rbac.num-principals = 5
rbac.catalog-role-names = ["catalog_reader", "catalog_contributor"]
rbac.principal-role-names = ["data_engineer", "data_scientist"]
```
The first principal (P_0) is always assigned the `service_administrator`
role. Remaining principals are assigned specific principal roles in a
round robin fashion (e.g. data_engineer, data_scientist, depending on
the value of `principal-role-names`).
The policy assignment does not try to match any realistic deployment and
is only there to stress the RBAC subsystem. The grants per entity type
are as follows:
* For namespaces
* catalog_administrator: `NAMESPACE_FULL_METADATA`
* all other configured roles: `NAMESPACE_LIST`
* For tables
* catalog_administrator: `TABLE_FULL_METADATA`, `TABLE_READ_DATA`,
`TABLE_WRITE_DATA`
* half of the other configured roles: TABLE_LIST, `TABLE_READ_DATA`
* half of the other configured roles: TABLE_LIST, `TABLE_WRITE_DATA`
* For views
* catalog_administrator: `VIEW_FULL_METADATA`
* half of the other configured roles: `VIEW_LIST`,
`VIEW_WRITE_PROPERTIES`
* half of the other configured roles: `VIEW_LIST`,
`VIEW_WRITE_PROPERTIES`
This is an attempt at reproducing
https://github.com/apache/polaris/issues/3685.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
