vignesh-manel opened a new pull request, #3852: URL: https://github.com/apache/polaris/pull/3852
Duplicate of https://github.com/apache/polaris/pull/3761 which got closed accidentally while rebasing Implements automatic principal role listing for `catalog_admin` users via a new system-managed `catalog_role_manager` role. Fixes #363 ## Implementation - `catalog_role_manager` created at bootstrap with `PRINCIPAL_ROLE_LIST` privilege (read-only) - Automatically granted to principals when they receive `catalog_admin` on any catalog - Automatically revoked when all `catalog_admin` grants are removed ## Limitations - A new system role is introduced just to grant PRINCIPAL_ROLE_LIST for catalog_admin - Principal must be assigned to principal role before granting `catalog_admin`. If assigned after, revoke and re-grant `catalog_admin` to trigger auto-grant. - No backfill for existing `catalog_admin` grants (requires manual grant or re-grant) CC: @collado-mike ## Checklist - [x] ๐ก๏ธ Don't disclose security issues! (contact [email protected]) - [x] ๐ Clearly explained why the changes are needed, or linked related issues: Fixes # - [x] ๐งช Added/updated tests with good coverage, or manually tested (and explained how) - [x] ๐ก Added comments for complex logic - [ ] ๐งพ Updated `CHANGELOG.md` (if needed) - [ ] ๐ Updated documentation in `site/content/in-dev/unreleased` (if needed) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
