
Commit 5e4a6f0

authored
Add CATALOG_MANAGE_METADATA to super privilege set of policy attachment privileges (#1643)
1 parent a106f4e commit 5e4a6f0


2 files changed

+22
-8
lines changed

2 files changed

+22
-8
lines changed

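--- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
@@ -507,20 +507,28 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
 POLICY_FULL_METADATA,
 CATALOG_MANAGE_METADATA,
 CATALOG_MANAGE_CONTENT));
-SUPER_PRIVILEGES.putAll(POLICY_ATTACH, List.of(POLICY_ATTACH, CATALOG_MANAGE_CONTENT));
-SUPER_PRIVILEGES.putAll(POLICY_DETACH, List.of(POLICY_DETACH, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-CATALOG_ATTACH_POLICY, List.of(CATALOG_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+POLICY_ATTACH, List.of(POLICY_ATTACH, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-NAMESPACE_ATTACH_POLICY, List.of(NAMESPACE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+POLICY_DETACH, List.of(POLICY_DETACH, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-TABLE_ATTACH_POLICY, List.of(TABLE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+CATALOG_ATTACH_POLICY,
+List.of(CATALOG_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-CATALOG_DETACH_POLICY, List.of(CATALOG_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+NAMESPACE_ATTACH_POLICY,
+List.of(NAMESPACE_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-NAMESPACE_DETACH_POLICY, List.of(NAMESPACE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+TABLE_ATTACH_POLICY,
+List.of(TABLE_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
-TABLE_DETACH_POLICY, List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+CATALOG_DETACH_POLICY,
+List.of(CATALOG_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+SUPER_PRIVILEGES.putAll(
+NAMESPACE_DETACH_POLICY,
+List.of(NAMESPACE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+SUPER_PRIVILEGES.putAll(
+TABLE_DETACH_POLICY,
+List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 }
 
 private final PolarisConfigurationStore featureConfig;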
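Review bot: The new entries at lines 510–531 widen what an existing privilege grants without recording why: every principal that already holds CATALOG_MANAGE_METADATA on a catalog now implicitly holds POLICY_ATTACH/POLICY_DETACH on its policies and the *_ATTACH_POLICY/*_DETACH_POLICY privileges on the catalog, its namespaces and its tables, whereas before only CATALOG_MANAGE_CONTENT implied those. The SUPER_PRIVILEGES table is the authorizer's escalation map, so an unexplained entry reads as an oversight to the next reviewer; a comment above line 510 such as `// Attaching/detaching a policy is treated as a metadata operation: CATALOG_MANAGE_METADATA implies it on the policy and on every attach target (catalog, namespace, table).` would pin the intent. Note also that POLICY_FULL_METADATA, visible in the preceding entry at line 507, is deliberately absent from the attach/detach lists, presumably because attachment needs rights on both the policy and the target; saying so in the same comment would stop someone "fixing" that later. Since existing grants gain rights on upgrade with no new grant issued, this is worth a release-note line. The enclosing static initializer begins before the hunk.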

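--- a/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java
+++ b/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java
@@ -359,6 +359,7 @@ public void testAttachPolicyToCatalogSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.CATALOG_ATTACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
@@ -405,6 +406,7 @@ public void testAttachPolicyToNamespaceSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.NAMESPACE_ATTACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest));
@@ -453,6 +455,7 @@ public void testAttachPolicyToTableSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.TABLE_ATTACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest));
@@ -507,6 +510,7 @@ public void testDetachPolicyFromCatalogSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.CATALOG_DETACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->
@@ -589,6 +593,7 @@ public void testDetachPolicyFromNamespaceSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.NAMESPACE_DETACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->
@@ -674,6 +679,7 @@ public void testDetachPolicyFromTableSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.TABLE_DETACH_POLICY),
+Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->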
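Review bot: The six hunks only add positive cases; nothing pins the boundary of the new grant, so a later edit that adds a narrower privilege to the same SUPER_PRIVILEGES entries would pass this suite unnoticed. Each of these methods presumably has an insufficient-privilege counterpart outside the diff; those should be checked for any set containing CATALOG_MANAGE_METADATA, which now succeeds, and extended with a set that the visible authorizer table does not map to attach/detach, for example `Set.of(PolarisPrivilege.POLICY_FULL_METADATA)` for the attach tests, so that the policy-side privilege alone is shown not to satisfy the target-side check. The new sets are also the same for all three target types (catalog, namespace, table), which is correct per the table but worth a one-line comment on the first one, e.g. `// CATALOG_MANAGE_METADATA alone is a super privilege of both POLICY_ATTACH and *_ATTACH_POLICY`. Each edited method begins before and ends after its hunk.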
