diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
index 2658539491..d9aff50bc7 100644
--- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
+++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
@@ -507,20 +507,28 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
 POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
- SUPER_PRIVILEGES.putAll(POLICY_ATTACH, List.of(POLICY_ATTACH, CATALOG_MANAGE_CONTENT));
- SUPER_PRIVILEGES.putAll(POLICY_DETACH, List.of(POLICY_DETACH, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- CATALOG_ATTACH_POLICY, List.of(CATALOG_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+ POLICY_ATTACH, List.of(POLICY_ATTACH, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- NAMESPACE_ATTACH_POLICY, List.of(NAMESPACE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+ POLICY_DETACH, List.of(POLICY_DETACH, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- TABLE_ATTACH_POLICY, List.of(TABLE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
+ CATALOG_ATTACH_POLICY,
+ List.of(CATALOG_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- CATALOG_DETACH_POLICY, List.of(CATALOG_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+ NAMESPACE_ATTACH_POLICY,
+ List.of(NAMESPACE_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- NAMESPACE_DETACH_POLICY, List.of(NAMESPACE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+ TABLE_ATTACH_POLICY,
+ List.of(TABLE_ATTACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 SUPER_PRIVILEGES.putAll(
- TABLE_DETACH_POLICY, List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
+ CATALOG_DETACH_POLICY,
+ List.of(CATALOG_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+ SUPER_PRIVILEGES.putAll(
+ NAMESPACE_DETACH_POLICY,
+ List.of(NAMESPACE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
+ SUPER_PRIVILEGES.putAll(
+ TABLE_DETACH_POLICY,
+ List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
 }
 private final PolarisConfigurationStore featureConfig;
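Review bot: The rewritten SUPER_PRIVILEGES entries make CATALOG_MANAGE_METADATA imply POLICY_ATTACH, POLICY_DETACH and every *_ATTACH_POLICY / *_DETACH_POLICY privilege, which widens what every existing holder of CATALOG_MANAGE_METADATA can do as soon as this ships, and nothing in the hunk records why policy attach/detach is now classed with metadata operations rather than only with CATALOG_MANAGE_CONTENT. A comment above the first rewritten putAll would preserve that decision for the next reader, e.g. `// Attaching/detaching policies is a metadata operation: CATALOG_MANAGE_METADATA implies every` / `// *_ATTACH_POLICY / *_DETACH_POLICY privilege, as the broader CATALOG_MANAGE_CONTENT already did.` Because this changes the effective scope of an existing grant rather than adding a new one, it is also worth a line in the release notes and in the privilege-hierarchy documentation, if the project maintains one. The accompanying test hunks in PolicyCatalogHandlerAuthzTest only add CATALOG_MANAGE_METADATA to the sufficient-privilege sets; if a unit test enumerates the SUPER_PRIVILEGES hierarchy directly, it is not updated in this diff. The enclosing static initializer begins outside the hunk.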
diff --git a/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java b/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java
index e4505ebe51..46b5bee7ff 100644
--- a/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java
+++ b/quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java
@@ -359,6 +359,7 @@ public void testAttachPolicyToCatalogSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.CATALOG_ATTACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
@@ -405,6 +406,7 @@ public void testAttachPolicyToNamespaceSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.NAMESPACE_ATTACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest));
@@ -453,6 +455,7 @@ public void testAttachPolicyToTableSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_ATTACH, PolarisPrivilege.TABLE_ATTACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).attachPolicy(POLICY_NS1_1, attachPolicyRequest),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1, detachPolicyRequest));
@@ -507,6 +510,7 @@ public void testDetachPolicyFromCatalogSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.CATALOG_DETACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->
@@ -589,6 +593,7 @@ public void testDetachPolicyFromNamespaceSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.NAMESPACE_DETACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->
@@ -674,6 +679,7 @@ public void testDetachPolicyFromTableSufficientPrivileges() {
 doTestSufficientPrivilegeSets(
 List.of(
 Set.of(PolarisPrivilege.POLICY_DETACH, PolarisPrivilege.TABLE_DETACH_POLICY),
+ Set.of(PolarisPrivilege.CATALOG_MANAGE_METADATA),
 Set.of(PolarisPrivilege.CATALOG_MANAGE_CONTENT)),
 () -> newWrapper(Set.of(PRINCIPAL_ROLE1)).detachPolicy(POLICY_NS1_1, detachPolicyRequest),
 () ->