diff --git a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java index 9adf88fd08..9c9074dba7 100644 --- a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java +++ b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java @@ -154,9 +154,6 @@ public class PolarisAdminService { private final ServiceIdentityProvider serviceIdentityProvider; private final ReservedProperties reservedProperties; - // Initialized in the authorize methods. - private PolarisResolutionManifest resolutionManifest = null; - @Inject public PolarisAdminService( @Nonnull PolarisDiagnostics diagnostics, 
@@ -203,29 +200,43 @@ private PolarisResolutionManifest newResolutionManifest(@Nullable String catalog return resolutionManifestFactory.createResolutionManifest(securityContext, catalogName); } - private Optional currentCatalog() { - return Optional.ofNullable(resolutionManifest.getResolvedCatalogEntity()); + private static PrincipalEntity getPrincipalByName( + PolarisResolutionManifest resolutionManifest, String principalName) { + return Optional.ofNullable( + resolutionManifest.getResolvedTopLevelEntity( + principalName, PolarisEntityType.PRINCIPAL)) + .map(PolarisResolvedPathWrapper::getRawLeafEntity) + .map(PrincipalEntity::of) + .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); } - private Optional findPrincipalByName(String name) { + private static PrincipalRoleEntity getPrincipalRoleByName( + PolarisResolutionManifest resolutionManifest, String principalRoleName) { return Optional.ofNullable( - resolutionManifest.getResolvedTopLevelEntity(name, PolarisEntityType.PRINCIPAL)) - .map(path -> PrincipalEntity.of(path.getRawLeafEntity())); + resolutionManifest.getResolvedTopLevelEntity( + principalRoleName, PolarisEntityType.PRINCIPAL_ROLE)) + .map(PolarisResolvedPathWrapper::getRawLeafEntity) + .map(PrincipalRoleEntity::of) + .orElseThrow(() -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); } - private Optional findPrincipalRoleByName(String name) { - return Optional.ofNullable( - resolutionManifest.getResolvedTopLevelEntity(name, PolarisEntityType.PRINCIPAL_ROLE)) - .map(path -> PrincipalRoleEntity.of(path.getRawLeafEntity())); + private static CatalogEntity getCatalogByName( + PolarisResolutionManifest resolutionManifest, String catalogName) { + return Optional.ofNullable(resolutionManifest.getResolvedCatalogEntity()) + .filter(c -> c.getName().equals(catalogName)) + .orElseThrow(() -> new NotFoundException("Catalog %s not found", catalogName)); } - private Optional findCatalogRoleByName(String 
catalogName, String name) { - return Optional.ofNullable(resolutionManifest.getResolvedPath(name)) - .map(path -> CatalogRoleEntity.of(path.getRawLeafEntity())); + private static CatalogRoleEntity getCatalogRoleByName( + PolarisResolutionManifest resolutionManifest, String catalogRoleName) { + return Optional.ofNullable(resolutionManifest.getResolvedPath(catalogRoleName)) + .map(PolarisResolvedPathWrapper::getRawLeafEntity) + .map(CatalogRoleEntity::of) + .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); } private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op) { - resolutionManifest = newResolutionManifest(null); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(null); resolutionManifest.resolveAll(); PolarisResolvedPathWrapper rootContainerWrapper = resolutionManifest.getResolvedRootContainerEntityAsPath(); 
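Review bot: The four new `get*ByName` helpers in this hunk carry no Javadoc, and their contract is not obvious from the names: they only read entities that the preceding `authorize*OrThrow` call already resolved into the manifest, so a name that was never added to the manifest surfaces as `NotFoundException` rather than as a store lookup miss. `getCatalogByName` additionally rejects a manifest whose resolved catalog has a different name, and `getCatalogRoleByName` no longer takes `catalogName` at all, relying on the manifest having been created for that catalog. I would add a one-line Javadoc to each helper, e.g. `/** Returns the {@link PrincipalEntity} already resolved into {@code resolutionManifest}; throws NotFoundException when the manifest did not resolve that name. */`, and on the `filter` in `getCatalogByName` a comment `// the manifest is bound to one reference catalog; reject a mismatch rather than hand back another catalog's entity`. `authorizeBasicRootOperationOrThrow`, whose body continues past the end of this hunk, is the one authorize method left returning `void`; if that is intentional because no caller needs the manifest, a short comment saying so would keep the asymmetry from reading as an oversight.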
@@ -237,20 +248,20 @@ private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op) null /* secondary */); } - private void authorizeBasicTopLevelEntityOperationOrThrow( + private PolarisResolutionManifest authorizeBasicTopLevelEntityOperationOrThrow( PolarisAuthorizableOperation op, String topLevelEntityName, PolarisEntityType entityType) { String referenceCatalogName = entityType == PolarisEntityType.CATALOG ? topLevelEntityName : null; - authorizeBasicTopLevelEntityOperationOrThrow( + return authorizeBasicTopLevelEntityOperationOrThrow( op, topLevelEntityName, entityType, referenceCatalogName); } - private void authorizeBasicTopLevelEntityOperationOrThrow( + private PolarisResolutionManifest authorizeBasicTopLevelEntityOperationOrThrow( PolarisAuthorizableOperation op, String topLevelEntityName, PolarisEntityType entityType, @Nullable String referenceCatalogName) { - resolutionManifest = newResolutionManifest(referenceCatalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(referenceCatalogName); resolutionManifest.addTopLevelName(topLevelEntityName, entityType, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { @@ -266,14 +277,15 @@ private void authorizeBasicTopLevelEntityOperationOrThrow( .atDebug() .addKeyValue("principalName", topLevelEntityName) .log("Allowing rotate own credentials"); - return; + } else { + authorizer.authorizeOrThrow( + polarisPrincipal, + resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), + op, + topLevelEntityWrapper, + null /* secondary */); } - authorizer.authorizeOrThrow( - polarisPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - topLevelEntityWrapper, - null /* secondary */); + return resolutionManifest; } /** 
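Review bot: The two `authorizeBasicTopLevelEntityOperationOrThrow` overloads now return the `PolarisResolutionManifest` they built, but nothing documents what a caller may assume about it; the same gap applies to the other `authorize*OrThrow` methods changed in the following hunks (`authorizeBasicCatalogRoleOperationOrThrow`, `authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow`, `authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow`, `authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow`, `authorizeGrantOnCatalogOperationOrThrow`, `authorizeGrantOnNamespaceOperationOrThrow`, `authorizeGrantOnTableLikeOperationOrThrow`, `authorizeGrantOnPolicyOperationOrThrow`). I would add a Javadoc `@return the fully resolved manifest for this request; callers use it for all subsequent entity lookups instead of resolving again` to each of them. In the second hunk on this line the `isSelfOperation` branch now falls through to `return resolutionManifest` without `authorizer.authorizeOrThrow` having run, which is the pre-existing behaviour but is easier to miss once the early `return` is gone; a comment such as `// self-operation: the identity check above is the authorization; the manifest is still returned for the lookups that follow` would make it explicit. The body of the four-argument overload starts in the first hunk and ends in the second, with the lines in between outside the diff.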
@@ -299,9 +311,9 @@ private static boolean isSelfOperation(PolarisAuthorizableOperation op) { return op.equals(PolarisAuthorizableOperation.ROTATE_CREDENTIALS); } - private void authorizeBasicCatalogRoleOperationOrThrow( + private PolarisResolutionManifest authorizeBasicCatalogRoleOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, String catalogRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addPath( new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); @@ -316,11 +328,12 @@ private void authorizeBasicCatalogRoleOperationOrThrow( op, target, null /* secondary */); + return resolutionManifest; } - private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( PolarisAuthorizableOperation op, String principalRoleName) { - resolutionManifest = newResolutionManifest(null); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(null); resolutionManifest.addTopLevelName( principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); 
@@ -343,11 +356,12 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( op, rootContainerWrapper, principalRoleWrapper); + return resolutionManifest; } - private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( PolarisAuthorizableOperation op, String principalRoleName, String principalName) { - resolutionManifest = newResolutionManifest(null); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(null); resolutionManifest.addTopLevelName( principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); resolutionManifest.addTopLevelName( @@ -372,14 +386,15 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( op, principalRoleWrapper, principalWrapper); + return resolutionManifest; } - private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, String catalogRoleName, String principalRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addPath( new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); 
@@ -409,11 +424,12 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( op, catalogRoleWrapper, principalRoleWrapper); + return resolutionManifest; } - private void authorizeGrantOnCatalogOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnCatalogOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, String catalogRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addTopLevelName( catalogName, PolarisEntityType.CATALOG, false /* isOptional */); resolutionManifest.addPath( @@ -437,14 +453,15 @@ private void authorizeGrantOnCatalogOperationOrThrow( op, catalogWrapper, catalogRoleWrapper); + return resolutionManifest; } - private void authorizeGrantOnNamespaceOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnNamespaceOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, Namespace namespace, String catalogRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addPassthroughPath( new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE), namespace); 
@@ -475,15 +492,16 @@ private void authorizeGrantOnNamespaceOperationOrThrow( op, namespaceWrapper, catalogRoleWrapper); + return resolutionManifest; } - private void authorizeGrantOnTableLikeOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnTableLikeOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, List subTypes, TableIdentifier identifier, String catalogRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addPassthroughPath( new ResolverPath( Arrays.asList(identifier.namespace().levels()), PolarisEntityType.NAMESPACE), @@ -507,10 +525,7 @@ private void authorizeGrantOnTableLikeOperationOrThrow( } } - CatalogEntity catalogEntity = - CatalogEntity.of( - currentCatalog() - .orElseThrow(() -> new NotFoundException("Catalog %s not found", catalogName))); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); PolarisResolvedPathWrapper tableLikeWrapper = resolutionManifest.getResolvedPath( identifier, PolarisEntityType.TABLE_LIKE, PolarisEntitySubType.ANY_SUBTYPE, true); @@ -533,14 +548,15 @@ private void authorizeGrantOnTableLikeOperationOrThrow( op, tableLikeWrapper, catalogRoleWrapper); + return resolutionManifest; } - private void authorizeGrantOnPolicyOperationOrThrow( + private PolarisResolutionManifest authorizeGrantOnPolicyOperationOrThrow( PolarisAuthorizableOperation op, String catalogName, PolicyIdentifier identifier, String catalogRoleName) { - resolutionManifest = newResolutionManifest(catalogName); + PolarisResolutionManifest resolutionManifest = newResolutionManifest(catalogName); resolutionManifest.addPath( new ResolverPath( PolarisCatalogHelpers.identifierToList(identifier.getNamespace(), identifier.getName()), 
@@ -570,6 +586,7 @@ private void authorizeGrantOnPolicyOperationOrThrow( op, policyWrapper, catalogRoleWrapper); + return resolutionManifest; } /** Get all locations where data for a `CatalogEntity` may be stored */ @@ -803,10 +820,10 @@ public PolarisEntity createCatalog(CreateCatalogRequest catalogRequest) { public void deleteCatalog(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.DELETE_CATALOG; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); - PolarisEntity entity = - currentCatalog().orElseThrow(() -> new NotFoundException("Catalog %s not found", name)); + CatalogEntity entity = getCatalogByName(resolutionManifest, name); // TODO: Handle return value in case of concurrent modification boolean cleanup = realmConfig.getConfig(FeatureConfiguration.CLEANUP_ON_CATALOG_DROP); DropEntityResult dropEntityResult = @@ -829,9 +846,10 @@ public void deleteCatalog(String name) { public @Nonnull CatalogEntity getCatalog(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.GET_CATALOG; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); - return currentCatalog().orElseThrow(() -> new NotFoundException("Catalog %s not found", name)); + return getCatalogByName(resolutionManifest, name); } /** 
@@ -887,10 +905,10 @@ private void validateUpdateCatalogDiffOrThrow( public @Nonnull CatalogEntity updateCatalog(String name, UpdateCatalogRequest updateRequest) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.UPDATE_CATALOG; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.CATALOG); - CatalogEntity currentCatalogEntity = - currentCatalog().orElseThrow(() -> new NotFoundException("Catalog %s not found", name)); + CatalogEntity currentCatalogEntity = getCatalogByName(resolutionManifest, name); if (currentCatalogEntity.getEntityVersion() != updateRequest.getCurrentEntityVersion()) { throw new CommitConflictException( @@ -1001,11 +1019,10 @@ public PrincipalWithCredentials createPrincipal(PrincipalEntity entity) { public void deletePrincipal(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.DELETE_PRINCIPAL; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); - PolarisEntity entity = - findPrincipalByName(name) - .orElseThrow(() -> new NotFoundException("Principal %s not found", name)); + PrincipalEntity entity = getPrincipalByName(resolutionManifest, name); // TODO: Handle return value in case of concurrent modification DropEntityResult dropEntityResult = metaStoreManager.dropEntityIfExists( 
@@ -1025,20 +1042,19 @@ public void deletePrincipal(String name) { public @Nonnull PrincipalEntity getPrincipal(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.GET_PRINCIPAL; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); - return findPrincipalByName(name) - .orElseThrow(() -> new NotFoundException("Principal %s not found", name)); + return getPrincipalByName(resolutionManifest, name); } public @Nonnull PrincipalEntity updatePrincipal( String name, UpdatePrincipalRequest updateRequest) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.UPDATE_PRINCIPAL; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL); - PrincipalEntity currentPrincipalEntity = - findPrincipalByName(name) - .orElseThrow(() -> new NotFoundException("Principal %s not found", name)); + PrincipalEntity currentPrincipalEntity = getPrincipalByName(resolutionManifest, name); if (FederatedEntities.isFederated(currentPrincipalEntity)) { throw new ValidationException( 
@@ -1072,10 +1088,11 @@ public void deletePrincipal(String name) { } private @Nonnull PrincipalWithCredentials resetCredentialsHelper( - String principalName, String customClientId, String customClientSecret) { - PrincipalEntity currentPrincipalEntity = - findPrincipalByName(principalName) - .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); + PolarisResolutionManifest resolutionManifest, + String principalName, + String customClientId, + String customClientSecret) { + PrincipalEntity currentPrincipalEntity = getPrincipalByName(resolutionManifest, principalName); if (FederatedEntities.isFederated(currentPrincipalEntity)) { throw new ValidationException( @@ -1135,10 +1152,8 @@ public void deletePrincipal(String name) { } private @Nonnull PrincipalWithCredentials rotateOrResetCredentialsHelper( - String principalName, boolean shouldReset) { - PrincipalEntity currentPrincipalEntity = - findPrincipalByName(principalName) - .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); + PolarisResolutionManifest resolutionManifest, String principalName, boolean shouldReset) { + PrincipalEntity currentPrincipalEntity = getPrincipalByName(resolutionManifest, principalName); if (FederatedEntities.isFederated(currentPrincipalEntity)) { throw new ValidationException( 
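Review bot: `resetCredentialsHelper` and `rotateOrResetCredentialsHelper` now take a `resolutionManifest` as their first parameter, and `getPrincipalByName` throws `NotFoundException` unless that manifest was produced by an authorize call for the same `principalName`; neither signature states that coupling. I would add `@param resolutionManifest manifest returned by the authorize step for {@code principalName}; must already contain that principal` to both helpers so a future caller does not pass a manifest resolved for a different entity. Both method bodies continue past the end of their hunks.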
@@ -1182,9 +1197,11 @@ public void deletePrincipal(String name) { public @Nonnull PrincipalWithCredentials rotateCredentials(String principalName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ROTATE_CREDENTIALS; - authorizeBasicTopLevelEntityOperationOrThrow(op, principalName, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow( + op, principalName, PolarisEntityType.PRINCIPAL); - return rotateOrResetCredentialsHelper(principalName, false); + return rotateOrResetCredentialsHelper(resolutionManifest, principalName, false); } public @Nonnull PrincipalWithCredentials resetCredentials( @@ -1192,10 +1209,14 @@ public void deletePrincipal(String name) { FeatureConfiguration.enforceFeatureEnabledOrThrow( realmConfig, FeatureConfiguration.ENABLE_CREDENTIAL_RESET); PolarisAuthorizableOperation op = PolarisAuthorizableOperation.RESET_CREDENTIALS; - authorizeBasicTopLevelEntityOperationOrThrow(op, principalName, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow( + op, principalName, PolarisEntityType.PRINCIPAL); + var customClientId = resetPrincipalRequest.getClientId(); var customClientSecret = resetPrincipalRequest.getClientSecret(); - return resetCredentialsHelper(principalName, customClientId, customClientSecret); + return resetCredentialsHelper( + resolutionManifest, principalName, customClientId, customClientSecret); } public List listPrincipals() { 
@@ -1239,11 +1260,10 @@ public PolarisEntity createPrincipalRole(PolarisEntity entity) { public void deletePrincipalRole(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.DELETE_PRINCIPAL_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); - PolarisEntity entity = - findPrincipalRoleByName(name) - .orElseThrow(() -> new NotFoundException("PrincipalRole %s not found", name)); + PrincipalRoleEntity entity = getPrincipalRoleByName(resolutionManifest, name); // TODO: Handle return value in case of concurrent modification DropEntityResult dropEntityResult = metaStoreManager.dropEntityIfExists( 
@@ -1263,20 +1283,20 @@ public void deletePrincipalRole(String name) { public @Nonnull PrincipalRoleEntity getPrincipalRole(String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.GET_PRINCIPAL_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); - return findPrincipalRoleByName(name) - .orElseThrow(() -> new NotFoundException("PrincipalRole %s not found", name)); + return getPrincipalRoleByName(resolutionManifest, name); } public @Nonnull PrincipalRoleEntity updatePrincipalRole( String name, UpdatePrincipalRoleRequest updateRequest) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.UPDATE_PRINCIPAL_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, name, PolarisEntityType.PRINCIPAL_ROLE); PrincipalRoleEntity currentPrincipalRoleEntity = - findPrincipalRoleByName(name) - .orElseThrow(() -> new NotFoundException("PrincipalRole %s not found", name)); + getPrincipalRoleByName(resolutionManifest, name); if (currentPrincipalRoleEntity.getEntityVersion() != updateRequest.getCurrentEntityVersion()) { throw new CommitConflictException( 
@@ -1324,13 +1344,12 @@ public List listPrincipalRoles() { public PolarisEntity createCatalogRole(String catalogName, PolarisEntity entity) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.CREATE_CATALOG_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow(op, catalogName, PolarisEntityType.CATALOG); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, catalogName, PolarisEntityType.CATALOG); checkArgument(entity.getId() == -1, "Entity to be created must have no ID assigned"); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); PolarisEntity returnedEntity = PolarisEntity.of( @@ -1353,7 +1372,8 @@ public PolarisEntity createCatalogRole(String catalogName, PolarisEntity entity) public void deleteCatalogRole(String catalogName, String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.DELETE_CATALOG_ROLE; - authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); + PolarisResolutionManifest resolutionManifest = + authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); PolarisResolvedPathWrapper resolvedCatalogRoleEntity = resolutionManifest.getResolvedPath(name); if (resolvedCatalogRoleEntity == null) { 
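Review bot: `deleteCatalogRole` in the second hunk on this line still calls `resolutionManifest.getResolvedPath(name)` and null-checks the result by hand, while `getCatalogRole` and `updateCatalogRole` in the next hunk go through the new `getCatalogRoleByName` helper. If the method genuinely needs the `PolarisResolvedPathWrapper` rather than the leaf entity this is justified, but a comment such as `// keep the resolved path wrapper; the delete below needs more than the leaf entity` would explain why the helper is bypassed; otherwise `CatalogRoleEntity role = getCatalogRoleByName(resolutionManifest, name);` keeps the not-found handling in one place. The rest of the method, including what the wrapper is used for, lies outside the hunk.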
@@ -1382,23 +1402,20 @@ public void deleteCatalogRole(String catalogName, String name) { public @Nonnull CatalogRoleEntity getCatalogRole(String catalogName, String name) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.GET_CATALOG_ROLE; - authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); + PolarisResolutionManifest resolutionManifest = + authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); - return findCatalogRoleByName(catalogName, name) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", name)); + return getCatalogRoleByName(resolutionManifest, name); } public @Nonnull CatalogRoleEntity updateCatalogRole( String catalogName, String name, UpdateCatalogRoleRequest updateRequest) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.UPDATE_CATALOG_ROLE; - authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); + PolarisResolutionManifest resolutionManifest = + authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, name); - CatalogEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Catalog %s not found", catalogName)); - CatalogRoleEntity currentCatalogRoleEntity = - findCatalogRoleByName(catalogName, name) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", name)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity currentCatalogRoleEntity = getCatalogRoleByName(resolutionManifest, name); if (currentCatalogRoleEntity.getEntityVersion() != updateRequest.getCurrentEntityVersion()) { throw new CommitConflictException( 
@@ -1432,11 +1449,10 @@ public void deleteCatalogRole(String catalogName, String name) { public List listCatalogRoles(String catalogName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_CATALOG_ROLES; - authorizeBasicTopLevelEntityOperationOrThrow(op, catalogName, PolarisEntityType.CATALOG); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow(op, catalogName, PolarisEntityType.CATALOG); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); List catalogPath = PolarisEntity.toCoreList(List.of(catalogEntity)); return metaStoreManager .loadEntitiesAll( 
@@ -1452,18 +1468,16 @@ public List listCatalogRoles(String catalogName) { public PrivilegeResult assignPrincipalRole(String principalName, String principalRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ASSIGN_PRINCIPAL_ROLE; - authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow(op, principalRoleName, principalName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( + op, principalRoleName, principalName); - PolarisEntity principalEntity = - findPrincipalByName(principalName) - .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); + PrincipalEntity principalEntity = getPrincipalByName(resolutionManifest, principalName); if (FederatedEntities.isFederated(principalEntity)) { throw new ValidationException("Cannot assign a role to a federated principal"); } - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); if (FederatedEntities.isFederated(principalRoleEntity)) { throw new ValidationException("Cannot assign a federated role to a principal"); } 
@@ -1473,18 +1487,16 @@ public PrivilegeResult assignPrincipalRole(String principalName, String principa public PrivilegeResult revokePrincipalRole(String principalName, String principalRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_PRINCIPAL_ROLE; - authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow(op, principalRoleName, principalName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( + op, principalRoleName, principalName); - PolarisEntity principalEntity = - findPrincipalByName(principalName) - .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); + PrincipalEntity principalEntity = getPrincipalByName(resolutionManifest, principalName); if (FederatedEntities.isFederated(principalEntity)) { throw new ValidationException("Cannot revoke a role from a federated principal"); } - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); if (FederatedEntities.isFederated(principalRoleEntity)) { throw new ValidationException("Cannot revoke a federated role from a principal"); } 
@@ -1495,11 +1507,11 @@ public PrivilegeResult revokePrincipalRole(String principalName, String principa public List listPrincipalRolesAssigned(String principalName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_PRINCIPAL_ROLES_ASSIGNED; - authorizeBasicTopLevelEntityOperationOrThrow(op, principalName, PolarisEntityType.PRINCIPAL); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow( + op, principalName, PolarisEntityType.PRINCIPAL); - PolarisEntity principalEntity = - findPrincipalByName(principalName) - .orElseThrow(() -> new NotFoundException("Principal %s not found", principalName)); + PrincipalEntity principalEntity = getPrincipalByName(resolutionManifest, principalName); LoadGrantsResult grantList = metaStoreManager.loadGrantsToGrantee(getCurrentPolarisContext(), principalEntity); return buildEntitiesFromGrantResults(grantList, false, PolarisEntityType.PRINCIPAL_ROLE, null); 
@@ -1509,19 +1521,14 @@ public PrivilegeResult assignCatalogRoleToPrincipalRole( String principalRoleName, String catalogName, String catalogRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ASSIGN_CATALOG_ROLE_TO_PRINCIPAL_ROLE; - authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( - op, catalogName, catalogRoleName, principalRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( + op, catalogName, catalogRoleName, principalRoleName); - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); return metaStoreManager.grantUsageOnRoleToGrantee( getCurrentPolarisContext(), catalogEntity, catalogRoleEntity, principalRoleEntity); 
@@ -1531,19 +1538,14 @@ public PrivilegeResult revokeCatalogRoleFromPrincipalRole( String principalRoleName, String catalogName, String catalogRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_CATALOG_ROLE_FROM_PRINCIPAL_ROLE; - authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( - op, catalogName, catalogRoleName, principalRoleName); - - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( + op, catalogName, catalogRoleName, principalRoleName); + + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); return metaStoreManager.revokeUsageOnRoleFromGrantee( getCurrentPolarisContext(), catalogEntity, catalogRoleEntity, principalRoleEntity); } 
@@ -1552,13 +1554,12 @@ public List listAssigneePrincipalsForPrincipalRole(String princip PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_ASSIGNEE_PRINCIPALS_FOR_PRINCIPAL_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow( - op, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow( + op, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); LoadGrantsResult grantList = metaStoreManager.loadGrantsOnSecurable(getCurrentPolarisContext(), principalRoleEntity); return buildEntitiesFromGrantResults(grantList, true, PolarisEntityType.PRINCIPAL, null); 
@@ -1601,16 +1602,13 @@ public List listCatalogRolesForPrincipalRole( String principalRoleName, String catalogName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_CATALOG_ROLES_FOR_PRINCIPAL_ROLE; - authorizeBasicTopLevelEntityOperationOrThrow( - op, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, catalogName); - - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PolarisResolutionManifest resolutionManifest = + authorizeBasicTopLevelEntityOperationOrThrow( + op, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, catalogName); + + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); LoadGrantsResult grantList = metaStoreManager.loadGrantsToGrantee(getCurrentPolarisContext(), principalRoleEntity); return buildEntitiesFromGrantResults( 
@@ -1624,14 +1622,13 @@ public List listCatalogRolesForPrincipalRole( public PrivilegeResult grantPrivilegeOnRootContainerToPrincipalRole( String principalRoleName, PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_ROOT_GRANT_TO_PRINCIPAL_ROLE; - authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(op, principalRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(op, principalRoleName); PolarisEntity rootContainerEntity = resolutionManifest.getResolvedRootContainerEntityAsPath().getRawLeafEntity(); - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); return metaStoreManager.grantPrivilegeOnSecurableToRole( getCurrentPolarisContext(), principalRoleEntity, null, rootContainerEntity, privilege); 
@@ -1642,14 +1639,13 @@ public PrivilegeResult revokePrivilegeOnRootContainerFromPrincipalRole( String principalRoleName, PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_ROOT_GRANT_FROM_PRINCIPAL_ROLE; - authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(op, principalRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(op, principalRoleName); PolarisEntity rootContainerEntity = resolutionManifest.getResolvedRootContainerEntityAsPath().getRawLeafEntity(); - PolarisEntity principalRoleEntity = - findPrincipalRoleByName(principalRoleName) - .orElseThrow( - () -> new NotFoundException("PrincipalRole %s not found", principalRoleName)); + PrincipalRoleEntity principalRoleEntity = + getPrincipalRoleByName(resolutionManifest, principalRoleName); return metaStoreManager.revokePrivilegeOnSecurableFromRole( getCurrentPolarisContext(), principalRoleEntity, null, rootContainerEntity, privilege); @@ -1664,14 +1660,11 @@ public PrivilegeResult grantPrivilegeOnCatalogToRole( PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_CATALOG_GRANT_TO_CATALOG_ROLE; - authorizeGrantOnCatalogOperationOrThrow(op, catalogName, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnCatalogOperationOrThrow(op, catalogName, catalogRoleName); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); return metaStoreManager.grantPrivilegeOnSecurableToRole( getCurrentPolarisContext(), 
@@ -1686,14 +1679,11 @@ public PrivilegeResult revokePrivilegeOnCatalogFromRole( String catalogName, String catalogRoleName, PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_CATALOG_GRANT_FROM_CATALOG_ROLE; - authorizeGrantOnCatalogOperationOrThrow(op, catalogName, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnCatalogOperationOrThrow(op, catalogName, catalogRoleName); - PolarisEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); return metaStoreManager.revokePrivilegeOnSecurableFromRole( getCurrentPolarisContext(), 
@@ -1708,14 +1698,11 @@ public PrivilegeResult grantPrivilegeOnNamespaceToRole( String catalogName, String catalogRoleName, Namespace namespace, PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_NAMESPACE_GRANT_TO_CATALOG_ROLE; - authorizeGrantOnNamespaceOperationOrThrow(op, catalogName, namespace, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnNamespaceOperationOrThrow(op, catalogName, namespace, catalogRoleName); - CatalogEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath(namespace); if (resolvedPathWrapper == null @@ -1728,7 +1715,8 @@ public PrivilegeResult grantPrivilegeOnNamespaceToRole( catalogEntity); if (resolutionManifest.getIsPassthroughFacade() && rbacForFederatedCatalogsEnabled) { resolvedPathWrapper = - createSyntheticNamespaceEntities(catalogEntity, namespace, resolvedPathWrapper); + createSyntheticNamespaceEntities( + resolutionManifest, catalogEntity, namespace, resolvedPathWrapper); if (resolvedPathWrapper == null || !resolvedPathWrapper.isFullyResolvedNamespace(catalogName, namespace)) { // TODO: update the exception thrown as we refine the possible retry scenarios 
@@ -1757,11 +1745,10 @@ public PrivilegeResult revokePrivilegeOnNamespaceFromRole( String catalogName, String catalogRoleName, Namespace namespace, PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_NAMESPACE_GRANT_FROM_CATALOG_ROLE; - authorizeGrantOnNamespaceOperationOrThrow(op, catalogName, namespace, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnNamespaceOperationOrThrow(op, catalogName, namespace, catalogRoleName); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath(namespace); if (resolvedPathWrapper == null @@ -1788,7 +1775,10 @@ public PrivilegeResult revokePrivilegeOnNamespaceFromRole( * @return the fully resolved path wrapper. */ private PolarisResolvedPathWrapper createSyntheticNamespaceEntities( - CatalogEntity catalogEntity, Namespace namespace, PolarisResolvedPathWrapper existingPath) { + PolarisResolutionManifest resolutionManifest, + CatalogEntity catalogEntity, + Namespace namespace, + PolarisResolvedPathWrapper existingPath) { if (existingPath == null) { throw new IllegalStateException( 
@@ -1866,14 +1856,16 @@ public PrivilegeResult grantPrivilegeOnTableToRole( PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_TABLE_GRANT_TO_CATALOG_ROLE; - authorizeGrantOnTableLikeOperationOrThrow( - op, - catalogName, - List.of(PolarisEntitySubType.GENERIC_TABLE, PolarisEntitySubType.ICEBERG_TABLE), - identifier, - catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnTableLikeOperationOrThrow( + op, + catalogName, + List.of(PolarisEntitySubType.GENERIC_TABLE, PolarisEntitySubType.ICEBERG_TABLE), + identifier, + catalogRoleName); return grantPrivilegeOnTableLikeToRole( + resolutionManifest, catalogName, catalogRoleName, identifier, @@ -1889,14 +1881,16 @@ public PrivilegeResult revokePrivilegeOnTableFromRole( PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_TABLE_GRANT_FROM_CATALOG_ROLE; - authorizeGrantOnTableLikeOperationOrThrow( - op, - catalogName, - List.of(PolarisEntitySubType.GENERIC_TABLE, PolarisEntitySubType.ICEBERG_TABLE), - identifier, - catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnTableLikeOperationOrThrow( + op, + catalogName, + List.of(PolarisEntitySubType.GENERIC_TABLE, PolarisEntitySubType.ICEBERG_TABLE), + identifier, + catalogRoleName); return revokePrivilegeOnTableLikeFromRole( + resolutionManifest, catalogName, catalogRoleName, identifier, 
@@ -1911,10 +1905,16 @@ public PrivilegeResult grantPrivilegeOnViewToRole( PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_VIEW_GRANT_TO_CATALOG_ROLE; - authorizeGrantOnTableLikeOperationOrThrow( - op, catalogName, List.of(PolarisEntitySubType.ICEBERG_VIEW), identifier, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnTableLikeOperationOrThrow( + op, + catalogName, + List.of(PolarisEntitySubType.ICEBERG_VIEW), + identifier, + catalogRoleName); return grantPrivilegeOnTableLikeToRole( + resolutionManifest, catalogName, catalogRoleName, identifier, @@ -1930,10 +1930,16 @@ public PrivilegeResult revokePrivilegeOnViewFromRole( PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_VIEW_GRANT_FROM_CATALOG_ROLE; - authorizeGrantOnTableLikeOperationOrThrow( - op, catalogName, List.of(PolarisEntitySubType.ICEBERG_VIEW), identifier, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnTableLikeOperationOrThrow( + op, + catalogName, + List.of(PolarisEntitySubType.ICEBERG_VIEW), + identifier, + catalogRoleName); return revokePrivilegeOnTableLikeFromRole( + resolutionManifest, catalogName, catalogRoleName, identifier, @@ -1948,9 +1954,11 @@ public PrivilegeResult grantPrivilegeOnPolicyToRole( PolarisPrivilege privilege) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.ADD_POLICY_GRANT_TO_CATALOG_ROLE; - authorizeGrantOnPolicyOperationOrThrow(op, catalogName, identifier, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnPolicyOperationOrThrow(op, catalogName, identifier, catalogRoleName); - return grantPrivilegeOnPolicyEntityToRole(catalogName, catalogRoleName, identifier, privilege); + return grantPrivilegeOnPolicyEntityToRole( + resolutionManifest, catalogName, catalogRoleName, identifier, privilege); } public PrivilegeResult revokePrivilegeOnPolicyFromRole( 
@@ -1961,24 +1969,21 @@ public PrivilegeResult revokePrivilegeOnPolicyFromRole( PolarisAuthorizableOperation op = PolarisAuthorizableOperation.REVOKE_POLICY_GRANT_FROM_CATALOG_ROLE; - authorizeGrantOnPolicyOperationOrThrow(op, catalogName, identifier, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeGrantOnPolicyOperationOrThrow(op, catalogName, identifier, catalogRoleName); return revokePrivilegeOnPolicyEntityFromRole( - catalogName, catalogRoleName, identifier, privilege); + resolutionManifest, catalogName, catalogRoleName, identifier, privilege); } public List listAssigneePrincipalRolesForCatalogRole( String catalogName, String catalogRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_ASSIGNEE_PRINCIPAL_ROLES_FOR_CATALOG_ROLE; - authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, catalogRoleName); - if (currentCatalog().isEmpty()) { - throw new NotFoundException("Parent catalog %s not found", catalogName); - } - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); LoadGrantsResult grantList = metaStoreManager.loadGrantsOnSecurable(getCurrentPolarisContext(), catalogRoleEntity); return buildEntitiesFromGrantResults(grantList, true, PolarisEntityType.PRINCIPAL_ROLE, null); 
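Review bot: The explicit `Parent catalog %s not found` check in `listAssigneePrincipalRolesForCatalogRole` is gone on the new side, so a request naming a non-existent catalog now surfaces, if it gets past `authorizeBasicCatalogRoleOperationOrThrow` at all, as `CatalogRole %s not found` from `getCatalogRoleByName`. The enclosing method continues outside the hunk. That is acceptable (it discloses less about which part of the path is missing) but it is an observable message change, so any test pinning the old message needs updating, and a short comment such as `// A missing catalog is reported as a missing role; the authorizer normally rejects it earlier.` would stop the next reader from re-adding the check.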
@@ -1990,11 +1995,10 @@ public List listAssigneePrincipalRolesForCatalogRole( */ public List listGrantsForCatalogRole(String catalogName, String catalogRoleName) { PolarisAuthorizableOperation op = PolarisAuthorizableOperation.LIST_GRANTS_FOR_CATALOG_ROLE; - authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, catalogRoleName); + PolarisResolutionManifest resolutionManifest = + authorizeBasicCatalogRoleOperationOrThrow(op, catalogName, catalogRoleName); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); LoadGrantsResult grantList = metaStoreManager.loadGrantsToGrantee(getCurrentPolarisContext(), catalogRoleEntity); List catalogGrants = new ArrayList<>(); @@ -2131,17 +2135,14 @@ public List listGrantsForCatalogRole(String catalogName, String c /** Adds a table-level or view-level grant on {@code identifier} to {@code catalogRoleName}. */ private PrivilegeResult grantPrivilegeOnTableLikeToRole( + PolarisResolutionManifest resolutionManifest, String catalogName, String catalogRoleName, TableIdentifier identifier, List subTypes, PolarisPrivilege privilege) { - CatalogEntity catalogEntity = - currentCatalog() - .orElseThrow(() -> new NotFoundException("Parent catalog %s not found", catalogName)); - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath( 
@@ -2157,7 +2158,7 @@ private PrivilegeResult grantPrivilegeOnTableLikeToRole( if (resolutionManifest.getIsPassthroughFacade() && rbacForFederatedCatalogsEnabled) { resolvedPathWrapper = createSyntheticTableLikeEntities( - catalogEntity, identifier, subTypes, resolvedPathWrapper); + resolutionManifest, catalogEntity, identifier, subTypes, resolvedPathWrapper); if (resolvedPathWrapper == null || !subTypes.contains(resolvedPathWrapper.getRawLeafEntity().getSubType())) { // TODO: update the exception thrown as we refine the possible retry scenarios @@ -2192,6 +2193,7 @@ private PrivilegeResult grantPrivilegeOnTableLikeToRole( * @return the resolved path wrapper */ private PolarisResolvedPathWrapper createSyntheticTableLikeEntities( + PolarisResolutionManifest resolutionManifest, CatalogEntity catalogEntity, TableIdentifier identifier, List subTypes, @@ -2200,7 +2202,8 @@ private PolarisResolvedPathWrapper createSyntheticTableLikeEntities( Namespace namespace = identifier.namespace(); PolarisResolvedPathWrapper resolvedNamespacePathWrapper = !namespace.isEmpty() - ? createSyntheticNamespaceEntities(catalogEntity, namespace, existingPathWrapper) + ? createSyntheticNamespaceEntities( + resolutionManifest, catalogEntity, namespace, existingPathWrapper) : existingPathWrapper; if (resolvedNamespacePathWrapper == null 
@@ -2256,17 +2259,14 @@ private PolarisResolvedPathWrapper createSyntheticTableLikeEntities( * Removes a table-level or view-level grant on {@code identifier} from {@code catalogRoleName}. */ private PrivilegeResult revokePrivilegeOnTableLikeFromRole( + PolarisResolutionManifest resolutionManifest, String catalogName, String catalogRoleName, TableIdentifier identifier, List subTypes, PolarisPrivilege privilege) { - if (currentCatalog().isEmpty()) { - throw new NotFoundException("Parent catalog %s not found", catalogName); - } - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath( 
@@ -2275,69 +2275,60 @@ private PrivilegeResult revokePrivilegeOnTableLikeFromRole( || !subTypes.contains(resolvedPathWrapper.getRawLeafEntity().getSubType())) { CatalogHandler.throwNotFoundExceptionForTableLikeEntity(identifier, subTypes); } - List catalogPath = resolvedPathWrapper.getRawParentPath(); PolarisEntity tableLikeEntity = resolvedPathWrapper.getRawLeafEntity(); return metaStoreManager.revokePrivilegeOnSecurableFromRole( getCurrentPolarisContext(), catalogRoleEntity, - PolarisEntity.toCoreList(catalogPath), + PolarisEntity.toCoreList(List.of(catalogEntity)), tableLikeEntity, privilege); } private PrivilegeResult grantPrivilegeOnPolicyEntityToRole( + PolarisResolutionManifest resolutionManifest, String catalogName, String catalogRoleName, PolicyIdentifier identifier, PolarisPrivilege privilege) { - if (currentCatalog().isEmpty()) { - throw new NotFoundException("Parent catalog %s not found", catalogName); - } - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath(identifier); if (resolvedPathWrapper == null) { throw new NoSuchPolicyException(String.format("Policy not exists: %s", identifier)); } - List catalogPath = resolvedPathWrapper.getRawParentPath(); PolarisEntity policyEntity = resolvedPathWrapper.getRawLeafEntity(); return metaStoreManager.grantPrivilegeOnSecurableToRole( getCurrentPolarisContext(), catalogRoleEntity, - PolarisEntity.toCoreList(catalogPath), + PolarisEntity.toCoreList(List.of(catalogEntity)), policyEntity, privilege); } private PrivilegeResult revokePrivilegeOnPolicyEntityFromRole( + PolarisResolutionManifest resolutionManifest, String catalogName, 
String catalogRoleName, PolicyIdentifier identifier, PolarisPrivilege privilege) { - if (currentCatalog().isEmpty()) { - throw new NotFoundException("Parent catalog %s not found", catalogName); - } - PolarisEntity catalogRoleEntity = - findCatalogRoleByName(catalogName, catalogRoleName) - .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", catalogRoleName)); + CatalogEntity catalogEntity = getCatalogByName(resolutionManifest, catalogName); + CatalogRoleEntity catalogRoleEntity = getCatalogRoleByName(resolutionManifest, catalogRoleName); PolarisResolvedPathWrapper resolvedPathWrapper = resolutionManifest.getResolvedPath(identifier); if (resolvedPathWrapper == null) { throw new NoSuchPolicyException(String.format("Policy not exists: %s", identifier)); } - List catalogPath = resolvedPathWrapper.getRawParentPath(); PolarisEntity policyEntity = resolvedPathWrapper.getRawLeafEntity(); return metaStoreManager.revokePrivilegeOnSecurableFromRole( getCurrentPolarisContext(), catalogRoleEntity, - PolarisEntity.toCoreList(catalogPath), + PolarisEntity.toCoreList(List.of(catalogEntity)), policyEntity, privilege); }
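Review bot: `PolarisEntity.toCoreList(List.of(catalogEntity))` now replaces the resolved `getRawParentPath()` in `revokePrivilegeOnTableLikeFromRole` and in both policy grant/revoke paths, so for a table or policy under a namespace the metastore receives only the catalog instead of the catalog-plus-namespace chain. Whether `revokePrivilegeOnSecurableFromRole` validates the securable against the supplied path is not visible here; if it does, revokes on entities in nested namespaces would fail and leave the privilege in place, which is the worst failure mode for a revoke. I would add a test that grants and then revokes a table privilege and a policy privilege under a two-level namespace, for both a native catalog and a passthrough facade, plus a comment on the call such as `// Path is intentionally just the catalog: confirm the metastore does not require the namespace chain here.` The grant counterpart `grantPrivilegeOnTableLikeToRole` ends outside this hunk, so I cannot confirm from here that it passes the same shape.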