feat: add CATALOG_READ_DATA privilege for data analyst read-only catalog access#3927
Introduces a new catalog-level privilege CATALOG_READ_DATA (code 103) that grants read-only access to all data and navigational metadata within a specific catalog. This is intended for data analyst principals who need broad read access across an entire catalog without any write or administrative capabilities.

CATALOG_READ_DATA subsumes the following privileges when granted on a catalog:
- NAMESPACE_LIST and NAMESPACE_READ_PROPERTIES (catalog navigation)
- TABLE_LIST, TABLE_READ_PROPERTIES, and TABLE_READ_DATA (table access)
- VIEW_LIST and VIEW_READ_PROPERTIES (view access)

It is itself subsumed by CATALOG_MANAGE_CONTENT (the existing full-access catalog privilege), preserving the existing privilege hierarchy.

Changes:
- PolarisPrivilege.java: add CATALOG_READ_DATA enum constant (code 103)
- PolarisAuthorizerImpl.java: register subsumption rules in SUPER_PRIVILEGES
- polaris-management-service.yml: add CATALOG_READ_DATA to CatalogPrivilege enum
- PolarisPrivilegeTest.java: update code-to-privilege mapping test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
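The subsumption rules listed in the description, modelled as an added example: this is standalone Python illustrating the privilege hierarchy, not Polaris's PolarisAuthorizerImpl or its SUPER_PRIVILEGES structure. The function names and the analyst requirement set are this example's own assumptions; CATALOG_MANAGE_CONTENT is modelled only as subsuming CATALOG_READ_DATA (its pre-existing subsumptions are not on this page), and TABLE_WRITE_DATA and CATALOG_READ_PROPERTIES appear only as privileges the new grant does not imply.

```python
"""Added example (not Apache Polaris code): a small model of the catalog
privilege hierarchy described in the PR, used to check what a grant of
CATALOG_READ_DATA does and does not imply.

Assumptions: DIRECTLY_SUBSUMES holds exactly the rules listed in the PR
description; CATALOG_MANAGE_CONTENT is modelled only as subsuming
CATALOG_READ_DATA. Function names and ANALYST_REQUIRES are this example's own.
"""
from collections.abc import Iterable

# Privilege -> privileges it directly subsumes (from the PR description).
DIRECTLY_SUBSUMES: dict[str, frozenset[str]] = {
    "CATALOG_READ_DATA": frozenset({
        "NAMESPACE_LIST", "NAMESPACE_READ_PROPERTIES",              # catalog navigation
        "TABLE_LIST", "TABLE_READ_PROPERTIES", "TABLE_READ_DATA",  # table access
        "VIEW_LIST", "VIEW_READ_PROPERTIES",                       # view access
    }),
    # The PR states CATALOG_MANAGE_CONTENT subsumes CATALOG_READ_DATA; its other
    # (pre-existing) subsumptions are not modelled here.
    "CATALOG_MANAGE_CONTENT": frozenset({"CATALOG_READ_DATA"}),
}

# Privileges mentioned in the review that CATALOG_READ_DATA must NOT imply.
NOT_IMPLIED_EXAMPLES = ("TABLE_WRITE_DATA", "CATALOG_READ_PROPERTIES")

# Constructed set of privileges a read-only analyst role needs (example data).
ANALYST_REQUIRES = frozenset({
    "NAMESPACE_LIST", "TABLE_LIST", "TABLE_READ_PROPERTIES", "TABLE_READ_DATA", "VIEW_LIST",
})


def effective_privileges(granted: Iterable[str]) -> frozenset[str]:
    """Transitive closure of a grant set: everything the grants imply."""
    effective: set[str] = set()
    pending = list(granted)
    while pending:
        priv = pending.pop()
        if priv in effective:
            continue
        effective.add(priv)
        pending.extend(DIRECTLY_SUBSUMES.get(priv, ()))
    return frozenset(effective)


def is_authorized(granted: Iterable[str], required: str) -> bool:
    """True if the required privilege is held directly or by subsumption."""
    return required in effective_privileges(granted)


def missing_privileges(granted: Iterable[str], required: Iterable[str]) -> frozenset[str]:
    """Required privileges that the grant set does not cover (least-privilege check)."""
    return frozenset(required) - effective_privileges(granted)


def hierarchy_is_acyclic() -> bool:
    """Sanity check on the rule table: no privilege may transitively subsume itself."""
    return all(
        priv not in effective_privileges(DIRECTLY_SUBSUMES[priv]) for priv in DIRECTLY_SUBSUMES
    )


if __name__ == "__main__":
    for grant in (["CATALOG_READ_DATA"], ["CATALOG_MANAGE_CONTENT"], ["TABLE_READ_DATA"]):
        print(f"grant {grant}:")
        gap = sorted(missing_privileges(grant, ANALYST_REQUIRES))
        print("  missing for analyst role:", gap or "none")
        for priv in NOT_IMPLIED_EXAMPLES:
            print(f"  implies {priv}: {is_authorized(grant, priv)}")
    print("hierarchy acyclic:", hierarchy_is_acyclic())
```

Running it shows the boundary the discussion is about: a single CATALOG_READ_DATA grant covers every read operation in the analyst set, CATALOG_MANAGE_CONTENT covers it transitively, and neither TABLE_WRITE_DATA nor CATALOG_READ_PROPERTIES is implied by the new privilege.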
dimas-b
left a comment
Thanks for your contribution, @Praneeth-Sagar-13 !
The changes LGTM 👍
Still, given this PR affects the Polaris RBAC model, I believe it would be wise for the sake of community awareness to have a "[DISCUSS]" thread for it on the dev ML before merging.
Would you be comfortable starting this email thread (you may want to subscribe to dev too)?
I feel ok with this change. +1 on the ML discussion. Also @dennishuo may have an opinion

Started a [DISCUSS] thread: https://lists.apache.org/thread/p6fjxh7y65s2mdywc330gor6yrj2vngz

@Praneeth-Sagar-13 : Please run
 * #TABLE_LIST}, {@link #TABLE_READ_PROPERTIES}, {@link #TABLE_READ_DATA}, {@link #VIEW_LIST}, and
 * {@link #VIEW_READ_PROPERTIES}.
 */
CATALOG_READ_DATA(103, PolarisEntityType.CATALOG),
The privilege is good to have; otherwise, users have to grant/invoke 7+ privileges for the same purpose.
The name CATALOG_READ_DATA implies data-only access (reading table contents), but it actually subsumes metadata-plane privileges too like TABLE_READ_PROPERTIES, NAMESPACE_READ_PROPERTIES, VIEW_READ_PROPERTIES, and the *_LIST privileges. I am wondering if we can give a more descriptive name, like CATALOG_READ or CATALOG_READ_ALL.
A related question: why doesn't it subsume CATALOG_READ_PROPERTIES?