Skip to content

fix(catalog): Fix authorize generic table drop against the table over namespace#4758

Closed
ArnavBalyan wants to merge 1 commit into
apache:mainfrom
ArnavBalyan:arnavb/generic-table-drop-authz
Closed

fix(catalog): Fix authorize generic table drop against the table over namespace#4758
ArnavBalyan wants to merge 1 commit into
apache:mainfrom
ArnavBalyan:arnavb/generic-table-drop-authz

Conversation

@ArnavBalyan

@ArnavBalyan ArnavBalyan commented Jun 14, 2026

Copy link
Copy Markdown
Member
  • DropGenericTable authorizes via the create under namespace, so the authz target is the parent namespace, not the table.
  • Table drop grant on generic table is ignored and the drop is wrongly denied.
  • Use the correct table level check instead of the namespace.
  • Add ut

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

Copilot AI review requested due to automatic review settings June 14, 2026 17:35
@github-project-automation github-project-automation Bot moved this to PRs In Progress in Basic Kanban Board Jun 14, 2026
@ArnavBalyan

Copy link
Copy Markdown
Member Author

cc @dimas-b @jbonofre thanks! :)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates generic table drop authorization to allow table-scoped grants and adds a regression test ensuring a table-level TABLE_DROP privilege permits dropping a generic table.

Changes:

  • Switch dropGenericTable authorization from a namespace-scoped check to a basic table-like (table-scoped) authorization check.
  • Add a unit test validating that a table-scoped TABLE_DROP grant allows dropping a generic table.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
runtime/service/src/main/java/org/apache/polaris/service/catalog/generic/GenericTableCatalogHandler.java Adjusts authorization call for dropping generic tables to support table-scoped grants.
runtime/service/src/test/java/org/apache/polaris/service/catalog/generic/PolarisGenericTableCatalogHandlerAuthzTest.java Adds a regression test for table-scoped TABLE_DROP behavior on generic table drops.

Comment on lines +131 to +138
@Test
void dropGenericTableHonorsTableScopedGrant() {
assertSuccess(
adminService.grantPrivilegeOnTableToRole(
CATALOG_NAME, CATALOG_ROLE1, TABLE_NS1_1_GENERIC, PolarisPrivilege.TABLE_DROP));

newWrapper(Set.of(PRINCIPAL_ROLE1)).dropGenericTable(TABLE_NS1_1_GENERIC);
}
Comment on lines +133 to +135
assertSuccess(
adminService.grantPrivilegeOnTableToRole(
CATALOG_NAME, CATALOG_ROLE1, TABLE_NS1_1_GENERIC, PolarisPrivilege.TABLE_DROP));

@dimas-b dimas-b left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this different from #4779 ?

@ArnavBalyan

Copy link
Copy Markdown
Member Author

How is this different from #4779 ?

Looks like they are fixing the same issue, I'm not sure which one was raised sooner

@dimas-b

dimas-b commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

Since #4779 already has some approvals, I propose to go with that PR.

@ArnavBalyan : Appreciate your contribution, in any case!

@ArnavBalyan

Copy link
Copy Markdown
Member Author

Thanks of course :)

@github-project-automation github-project-automation Bot moved this from PRs In Progress to Done in Basic Kanban Board Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants