[Policy Store | Management Spec] Add policy privileges to spec and update admin service impl

[HonahX]

This PR adds new policy related privileges to polaris-management-api.yml and update PolarisAdminService to allow granting new privileges

[eric-maynard]

LGTM! At some point, we should update the relevant docs

[flyrain]

It's interesting we have this limits here, not only new entity like Policy, but also for table/view, etc. This becomes a an extra Polaris limit. Should we lift it somehow? I could see a corner case that users migrate a table with a long name will fail. Not a blocker for this PR though. cc @eric-maynard @dennishuo @collado-mike for more context.

[sfc-gh-jojiang]

Yeah, I follow the existing pattern to include these limits for the new schema. May be we can do this in a follow-up to remove all the limits if they are not needed?

[flyrain]

Definitely, we can deal with it in a follow-up.

[gh-yzou]

@HonahX shall we also contain a pattern definition here? for example

pattern: '^(?!\s*[s|S][y|Y][s|S][t|T][e|E][m|M]\$).*$'

[HonahX]

Good point, I checked the yaml and seems the pattern is defined for catalogRole, principal, catalogName. For namespace and table there is pattern

    NamespaceGrant:
      allOf:
        - $ref: '#/components/schemas/GrantResource'
        - type: object
          properties:
            namespace:
              type: array
              items:
                type: string
            privilege:
              $ref: '#/components/schemas/NamespacePrivilege'
          required:
            - namespace
            - privilege

    TableGrant:
      allOf:
        - $ref: '#/components/schemas/GrantResource'
        - type: object
          properties:
            namespace:
              type: array
              items:
                type: string
            tableName:
              type: string
              minLength: 1
              maxLength: 256
            privilege:
              $ref: '#/components/schemas/TablePrivilege'
          required:
            - namespace
            - tableName
            - privilege

I think this pattern is mainly to prevent granting privileges to system defined roles/principals. If we have similar use case for namespace, table, policy, we can add that in the future. WDYT?

[singhpk234]

[not-blocker] is it possible to add some comments on what each of them mean ?

[eric-maynard]

+1 but we should probably do this separately, since the existing ones need comments too

[HonahX]

+1 on doing this in a follow-up. Also do you think if a pointer to the site "Access Control" section would be an option to consider, so that we will have a single source of truth for the privileges' meaning.

[singhpk234]

should we not undo the grants at catalog level to not effect subsequent test ?

[HonahX]

The integration test has a

@AfterEach
  public void cleanUp() {
    client.cleanUp(adminCredentials);
  }

to drop the catalog role and the catalog so everything happens in the current test won't affect the subsequent ones.

[singhpk234]

optional : should we add an nested namespace test as well, this could just be running this in a loop, wdyt ? just testing the resolution.

[HonahX]

Good suggestion! I think it may be a good test to add in PolicyCatalogHandlerAuthzTest where it test the actual authorization/inheritance resolution. This test is used to ensure the correct PolarisPrivilege is granted, the listGrants itself does not resolve the inheritance. I will add related ones later.

[gh-yzou]

question, why do we need CATALOG_MANAGE_ACCESS for PolicyPrivilege?

[collado-mike]

+1 this shouldn't be here

[eric-maynard]

Isn't this essentially just function is a super-privilege? I see it only TablePrivileges too, for example, even though it's not in the docs.

[HonahX]

Yeah, I added it here to be consistent with TablePrivileges, ViewPrivileges, and NamespacePrivileges. My understanding of the usage here would be allowing privilege management on a specific policy entity.

[gh-yzou]

i am always confused by the FULL_METADATA, but policy doesn't have a metadata concept, that simply refers to full access capability, right? would POLICY_FULL_ACCESS make more sense?

[eric-maynard]

Isn't that the same as for namespaces? We call that NAMESPACE_FULL_METADATA.

[HonahX]

Naming is not an easy task. For me both _FULL_METADATA and _FULL_ACCESS makes sense, but since in polaris we use _FULL_METADATA frequently: CATALOG_FULL_METADATA, NAMESPACE_FULL_METADATA, ... I think POLICY_FULL_METADATA can be more consistent with Polaris' naming convention. WDYT?

[gh-yzou]

@HonahX shall we also contain a pattern definition here? for example

pattern: '^(?!\s*[s|S][y|Y][s|S][t|T][e|E][m|M]\$).*$'

[gh-yzou]

Shall we do those in separate PR? so that we can separate the change of API spec and backend implementaiton?

[HonahX]

Maybe the current way makes it a little bit harder to review. I include both in the same PR to ensure we have test to cover that all the names and grants added to the spec is correct. Given that there has been lots of review going on, would you be okay to keep it in one for this time?

[gh-yzou]

is taht implementation mostly the same as authorizeGrantOnNamespaceOperationOrThrow, how about let's merge thoe two functions, let the function take a EntityType, and an entity name. The only thing you need to take care here is probably the error message, and i think we can do a simple enum.

[collado-mike]

It's mostly like authorizeGrantOnTableLikeOperationOrThrow, but it deals with a PolicyIdentifier instead of a TableIdentifier.

[gh-yzou]

Oh, i am actually referring to the namespaces, but all those function seems very similar. I think we can either internally handle this part according to the type, or just let the caller pass this argument List entityNames.

[gh-yzou]

i see other places don't need the subtype argument, is there a reason that we need that for Policy?

[HonahX]

I double-checked and find that getResolvedPath only verify the subtypes so it does not help for policy. I will remove that.

[gh-yzou]

Similar as above, i think we can have a common function that is used for both NameSpace and Policy

[gh-yzou]

I am actually little bit confused for this privilege, is that a privilege neds to be granted for roles? does it needs to be configured in the spec somewhere also?

[HonahX]

This along with

• NAMESPACE_MANAGED_GRANTS_ON_SECURABLE
• TABLE_MANAGED_GRANTS_ON_SECURABLE
• VIEW_MANAGED_GRANTS_ON_SECURABLE
• CATALOG_MANAGED_GRANTS_ON_SECURABLE

forms the CATALOG_MANAGE_ACCESS. We currently do not allow granting these sub-privileges through management APIs. I just follow the pattern to ensure consistency and flexibility to make the privilege granting more fine-grained in the future if needed.