in polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java [143:520]
// Populates SUPER_PRIVILEGES: each putAll call associates one privilege (the key) with a list of
// privileges (the values). Every list in this block contains the key itself.
// NOTE(review): going by the map's name, holding any listed value presumably satisfies a check
// for the key; the lookup code is outside this view, so confirm there, and confirm that a
// privilege with no entry in this table is denied rather than allowed.
// If so, every value added to a list widens who passes the check for that key, so edits to this
// table deserve the same scrutiny as edits to the authorization check itself.
static {
// Access-management and role-usage privileges are listed only with themselves.
SUPER_PRIVILEGES.putAll(SERVICE_MANAGE_ACCESS, List.of(SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(CATALOG_MANAGE_ACCESS, List.of(CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(CATALOG_ROLE_USAGE, List.of(CATALOG_ROLE_USAGE));
SUPER_PRIVILEGES.putAll(PRINCIPAL_ROLE_USAGE, List.of(PRINCIPAL_ROLE_USAGE));
// Namespace, Table, View privileges
// The create/drop/list/property entries below all list CATALOG_MANAGE_CONTENT,
// CATALOG_MANAGE_METADATA and the matching *_FULL_METADATA privilege.
SUPER_PRIVILEGES.putAll(
NAMESPACE_CREATE,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
NAMESPACE_CREATE,
NAMESPACE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
TABLE_CREATE,
List.of(
CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, TABLE_CREATE, TABLE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
VIEW_CREATE,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, VIEW_CREATE, VIEW_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
NAMESPACE_DROP,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
NAMESPACE_DROP,
NAMESPACE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
TABLE_DROP,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, TABLE_DROP, TABLE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
VIEW_DROP,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, VIEW_DROP, VIEW_FULL_METADATA));
// LIST entries additionally list the CREATE and property read/write privileges of the same
// securable type (and, for tables, the data privileges); DROP is not listed.
SUPER_PRIVILEGES.putAll(
NAMESPACE_LIST,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
NAMESPACE_CREATE,
NAMESPACE_FULL_METADATA,
NAMESPACE_LIST,
NAMESPACE_READ_PROPERTIES,
NAMESPACE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
TABLE_LIST,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
TABLE_CREATE,
TABLE_FULL_METADATA,
TABLE_LIST,
TABLE_READ_DATA,
TABLE_READ_PROPERTIES,
TABLE_WRITE_DATA,
TABLE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
VIEW_LIST,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
VIEW_CREATE,
VIEW_FULL_METADATA,
VIEW_LIST,
VIEW_READ_PROPERTIES,
VIEW_WRITE_PROPERTIES));
// READ_PROPERTIES entries list the matching WRITE_PROPERTIES privilege; the table entry also
// lists both table data privileges.
SUPER_PRIVILEGES.putAll(
NAMESPACE_READ_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
NAMESPACE_FULL_METADATA,
NAMESPACE_READ_PROPERTIES,
NAMESPACE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
TABLE_READ_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
TABLE_FULL_METADATA,
TABLE_READ_DATA,
TABLE_READ_PROPERTIES,
TABLE_WRITE_DATA,
TABLE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
VIEW_READ_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
VIEW_FULL_METADATA,
VIEW_READ_PROPERTIES,
VIEW_WRITE_PROPERTIES));
// WRITE_PROPERTIES entries do not list READ_PROPERTIES; the table entry lists TABLE_WRITE_DATA
// but not TABLE_READ_DATA.
SUPER_PRIVILEGES.putAll(
NAMESPACE_WRITE_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
NAMESPACE_FULL_METADATA,
NAMESPACE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
TABLE_WRITE_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
TABLE_FULL_METADATA,
TABLE_WRITE_DATA,
TABLE_WRITE_PROPERTIES));
SUPER_PRIVILEGES.putAll(
VIEW_WRITE_PROPERTIES,
List.of(
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
VIEW_FULL_METADATA,
VIEW_WRITE_PROPERTIES));
// Table data access: CATALOG_MANAGE_METADATA and TABLE_FULL_METADATA are not listed for either
// data privilege. TABLE_WRITE_DATA is listed for TABLE_READ_DATA, not the reverse.
SUPER_PRIVILEGES.putAll(
TABLE_READ_DATA, List.of(CATALOG_MANAGE_CONTENT, TABLE_READ_DATA, TABLE_WRITE_DATA));
SUPER_PRIVILEGES.putAll(TABLE_WRITE_DATA, List.of(CATALOG_MANAGE_CONTENT, TABLE_WRITE_DATA));
SUPER_PRIVILEGES.putAll(
NAMESPACE_FULL_METADATA,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, NAMESPACE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
TABLE_FULL_METADATA,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, TABLE_FULL_METADATA));
SUPER_PRIVILEGES.putAll(
VIEW_FULL_METADATA,
List.of(CATALOG_MANAGE_CONTENT, CATALOG_MANAGE_METADATA, VIEW_FULL_METADATA));
// Catalog privileges
// CATALOG_MANAGE_CONTENT is listed for CATALOG_MANAGE_METADATA, not the reverse.
SUPER_PRIVILEGES.putAll(
CATALOG_MANAGE_METADATA, List.of(CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(CATALOG_MANAGE_CONTENT, List.of(CATALOG_MANAGE_CONTENT));
// Catalog create/drop list CATALOG_FULL_METADATA and SERVICE_MANAGE_ACCESS but neither
// CATALOG_MANAGE_* privilege; the list/property entries further down list both.
SUPER_PRIVILEGES.putAll(
CATALOG_CREATE, List.of(CATALOG_CREATE, CATALOG_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_DROP, List.of(CATALOG_DROP, CATALOG_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_LIST,
List.of(
CATALOG_CREATE,
CATALOG_FULL_METADATA,
CATALOG_LIST,
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
CATALOG_READ_PROPERTIES,
CATALOG_WRITE_PROPERTIES,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_READ_PROPERTIES,
List.of(
CATALOG_FULL_METADATA,
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
CATALOG_READ_PROPERTIES,
CATALOG_WRITE_PROPERTIES,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_WRITE_PROPERTIES,
List.of(
CATALOG_FULL_METADATA,
CATALOG_MANAGE_CONTENT,
CATALOG_MANAGE_METADATA,
CATALOG_WRITE_PROPERTIES,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_FULL_METADATA, List.of(CATALOG_FULL_METADATA, SERVICE_MANAGE_ACCESS));
// _LIST_GRANTS
// Principal and principal-role entries list SERVICE_MANAGE_ACCESS; catalog-role, catalog,
// namespace, table and view entries list CATALOG_MANAGE_ACCESS. Each entry also lists the
// matching MANAGE_GRANTS_* privileges.
SUPER_PRIVILEGES.putAll(
PRINCIPAL_LIST_GRANTS,
List.of(
PRINCIPAL_LIST_GRANTS,
PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE,
PRINCIPAL_MANAGE_GRANTS_FOR_GRANTEE,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_LIST_GRANTS,
List.of(
PRINCIPAL_ROLE_LIST_GRANTS,
PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE,
PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_LIST_GRANTS,
List.of(
CATALOG_ROLE_LIST_GRANTS,
CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE,
CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE,
CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_LIST_GRANTS,
List.of(CATALOG_LIST_GRANTS, CATALOG_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
NAMESPACE_LIST_GRANTS,
List.of(
NAMESPACE_LIST_GRANTS, NAMESPACE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
TABLE_LIST_GRANTS,
List.of(TABLE_LIST_GRANTS, TABLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
VIEW_LIST_GRANTS,
List.of(VIEW_LIST_GRANTS, VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
// _MANAGE_GRANTS_ON_SECURABLE for CATALOG, NAMESPACE, TABLE, VIEW
// Besides the key itself, only CATALOG_MANAGE_ACCESS is listed; the content/metadata
// privileges are not.
SUPER_PRIVILEGES.putAll(
CATALOG_MANAGE_GRANTS_ON_SECURABLE,
List.of(CATALOG_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
NAMESPACE_MANAGE_GRANTS_ON_SECURABLE,
List.of(NAMESPACE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
TABLE_MANAGE_GRANTS_ON_SECURABLE,
List.of(TABLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
VIEW_MANAGE_GRANTS_ON_SECURABLE,
List.of(VIEW_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
// PRINCIPAL CRUDL
SUPER_PRIVILEGES.putAll(
PRINCIPAL_CREATE,
List.of(PRINCIPAL_CREATE, PRINCIPAL_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_DROP, List.of(PRINCIPAL_DROP, PRINCIPAL_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_LIST,
List.of(
PRINCIPAL_LIST,
PRINCIPAL_CREATE,
PRINCIPAL_READ_PROPERTIES,
PRINCIPAL_WRITE_PROPERTIES,
PRINCIPAL_FULL_METADATA,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_READ_PROPERTIES,
List.of(
PRINCIPAL_READ_PROPERTIES,
PRINCIPAL_WRITE_PROPERTIES,
PRINCIPAL_FULL_METADATA,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_WRITE_PROPERTIES,
List.of(PRINCIPAL_WRITE_PROPERTIES, PRINCIPAL_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_FULL_METADATA, List.of(PRINCIPAL_FULL_METADATA, SERVICE_MANAGE_ACCESS));
// PRINCIPAL MANAGE_GRANTS
SUPER_PRIVILEGES.putAll(
PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE,
List.of(PRINCIPAL_MANAGE_GRANTS_ON_SECURABLE, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_MANAGE_GRANTS_FOR_GRANTEE,
List.of(PRINCIPAL_MANAGE_GRANTS_FOR_GRANTEE, SERVICE_MANAGE_ACCESS));
// PRINCIPAL special privileges
// PRINCIPAL_ROTATE_CREDENTIALS is listed only with itself: neither SERVICE_MANAGE_ACCESS nor
// PRINCIPAL_FULL_METADATA appears. PRINCIPAL_RESET_CREDENTIALS additionally lists
// SERVICE_MANAGE_ACCESS but not PRINCIPAL_FULL_METADATA.
SUPER_PRIVILEGES.putAll(PRINCIPAL_ROTATE_CREDENTIALS, List.of(PRINCIPAL_ROTATE_CREDENTIALS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_RESET_CREDENTIALS, List.of(PRINCIPAL_RESET_CREDENTIALS, SERVICE_MANAGE_ACCESS));
// PRINCIPAL_ROLE CRUDL
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_CREATE,
List.of(PRINCIPAL_ROLE_CREATE, PRINCIPAL_ROLE_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_DROP,
List.of(PRINCIPAL_ROLE_DROP, PRINCIPAL_ROLE_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_LIST,
List.of(
PRINCIPAL_ROLE_LIST,
PRINCIPAL_ROLE_CREATE,
PRINCIPAL_ROLE_READ_PROPERTIES,
PRINCIPAL_ROLE_WRITE_PROPERTIES,
PRINCIPAL_ROLE_FULL_METADATA,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_READ_PROPERTIES,
List.of(
PRINCIPAL_ROLE_READ_PROPERTIES,
PRINCIPAL_ROLE_WRITE_PROPERTIES,
PRINCIPAL_ROLE_FULL_METADATA,
SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_WRITE_PROPERTIES,
List.of(
PRINCIPAL_ROLE_WRITE_PROPERTIES, PRINCIPAL_ROLE_FULL_METADATA, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_FULL_METADATA, List.of(PRINCIPAL_ROLE_FULL_METADATA, SERVICE_MANAGE_ACCESS));
// PRINCIPAL_ROLE MANAGE_GRANTS
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE,
List.of(PRINCIPAL_ROLE_MANAGE_GRANTS_ON_SECURABLE, SERVICE_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE,
List.of(PRINCIPAL_ROLE_MANAGE_GRANTS_FOR_GRANTEE, SERVICE_MANAGE_ACCESS));
// CATALOG_ROLE CRUDL
// Catalog-role entries list CATALOG_MANAGE_ACCESS where the principal and principal-role
// entries above list SERVICE_MANAGE_ACCESS.
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_CREATE,
List.of(CATALOG_ROLE_CREATE, CATALOG_ROLE_FULL_METADATA, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_DROP,
List.of(CATALOG_ROLE_DROP, CATALOG_ROLE_FULL_METADATA, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_LIST,
List.of(
CATALOG_ROLE_LIST,
CATALOG_ROLE_CREATE,
CATALOG_ROLE_READ_PROPERTIES,
CATALOG_ROLE_WRITE_PROPERTIES,
CATALOG_ROLE_FULL_METADATA,
CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_READ_PROPERTIES,
List.of(
CATALOG_ROLE_READ_PROPERTIES,
CATALOG_ROLE_WRITE_PROPERTIES,
CATALOG_ROLE_FULL_METADATA,
CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_WRITE_PROPERTIES,
List.of(CATALOG_ROLE_WRITE_PROPERTIES, CATALOG_ROLE_FULL_METADATA, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_FULL_METADATA, List.of(CATALOG_ROLE_FULL_METADATA, CATALOG_MANAGE_ACCESS));
// CATALOG_ROLE MANAGE_GRANTS
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE,
List.of(CATALOG_ROLE_MANAGE_GRANTS_ON_SECURABLE, CATALOG_MANAGE_ACCESS));
SUPER_PRIVILEGES.putAll(
CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE,
List.of(CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE, CATALOG_MANAGE_ACCESS));
// Policy privileges
// Policy create/write/drop/read/list entries list POLICY_FULL_METADATA and both
// CATALOG_MANAGE_* privileges.
SUPER_PRIVILEGES.putAll(
POLICY_CREATE,
List.of(
POLICY_CREATE, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
POLICY_WRITE,
List.of(
POLICY_WRITE, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
POLICY_DROP,
List.of(
POLICY_DROP, POLICY_FULL_METADATA, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
POLICY_READ,
List.of(
POLICY_READ,
POLICY_WRITE,
POLICY_FULL_METADATA,
CATALOG_MANAGE_METADATA,
CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
POLICY_LIST,
List.of(
POLICY_LIST,
POLICY_CREATE,
POLICY_READ,
POLICY_WRITE,
POLICY_FULL_METADATA,
CATALOG_MANAGE_METADATA,
CATALOG_MANAGE_CONTENT));
// Attach/detach entries list only the key and CATALOG_MANAGE_CONTENT; CATALOG_MANAGE_METADATA
// and POLICY_FULL_METADATA are not listed. No VIEW_ATTACH_POLICY / VIEW_DETACH_POLICY entry
// appears in this block.
SUPER_PRIVILEGES.putAll(POLICY_ATTACH, List.of(POLICY_ATTACH, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(POLICY_DETACH, List.of(POLICY_DETACH, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
CATALOG_ATTACH_POLICY, List.of(CATALOG_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
NAMESPACE_ATTACH_POLICY, List.of(NAMESPACE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
TABLE_ATTACH_POLICY, List.of(TABLE_ATTACH_POLICY, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
CATALOG_DETACH_POLICY, List.of(CATALOG_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
NAMESPACE_DETACH_POLICY, List.of(NAMESPACE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
SUPER_PRIVILEGES.putAll(
TABLE_DETACH_POLICY, List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_CONTENT));
}