horizonzy opened a new issue, #509:
URL: https://github.com/apache/polaris/issues/509
### Is this a possible security vulnerability?
- [X] This is NOT a possible security vulnerability
### Describe the bug
I have granted the catalog role with `NAMESPACE_CREATE` privilege, but the
log shows the user didn't have the privilege.
```
DEBUG [2024-12-05 14:01:00,700 - 521510] [pool-3-thread-8 - POST
/api/catalog/v1/quickstart_catalog/namespaces] []
o.a.p.s.c.a.IcebergRestCatalogApi: Invoking CatalogApi with params
operation="createNamespace" prefix="quickstart_catalog"
createNamespaceRequest="CreateNamespaceRequest{namespace=public, properties={}}"
DEBUG [2024-12-05 14:01:00,700 - 521510] [pool-3-thread-8 - POST
/api/catalog/v1/quickstart_catalog/namespaces] []
o.a.p.s.c.RealmEntityManagerFactory: Looking up PolarisEntityManager for realm
default-realm
DEBUG [2024-12-05 14:01:00,700 - 521510] [pool-3-thread-8 - POST
/api/catalog/v1/quickstart_catalog/namespaces] []
o.a.p.c.a.PolarisAuthorizerImpl: Failed to satisfy privilege NAMESPACE_CREATE
for principalName quickstart_user on resolvedPath
resolvedPath:[entity:name=root_container;id=0;parentId=0;entityVersion=1;type=ROOT;subType=NULL_SUBTYPE;internalProperties={};grantRecordsAsGrantee:[];grantRecordsAsSecurable:[PolarisGrantRec{securableCatalogId=0,
securableId=0, granteeCatalogId=0, granteeId=2, privilegeCode=1}],
entity:name=quickstart_catalog;id=3;parentId=0;entityVersion=1;type=CATALOG;subType=NULL_SUBTYPE;internalProperties={catalogType=EXTERNAL,
storage_configuration_info={"@type":"AwsStorageConfigurationInfo","storageType":"S3","allowedLocations":["s3://aws-test-unity-catalog"],"roleARN":"arn:aws:iam::738562057640:role/test-polaris","fileIoImplClassName":"org.apache.iceberg.aws.s3.S3FileIO"},
remoteUrl=null};grantRecordsAsGrantee:[];grantRecordsAsSecurable:[PolarisGrantRec{securableCatalogId=0,
securableId=3, granteeCatalogId=3, granteeId=4,
privilegeCode=2}, PolarisGrantRec{securableCatalogId=0, securableId=3,
granteeCatalogId=3, granteeId=4, privilegeCode=31},
PolarisGrantRec{securableCatalogId=0, securableId=3, granteeCatalogId=3,
granteeId=7, privilegeCode=5}]]
INFO [2024-12-05 14:01:00,700 - 521510] [pool-3-thread-8 - POST
/api/catalog/v1/quickstart_catalog/namespaces] []
o.a.p.s.e.IcebergExceptionMapper: Handling runtimeException Principal
'quickstart_user' with activated PrincipalRoles '[catalog]' and activated
grants via '[]' is not authorized for op CREATE_NAMESPACE
```
```
./polaris privileges list --catalog quickstart_catalog --catalog-role quickstart_catalog_role
{"type": "catalog", "privilege": "NAMESPACE_CREATE"}
```
### To Reproduce
_No response_
### Actual Behavior
_No response_
### Expected Behavior
_No response_
### Additional context
_No response_
### System information
the branch: master