Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More readable 403s #396

Merged
merged 6 commits into from
Oct 25, 2024
Merged

More readable 403s #396

merged 6 commits into from
Oct 25, 2024

Conversation

eric-maynard
Copy link
Contributor

@eric-maynard eric-maynard commented Oct 22, 2024
edited
Loading

Description

Currently, when a request is rejected users see an error like this:

org.apache.iceberg.exceptions.ForbiddenException: Forbidden: Principal 'quickstart_user' with activated PrincipalRoles '[]' and activated ids '[6, 7]' is not authorized for op CREATE_NAMESPACE

With this change, users will see something more like the following:
org.apache.iceberg.exceptions.ForbiddenException: Forbidden: Principal 'quickstart_user' with activated PrincipalRoles '[]' and activated grants via '[quickstart_catalog_role, quickstart_user_role]' is not authorized for op CREATE_NAMESPACE

flyrain
flyrain approved these changes Oct 25, 2024
View reviewed changes
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java
throw new ForbiddenException(
"Principal '%s' with activated PrincipalRoles '%s' and activated ids '%s' is not authorized for op %s",
"Principal '%s' with activated PrincipalRoles '%s' and activated grants via '%s' is not authorized for op %s",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor: Not sure if this is clearer? grants via -> grant on

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what this message is trying to say is that you have grants through / via these roles. So you may have a grant on table X through your principal role A and catalog role B but you fail when you try to read table Y. This message will say ...and activated grants via [A, B]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you also have grants on A and B but they are not privilege grants, they are role grants.

Copy link
Contributor

@flyrain flyrain Oct 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad. I thought they're table/namespace entities.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah no they are roles. But I am still not sure if this verbiage is totally correct, maybe you are right

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The via makes sense to me if they are roles.

@flyrain flyrain enabled auto-merge (squash) October 25, 2024 16:49
@flyrain flyrain merged commit 304d700 into apache:main Oct 25, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flyrain flyrain flyrain approved these changes

@ebyhr ebyhr ebyhr approved these changes

@jbonofre jbonofre Awaiting requested review from jbonofre jbonofre is a code owner

@ashvina ashvina Awaiting requested review from ashvina ashvina is a code owner

@RussellSpitzer RussellSpitzer Awaiting requested review from RussellSpitzer RussellSpitzer is a code owner

@snazy snazy Awaiting requested review from snazy snazy is a code owner

@vvcephei vvcephei Awaiting requested review from vvcephei vvcephei is a code owner

@takidau takidau Awaiting requested review from takidau takidau is a code owner

@jackye1995 jackye1995 Awaiting requested review from jackye1995 jackye1995 is a code owner

@collado-mike collado-mike Awaiting requested review from collado-mike collado-mike is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@eric-maynard @flyrain @ebyhr