Set up polaris permissions for credentials access + cleanup (#40)

* Cleanup - no need for setup-all.sh. All is done in create-tables.py
now. If we want we can have separate scripts, but Python feels more
suitable than bash, and already had catalog creation in there (bash had
a bug and wasn't actually creating the catalog).
* Add TABLE_READ_DATA priviliege to catalog admin, which is needed for
fetching credentials and reading tables. Also TABLE_WRITE_DATA just in
case.

Author: vustef

.github/workflows/test.yml

@@ -54,7 +54,7 @@ jobs:
           cargo build --release
 
       - name: Start Iceberg catalog and S3 storage with Docker Compose
-        run: docker compose -f ${{ github.workspace }}/docker/docker-compose.yml up -d minio setup_bucket polaris polaris-setup init table-creation
+        run: docker compose -f ${{ github.workspace }}/docker/docker-compose.yml up -d minio setup_bucket polaris init table-creation
 
       - name: Wait for table-creation container to complete
         run: |

docker/assets/polaris/setup-all.sh

@@ -86,37 +86,15 @@ services:
     working_dir: /app
     command: sh -c "pip install --no-cache-dir boto3 requests && python3 init-datasets.py"
 
-  polaris-setup:
-    image: alpine/curl:latest
-    container_name: polaris-setup
-    depends_on:
-      polaris:
-        condition: service_healthy
-      init:
-        condition: service_completed_successfully
-    networks:
-      iceberg_net:
-    environment:
-      - CLIENT_ID=root
-      - CLIENT_SECRET=s3cr3t
-    volumes:
-      - ./assets/polaris:/polaris
-    entrypoint: /bin/sh
-    command:
-      - -c
-      - >-
-        echo 'Setting up Polaris catalog...' &&
-        chmod +x /polaris/setup-all.sh &&
-        /polaris/setup-all.sh POLARIS &&
-        echo 'Polaris setup complete!'
-
   table-creation:
     image: python:3.11-slim
     container_name: table-creation
     networks:
       iceberg_net:
     depends_on:
-      polaris-setup:
+      polaris:
+        condition: service_healthy
+      init:
         condition: service_completed_successfully
     volumes:
       - ./scripts/create-tables.py:/app/create-tables.py

docker/docker-compose.yml

@@ -171,6 +171,90 @@ def ensure_catalog_exists(token):
         return False
 
 
+def grant_catalog_permissions(token):
+    """Grant TABLE_READ_DATA and TABLE_WRITE_DATA privileges to catalog_admin role."""
+    print(f"\nGranting data access privileges to catalog_admin role...")
+
+    try:
+        # Grant TABLE_READ_DATA
+        read_grant = {
+            "grant": {
+                "type": "catalog",
+                "privilege": "TABLE_READ_DATA"
+            }
+        }
+
+        print("  Granting TABLE_READ_DATA...")
+        response = requests.put(
+            f'{POLARIS_API}/catalogs/{CATALOG_NAME}/catalog-roles/catalog_admin/grants',
+            headers={
+                'Authorization': f'Bearer {token}',
+                'Content-Type': 'application/json',
+                'Polaris-Realm': 'POLARIS'
+            },
+            json=read_grant,
+            timeout=10
+        )
+
+        if response.status_code in [200, 201]:
+            print(f"  ✓ TABLE_READ_DATA privilege granted")
+        else:
+            print(f"  Warning: TABLE_READ_DATA grant returned status {response.status_code}")
+            print(f"  Response: {response.text}")
+
+        # Grant TABLE_WRITE_DATA
+        write_grant = {
+            "grant": {
+                "type": "catalog",
+                "privilege": "TABLE_WRITE_DATA"
+            }
+        }
+
+        print("  Granting TABLE_WRITE_DATA...")
+        response = requests.put(
+            f'{POLARIS_API}/catalogs/{CATALOG_NAME}/catalog-roles/catalog_admin/grants',
+            headers={
+                'Authorization': f'Bearer {token}',
+                'Content-Type': 'application/json',
+                'Polaris-Realm': 'POLARIS'
+            },
+            json=write_grant,
+            timeout=10
+        )
+
+        if response.status_code in [200, 201]:
+            print(f"  ✓ TABLE_WRITE_DATA privilege granted")
+        else:
+            print(f"  Warning: TABLE_WRITE_DATA grant returned status {response.status_code}")
+            print(f"  Response: {response.text}")
+
+        # Verify grants were applied
+        print("\n  Verifying grants...")
+        response = requests.get(
+            f'{POLARIS_API}/catalogs/{CATALOG_NAME}/catalog-roles/catalog_admin/grants',
+            headers={
+                'Authorization': f'Bearer {token}',
+                'Polaris-Realm': 'POLARIS'
+            },
+            timeout=10
+        )
+
+        if response.status_code == 200:
+            grants = response.json().get('grants', [])
+            print("  Current grants for catalog_admin:")
+            for grant in grants:
+                print(f"    - {grant.get('type')}: {grant.get('privilege')}")
+        else:
+            print(f"  Could not verify grants (status {response.status_code})")
+
+        return True
+
+    except Exception as e:
+        print(f"ERROR: Failed to grant permissions: {e}")
+        traceback.print_exc()
+        return False
+
+
 def create_namespace(token, namespace, max_retries=5):
     """Create a namespace if it doesn't exist.
     namespace should be a string, which can contain dots (e.g., 'tpch.sf01').
@@ -352,6 +436,11 @@ def main():
         print("ERROR: Failed to ensure catalog exists")
         sys.exit(1)
 
+    # Grant permissions to catalog_admin role
+    if not grant_catalog_permissions(token):
+        print("ERROR: Failed to grant catalog permissions")
+        sys.exit(1)
+
     # Create namespaces
     print("\n" + "=" * 60)
     print("Creating namespaces...")