Allow CatalogAdmin to list Principal Roles

[vignesh-manel]

Implements automatic principal role listing for catalog_admin users via a new system-managed catalog_role_manager role. Fixes #363

Implementation

• catalog_role_manager created at bootstrap with PRINCIPAL_ROLE_LIST privilege (read-only)
• Automatically granted to principals when they receive catalog_admin on any catalog
• Automatically revoked when all catalog_admin grants are removed

Limitations

• A new system role is introduced just to grant PRINCIPAL_ROLE_LIST for catalog_admin
• Principal must be assigned to principal role before granting catalog_admin. If assigned after, revoke and re-grant catalog_admin to trigger auto-grant.
• No backfill for existing catalog_admin grants (requires manual grant or re-grant)

CC: @collado-mike

Checklist

• 🛡️ Don't disclose security issues! (contact security@apache.org)
• 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
• 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
• 💡 Added comments for complex logic
• 🧾 Updated CHANGELOG.md (if needed)
• 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

[dimas-b]

Thanks for you contribution, @vignesh-manel !

Given that this is a major change to the Polaris RBAC system, I believe it deserves a discussion on the dev ML. Would you mind starting it there? Thx!

[flyingImer]

handle grant failures? perhaps logging or error out?

[vignesh-manel]

Thanks for you contribution, @vignesh-manel !

Given that this is a major change to the Polaris RBAC system, I believe it deserves a discussion on the dev ML. Would you mind starting it there? Thx!

@dimas-b I have sent a mail to dev ML. Thanks

[dimas-b]

Thanks, @vignesh-manel !

dev thread for reference: https://lists.apache.org/thread/ws0blghsv8jl9rbwpgfgcbzjs7d38242

[vignesh-manel]

This PR got closed accidentally while rebasing branches, and unable to reopen it. So created a new PR #3852 Apologies for the inconvenience