Allow CatalogAdmin to list Principal Roles #3852

Open. vignesh-manel wants to merge 2 commits into apache:main from vignesh-manel:feature/catalog-admin-list-principal-role
@vignesh-manel

Duplicate of #3761 which got closed accidentally while rebasing

Implements automatic principal role listing for catalog_admin users via a new system-managed catalog_role_manager role. Fixes #363

Implementation

  • catalog_role_manager created at bootstrap with PRINCIPAL_ROLE_LIST privilege (read-only)
  • Automatically granted to principals when they receive catalog_admin on any catalog
  • Automatically revoked when all catalog_admin grants are removed

Limitations

  • A new system role is introduced just to grant PRINCIPAL_ROLE_LIST for catalog_admin
  • Principal must be assigned to principal role before granting catalog_admin. If assigned after, revoke and re-grant catalog_admin to trigger auto-grant.
  • No backfill for existing catalog_admin grants (requires manual grant or re-grant)

CC: @collado-mike

Checklist

  • 🛡️ Don't disclose security issues! (contact security@apache.org)
  • 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes #
  • 🧪 Added/updated tests with good coverage, or manually tested (and explained how)
  • 💡 Added comments for complex logic
  • 🧾 Updated CHANGELOG.md (if needed)
  • 📚 Updated documentation in site/content/in-dev/unreleased (if needed)

github-project-automation bot moved this to "PRs In Progress" in Basic Kanban Board, Feb 20, 2026
vignesh-manel changed the title from "Feature/catalog admin list principal role" to "Allow CatalogAdmin to list Principal Roles", Feb 20, 2026
dimas-b (Contributor) commented Feb 23, 2026

@vignesh-manel : please avoid opening multiple PRs for the same feature (cf. https://polaris.apache.org/community/contributing-guidelines/)

You should be able to take the commits from this PR, put them into your local vignesh-manel:main branch and force-push into #3761

Once that PR is merged, you'll be able to reuse main for a different purpose locally 😉

vignesh-manel (Author) commented

> @vignesh-manel : please avoid opening multiple PRs for the same feature (cf. https://polaris.apache.org/community/contributing-guidelines/)
>
> You should be able to take the commits from this PR, put them into your local vignesh-manel:main branch and force-push into #3761
>
> Once that PR is merged, you'll be able to reuse main for a different purpose locally 😉

@dimas-b I had tried that. I had force-pushed the same commits to the main branch of my fork, and even though they showed up in the fork, GitHub wasn't giving me the option to reopen the old PR. It seems to be an issue with GitHub (isaacs/github#361), hence I created this new PR.

dimas-b (Contributor) commented Feb 24, 2026

@vignesh-manel : no worries, let's continue on this PR 👍

dimas-b (Contributor) commented Feb 24, 2026

@vignesh-manel : just heads up: I'm willing to facilitate the progress of this PR, but I do not have enough context for the internal Polaris RBAC system and its applications for an approval.

I hope @dennishuo, @collado-mike, @flyrain could provide feedback on the actual behaviour changes.

private static final String ADMIN_PRINCIPAL_ROLE_NAME = "service_admin";

// the name of the principal role for catalog admins to list principal roles
private static final String CATALOG_ROLE_MANAGER_PRINCIPAL_ROLE_NAME = "catalog_role_manager";
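
Review bot: the comment above CATALOG_ROLE_MANAGER_PRINCIPAL_ROLE_NAME gives the role's purpose but not how it is managed. Suggest extending it to say that the role is created at bootstrap, carries only PRINCIPAL_ROLE_LIST, and is granted and revoked as a side effect of catalog_admin grants, so a reader does not take it for an ordinary principal role.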

should it be protected from being droppable?

// if revoking catalog_admin, check if principal still has catalog_admin on other catalogs
if (result.isSuccess()
&& PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
revokeCatalogRoleManagerIfNeeded(principalRoleEntity);
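
Review bot: the outcome of revokeCatalogRoleManagerIfNeeded(principalRoleEntity) is not checked in the lines shown; it is called as a bare statement once result.isSuccess() holds. If that follow-up revoke does not complete, the catalog_admin revoke still reports success while PRINCIPAL_ROLE_LIST stays granted. Consider checking its result and at least logging a failure, or applying both changes atomically.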

I see the catalog_role_manager is revoked only via revokeCatalogRoleFromPrincipalRole, but catalog_role_manager is granted to principal (not principal roles). Say when a principal is unassigned from a principal role (i.e., revoke principal role from principal API), catalog_role_manager granted to the principal would never be revoked.

I feel it should be cleaned up as well to avoid leaking PRINCIPAL_ROLE_LIST privilege

Similarly, when catalog drops, it should be cleaned up

we should have tests capturing them

PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole());

if (!catalogRoleManagerResult.isSuccess() || catalogRoleManagerResult.getEntity() == null) {
return;
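
Review bot: the guard on catalogRoleManagerResult folds two different conditions into one silent return: !isSuccess() (the lookup itself failed) and getEntity() == null (the role does not exist). Suggest handling them separately, since a failed lookup is an error worth surfacing while a missing role points to a realm bootstrapped before this change.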

2 cents: log something when nothing found. This should be helpful to capture the missing catalog_role_manager role, as currently it is created only during bootstrap IIUC, i.e., we don't have upgrade/backfill path for already bootstrapped realms. I'm fine with temporary gaps for upgrade and backfill, but strongly recommend at least to warn on role not found

PolarisEntityConstants.getNameOfCatalogRoleManagerPrincipalRole());

if (!catalogRoleManagerResult.isSuccess() || catalogRoleManagerResult.getEntity() == null) {
return;

2 cents: log something when nothing found

// if granting catalog_admin, also grant catalog_role_manager to allow listing principal roles
if (result.isSuccess()
&& PolarisEntityConstants.getNameOfCatalogAdminRole().equals(catalogRoleName)) {
grantCatalogRoleManagerIfNeeded(principalRoleEntity);
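
Review bot: the inline comment on this block says catalog_role_manager is granted when catalog_admin is granted, but the call passes only principalRoleEntity, so who receives it depends on which principals are assigned to that role at this moment. The PR description lists this ordering as a limitation; the comment here should state it too.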

catalog role manager should be granted on catalog_admin grant to a role as well, i.e., inside assignPrincipalRole
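
The gaps raised in this review thread (a principal unassigned from its principal role, a catalog dropped, a principal assigned after catalog_admin was granted) can be replayed against a small model that compares who holds catalog_role_manager with who should. This is an added example, not code from the PR or from Polaris; the event names, the data layout and the `hook_all_paths` switch are assumptions made for illustration.

```python
# Toy model, not Polaris code: event names and data layout are hypothetical.
PR_HOOKED = {"grant_admin", "revoke_admin"}  # paths the PR description says trigger auto grant/revoke

def replay(events, hook_all_paths):
    """Apply events in order; return (leaked, missing) catalog_role_manager holders."""
    assigned = set()      # (principal, principal_role)
    admin_grants = set()  # (principal_role, catalog) holding catalog_admin
    managers = set()      # principals currently holding catalog_role_manager

    def expected():
        # Principals that still reach catalog_admin on at least one catalog.
        admin_roles = {role for role, _ in admin_grants}
        return {p for p, role in assigned if role in admin_roles}

    for op, a, b in events:
        if op == "assign":                      # a=principal, b=principal_role
            assigned.add((a, b))
            affected = {a}
        elif op == "unassign":
            assigned.discard((a, b))
            affected = {a}
        elif op == "grant_admin":               # a=principal_role, b=catalog
            admin_grants.add((a, b))
            affected = {p for p, role in assigned if role == a}
        elif op == "revoke_admin":
            admin_grants.discard((a, b))
            affected = {p for p, role in assigned if role == a}
        elif op == "drop_catalog":              # a=catalog, b unused
            roles = {role for role, cat in admin_grants if cat == a}
            admin_grants -= {(role, a) for role in roles}
            affected = {p for p, role in assigned if role in roles}
        else:
            raise ValueError(f"unknown event: {op}")
        if hook_all_paths or op in PR_HOOKED:
            # Re-derive the managed grant from current state, not from the event type.
            want = expected()
            managers -= affected - want
            managers |= affected & want
    return managers - expected(), expected() - managers

# Constructed sample history covering the three gaps raised in the review thread.
EVENTS = [
    ("assign", "alice", "eng"), ("grant_admin", "eng", "cat1"),
    ("unassign", "alice", "eng"),                # principal role revoked from principal
    ("assign", "bob", "ops"), ("grant_admin", "ops", "cat2"),
    ("drop_catalog", "cat2", None),              # catalog dropped
    ("grant_admin", "qa", "cat3"), ("assign", "carol", "qa"),  # assigned after the grant
]
```

With `hook_all_paths=False` the replay reports alice and bob as leaked holders and carol as missing; with `True` both sets are empty, which is the invariant a regression test for this feature would assert after every mutation.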

Development

Successfully merging this pull request may close these issues.

[FEATURE REQUEST] CatalogAdmin should be able to list principal roles

3 participants