refactor(query): clean up role management API surface

  - Merge 6 per-type list_*_ownerships methods into a single
    list_ownerships_by_type(OwnershipObject) to eliminate duplicated logic
    across RoleApi trait and RoleMgr implementation.

  - Simplify exists_role to call management layer get_role() directly,
    avoiding the unnecessary ErrorCode roundtrip through UnknownRole →
    or_unknown_role → Option.

  - Change return type of grant_privileges_to_role, revoke_privileges_from_role,
    grant_role_to_role, revoke_role_from_role from Result<Option<u64>> to
    Result<()>. The Option was always Some on success — no caller ever
    inspected the u64 or checked for None.

Author: TCeason

src/query/management/src/role/role_api.rs

@@ -40,12 +40,13 @@ pub trait RoleApi: Sync + Send {
 
     async fn list_ownerships(&self) -> Result<Vec<SeqV<OwnershipInfo>>, MetaError>;
 
-    async fn list_udf_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_stage_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_seq_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_procedure_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_connection_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_warehouse_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
+    /// List ownerships filtered by type.
+    ///
+    /// The `obj` parameter is used as a dummy to determine the ownership type prefix.
+    async fn list_ownerships_by_type(
+        &self,
+        obj: OwnershipObject,
+    ) -> Result<Vec<OwnershipInfo>, MetaError>;
 
     /// General role update.
     ///

src/query/management/src/role/role_mgr.rs

@@ -301,102 +301,18 @@ impl RoleApi for RoleMgr {
 
     #[async_backtrace::framed]
     #[fastrace::trace]
-    async fn list_udf_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::UDF {
-            name: "foo".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let udfs = values.try_collect().await?;
-        Ok(udfs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_stage_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Stage {
-            name: "s1".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let stages = values.try_collect().await?;
-        Ok(stages)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_seq_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Sequence {
-            name: "seq1".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let seqs = values.try_collect().await?;
-        Ok(seqs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_procedure_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Procedure { procedure_id: 1 };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let seqs = values.try_collect().await?;
-        Ok(seqs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_connection_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Connection {
-            name: "con".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let conns = values.try_collect().await?;
-        Ok(conns)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_warehouse_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Warehouse {
-            id: "w".to_string(),
-        };
-
+    async fn list_ownerships_by_type(
+        &self,
+        obj: OwnershipObject,
+    ) -> Result<Vec<OwnershipInfo>, MetaError> {
         let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
         let dir_name = DirName::new(ident);
         let values = self
             .kv_api
             .list_pb_values(ListOptions::unlimited(&dir_name))
             .await?;
-        let ws = values.try_collect().await?;
-        Ok(ws)
+        let items = values.try_collect().await?;
+        Ok(items)
     }
 
     /// General role update.

src/query/service/src/sessions/session_privilege_mgr.rs

@@ -387,53 +387,68 @@ impl SessionPrivilegeManager for SessionPrivilegeManagerImpl<'_> {
         let roles = self.get_all_effective_roles().await?;
         let roles_name: Vec<String> = roles.iter().map(|role| role.name.to_string()).collect();
 
-        let ownership_infos =
-            if roles_name.contains(&BUILTIN_ROLE_ACCOUNT_ADMIN.to_string()) || ignore_ownership {
-                vec![]
-            } else {
-                let user_api = UserApiProvider::instance();
-                let ownerships = match object {
-                    Object::All => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_ownerships()
-                        .await
-                        .map_err(meta_service_error)?
-                        .into_iter()
-                        .map(|item| item.data)
-                        .collect(),
-                    Object::UDF => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_udf_ownerships()
-                        .await?,
-                    Object::Stage => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_stage_ownerships()
-                        .await?,
-                    Object::Sequence => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_seq_ownerships()
-                        .await?,
-                    Object::Connection => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_connection_ownerships()
-                        .await?,
-                    Object::Warehouse => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_warehouse_ownerships()
-                        .await?,
-                    Object::Procedure => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_procedure_ownerships()
-                        .await?,
-                };
-                let mut ownership_infos = vec![];
-                for ownership in ownerships {
-                    if roles_name.contains(&ownership.role) {
-                        ownership_infos.push(ownership);
-                    }
+        let ownership_infos = if roles_name.contains(&BUILTIN_ROLE_ACCOUNT_ADMIN.to_string())
+            || ignore_ownership
+        {
+            vec![]
+        } else {
+            let user_api = UserApiProvider::instance();
+            let role_api = user_api.role_api(&self.session_ctx.get_current_tenant());
+            let ownerships = match object {
+                Object::All => role_api
+                    .list_ownerships()
+                    .await
+                    .map_err(meta_service_error)?
+                    .into_iter()
+                    .map(|item| item.data)
+                    .collect(),
+                Object::UDF => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::UDF {
+                            name: String::new(),
+                        })
+                        .await?
+                }
+                Object::Stage => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::Stage {
+                            name: String::new(),
+                        })
+                        .await?
+                }
+                Object::Sequence => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::Sequence {
+                            name: String::new(),
+                        })
+                        .await?
+                }
+                Object::Connection => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::Connection {
+                            name: String::new(),
+                        })
+                        .await?
+                }
+                Object::Warehouse => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::Warehouse { id: String::new() })
+                        .await?
+                }
+                Object::Procedure => {
+                    role_api
+                        .list_ownerships_by_type(OwnershipObject::Procedure { procedure_id: 0 })
+                        .await?
                 }
-                ownership_infos
             };
+            let mut ownership_infos = vec![];
+            for ownership in ownerships {
+                if roles_name.contains(&ownership.role) {
+                    ownership_infos.push(ownership);
+                }
+            }
+            ownership_infos
+        };
 
         Ok(GrantObjectVisibilityChecker::new(
             &self.get_current_user()?,

src/query/users/src/role_mgr.rs

@@ -15,7 +15,6 @@
 use std::collections::HashMap;
 
 use databend_common_exception::ErrorCode;
-use databend_common_exception::ErrorCodeResultExt;
 use databend_common_exception::Result;
 use databend_common_management::RoleApi;
 use databend_common_meta_app::principal::BUILTIN_ROLE_ACCOUNT_ADMIN;
@@ -108,10 +107,14 @@ impl UserApiProvider {
 
     #[async_backtrace::framed]
     pub async fn exists_role(&self, tenant: &Tenant, role: String) -> Result<bool> {
+        if self.builtin_roles().contains_key(&role) {
+            return Ok(true);
+        }
         Ok(self
-            .get_role(tenant, role)
+            .role_api(tenant)
+            .get_role(&role)
             .await
-            .or_unknown_role()?
+            .map_err(meta_service_error)?
             .is_some())
     }
 
@@ -230,17 +233,17 @@ impl UserApiProvider {
         role: &str,
         object: GrantObject,
         privileges: UserPrivilegeSet,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.grant_privileges(&object, privileges)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while set role privileges)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     #[async_backtrace::framed]
@@ -250,17 +253,17 @@ impl UserApiProvider {
         role: &str,
         object: GrantObject,
         privileges: UserPrivilegeSet,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.revoke_privileges(&object, privileges)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while revoke role privileges)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     // the grant_role can not have cycle with target_role.
@@ -270,7 +273,7 @@ impl UserApiProvider {
         tenant: &Tenant,
         target_role: &String,
         grant_role: String,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let related_roles = self
             .find_related_roles(tenant, &[grant_role.clone()])
             .await?;
@@ -283,15 +286,15 @@ impl UserApiProvider {
         }
 
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(target_role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.grant_role(grant_role)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while grant role to role)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     #[async_backtrace::framed]
@@ -300,17 +303,17 @@ impl UserApiProvider {
         tenant: &Tenant,
         role: &str,
         revoke_role: &String,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.revoke_role(revoke_role)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while revoke role from role)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     // Drop a role by name