refactor(query): clean up role management API surface

TCeason · TCeason · commit 9093e6e85993 · 2026-02-12T10:42:52.000+08:00
- Merge 6 per-type list_*_ownerships methods into a single
    list_ownerships_by_type(OwnershipObject) to eliminate duplicated logic
    across RoleApi trait and RoleMgr implementation.

  - Simplify exists_role to call management layer get_role() directly,
    avoiding the unnecessary ErrorCode roundtrip through UnknownRole →
    or_unknown_role → Option.

  - Change return type of grant_privileges_to_role, revoke_privileges_from_role,
    grant_role_to_role, revoke_role_from_role from Result&lt;Option&lt;u64&gt;&gt; to
    Result&lt;()&gt;. The Option was always Some on success — no caller ever
    inspected the u64 or checked for None.
diff --git a/src/query/management/src/role/role_api.rs b/src/query/management/src/role/role_api.rs
@@ -40,12 +40,13 @@ pub trait RoleApi: Sync + Send {
 
     async fn list_ownerships(&self) -> Result<Vec<SeqV<OwnershipInfo>>, MetaError>;
 
-    async fn list_udf_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_stage_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_seq_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_procedure_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_connection_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
-    async fn list_warehouse_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError>;
+    /// List ownerships filtered by type.
+    ///
+    /// The `obj` parameter is used as a dummy to determine the ownership type prefix.
+    async fn list_ownerships_by_type(
+        &self,
+        obj: OwnershipObject,
+    ) -> Result<Vec<OwnershipInfo>, MetaError>;
 
     /// General role update.
     ///
diff --git a/src/query/management/src/role/role_mgr.rs b/src/query/management/src/role/role_mgr.rs
@@ -301,102 +301,18 @@ impl RoleApi for RoleMgr {
 
     #[async_backtrace::framed]
     #[fastrace::trace]
-    async fn list_udf_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::UDF {
-            name: "foo".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let udfs = values.try_collect().await?;
-        Ok(udfs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_stage_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Stage {
-            name: "s1".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let stages = values.try_collect().await?;
-        Ok(stages)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_seq_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Sequence {
-            name: "seq1".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let seqs = values.try_collect().await?;
-        Ok(seqs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_procedure_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Procedure { procedure_id: 1 };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let seqs = values.try_collect().await?;
-        Ok(seqs)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_connection_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Connection {
-            name: "con".to_string(),
-        };
-
-        let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
-        let dir_name = DirName::new(ident);
-        let values = self
-            .kv_api
-            .list_pb_values(ListOptions::unlimited(&dir_name))
-            .await?;
-        let conns = values.try_collect().await?;
-        Ok(conns)
-    }
-
-    #[async_backtrace::framed]
-    #[fastrace::trace]
-    async fn list_warehouse_ownerships(&self) -> Result<Vec<OwnershipInfo>, MetaError> {
-        let obj = OwnershipObject::Warehouse {
-            id: "w".to_string(),
-        };
-
+    async fn list_ownerships_by_type(
+        &self,
+        obj: OwnershipObject,
+    ) -> Result<Vec<OwnershipInfo>, MetaError> {
         let ident = TenantOwnershipObjectIdent::new(self.tenant.clone(), obj);
         let dir_name = DirName::new(ident);
         let values = self
             .kv_api
             .list_pb_values(ListOptions::unlimited(&dir_name))
             .await?;
-        let ws = values.try_collect().await?;
-        Ok(ws)
+        let items = values.try_collect().await?;
+        Ok(items)
     }
 
     /// General role update.
diff --git a/src/query/service/src/sessions/session_privilege_mgr.rs b/src/query/service/src/sessions/session_privilege_mgr.rs
@@ -392,39 +392,47 @@ impl SessionPrivilegeManager for SessionPrivilegeManagerImpl<'_> {
                 vec![]
             } else {
                 let user_api = UserApiProvider::instance();
+                let role_api = user_api.role_api(&self.session_ctx.get_current_tenant());
                 let ownerships = match object {
-                    Object::All => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
+                    Object::All => role_api
                         .list_ownerships()
                         .await
                         .map_err(meta_service_error)?
                         .into_iter()
                         .map(|item| item.data)
                         .collect(),
-                    Object::UDF => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_udf_ownerships()
-                        .await?,
-                    Object::Stage => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_stage_ownerships()
-                        .await?,
-                    Object::Sequence => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_seq_ownerships()
-                        .await?,
-                    Object::Connection => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_connection_ownerships()
-                        .await?,
-                    Object::Warehouse => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_warehouse_ownerships()
-                        .await?,
-                    Object::Procedure => user_api
-                        .role_api(&self.session_ctx.get_current_tenant())
-                        .list_procedure_ownerships()
-                        .await?,
+                    Object::UDF => role_api
+                        .list_ownerships_by_type(OwnershipObject::UDF {
+                            name: String::new(),
+                        })
+                        .await
+                        .map_err(meta_service_error)?,
+                    Object::Stage => role_api
+                        .list_ownerships_by_type(OwnershipObject::Stage {
+                            name: String::new(),
+                        })
+                        .await
+                        .map_err(meta_service_error)?,
+                    Object::Sequence => role_api
+                        .list_ownerships_by_type(OwnershipObject::Sequence {
+                            name: String::new(),
+                        })
+                        .await
+                        .map_err(meta_service_error)?,
+                    Object::Connection => role_api
+                        .list_ownerships_by_type(OwnershipObject::Connection {
+                            name: String::new(),
+                        })
+                        .await
+                        .map_err(meta_service_error)?,
+                    Object::Warehouse => role_api
+                        .list_ownerships_by_type(OwnershipObject::Warehouse { id: String::new() })
+                        .await
+                        .map_err(meta_service_error)?,
+                    Object::Procedure => role_api
+                        .list_ownerships_by_type(OwnershipObject::Procedure { procedure_id: 0 })
+                        .await
+                        .map_err(meta_service_error)?,
                 };
                 let mut ownership_infos = vec![];
                 for ownership in ownerships {
diff --git a/src/query/users/src/role_mgr.rs b/src/query/users/src/role_mgr.rs
@@ -15,7 +15,6 @@
 use std::collections::HashMap;
 
 use databend_common_exception::ErrorCode;
-use databend_common_exception::ErrorCodeResultExt;
 use databend_common_exception::Result;
 use databend_common_management::RoleApi;
 use databend_common_meta_app::principal::BUILTIN_ROLE_ACCOUNT_ADMIN;
@@ -108,10 +107,14 @@ impl UserApiProvider {
 
     #[async_backtrace::framed]
     pub async fn exists_role(&self, tenant: &Tenant, role: String) -> Result<bool> {
+        if self.builtin_roles().contains_key(&role) {
+            return Ok(true);
+        }
         Ok(self
-            .get_role(tenant, role)
+            .role_api(tenant)
+            .get_role(&role)
             .await
-            .or_unknown_role()?
+            .map_err(meta_service_error)?
             .is_some())
     }
 
@@ -230,17 +233,17 @@ impl UserApiProvider {
         role: &str,
         object: GrantObject,
         privileges: UserPrivilegeSet,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.grant_privileges(&object, privileges)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while set role privileges)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     #[async_backtrace::framed]
@@ -250,17 +253,17 @@ impl UserApiProvider {
         role: &str,
         object: GrantObject,
         privileges: UserPrivilegeSet,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.revoke_privileges(&object, privileges)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while revoke role privileges)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     // the grant_role can not have cycle with target_role.
@@ -270,7 +273,7 @@ impl UserApiProvider {
         tenant: &Tenant,
         target_role: &String,
         grant_role: String,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let related_roles = self
             .find_related_roles(tenant, &[grant_role.clone()])
             .await?;
@@ -283,15 +286,15 @@ impl UserApiProvider {
         }
 
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(target_role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.grant_role(grant_role)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while grant role to role)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     #[async_backtrace::framed]
@@ -300,17 +303,17 @@ impl UserApiProvider {
         tenant: &Tenant,
         role: &str,
         revoke_role: &String,
-    ) -> Result<Option<u64>> {
+    ) -> Result<()> {
         let client = self.role_api(tenant);
-        let res = client
+        client
             .update_role_with(role, |ri: &mut RoleInfo| {
                 ri.update_role_time();
                 ri.grants.revoke_role(revoke_role)
             })
             .await
             .map_err(meta_service_error)?
             .map_err(|e| ErrorCode::from(e).add_message_back("(while revoke role from role)"))?;
-        Ok(Some(res))
+        Ok(())
     }
 
     // Drop a role by name
