scalar-labs · komamitsu · Nov 6, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 28, 2025
diff --git a/core/src/main/java/com/scalar/db/api/AuthAdmin.java b/core/src/main/java/com/scalar/db/api/AuthAdmin.java
@@ -175,12 +175,279 @@ default Set<Privilege> getPrivileges(String username, String namespaceName)
     throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
   }
 
+  /**
+   * Creates a role with the given role name.
+   *
+   * @param roleName the role name
+   * @throws IllegalArgumentException if the role already exists
+   * @throws ExecutionException if the operation fails
+   */
+  default void createRole(String roleName) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Drops a role with the given role name.
+   *
+   * @param roleName the role name
+   * @throws IllegalArgumentException if the role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void dropRole(String roleName) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Retrieves a list of {@link RoleDetail}s.
+   *
+   * @return a list of {@link RoleDetail}s
+   * @throws ExecutionException if the operation fails
+   */
+  default List<RoleDetail> getRoles() throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Retrieves a list of {@link UserRoleDetail}s for the given user.
+   *
+   * @param username the username
+   * @return a list of {@link UserRoleDetail}s for the given user
+   * @throws ExecutionException if the operation fails
+   */
+  default List<UserRoleDetail> getRolesForUser(String username) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Grants a role to a user.
+   *
+   * @param username the username
+   * @param roleName the role name
+   * @param withAdminOption if true, the user can grant the role to other users or roles
+   * @throws IllegalArgumentException if the user does not exist or the role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void grantRoleToUser(String username, String roleName, boolean withAdminOption)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes a role from a user.
+   *
+   * @param username the username
+   * @param roleName the role name
+   * @throws IllegalArgumentException if the user does not exist or the role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokeRoleFromUser(String username, String roleName) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes admin option from a user for a role.
+   *
+   * @param username the username
+   * @param roleName the role name
+   * @throws IllegalArgumentException if the user does not exist or the role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokeAdminOptionFromUser(String username, String roleName)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Retrieves a list of {@link UserRole}s for the given role.
+   *
+   * @param roleName the role name
+   * @return a list of {@link UserRole}s for the given role
+   * @throws ExecutionException if the operation fails
+   */
+  default List<UserRole> getUsersForRole(String roleName) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Grants a member role to a role. Users or roles that have the role will inherit all privileges
+   * from the member role.
+   *
+   * @param roleName the role name
+   * @param memberRoleName the member role name to be granted to the role
+   * @param withAdminOption if true, users or roles that have the role can grant the member role to
+   *     other users or roles
+   * @throws IllegalArgumentException if the role does not exist or the member role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void grantRoleToRole(String roleName, String memberRoleName, boolean withAdminOption)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes a role from another role.
+   *
+   * @param roleName the role name
+   * @param memberRoleName the member role name
+   * @throws IllegalArgumentException if the role does not exist or the member role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokeRoleFromRole(String roleName, String memberRoleName)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes admin option from a role for another role.
+   *
+   * @param roleName the role name
+   * @param memberRoleName the member role name
+   * @throws IllegalArgumentException if the role does not exist or the member role does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokeAdminOptionFromRole(String roleName, String memberRoleName)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Retrieves privileges for the given role and namespace.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name
+   * @return a set of privileges for the given role and namespace
+   * @throws ExecutionException if the operation fails
+   */
+  default Set<Privilege> getRolePrivileges(String roleName, String namespaceName)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Retrieves privileges for the given role, namespace, and table.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name
+   * @param tableName the table name
+   * @return a set of privileges for the given role, namespace, and table
+   * @throws ExecutionException if the operation fails
+   */
+  default Set<Privilege> getRolePrivileges(String roleName, String namespaceName, String tableName)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Grants privileges to a role for all tables in the given namespace.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name
+   * @param privileges the privileges
+   * @throws IllegalArgumentException if the role does not exist or the namespace does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void grantPrivilegeToRole(String roleName, String namespaceName, Privilege... privileges)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Grants privileges to a role for the given table.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name of the table
+   * @param tableName the table name
+   * @param privileges the privileges
+   * @throws IllegalArgumentException if the role does not exist or the table does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void grantPrivilegeToRole(
+      String roleName, String namespaceName, String tableName, Privilege... privileges)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes privileges from a role for all tables in the given namespace.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name
+   * @param privileges the privileges
+   * @throws IllegalArgumentException if the role does not exist or the namespace does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokePrivilegeFromRole(
+      String roleName, String namespaceName, Privilege... privileges) throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
+  /**
+   * Revokes privileges from a role for the given table.
+   *
+   * @param roleName the role name
+   * @param namespaceName the namespace name of the table
+   * @param tableName the table name
+   * @param privileges the privileges
+   * @throws IllegalArgumentException if the role does not exist or the table does not exist
+   * @throws ExecutionException if the operation fails
+   */
+  default void revokePrivilegeFromRole(
+      String roleName, String namespaceName, String tableName, Privilege... privileges)
+      throws ExecutionException {
+    throw new UnsupportedOperationException(CoreError.AUTH_NOT_ENABLED.buildMessage());
+  }
+
   interface User {
     String getName();
 
     boolean isSuperuser();
   }
 
+  /** Represents a role. */
+  interface Role {
+    String getName();
+  }
+
+  /** Represents a role with its hierarchy information. */
+  interface RoleDetail {
+    Role getRole();
+
+    List<RoleHierarchy> getRoleHierarchies();
+  }
+
+  /**
+   * Represents a role detail for a specific user, including whether the user has admin option for
+   * this role.
+   */
+  interface UserRoleDetail extends RoleDetail {
+    /**
+     * Returns whether the user has admin option for this role. This is distinct from the admin
+     * option in role hierarchies, which applies to role-to-role grants.
+     */
+    boolean hasAdminOptionOnUser();
+  }
+
+  /** Represents a user-role assignment. */
+  interface UserRole {
+    String getUsername();
+
+    String getRoleName();
+
+    boolean hasAdminOption();
+  }
+
+  /** Represents a role hierarchy (role-to-role assignment). */
+  interface RoleHierarchy {
+    /** Returns the role name. */
+    String getRoleName();
+
+    /** Returns the member role name granted to the role. */
+    String getMemberRoleName();
+
+    /** Returns whether admin option is granted for this hierarchy. */
+    boolean hasAdminOption();
+  }
+
   /** The user options. */
   enum UserOption {
     /** If specified, the user is created as a superuser. */

diff --git a/core/src/main/java/com/scalar/db/common/DecoratedDistributedTransactionAdmin.java b/core/src/main/java/com/scalar/db/common/DecoratedDistributedTransactionAdmin.java
@@ -383,6 +383,105 @@ public Set<Privilege> getPrivileges(String username, String namespaceName, Strin
     return distributedTransactionAdmin.getPrivileges(username, namespaceName, tableName);
   }
 
+  @Override
+  public void createRole(String roleName) throws ExecutionException {
+    distributedTransactionAdmin.createRole(roleName);
+  }
+
+  @Override
+  public void dropRole(String roleName) throws ExecutionException {
+    distributedTransactionAdmin.dropRole(roleName);
+  }
+
+  @Override
+  public List<RoleDetail> getRoles() throws ExecutionException {
+    return distributedTransactionAdmin.getRoles();
+  }
+
+  @Override
+  public List<UserRoleDetail> getRolesForUser(String username) throws ExecutionException {
+    return distributedTransactionAdmin.getRolesForUser(username);
+  }
+
+  @Override
+  public void grantRoleToUser(String username, String roleName, boolean withAdminOption)
+      throws ExecutionException {
+    distributedTransactionAdmin.grantRoleToUser(username, roleName, withAdminOption);
+  }
+
+  @Override
+  public void revokeRoleFromUser(String username, String roleName) throws ExecutionException {
+    distributedTransactionAdmin.revokeRoleFromUser(username, roleName);
+  }
+
+  @Override
+  public void revokeAdminOptionFromUser(String username, String roleName)
+      throws ExecutionException {
+    distributedTransactionAdmin.revokeAdminOptionFromUser(username, roleName);
+  }
+
+  @Override
+  public List<UserRole> getUsersForRole(String roleName) throws ExecutionException {
+    return distributedTransactionAdmin.getUsersForRole(roleName);
+  }
+
+  @Override
+  public void grantRoleToRole(String roleName, String memberRoleName, boolean withAdminOption)
+      throws ExecutionException {
+    distributedTransactionAdmin.grantRoleToRole(roleName, memberRoleName, withAdminOption);
+  }
+
+  @Override
+  public void revokeRoleFromRole(String roleName, String memberRoleName) throws ExecutionException {
+    distributedTransactionAdmin.revokeRoleFromRole(roleName, memberRoleName);
+  }
+
+  @Override
+  public void revokeAdminOptionFromRole(String roleName, String memberRoleName)
+      throws ExecutionException {
+    distributedTransactionAdmin.revokeAdminOptionFromRole(roleName, memberRoleName);
+  }
+
+  @Override
+  public Set<Privilege> getRolePrivileges(String roleName, String namespaceName)
+      throws ExecutionException {
+    return distributedTransactionAdmin.getRolePrivileges(roleName, namespaceName);
+  }
+
+  @Override
+  public Set<Privilege> getRolePrivileges(String roleName, String namespaceName, String tableName)
+      throws ExecutionException {
+    return distributedTransactionAdmin.getRolePrivileges(roleName, namespaceName, tableName);
+  }
+
+  @Override
+  public void grantPrivilegeToRole(String roleName, String namespaceName, Privilege... privileges)
+      throws ExecutionException {
+    distributedTransactionAdmin.grantPrivilegeToRole(roleName, namespaceName, privileges);
+  }
+
+  @Override
+  public void grantPrivilegeToRole(
+      String roleName, String namespaceName, String tableName, Privilege... privileges)
+      throws ExecutionException {
+    distributedTransactionAdmin.grantPrivilegeToRole(
+        roleName, namespaceName, tableName, privileges);
+  }
+
+  @Override
+  public void revokePrivilegeFromRole(
+      String roleName, String namespaceName, Privilege... privileges) throws ExecutionException {
+    distributedTransactionAdmin.revokePrivilegeFromRole(roleName, namespaceName, privileges);
+  }
+
+  @Override
+  public void revokePrivilegeFromRole(
+      String roleName, String namespaceName, String tableName, Privilege... privileges)
+      throws ExecutionException {
+    distributedTransactionAdmin.revokePrivilegeFromRole(
+        roleName, namespaceName, tableName, privileges);
+  }
+
   @Override
   public void createPolicy(String policyName, @Nullable String dataTagColumnName)
       throws ExecutionException {