Skip to content

[BugFix] Fix GRANT on ALL VIEWS/MVs failing for external catalogs#71295

Open
VijayShekhawat7 wants to merge 1 commit intoStarRocks:mainfrom
VijayShekhawat7:fix/grant-views-external-catalog
Open

[BugFix] Fix GRANT on ALL VIEWS/MVs failing for external catalogs#71295
VijayShekhawat7 wants to merge 1 commit intoStarRocks:mainfrom
VijayShekhawat7:fix/grant-views-external-catalog

Conversation

@VijayShekhawat7
Copy link
Copy Markdown

@VijayShekhawat7 VijayShekhawat7 commented Apr 4, 2026
edited
Loading

Why I'm doing:

GRANT ALL ON ALL VIEWS IN DATABASE fails with cannot find db: <db_name> when
the current session is connected to an external catalog (e.g., Iceberg via REST).
The equivalent GRANT ALL ON ALL TABLES IN DATABASE works correctly.

This happens because ViewPEntryObject and MaterializedViewPEntryObject resolve
databases exclusively through the local (internal) metastore, while
TablePEntryObject already has catalog-aware resolution that supports external
catalogs.

What I'm doing:

Mirror the catalog-aware resolution pattern from TablePEntryObject into
ViewPEntryObject and MaterializedViewPEntryObject:

  • AuthorizationAnalyzer.analyzeTokens: Prepend session.getCurrentCatalog()
    for VIEW and MATERIALIZED_VIEW object types (matching existing TABLE
    behavior) in both the ALL and non-ALL grant paths.
  • ViewPEntryObject.generate: Accept 3-element token lists [catalog, db, view],
    resolve catalog ID via CatalogMgr, use DbPEntryObject.getDatabaseUUID() for
    external catalogs (returns DB name directly without local metastore lookup), and
    return view names directly as UUIDs for external catalogs.
  • MaterializedViewPEntryObject.generate: Same fix as ViewPEntryObject.

Fixes #71211

What type of PR is this:

  • BugFix
  • Feature
  • Enhancement
  • Refactor
  • UT
  • Doc
  • Tool

Does this PR entail a change in behavior?

  • Yes, this PR will result in a change in behavior.
  • No, this PR will not result in a change in behavior.

If yes, please specify the type of change:

  • Interface/UI changes: syntax, type conversion, expression evaluation, display information
  • Parameter changes: default values, similar parameters but with different default values
  • Policy changes: use new policy to replace old one, functionality automatically enabled
  • Feature removed
  • Miscellaneous: upgrade & downgrade compatibility, etc.

Checklist:

  • I have added test cases for my bug fix or my new feature
  • This pr needs user documentation (for new or modified features or behaviors)
    • I have added documentation for my new feature or new function
    • This pr needs auto generate documentation
  • This is a backport pr

Bugfix cherry-pick branch check:

  • I have checked the version labels which the pr will be auto-backported to the target branch
    • 4.1
    • 4.0
    • 3.5
    • 3.4

@VijayShekhawat7 VijayShekhawat7 requested a review from a team as a code owner April 4, 2026 13:32
@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Apr 4, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@VijayShekhawat7 VijayShekhawat7 force-pushed the fix/grant-views-external-catalog branch from 2a9903b to f8388d3 Compare April 4, 2026 13:36
@github-actions github-actions bot added the 4.1 label Apr 4, 2026
@VijayShekhawat7 VijayShekhawat7 mentioned this pull request Apr 4, 2026
Open
@VijayShekhawat7 VijayShekhawat7 force-pushed the fix/grant-views-external-catalog branch from a87e993 to f4b556b Compare April 4, 2026 15:23
@VijayShekhawat7
[BugFix] Fix GRANT on ALL VIEWS/MVs failing for external catalogs
9c6a62e 
ViewPEntryObject and MaterializedViewPEntryObject resolved databases
exclusively through the local (internal) metastore, causing "cannot
find db" errors when granting on views or materialized views in
external catalogs such as Iceberg.

The analyzer also did not prepend the current catalog name for VIEW
and MATERIALIZED_VIEW object types, unlike TABLE which already did.

Mirror the catalog-aware resolution pattern from TablePEntryObject:
- Accept 3-element token lists [catalog, db, object]
- Resolve catalog ID via CatalogMgr
- Use DbPEntryObject.getDatabaseUUID() which returns the DB name
  directly for external catalogs without local metastore lookup
- Return view/MV name directly as UUID for external catalogs
- Handle ResourceMappingCatalog edge case (same as TablePEntryObject)
- Add Preconditions guard and StarRocksConnectorException catch
  for consistency with TablePEntryObject.getTableUUID()

Update initPrivilegeCollectionAllObjects to pass 3 tokens (["*","*","*"])
for VIEW and MATERIALIZED_VIEW so built-in roles (root, db_admin)
receive ALL_CATALOGS_ID and correctly match external catalog objects.

Add test cases for GRANT/REVOKE on ALL VIEWS, ALL MATERIALIZED VIEWS,
and ALL TABLES in external catalog databases, internal catalog views,
specific view grant on external catalog, and invalid catalog handling.

Fixes StarRocks#71211

Signed-off-by: Vijay Shekhawat <vijayshekhawat1995@gmail.com>
Made-with: Cursor
@VijayShekhawat7 VijayShekhawat7 force-pushed the fix/grant-views-external-catalog branch from f4b556b to 9c6a62e Compare April 4, 2026 16:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@VijayShekhawat7 VijayShekhawat7

Labels

4.1 behavior_changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GRANT fails for ALL VIEWS in Iceberg catalog (4.1rc1)

2 participants

@VijayShekhawat7 @CLAassistant