Fix REST responses for failed Admin operations (#2291)

* Fix REST responses for failed Admin operations

the `boolean` return values of many methods in `PolarisAdminService`
were often simply not getting used at all, thus the REST api returned
success in those cases even though the `PrivilegeResult` was marked
as failed.
due to this fix a silently failing test now needs to be adjusted.

we return the `PrivilegeResult` instead of a `boolean` to give the
client at least some indication of what has gone wrong on the server
side.

note that some of the other operations were throwing Expcetions already,
which are already reported back correctly to the client.

* review: use http 400 BAD_REQUEST

Author: XN137

integration-tests/src/main/java/org/apache/polaris/service/it/test/PolarisManagementServiceIntegrationTest.java

@@ -126,7 +126,9 @@ public static void setup(PolarisApiEndpoints endpoints, ClientCredentials creden
 
   @AfterAll
   public static void close() throws Exception {
-    client.close();
+    if (client != null) {
+      client.close();
+    }
   }
 
   @AfterEach
@@ -1723,7 +1725,7 @@ public void testCatalogAdminGrantAndRevokeCatalogRoles() {
             .managementApi(catalogAdminToken)
             .request(
                 "v1/principal-roles/"
-                    + principalRoleName
+                    + principalRoleName2
                     + "/catalog-roles/"
                     + catalogName
                     + "/"
@@ -1738,14 +1740,32 @@ public void testCatalogAdminGrantAndRevokeCatalogRoles() {
         managementApi
             .request(
                 "v1/principal-roles/"
-                    + principalRoleName
+                    + principalRoleName2
                     + "/catalog-roles/"
                     + catalogName
                     + "/"
                     + catalogRoleName)
             .delete()) {
       assertThat(response).returns(Response.Status.NO_CONTENT.getStatusCode(), Response::getStatus);
     }
+
+    // trigger an internal error by using "principalRoleName" instead of "principalRoleName2"
+    try (Response response =
+        managementApi
+            .request(
+                "v1/principal-roles/"
+                    + principalRoleName
+                    + "/catalog-roles/"
+                    + catalogName
+                    + "/"
+                    + catalogRoleName)
+            .delete()) {
+      assertThat(response)
+          .returns(Response.Status.BAD_REQUEST.getStatusCode(), Response::getStatus);
+      assertThat(response.hasEntity()).isTrue();
+      ErrorResponse errorResponse = response.readEntity(ErrorResponse.class);
+      assertThat(errorResponse.message()).contains("Operation failed: GRANT_NOT_FOUND");
+    }
   }
 
   @Test

runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java

@@ -20,13 +20,15 @@
 
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
+import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.SecurityContext;
 import java.util.List;
 import java.util.Locale;
 import org.apache.iceberg.catalog.Namespace;
 import org.apache.iceberg.catalog.TableIdentifier;
 import org.apache.iceberg.exceptions.NotAuthorizedException;
+import org.apache.iceberg.rest.responses.ErrorResponse;
 import org.apache.polaris.core.admin.model.AddGrantRequest;
 import org.apache.polaris.core.admin.model.AuthenticationParameters;
 import org.apache.polaris.core.admin.model.Catalog;
@@ -71,6 +73,8 @@
 import org.apache.polaris.core.entity.PrincipalRoleEntity;
 import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import org.apache.polaris.core.persistence.dao.entity.BaseResult;
+import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
 import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 import org.apache.polaris.core.secrets.UserSecretsManagerFactory;
@@ -134,6 +138,22 @@ private PolarisAdminService newAdminService(
         reservedProperties);
   }
 
+  private static Response toResponse(BaseResult result, Response.Status successStatus) {
+    if (!result.isSuccess()) {
+      ErrorResponse icebergErrorResponse =
+          ErrorResponse.builder()
+              .responseCode(Response.Status.BAD_REQUEST.getStatusCode())
+              .withType(result.getReturnStatus().toString())
+              .withMessage("Operation failed: " + result.getReturnStatus().toString())
+              .build();
+      return Response.status(Response.Status.BAD_REQUEST)
+          .type(MediaType.APPLICATION_JSON_TYPE)
+          .entity(icebergErrorResponse)
+          .build();
+    }
+    return Response.status(successStatus).build();
+  }
+
   /** From PolarisCatalogsApiService */
   @Override
   public Response createCatalog(
@@ -457,8 +477,9 @@ public Response assignPrincipalRole(
         request.getPrincipalRole().getName(),
         principalName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.assignPrincipalRole(principalName, request.getPrincipalRole().getName());
-    return Response.status(Response.Status.CREATED).build();
+    PrivilegeResult result =
+        adminService.assignPrincipalRole(principalName, request.getPrincipalRole().getName());
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisPrincipalsApiService */
@@ -470,8 +491,8 @@ public Response revokePrincipalRole(
       SecurityContext securityContext) {
     LOGGER.info("Revoking principalRole {} from principal {}", principalRoleName, principalName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.revokePrincipalRole(principalName, principalRoleName);
-    return Response.status(Response.Status.NO_CONTENT).build();
+    PrivilegeResult result = adminService.revokePrincipalRole(principalName, principalRoleName);
+    return toResponse(result, Response.Status.NO_CONTENT);
   }
 
   /** From PolarisPrincipalsApiService */
@@ -503,9 +524,10 @@ public Response assignCatalogRoleToPrincipalRole(
         catalogName,
         principalRoleName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.assignCatalogRoleToPrincipalRole(
-        principalRoleName, catalogName, request.getCatalogRole().getName());
-    return Response.status(Response.Status.CREATED).build();
+    PrivilegeResult result =
+        adminService.assignCatalogRoleToPrincipalRole(
+            principalRoleName, catalogName, request.getCatalogRole().getName());
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisPrincipalRolesApiService */
@@ -522,9 +544,10 @@ public Response revokeCatalogRoleFromPrincipalRole(
         catalogName,
         principalRoleName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.revokeCatalogRoleFromPrincipalRole(
-        principalRoleName, catalogName, catalogRoleName);
-    return Response.status(Response.Status.NO_CONTENT).build();
+    PrivilegeResult result =
+        adminService.revokeCatalogRoleFromPrincipalRole(
+            principalRoleName, catalogName, catalogRoleName);
+    return toResponse(result, Response.Status.NO_CONTENT);
   }
 
   /** From PolarisPrincipalRolesApiService */
@@ -574,6 +597,7 @@ public Response addGrantToCatalogRole(
         catalogRoleName,
         catalogName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
+    PrivilegeResult result;
     switch (grantRequest.getGrant()) {
       // The per-securable-type Privilege enums must be exact String match for a subset of all
       // PolarisPrivilege values.
@@ -583,11 +607,12 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(viewGrant.getPrivilege().toString());
           String viewName = viewGrant.getViewName();
           String[] namespaceParts = viewGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnViewToRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), viewName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnViewToRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), viewName),
+                  privilege);
           break;
         }
       case TableGrant tableGrant:
@@ -596,27 +621,30 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(tableGrant.getPrivilege().toString());
           String tableName = tableGrant.getTableName();
           String[] namespaceParts = tableGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnTableToRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), tableName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnTableToRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), tableName),
+                  privilege);
           break;
         }
       case NamespaceGrant namespaceGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(namespaceGrant.getPrivilege().toString());
           String[] namespaceParts = namespaceGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnNamespaceToRole(
-              catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
+          result =
+              adminService.grantPrivilegeOnNamespaceToRole(
+                  catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
           break;
         }
       case CatalogGrant catalogGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(catalogGrant.getPrivilege().toString());
-          adminService.grantPrivilegeOnCatalogToRole(catalogName, catalogRoleName, privilege);
+          result =
+              adminService.grantPrivilegeOnCatalogToRole(catalogName, catalogRoleName, privilege);
           break;
         }
       case PolicyGrant policyGrant:
@@ -625,11 +653,12 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(policyGrant.getPrivilege().toString());
           String policyName = policyGrant.getPolicyName();
           String[] namespaceParts = policyGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnPolicyToRole(
-              catalogName,
-              catalogRoleName,
-              new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnPolicyToRole(
+                  catalogName,
+                  catalogRoleName,
+                  new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
+                  privilege);
           break;
         }
       default:
@@ -640,7 +669,7 @@ public Response addGrantToCatalogRole(
             .log("Don't know how to handle privilege grant: {}", grantRequest);
         return Response.status(Response.Status.BAD_REQUEST).build();
     }
-    return Response.status(Response.Status.CREATED).build();
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisCatalogsApiService */
@@ -663,6 +692,7 @@ public Response revokeGrantFromCatalogRole(
     }
 
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
+    PrivilegeResult result;
     switch (grantRequest.getGrant()) {
       // The per-securable-type Privilege enums must be exact String match for a subset of all
       // PolarisPrivilege values.
@@ -672,11 +702,12 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(viewGrant.getPrivilege().toString());
           String viewName = viewGrant.getViewName();
           String[] namespaceParts = viewGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnViewFromRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), viewName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnViewFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), viewName),
+                  privilege);
           break;
         }
       case TableGrant tableGrant:
@@ -685,27 +716,31 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(tableGrant.getPrivilege().toString());
           String tableName = tableGrant.getTableName();
           String[] namespaceParts = tableGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnTableFromRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), tableName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnTableFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), tableName),
+                  privilege);
           break;
         }
       case NamespaceGrant namespaceGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(namespaceGrant.getPrivilege().toString());
           String[] namespaceParts = namespaceGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnNamespaceFromRole(
-              catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
+          result =
+              adminService.revokePrivilegeOnNamespaceFromRole(
+                  catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
           break;
         }
       case CatalogGrant catalogGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(catalogGrant.getPrivilege().toString());
-          adminService.revokePrivilegeOnCatalogFromRole(catalogName, catalogRoleName, privilege);
+          result =
+              adminService.revokePrivilegeOnCatalogFromRole(
+                  catalogName, catalogRoleName, privilege);
           break;
         }
       case PolicyGrant policyGrant:
@@ -714,11 +749,12 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(policyGrant.getPrivilege().toString());
           String policyName = policyGrant.getPolicyName();
           String[] namespaceParts = policyGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnPolicyFromRole(
-              catalogName,
-              catalogRoleName,
-              new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnPolicyFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
+                  privilege);
           break;
         }
       default:
@@ -729,7 +765,7 @@ public Response revokeGrantFromCatalogRole(
             .log("Don't know how to handle privilege revocation: {}", grantRequest);
         return Response.status(Response.Status.BAD_REQUEST).build();
     }
-    return Response.status(Response.Status.CREATED).build();
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisCatalogsApiService */