Fix REST responses for failed Admin operations

Author: XN137

runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java

@@ -71,6 +71,8 @@
 import org.apache.polaris.core.entity.PrincipalRoleEntity;
 import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import org.apache.polaris.core.persistence.dao.entity.BaseResult;
+import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
 import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory;
 import org.apache.polaris.core.secrets.UserSecretsManager;
 import org.apache.polaris.core.secrets.UserSecretsManagerFactory;
@@ -134,6 +136,13 @@ private PolarisAdminService newAdminService(
         reservedProperties);
   }
 
+  private static Response toResponse(BaseResult result, Response.Status successStatus) {
+    if (!result.isSuccess()) {
+      return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
+    }
+    return Response.status(successStatus).build();
+  }
+
   /** From PolarisCatalogsApiService */
   @Override
   public Response createCatalog(
@@ -457,8 +466,9 @@ public Response assignPrincipalRole(
         request.getPrincipalRole().getName(),
         principalName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.assignPrincipalRole(principalName, request.getPrincipalRole().getName());
-    return Response.status(Response.Status.CREATED).build();
+    PrivilegeResult result =
+        adminService.assignPrincipalRole(principalName, request.getPrincipalRole().getName());
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisPrincipalsApiService */
@@ -470,8 +480,8 @@ public Response revokePrincipalRole(
       SecurityContext securityContext) {
     LOGGER.info("Revoking principalRole {} from principal {}", principalRoleName, principalName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.revokePrincipalRole(principalName, principalRoleName);
-    return Response.status(Response.Status.NO_CONTENT).build();
+    PrivilegeResult result = adminService.revokePrincipalRole(principalName, principalRoleName);
+    return toResponse(result, Response.Status.NO_CONTENT);
   }
 
   /** From PolarisPrincipalsApiService */
@@ -503,9 +513,10 @@ public Response assignCatalogRoleToPrincipalRole(
         catalogName,
         principalRoleName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.assignCatalogRoleToPrincipalRole(
-        principalRoleName, catalogName, request.getCatalogRole().getName());
-    return Response.status(Response.Status.CREATED).build();
+    PrivilegeResult result =
+        adminService.assignCatalogRoleToPrincipalRole(
+            principalRoleName, catalogName, request.getCatalogRole().getName());
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisPrincipalRolesApiService */
@@ -522,9 +533,10 @@ public Response revokeCatalogRoleFromPrincipalRole(
         catalogName,
         principalRoleName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
-    adminService.revokeCatalogRoleFromPrincipalRole(
-        principalRoleName, catalogName, catalogRoleName);
-    return Response.status(Response.Status.NO_CONTENT).build();
+    PrivilegeResult result =
+        adminService.revokeCatalogRoleFromPrincipalRole(
+            principalRoleName, catalogName, catalogRoleName);
+    return toResponse(result, Response.Status.NO_CONTENT);
   }
 
   /** From PolarisPrincipalRolesApiService */
@@ -574,6 +586,7 @@ public Response addGrantToCatalogRole(
         catalogRoleName,
         catalogName);
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
+    PrivilegeResult result;
     switch (grantRequest.getGrant()) {
       // The per-securable-type Privilege enums must be exact String match for a subset of all
       // PolarisPrivilege values.
@@ -583,11 +596,12 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(viewGrant.getPrivilege().toString());
           String viewName = viewGrant.getViewName();
           String[] namespaceParts = viewGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnViewToRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), viewName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnViewToRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), viewName),
+                  privilege);
           break;
         }
       case TableGrant tableGrant:
@@ -596,27 +610,30 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(tableGrant.getPrivilege().toString());
           String tableName = tableGrant.getTableName();
           String[] namespaceParts = tableGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnTableToRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), tableName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnTableToRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), tableName),
+                  privilege);
           break;
         }
       case NamespaceGrant namespaceGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(namespaceGrant.getPrivilege().toString());
           String[] namespaceParts = namespaceGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnNamespaceToRole(
-              catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
+          result =
+              adminService.grantPrivilegeOnNamespaceToRole(
+                  catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
           break;
         }
       case CatalogGrant catalogGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(catalogGrant.getPrivilege().toString());
-          adminService.grantPrivilegeOnCatalogToRole(catalogName, catalogRoleName, privilege);
+          result =
+              adminService.grantPrivilegeOnCatalogToRole(catalogName, catalogRoleName, privilege);
           break;
         }
       case PolicyGrant policyGrant:
@@ -625,11 +642,12 @@ public Response addGrantToCatalogRole(
               PolarisPrivilege.valueOf(policyGrant.getPrivilege().toString());
           String policyName = policyGrant.getPolicyName();
           String[] namespaceParts = policyGrant.getNamespace().toArray(new String[0]);
-          adminService.grantPrivilegeOnPolicyToRole(
-              catalogName,
-              catalogRoleName,
-              new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
-              privilege);
+          result =
+              adminService.grantPrivilegeOnPolicyToRole(
+                  catalogName,
+                  catalogRoleName,
+                  new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
+                  privilege);
           break;
         }
       default:
@@ -640,7 +658,7 @@ public Response addGrantToCatalogRole(
             .log("Don't know how to handle privilege grant: {}", grantRequest);
         return Response.status(Response.Status.BAD_REQUEST).build();
     }
-    return Response.status(Response.Status.CREATED).build();
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisCatalogsApiService */
@@ -663,6 +681,7 @@ public Response revokeGrantFromCatalogRole(
     }
 
     PolarisAdminService adminService = newAdminService(realmContext, securityContext);
+    PrivilegeResult result;
     switch (grantRequest.getGrant()) {
       // The per-securable-type Privilege enums must be exact String match for a subset of all
       // PolarisPrivilege values.
@@ -672,11 +691,12 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(viewGrant.getPrivilege().toString());
           String viewName = viewGrant.getViewName();
           String[] namespaceParts = viewGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnViewFromRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), viewName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnViewFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), viewName),
+                  privilege);
           break;
         }
       case TableGrant tableGrant:
@@ -685,27 +705,31 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(tableGrant.getPrivilege().toString());
           String tableName = tableGrant.getTableName();
           String[] namespaceParts = tableGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnTableFromRole(
-              catalogName,
-              catalogRoleName,
-              TableIdentifier.of(Namespace.of(namespaceParts), tableName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnTableFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  TableIdentifier.of(Namespace.of(namespaceParts), tableName),
+                  privilege);
           break;
         }
       case NamespaceGrant namespaceGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(namespaceGrant.getPrivilege().toString());
           String[] namespaceParts = namespaceGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnNamespaceFromRole(
-              catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
+          result =
+              adminService.revokePrivilegeOnNamespaceFromRole(
+                  catalogName, catalogRoleName, Namespace.of(namespaceParts), privilege);
           break;
         }
       case CatalogGrant catalogGrant:
         {
           PolarisPrivilege privilege =
               PolarisPrivilege.valueOf(catalogGrant.getPrivilege().toString());
-          adminService.revokePrivilegeOnCatalogFromRole(catalogName, catalogRoleName, privilege);
+          result =
+              adminService.revokePrivilegeOnCatalogFromRole(
+                  catalogName, catalogRoleName, privilege);
           break;
         }
       case PolicyGrant policyGrant:
@@ -714,11 +738,12 @@ public Response revokeGrantFromCatalogRole(
               PolarisPrivilege.valueOf(policyGrant.getPrivilege().toString());
           String policyName = policyGrant.getPolicyName();
           String[] namespaceParts = policyGrant.getNamespace().toArray(new String[0]);
-          adminService.revokePrivilegeOnPolicyFromRole(
-              catalogName,
-              catalogRoleName,
-              new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
-              privilege);
+          result =
+              adminService.revokePrivilegeOnPolicyFromRole(
+                  catalogName,
+                  catalogRoleName,
+                  new PolicyIdentifier(Namespace.of(namespaceParts), policyName),
+                  privilege);
           break;
         }
       default:
@@ -729,7 +754,7 @@ public Response revokeGrantFromCatalogRole(
             .log("Don't know how to handle privilege revocation: {}", grantRequest);
         return Response.status(Response.Status.BAD_REQUEST).build();
     }
-    return Response.status(Response.Status.CREATED).build();
+    return toResponse(result, Response.Status.CREATED);
   }
 
   /** From PolarisCatalogsApiService */