{"id":"a8260561-808f-4b9a-88ae-873c779692eb","task":"Configure RBAC in Apache Polaris using principals, principal roles, and catalog roles","domain":"polaris.apache.org","steps":["Create a principal via POST /api/management/v1/principals with a name and optional client-id/secret","Create a principal role via POST /api/management/v1/principal-roles","Assign the principal role to the principal via PUT /api/management/v1/principals/{principalName}/principal-roles","Create a catalog role via POST /api/management/v1/catalogs/{catalogName}/catalog-roles","Grant the catalog role to the principal role via PUT /api/management/v1/principal-roles/{principalRoleName}/catalog-roles/{catalogName}","Assign specific privileges to the catalog role via POST /api/management/v1/catalogs/{catalogName}/catalog-roles/{catalogRoleName}/grants"],"gotchas":["Polaris uses a two-tier role model: principal roles are assigned to principals, and catalog roles (which hold actual data privileges) are granted to principal roles — you cannot directly grant a catalog role to a principal","Privileges are scoped to a specific entity level (catalog, namespace, table); a privilege on a namespace does not automatically apply to the catalog level","Deleting a principal role does not automatically revoke its catalog role assignments; clean up grants explicitly to avoid orphaned access"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:23.292Z"},"url":"https://mcp.waymark.network/r/a8260561-808f-4b9a-88ae-873c779692eb"}