RANGER-4910: update Polaris service-def to remove resources principal-role and catalog-role

[mneethiraj]

What changes were proposed in this pull request?

• removed resources principal-role and catalog-role, and all permissions associated with them

How was this patch tested?

• verified that the updated service-def is loaded successfully in Ranger

[Copilot]

Pull request overview

Updates the embedded Apache Ranger service definition for the Polaris service type to remove the principal-role and catalog-role resource types (and associated permissions), simplifying the authorization surface for Polaris within Ranger.

Changes:

• Removed principal-role and catalog-role resources and their related access types.
• Removed several grant-management related access types and catalog-access-manage.
• Reorganized/renumbered itemId values for remaining resources/access types.

Comments suppressed due to low confidence (1)

agents-common/src/main/resources/service-defs/ranger-servicedef-polaris.json:90

• The PR renumbers existing resources[*].itemId values (e.g., table is now itemId 5). Ranger service-def updates match existing resource defs by itemId (not name) during update; changing itemIds can cause resources to be treated as deleted/recreated or make updates fail if policies reference the old defs. Consider keeping all existing itemIds stable and only removing the principal-role/catalog-role entries (leave remaining itemIds unchanged). See security-admin/src/main/java/org/apache/ranger/biz/ServiceDBStore.java:3308-3355 where resource defs are matched/removed by itemId.

    {
      "itemId":      5,
      "name":        "table",
      "label":       "Table",
      "description": "Table",
      "parent":      "namespace",

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.