This is an automated email from the ASF dual-hosted git repository. collado pushed a commit to branch mcollado-hk2-di in repository https://gitbox.apache.org/repos/asf/polaris.git
commit 8b212078f5dda57c695836af70fed10cc17b8199 Author: Michael Collado <collado.m...@gmail.com> AuthorDate: Wed Nov 6 17:16:09 2024 -0800 Make PolarisAuthorizer work with PolarisGrantManager --- .../polaris/core/auth/PolarisAuthorizer.java | 3 + .../polaris/core/auth/PolarisAuthorizerImpl.java | 59 ++++++++++++++---- .../persistence/PolarisResolvedPathWrapper.java | 33 ++-------- .../resolver/PolarisResolutionManifest.java | 33 +++++----- .../polaris/service/admin/PolarisAdminService.java | 12 +++- .../service/catalog/BasePolarisCatalog.java | 13 ++-- .../catalog/PolarisCatalogHandlerWrapper.java | 71 ++++++---------------- .../service/admin/PolarisAuthzTestBase.java | 16 ++--- .../service/catalog/BasePolarisCatalogTest.java | 2 +- .../catalog/BasePolarisCatalogViewTest.java | 2 +- 10 files changed, 122 insertions(+), 122 deletions(-) diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java index 5224739d..0fbfb543 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java @@ -20,6 +20,7 @@ package org.apache.polaris.core.auth; import java.util.List; import java.util.Set; +import org.apache.polaris.core.PolarisCallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; import org.jetbrains.annotations.NotNull; @@ -29,6 +30,7 @@ import org.jetbrains.annotations.Nullable; public interface PolarisAuthorizer { void authorizeOrThrow( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, 
@@ -36,6 +38,7 @@ public interface PolarisAuthorizer { @Nullable PolarisResolvedPathWrapper secondary); void authorizeOrThrow( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java index b6170232..e5e010d6 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java @@ -92,20 +92,21 @@ import com.google.common.base.Preconditions; import com.google.common.collect.HashMultimap; import com.google.common.collect.SetMultimap; import jakarta.inject.Inject; +import jakarta.inject.Provider; import java.util.List; import java.util.Set; import java.util.stream.Collectors; import org.apache.iceberg.exceptions.ForbiddenException; +import org.apache.polaris.core.PolarisCallContext; import org.apache.polaris.core.PolarisConfiguration; import org.apache.polaris.core.PolarisConfigurationStore; -import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntity; import org.apache.polaris.core.entity.PolarisEntityConstants; import org.apache.polaris.core.entity.PolarisEntityCore; import org.apache.polaris.core.entity.PolarisGrantRecord; import org.apache.polaris.core.entity.PolarisPrivilege; import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; -import org.apache.polaris.core.persistence.ResolvedPolarisEntity; import org.jetbrains.annotations.NotNull; import org.jetbrains.annotations.Nullable; import org.slf4j.Logger; 
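Review bot: The new `@NotNull PolarisCallContext polarisCallContext` parameter is added to both `authorizeOrThrow` overloads of the interface without any Javadoc, and neither method had documentation before; since every caller in this commit now has to supply a context, the contract should say what it is for. A short method Javadoc describing that the context is used to read feature configuration and to load grants for the target securables (both visible in the PolarisAuthorizerImpl hunks below) and that a `ForbiddenException` is thrown when the principal lacks the privilege would make the interface self-explanatory. This can be added once and referenced from the second overload with `{@link}`.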
@@ -459,10 +460,13 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { List.of(CATALOG_ROLE_MANAGE_GRANTS_FOR_GRANTEE, CATALOG_MANAGE_ACCESS)); } + private final Provider<PolarisGrantManager> grantManager; private final PolarisConfigurationStore featureConfig; @Inject - public PolarisAuthorizerImpl(PolarisConfigurationStore featureConfig) { + public PolarisAuthorizerImpl( + Provider<PolarisGrantManager> grantManager, PolarisConfigurationStore featureConfig) { + this.grantManager = grantManager; this.featureConfig = featureConfig; } @@ -487,12 +491,14 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { @Override public void authorizeOrThrow( + PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, @Nullable PolarisResolvedPathWrapper target, @Nullable PolarisResolvedPathWrapper secondary) { authorizeOrThrow( + polarisCallContext, authenticatedPrincipal, activatedEntities, authzOp, @@ -502,14 +508,16 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { @Override public void authorizeOrThrow( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, @Nullable List<PolarisResolvedPathWrapper> targets, @Nullable List<PolarisResolvedPathWrapper> secondaries) { + boolean enforceCredentialRotationRequiredState = featureConfig.getConfiguration( - CallContext.getCurrentContext().getPolarisCallContext(), + polarisCallContext, PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING); if (enforceCredentialRotationRequiredState && authenticatedPrincipal 
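Review bot: The first `authorizeOrThrow` override (hunk at -487) declares the new parameter as `PolarisCallContext polarisCallContext,` without `@NotNull`, while the interface and the second override at -502 both annotate it `@NotNull`; the override should match, `@NotNull PolarisCallContext polarisCallContext,`, so static analysis and callers see the same nullability contract. The constructor hunk at -459 also introduces `Provider<PolarisGrantManager> grantManager` with no field comment; since the grant manager now sits directly on the authorization path, a line such as `// Grants are loaded per securable through this provider at check time; the resolved path no longer carries grant records.` would tell readers where authorization data now comes from. The enclosing class continues outside these hunks.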
@@ -521,7 +529,12 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE", authenticatedPrincipal.getName(), authzOp); } else if (!isAuthorized( - authenticatedPrincipal, activatedEntities, authzOp, targets, secondaries)) { + polarisCallContext, + authenticatedPrincipal, + activatedEntities, + authzOp, + targets, + secondaries)) { throw new ForbiddenException( "Principal '%s' with activated PrincipalRoles '%s' and activated grants via '%s' is not authorized for op %s", authenticatedPrincipal.getName(), @@ -537,12 +550,14 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { * the operation. */ public boolean isAuthorized( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, @Nullable PolarisResolvedPathWrapper target, @Nullable PolarisResolvedPathWrapper secondary) { return isAuthorized( + polarisCallContext, authenticatedPolarisPrincipal, activatedEntities, authzOp, @@ -551,6 +566,7 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { } public boolean isAuthorized( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, @NotNull Set<PolarisBaseEntity> activatedEntities, @NotNull PolarisAuthorizableOperation authzOp, 
@@ -567,7 +583,11 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { privilegeOnTarget); for (PolarisResolvedPathWrapper target : targets) { if (!hasTransitivePrivilege( - authenticatedPolarisPrincipal, entityIdSet, privilegeOnTarget, target)) { + polarisCallContext, + authenticatedPolarisPrincipal, + entityIdSet, + privilegeOnTarget, + target)) { // TODO: Collect missing privileges to report all at the end and/or return to code // that throws NotAuthorizedException for more useful messages. return false; @@ -582,7 +602,11 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { privilegeOnSecondary); for (PolarisResolvedPathWrapper secondary : secondaries) { if (!hasTransitivePrivilege( - authenticatedPolarisPrincipal, entityIdSet, privilegeOnSecondary, secondary)) { + polarisCallContext, + authenticatedPolarisPrincipal, + entityIdSet, + privilegeOnSecondary, + secondary)) { return false; } } @@ -600,6 +624,7 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { * errors/exceptions. */ public boolean hasTransitivePrivilege( + @NotNull PolarisCallContext polarisCallContext, @NotNull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, Set<Long> activatedGranteeIds, PolarisPrivilege desiredPrivilege, 
@@ -607,12 +632,20 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { // Iterate starting at the parent, since the most common case should be to manage grants as // high up in the resource hierarchy as possible, so we expect earlier termination. - for (ResolvedPolarisEntity resolvedSecurableEntity : resolvedPath.getResolvedFullPath()) { - Preconditions.checkState( - resolvedSecurableEntity.getGrantRecordsAsSecurable() != null, - "Got null grantRecordsAsSecurable for resolvedSecurableEntity %s", - resolvedSecurableEntity); - for (PolarisGrantRecord grantRecord : resolvedSecurableEntity.getGrantRecordsAsSecurable()) { + for (PolarisEntity resolvedSecurableEntity : resolvedPath.getRawFullPath()) { + PolarisGrantManager.LoadGrantsResult securableGrants = + grantManager + .get() + .loadGrantsOnSecurable( + polarisCallContext, + resolvedSecurableEntity.getCatalogId(), + resolvedSecurableEntity.getId()); + Preconditions.checkArgument( + securableGrants.isSuccess(), + "Unable to load grants on securable %s - %s", + resolvedSecurableEntity, + securableGrants.getExtraInformation()); + for (PolarisGrantRecord grantRecord : securableGrants.getGrantRecords()) { if (matchesOrIsSubsumedBy( desiredPrivilege, PolarisPrivilege.fromCode(grantRecord.getPrivilegeCode()))) { // Found a potential candidate for satisfying our authz goal. diff --git a/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisResolvedPathWrapper.java b/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisResolvedPathWrapper.java index 6b09598c..2e539f89 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisResolvedPathWrapper.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisResolvedPathWrapper.java @@ -19,7 +19,6 @@ package org.apache.polaris.core.persistence; import java.util.List; -import java.util.stream.Collectors; import org.apache.polaris.core.entity.PolarisEntity; /** 
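Review bot: `Preconditions.checkArgument(securableGrants.isSuccess(), ...)` reports a failed `loadGrantsOnSecurable` as an `IllegalArgumentException`, which signals a bad caller argument rather than the persistence or state failure it actually is; the removed code used `checkState` for the equivalent condition, and an `IllegalArgumentException` escaping an authorization check is likely to be reported as a client error. Keep the throw (failing closed is the right outcome when grants cannot be loaded) but use `Preconditions.checkState(securableGrants.isSuccess(), "Unable to load grants on securable %s - %s", resolvedSecurableEntity, securableGrants.getExtraInformation());` or a dedicated exception. `grantManager.get()` is also re-resolved on each iteration and can be hoisted above the loop as `PolarisGrantManager gm = grantManager.get();`. Because grants are now read from the grant manager for every path element on every check instead of from the resolved path, a comment on the loop such as `// Grants are read live from the grant manager for each securable on the path, not from the resolver cache.` would record the change in cost and consistency source. `hasTransitivePrivilege` starts and ends outside this hunk.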
@@ -27,15 +26,15 @@ import org.apache.polaris.core.entity.PolarisEntity; * and grant records. */ public class PolarisResolvedPathWrapper { - private final List<ResolvedPolarisEntity> resolvedPath; + private final List<PolarisEntity> resolvedPath; // TODO: Distinguish between whether parentPath had a null in the chain or whether only // the leaf element was null. - public PolarisResolvedPathWrapper(List<ResolvedPolarisEntity> resolvedPath) { + public PolarisResolvedPathWrapper(List<PolarisEntity> resolvedPath) { this.resolvedPath = resolvedPath; } - public ResolvedPolarisEntity getResolvedLeafEntity() { + public PolarisEntity getResolvedLeafEntity() { if (resolvedPath == null || resolvedPath.isEmpty()) { return null; } @@ -43,38 +42,18 @@ public class PolarisResolvedPathWrapper { } public PolarisEntity getRawLeafEntity() { - ResolvedPolarisEntity resolvedEntity = getResolvedLeafEntity(); - if (resolvedEntity != null) { - return resolvedEntity.getEntity(); - } - return null; - } - - public List<ResolvedPolarisEntity> getResolvedFullPath() { - return resolvedPath; + return getResolvedLeafEntity(); } public List<PolarisEntity> getRawFullPath() { if (resolvedPath == null) { return null; } - return resolvedPath.stream().map(ResolvedPolarisEntity::getEntity).collect(Collectors.toList()); - } - - public List<ResolvedPolarisEntity> getResolvedParentPath() { - if (resolvedPath == null) { - return null; - } - return resolvedPath.subList(0, resolvedPath.size() - 1); + return resolvedPath; } public List<PolarisEntity> getRawParentPath() { - if (resolvedPath == null) { - return null; - } - return getResolvedParentPath().stream() - .map(ResolvedPolarisEntity::getEntity) - .collect(Collectors.toList()); + return resolvedPath.subList(0, resolvedPath.size() - 1); } @Override 
diff --git a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java index 629e282e..1fb9c37c 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java @@ -31,6 +31,7 @@ import org.apache.polaris.core.PolarisDiagnostics; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntity; import org.apache.polaris.core.entity.PolarisEntityConstants; import org.apache.polaris.core.entity.PolarisEntitySubType; import org.apache.polaris.core.entity.PolarisEntityType; @@ -215,10 +216,11 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal } } - List<ResolvedPolarisEntity> resolvedEntities = new ArrayList<>(); + List<PolarisEntity> resolvedEntities = new ArrayList<>(); resolvedEntities.add( - new ResolvedPolarisEntity(passthroughResolver.getResolvedReferenceCatalog())); - resolvedPath.forEach(cacheEntry -> resolvedEntities.add(new ResolvedPolarisEntity(cacheEntry))); + PolarisEntity.of(passthroughResolver.getResolvedReferenceCatalog().getEntity())); + resolvedPath.forEach( + cacheEntry -> resolvedEntities.add(PolarisEntity.of(cacheEntry.getEntity()))); LOGGER.debug( "Returning resolvedEntities from getPassthroughResolvedPath: {}", resolvedEntities); return new PolarisResolvedPathWrapper(resolvedEntities); 
@@ -269,7 +271,7 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal this.simulatedResolvedRootContainerEntity = simulatedResolvedRootContainerEntity; } - private ResolvedPolarisEntity getResolvedRootContainerEntity() { + private PolarisEntity getResolvedRootContainerEntity() { if (primaryResolverStatus.getStatus() != ResolverStatus.StatusEnum.SUCCESS) { return null; } @@ -278,9 +280,9 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal PolarisEntityType.ROOT, PolarisEntityConstants.getRootContainerName()); if (resolvedCacheEntry == null) { LOGGER.debug("Failed to find rootContainer, so using simulated rootContainer instead."); - return simulatedResolvedRootContainerEntity; + return simulatedResolvedRootContainerEntity.getEntity(); } - return new ResolvedPolarisEntity(resolvedCacheEntry); + return PolarisEntity.of(resolvedCacheEntry.getEntity()); } public PolarisResolvedPathWrapper getResolvedRootContainerEntityAsPath() { @@ -304,10 +306,11 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal // getResolvedReferenceCatalogEntity(). return new PolarisResolvedPathWrapper( List.of( - getResolvedRootContainerEntity(), new ResolvedPolarisEntity(resolvedCachedCatalog))); + getResolvedRootContainerEntity(), + PolarisEntity.of(resolvedCachedCatalog.getEntity()))); } else { return new PolarisResolvedPathWrapper( - List.of(new ResolvedPolarisEntity(resolvedCachedCatalog))); + List.of(PolarisEntity.of(resolvedCachedCatalog.getEntity()))); } } 
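Review bot: `getResolvedRootContainerEntity()` now returns `simulatedResolvedRootContainerEntity.getEntity()`, which throws `NullPointerException` when no simulated root container has been set, whereas the removed line returned the field itself (null in that case) and callers such as the `resolvedRootContainerEntity == null ? ... : ...` branch later in this file still treat null as a valid result. Guard the fallback: `return simulatedResolvedRootContainerEntity == null ? null : simulatedResolvedRootContainerEntity.getEntity();`. Whether the setter is always invoked before resolution is not visible here, so this may be unreachable in practice, but the method's null-tolerant contract should be preserved rather than narrowed silently.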
@@ -355,12 +358,14 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal } } - List<ResolvedPolarisEntity> resolvedEntities = new ArrayList<>(); + List<PolarisEntity> resolvedEntities = new ArrayList<>(); if (prependRootContainer) { resolvedEntities.add(getResolvedRootContainerEntity()); } - resolvedEntities.add(new ResolvedPolarisEntity(primaryResolver.getResolvedReferenceCatalog())); - resolvedPath.forEach(cacheEntry -> resolvedEntities.add(new ResolvedPolarisEntity(cacheEntry))); + resolvedEntities.add( + PolarisEntity.of(primaryResolver.getResolvedReferenceCatalog().getEntity())); + resolvedPath.forEach( + cacheEntry -> resolvedEntities.add(PolarisEntity.of(cacheEntry.getEntity()))); return new PolarisResolvedPathWrapper(resolvedEntities); } @@ -403,10 +408,10 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal return null; } - ResolvedPolarisEntity resolvedRootContainerEntity = getResolvedRootContainerEntity(); + PolarisEntity resolvedRootContainerEntity = getResolvedRootContainerEntity(); return resolvedRootContainerEntity == null - ? new PolarisResolvedPathWrapper(List.of(new ResolvedPolarisEntity(resolvedCacheEntry))) + ? new PolarisResolvedPathWrapper(List.of(PolarisEntity.of(resolvedCacheEntry.getEntity()))) : new PolarisResolvedPathWrapper( - List.of(resolvedRootContainerEntity, new ResolvedPolarisEntity(resolvedCacheEntry))); + List.of(resolvedRootContainerEntity, PolarisEntity.of(resolvedCacheEntry.getEntity()))); } } diff --git a/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java b/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java index ba5113e9..a0960201 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java 
@@ -157,6 +157,7 @@ public class PolarisAdminService { PolarisResolvedPathWrapper rootContainerWrapper = resolutionManifest.getResolvedRootContainerEntityAsPath(); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedPrincipalRoleEntities(), op, @@ -191,7 +192,7 @@ public class PolarisAdminService { // TODO: If we do add more "self" privilege operations for PRINCIPAL targets this should // be extracted into an EnumSet and/or pushed down into PolarisAuthorizer. - if (topLevelEntityWrapper.getResolvedLeafEntity().getEntity().getId() + if (topLevelEntityWrapper.getResolvedLeafEntity().getId() == authenticatedPrincipal.getPrincipalEntity().getId() && (op.equals(PolarisAuthorizableOperation.ROTATE_CREDENTIALS) || op.equals(PolarisAuthorizableOperation.RESET_CREDENTIALS))) { @@ -202,6 +203,7 @@ public class PolarisAdminService { return; } authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -222,6 +224,7 @@ public class PolarisAdminService { throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName); } authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -252,6 +255,7 @@ public class PolarisAdminService { principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -288,6 +292,7 @@ public class PolarisAdminService { principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, 
@@ -318,6 +323,7 @@ public class PolarisAdminService { resolutionManifest.getResolvedTopLevelEntity(principalName, PolarisEntityType.PRINCIPAL); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -356,6 +362,7 @@ public class PolarisAdminService { resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -385,6 +392,7 @@ public class PolarisAdminService { PolarisResolvedPathWrapper catalogRoleWrapper = resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -424,6 +432,7 @@ public class PolarisAdminService { resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -468,6 +477,7 @@ public class PolarisAdminService { resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( + getCurrentPolarisContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, diff --git a/polaris-service/src/main/java/org/apache/polaris/service/catalog/BasePolarisCatalog.java b/polaris-service/src/main/java/org/apache/polaris/service/catalog/BasePolarisCatalog.java index 4911b5cf..15a66ed8 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/catalog/BasePolarisCatalog.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/catalog/BasePolarisCatalog.java 
@@ -658,11 +658,12 @@ public class BasePolarisCatalog extends BaseMetastoreViewCatalog new PolarisEntity.Builder(entity).setProperties(newProperties).build(); if (!callContext - .getPolarisCallContext() - .getConfigurationStore() - .getConfiguration( - callContext.getPolarisCallContext(), - PolarisConfiguration.ALLOW_NAMESPACE_LOCATION_OVERLAP)) { + .getPolarisCallContext() + .getConfigurationStore() + .getConfiguration( + callContext.getPolarisCallContext(), + PolarisConfiguration.ALLOW_NAMESPACE_LOCATION_OVERLAP) + && properties.containsKey(PolarisEntityConstants.ENTITY_BASE_LOCATION)) { LOGGER.debug("Validating no overlap with sibling tables or namespaces"); validateNoLocationOverlap( NamespaceEntity.of(updatedEntity).getBaseLocation(), @@ -1672,7 +1673,7 @@ public class BasePolarisCatalog extends BaseMetastoreViewCatalog toEntity = new TableLikeEntity.Builder(TableLikeEntity.of(leafEntity)) .setTableIdentifier(to) - .setParentId(resolvedNewParentEntities.getResolvedLeafEntity().getEntity().getId()) + .setParentId(resolvedNewParentEntities.getResolvedLeafEntity().getId()) .build(); } else { // only the name of the entity is changed diff --git a/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java b/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java index 3d12f75a..d5794185 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java @@ -215,6 +215,7 @@ public class PolarisCatalogHandlerWrapper { throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); } authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, 
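Review bot: The added `&& properties.containsKey(PolarisEntityConstants.ENTITY_BASE_LOCATION)` narrows when `validateNoLocationOverlap` runs, which is unrelated to the commit's stated purpose of wiring the grant manager and is not explained anywhere in the hunk. If `properties` is the caller-supplied update rather than the merged `newProperties`, the intent reads as "skip the sibling-overlap check when the base location is not being changed", but that cannot be confirmed from this hunk because the method starts above it; a comment such as `// Only re-validate sibling location overlap when the update touches the base location.` should state the intent either way. Since this relaxes a validation that protects against overlapping storage locations, it is better split into its own commit with a test covering both the skipped and the validated case.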
@@ -248,6 +249,7 @@ public class PolarisCatalogHandlerWrapper { throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace); } authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -285,6 +287,7 @@ public class PolarisCatalogHandlerWrapper { throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); } authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -317,6 +320,7 @@ public class PolarisCatalogHandlerWrapper { } } authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -370,6 +374,7 @@ public class PolarisCatalogHandlerWrapper { "View does not exist: %s", identifier))) .toList(); authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -430,6 +435,7 @@ public class PolarisCatalogHandlerWrapper { PolarisResolvedPathWrapper secondary = resolutionManifest.getResolvedPath(dst.namespace(), true); authorizer.authorizeOrThrow( + callContext.getPolarisCallContext(), authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -566,10 +572,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot create table on external catalogs."); } 
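Review bot: `CatalogEntity.of(resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity())` is now repeated verbatim at -566 and in every following hunk of this file (-585, -694, -717, -774, -904, -923, -948, -973, -997, -1104, -1127, -1160); since the commit already rewrites each occurrence, this is the moment to extract `private CatalogEntity resolvedCatalog() { return CatalogEntity.of(resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); }` and call it from each site. That keeps the external-catalog checks that follow each call uniform and gives a single place to handle a null leaf entity should the resolver ever return one.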
@@ -585,10 +588,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot create table on external catalogs."); } @@ -694,10 +694,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot create table on external catalogs."); } @@ -717,10 +714,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot create table on external catalogs."); } @@ -774,10 +768,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (catalog .getCatalogType() .equals(org.apache.polaris.core.admin.model.Catalog.TypeEnum.INTERNAL)) { @@ -904,10 +895,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot update table on external catalogs."); } 
@@ -923,10 +911,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot update table on external catalogs."); } @@ -948,10 +933,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot drop table on external catalogs."); } @@ -973,10 +955,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot rename table on external catalogs."); } @@ -997,10 +976,7 @@ public class PolarisCatalogHandlerWrapper { .toList()); CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot update table on external catalogs."); } 
@@ -1104,10 +1080,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot create view on external catalogs."); } @@ -1127,10 +1100,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot replace view on external catalogs."); } @@ -1160,10 +1130,7 @@ public class PolarisCatalogHandlerWrapper { CatalogEntity catalog = CatalogEntity.of( - resolutionManifest - .getResolvedReferenceCatalogEntity() - .getResolvedLeafEntity() - .getEntity()); + resolutionManifest.getResolvedReferenceCatalogEntity().getResolvedLeafEntity()); if (isExternal(catalog)) { throw new BadRequestException("Cannot rename view on external catalogs."); } diff --git a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java index 5151f0f7..994e80e9 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java 
@@ -131,12 +131,7 @@ public abstract class PolarisAuthzTestBase { new Schema( required(3, "id", Types.IntegerType.get(), "unique ID 🤪"), required(4, "data", Types.StringType.get())); - protected final PolarisAuthorizer polarisAuthorizer = - new PolarisAuthorizerImpl( - new DefaultConfigurationStore( - Map.of( - PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING.key, - true))); + protected PolarisAuthorizer polarisAuthorizer; protected BasePolarisCatalog baseCatalog; protected PolarisAdminService adminService; @@ -159,7 +154,14 @@ public abstract class PolarisAuthzTestBase { RealmContext realmContext = () -> "realm"; PolarisMetaStoreManager metaStoreManager = metaStoreManagerFactory.getOrCreateMetaStoreManager(realmContext); - + polarisAuthorizer = + new PolarisAuthorizerImpl( + () -> metaStoreManager, + new DefaultConfigurationStore( + Map.of( + PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING + .key, + true))); Map<String, Object> configMap = Map.of( "ALLOW_SPECIFYING_FILE_IO_IMPL", true, "ALLOW_EXTERNAL_METADATA_FILE_LOCATION", true); diff --git a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java index 9495365f..cba7ebaa 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java @@ -184,7 +184,7 @@ public class BasePolarisCatalogTest extends CatalogTests<BasePolarisCatalog> { entityManager, metaStoreManager, authenticatedRoot, - new PolarisAuthorizerImpl(new PolarisConfigurationStore() {})); + new PolarisAuthorizerImpl(() -> metaStoreManager, new PolarisConfigurationStore() {})); String storageLocation = "s3://my-bucket/path/to/data"; storageConfigModel = AwsStorageConfigInfo.builder() 
diff --git a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java index 7ad1d53d..1f64fb21 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java @@ -116,7 +116,7 @@ public class BasePolarisCatalogViewTest extends ViewCatalogTests<BasePolarisCata entityManager, metaStoreManager, authenticatedRoot, - new PolarisAuthorizerImpl(new PolarisConfigurationStore() {})); + new PolarisAuthorizerImpl(() -> metaStoreManager, new PolarisConfigurationStore() {})); adminService.createCatalog( new CatalogEntity.Builder() .setName(CATALOG_NAME)