This is an automated email from the ASF dual-hosted git repository.
snazy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git
The following commit(s) were added to refs/heads/main by this push:
new 88f58fc9c Make PolarisAuthorizer RequestScoped (#2340)
88f58fc9c is described below
commit 88f58fc9ce7842ee48ea44bbfce4965e1a3ec41c
Author: Christopher Lambert <xn...@gmx.de>
AuthorDate: Fri Aug 15 10:20:58 2025 +0200
Make PolarisAuthorizer RequestScoped (#2340)
all methods in `PolarisAuthorizer` currently have a `CallContext`
parameter.
in its only implementation only `CallContext.getRealmConfig` is getting
used.
so since `PolarisAuthorizer` cant be used outside a request, we can
simply make it request-scoped and inject the request-scoped `RealmConfig`
directly.
---
.../org/apache/polaris/core/auth/PolarisAuthorizer.java | 3 ---
.../apache/polaris/core/auth/PolarisAuthorizerImpl.java | 17 ++++++++---------
.../polaris/service/admin/PolarisAdminService.java | 11 -----------
.../polaris/service/catalog/common/CatalogHandler.java | 6 ------
.../service/catalog/policy/PolicyCatalogHandler.java | 3 ---
.../apache/polaris/service/config/ServiceProducers.java | 12 ++++++------
.../polaris/service/admin/ManagementServiceTest.java | 2 +-
.../polaris/service/admin/PolarisAuthzTestBase.java | 4 ++--
.../service/catalog/AbstractIcebergCatalogTest.java | 2 +-
.../service/catalog/AbstractIcebergCatalogViewTest.java | 2 +-
.../catalog/AbstractPolarisGenericTableCatalogTest.java | 2 +-
.../service/catalog/AbstractPolicyCatalogTest.java | 2 +-
12 files changed, 21 insertions(+), 45 deletions(-)
diff --git
a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java
b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java
index 0e35bf2f3..31e69b083 100644
---
a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java
+++
b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java
@@ -22,7 +22,6 @@ import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import java.util.List;
import java.util.Set;
-import org.apache.polaris.core.context.CallContext;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
@@ -30,7 +29,6 @@ import
org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
public interface PolarisAuthorizer {
void authorizeOrThrow(
- @Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
@@ -38,7 +36,6 @@ public interface PolarisAuthorizer {
@Nullable PolarisResolvedPathWrapper secondary);
void authorizeOrThrow(
- @Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
diff --git
a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
index 6b582e7a7..baae15fc0 100644
---
a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
+++
b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java
@@ -114,7 +114,7 @@ import java.util.Set;
import java.util.stream.Collectors;
import org.apache.iceberg.exceptions.ForbiddenException;
import org.apache.polaris.core.config.FeatureConfiguration;
-import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.config.RealmConfig;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.entity.PolarisEntityConstants;
import org.apache.polaris.core.entity.PolarisEntityCore;
@@ -530,8 +530,12 @@ public class PolarisAuthorizerImpl implements
PolarisAuthorizer {
List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA,
CATALOG_MANAGE_CONTENT));
}
+ private final RealmConfig realmConfig;
+
@Inject
- public PolarisAuthorizerImpl() {}
+ public PolarisAuthorizerImpl(RealmConfig realmConfig) {
+ this.realmConfig = realmConfig;
+ }
/**
* Checks whether the {@code grantedPrivilege} is sufficient to confer
{@code desiredPrivilege},
@@ -554,14 +558,12 @@ public class PolarisAuthorizerImpl implements
PolarisAuthorizer {
@Override
public void authorizeOrThrow(
- @Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
@Nullable PolarisResolvedPathWrapper target,
@Nullable PolarisResolvedPathWrapper secondary) {
authorizeOrThrow(
- callContext,
authenticatedPrincipal,
activatedEntities,
authzOp,
@@ -571,17 +573,14 @@ public class PolarisAuthorizerImpl implements
PolarisAuthorizer {
@Override
public void authorizeOrThrow(
- @Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
@Nullable List<PolarisResolvedPathWrapper> targets,
@Nullable List<PolarisResolvedPathWrapper> secondaries) {
boolean enforceCredentialRotationRequiredState =
- callContext
- .getRealmConfig()
- .getConfig(
-
FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
+ realmConfig.getConfig(
+
FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
if (enforceCredentialRotationRequiredState
&& authenticatedPrincipal
.getPrincipalEntity()
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java
b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java
index 9c6d6f339..1be6e373e 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java
@@ -251,7 +251,6 @@ public class PolarisAdminService {
PolarisResolvedPathWrapper rootContainerWrapper =
resolutionManifest.getResolvedRootContainerEntityAsPath();
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedPrincipalRoleEntities(),
op,
@@ -297,7 +296,6 @@ public class PolarisAdminService {
return;
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -319,7 +317,6 @@ public class PolarisAdminService {
throw new NotFoundException("CatalogRole does not exist: %s",
catalogRoleName);
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -350,7 +347,6 @@ public class PolarisAdminService {
principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -387,7 +383,6 @@ public class PolarisAdminService {
principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -418,7 +413,6 @@ public class PolarisAdminService {
resolutionManifest.getResolvedTopLevelEntity(principalName,
PolarisEntityType.PRINCIPAL);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -458,7 +452,6 @@ public class PolarisAdminService {
resolutionManifest.getResolvedPath(catalogRoleName, true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -489,7 +482,6 @@ public class PolarisAdminService {
PolarisResolvedPathWrapper catalogRoleWrapper =
resolutionManifest.getResolvedPath(catalogRoleName, true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -530,7 +522,6 @@ public class PolarisAdminService {
resolutionManifest.getResolvedPath(catalogRoleName, true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -577,7 +568,6 @@ public class PolarisAdminService {
resolutionManifest.getResolvedPath(catalogRoleName, true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -617,7 +607,6 @@ public class PolarisAdminService {
resolutionManifest.getResolvedPath(catalogRoleName, true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java
b/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java
index 523369c7c..6b2a8ae10 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java
@@ -142,7 +142,6 @@ public abstract class CatalogHandler {
throw new NoSuchNamespaceException("Namespace does not exist: %s",
namespace);
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -177,7 +176,6 @@ public abstract class CatalogHandler {
throw new NoSuchNamespaceException("Namespace does not exist: %s",
parentNamespace);
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -216,7 +214,6 @@ public abstract class CatalogHandler {
throw new NoSuchNamespaceException("Namespace does not exist: %s",
namespace);
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -246,7 +243,6 @@ public abstract class CatalogHandler {
throwNotFoundExceptionForTableLikeEntity(identifier, List.of(subType));
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -298,7 +294,6 @@ public abstract class CatalogHandler {
"View does not exist: %s",
identifier)))
.toList();
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -368,7 +363,6 @@ public abstract class CatalogHandler {
PolarisResolvedPathWrapper secondary =
resolutionManifest.getResolvedPath(dst.namespace(), true);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java
b/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java
index c967f8971..942173599 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java
@@ -167,7 +167,6 @@ public class PolicyCatalogHandler extends CatalogHandler {
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -212,7 +211,6 @@ public class PolicyCatalogHandler extends CatalogHandler {
throw new NotFoundException("Catalog not found");
}
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
@@ -272,7 +270,6 @@ public class PolicyCatalogHandler extends CatalogHandler {
determinePolicyMappingOperation(target, targetWrapper, isAttach);
authorizer.authorizeOrThrow(
- callContext,
authenticatedPrincipal,
resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
op,
diff --git
a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
index b83b68c0f..9580fd564 100644
---
a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
+++
b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java
@@ -133,12 +133,6 @@ public class ServiceProducers {
return new ResolutionManifestFactoryImpl(resolverFactory);
}
- @Produces
- @ApplicationScoped
- public PolarisAuthorizer polarisAuthorizer() {
- return new PolarisAuthorizerImpl();
- }
-
@Produces
@Singleton
public PolarisDiagnostics polarisDiagnostics() {
@@ -170,6 +164,12 @@ public class ServiceProducers {
return callContext.getRealmConfig();
}
+ @Produces
+ @RequestScoped
+ public PolarisAuthorizer polarisAuthorizer(RealmConfig realmConfig) {
+ return new PolarisAuthorizerImpl(realmConfig);
+ }
+
// Polaris service beans - selected from @Identifier-annotated beans
@Produces
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
index edc011a80..aa9dd5734 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java
@@ -201,7 +201,7 @@ public class ManagementServiceTest {
return "";
}
},
- new PolarisAuthorizerImpl(),
+ new PolarisAuthorizerImpl(callContext.getRealmConfig()),
new ReservedProperties() {
@Override
public List<String> prefixes() {
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
index 606b23162..6aa54b111 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
@@ -228,8 +228,6 @@ public abstract class PolarisAuthzTestBase {
metaStoreManager =
managerFactory.getOrCreateMetaStoreManager(realmContext);
userSecretsManager =
userSecretsManagerFactory.getOrCreateUserSecretsManager(realmContext);
- polarisAuthorizer = new PolarisAuthorizerImpl();
-
polarisContext =
new PolarisCallContext(
realmContext,
@@ -240,6 +238,8 @@ public abstract class PolarisAuthzTestBase {
callContext = polarisContext;
realmConfig = polarisContext.getRealmConfig();
+ polarisAuthorizer = new
PolarisAuthorizerImpl(polarisContext.getRealmConfig());
+
PrincipalEntity rootPrincipal =
metaStoreManager.findRootPrincipal(polarisContext).orElseThrow();
this.authenticatedRoot = new AuthenticatedPolarisPrincipal(rootPrincipal,
Set.of());
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java
index 352a5276f..4c69be2d7 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java
@@ -313,7 +313,7 @@ public abstract class AbstractIcebergCatalogTest extends
CatalogTests<IcebergCat
metaStoreManager,
userSecretsManager,
securityContext,
- new PolarisAuthorizerImpl(),
+ new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
reservedProperties);
String storageLocation = "s3://my-bucket/path/to/data";
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java
index 67a112bd0..260f834fd 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java
@@ -182,7 +182,7 @@ public abstract class AbstractIcebergCatalogViewTest
extends ViewCatalogTests<Ic
metaStoreManager,
userSecretsManager,
securityContext,
- new PolarisAuthorizerImpl(),
+ new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
reservedProperties);
adminService.createCatalog(
new CreateCatalogRequest(
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java
index ef2046b82..6f4d7c23d 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java
@@ -173,7 +173,7 @@ public abstract class
AbstractPolarisGenericTableCatalogTest {
metaStoreManager,
userSecretsManager,
securityContext,
- new PolarisAuthorizerImpl(),
+ new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
reservedProperties);
String storageLocation = "s3://my-bucket/path/to/data";
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java
index dd26c7275..cf0717f54 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java
@@ -194,7 +194,7 @@ public abstract class AbstractPolicyCatalogTest {
metaStoreManager,
userSecretsManager,
securityContext,
- new PolarisAuthorizerImpl(),
+ new PolarisAuthorizerImpl(callContext.getRealmConfig()),
reservedProperties);
String storageLocation = "s3://my-bucket/path/to/data";
