This is an automated email from the ASF dual-hosted git repository.
adutra pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git
The following commit(s) were added to refs/heads/main by this push:
new 926e81dd0 Prefer PolarisPrincipal.getRoles in Resolver (#2925)
926e81dd0 is described below
commit 926e81dd07a9f5ef0ceeb003d15546395090e13d
Author: Christopher Lambert <[email protected]>
AuthorDate: Fri Oct 31 11:26:04 2025 +0100
Prefer PolarisPrincipal.getRoles in Resolver (#2925)
it should be sufficient to rely on `SecurityContext.getUserPrincipal`
alone, we dont need to call `isUserInRole` explicitly.
note due to the `ResolverTest` testing with non-existent roles we have
to add null-filtering to the `Resolver`.
---
.../core/persistence/resolver/Resolver.java | 29 ++++++++++------------
.../service/admin/PolarisAuthzTestBase.java | 29 ----------------------
.../AbstractPolarisGenericTableCatalogTest.java | 1 -
.../iceberg/AbstractIcebergCatalogTest.java | 1 -
.../iceberg/AbstractIcebergCatalogViewTest.java | 1 -
.../catalog/policy/AbstractPolicyCatalogTest.java | 1 -
6 files changed, 13 insertions(+), 49 deletions(-)
diff --git
a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java
b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java
index a4eaf3dfe..913086ce7 100644
---
a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java
+++
b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java
@@ -28,6 +28,7 @@ import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.polaris.core.PolarisCallContext;
@@ -69,7 +70,6 @@ public class Resolver {
// the id of the principal making the call or 0 if unknown
private final @Nonnull PolarisPrincipal polarisPrincipal;
- private final @Nonnull SecurityContext securityContext;
// reference catalog name for name resolution
private final String referenceCatalogName;
@@ -137,7 +137,6 @@ public class Resolver {
this.diagnostics = diagnostics;
this.polarisMetaStoreManager = polarisMetaStoreManager;
this.cache = cache;
- this.securityContext = securityContext;
this.referenceCatalogName = referenceCatalogName;
// validate inputs
@@ -467,11 +466,11 @@ public class Resolver {
// update all principal roles with latest
if (!this.resolvedCallerPrincipalRoles.isEmpty()) {
- List<ResolvedPolarisEntity> refreshedResolvedCallerPrincipalRoles =
- new ArrayList<>(this.resolvedCallerPrincipalRoles.size());
- this.resolvedCallerPrincipalRoles.forEach(
- ce ->
refreshedResolvedCallerPrincipalRoles.add(this.getFreshlyResolved(ce)));
- this.resolvedCallerPrincipalRoles =
refreshedResolvedCallerPrincipalRoles;
+ this.resolvedCallerPrincipalRoles =
+ resolvedCallerPrincipalRoles.stream()
+ .map(this::getFreshlyResolved)
+ .filter(Objects::nonNull)
+ .collect(Collectors.toList());
}
// update referenced catalog
@@ -776,13 +775,11 @@ public class Resolver {
/**
* Resolve all principal roles that the principal has grants for
*
- * @param toValidate
- * @param resolvedCallerPrincipal1
* @return the list of resolved principal roles the principal has grants for
*/
private List<ResolvedPolarisEntity> resolveAllPrincipalRoles(
- List<ResolvedPolarisEntity> toValidate, ResolvedPolarisEntity
resolvedCallerPrincipal1) {
- return resolvedCallerPrincipal1.getGrantRecordsAsGrantee().stream()
+ List<ResolvedPolarisEntity> toValidate, ResolvedPolarisEntity
callerPrincipal) {
+ return callerPrincipal.getGrantRecordsAsGrantee().stream()
.filter(gr -> gr.getPrivilegeCode() ==
PolarisPrivilege.PRINCIPAL_ROLE_USAGE.getCode())
.map(
gr ->
@@ -791,22 +788,22 @@ public class Resolver {
PolarisEntityType.PRINCIPAL_ROLE,
PolarisEntityConstants.getRootEntityId(),
gr.getSecurableId()))
+ .filter(Objects::nonNull)
.collect(Collectors.toList());
}
/**
- * Resolve the specified list of principal roles. The SecurityContext is
used to determine whether
- * the principal actually has the roles specified.
+ * Resolve the specified list of principal roles. The PolarisPrincipal is
used to determine
+ * whether the principal actually has the roles specified.
*
- * @param toValidate
- * @param roleNames
* @return the filtered list of resolved principal roles
*/
private List<ResolvedPolarisEntity> resolvePrincipalRolesByName(
List<ResolvedPolarisEntity> toValidate, Set<String> roleNames) {
return roleNames.stream()
- .filter(securityContext::isUserInRole)
+ .filter(roleName -> polarisPrincipal.getRoles().contains(roleName))
.map(roleName -> resolveByName(toValidate,
PolarisEntityType.PRINCIPAL_ROLE, roleName))
+ .filter(Objects::nonNull)
.collect(Collectors.toList());
}
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
index 6db99fb34..72f3b1a9e 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java
@@ -38,7 +38,6 @@ import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
-import java.util.stream.Collectors;
import org.apache.iceberg.CatalogProperties;
import org.apache.iceberg.Schema;
import org.apache.iceberg.catalog.Catalog;
@@ -69,7 +68,6 @@ import
org.apache.polaris.core.credentials.PolarisCredentialManager;
import org.apache.polaris.core.entity.CatalogEntity;
import org.apache.polaris.core.entity.CatalogRoleEntity;
import org.apache.polaris.core.entity.PolarisBaseEntity;
-import org.apache.polaris.core.entity.PolarisEntityType;
import org.apache.polaris.core.entity.PolarisPrivilege;
import org.apache.polaris.core.entity.PrincipalEntity;
import org.apache.polaris.core.entity.PrincipalRoleEntity;
@@ -77,7 +75,6 @@ import
org.apache.polaris.core.identity.provider.ServiceIdentityProvider;
import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
import org.apache.polaris.core.persistence.dao.entity.BaseResult;
-import org.apache.polaris.core.persistence.dao.entity.EntityResult;
import org.apache.polaris.core.persistence.dao.entity.PrivilegeResult;
import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
import org.apache.polaris.core.persistence.resolver.ResolutionManifestFactory;
@@ -464,34 +461,9 @@ public abstract class PolarisAuthzTestBase {
protected @Nonnull SecurityContext securityContext(PolarisPrincipal p) {
SecurityContext securityContext = Mockito.mock(SecurityContext.class);
Mockito.when(securityContext.getUserPrincipal()).thenReturn(p);
- Set<String> principalRoleNames = loadPrincipalRolesNames(p);
- Mockito.when(securityContext.isUserInRole(Mockito.anyString()))
- .thenAnswer(invocation ->
principalRoleNames.contains(invocation.getArgument(0)));
return securityContext;
}
- protected @Nonnull Set<String> loadPrincipalRolesNames(PolarisPrincipal p) {
- PolarisBaseEntity principal =
- metaStoreManager
- .findPrincipalByName(callContext.getPolarisCallContext(),
p.getName())
- .orElseThrow();
- return metaStoreManager
- .loadGrantsToGrantee(callContext.getPolarisCallContext(), principal)
- .getGrantRecords()
- .stream()
- .filter(gr -> gr.getPrivilegeCode() ==
PolarisPrivilege.PRINCIPAL_ROLE_USAGE.getCode())
- .map(
- gr ->
- metaStoreManager.loadEntity(
- callContext.getPolarisCallContext(),
- 0L,
- gr.getSecurableId(),
- PolarisEntityType.PRINCIPAL_ROLE))
- .map(EntityResult::getEntity)
- .map(PolarisBaseEntity::getName)
- .collect(Collectors.toSet());
- }
-
protected @Nonnull PrincipalEntity rotateAndRefreshPrincipal(
PolarisMetaStoreManager metaStoreManager,
String principalName,
@@ -524,7 +496,6 @@ public abstract class PolarisAuthzTestBase {
}
SecurityContext securityContext = Mockito.mock(SecurityContext.class);
Mockito.when(securityContext.getUserPrincipal()).thenReturn(authenticatedRoot);
-
Mockito.when(securityContext.isUserInRole(Mockito.anyString())).thenReturn(true);
PolarisPassthroughResolutionView passthroughView =
new PolarisPassthroughResolutionView(
resolutionManifestFactory, securityContext, CATALOG_NAME);
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/generic/AbstractPolarisGenericTableCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/generic/AbstractPolarisGenericTableCatalogTest.java
index 4f2ce23af..bef3a13ee 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/generic/AbstractPolarisGenericTableCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/generic/AbstractPolarisGenericTableCatalogTest.java
@@ -167,7 +167,6 @@ public abstract class
AbstractPolarisGenericTableCatalogTest {
securityContext = Mockito.mock(SecurityContext.class);
when(securityContext.getUserPrincipal()).thenReturn(authenticatedRoot);
- when(securityContext.isUserInRole(isA(String.class))).thenReturn(true);
PolarisAuthorizer authorizer = new PolarisAuthorizerImpl(realmConfig);
ReservedProperties reservedProperties = ReservedProperties.NONE;
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogTest.java
index 72cda7ecb..7a8e276b2 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogTest.java
@@ -316,7 +316,6 @@ public abstract class AbstractIcebergCatalogTest extends
CatalogTests<IcebergCat
securityContext = Mockito.mock(SecurityContext.class);
when(securityContext.getUserPrincipal()).thenReturn(authenticatedRoot);
- when(securityContext.isUserInRole(isA(String.class))).thenReturn(true);
PolarisAuthorizer authorizer = new PolarisAuthorizerImpl(realmConfig);
reservedProperties = new ReservedProperties() {};
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogViewTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogViewTest.java
index d6fc35005..46f72c0e8 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogViewTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/iceberg/AbstractIcebergCatalogViewTest.java
@@ -173,7 +173,6 @@ public abstract class AbstractIcebergCatalogViewTest
extends ViewCatalogTests<Ic
SecurityContext securityContext = Mockito.mock(SecurityContext.class);
when(securityContext.getUserPrincipal()).thenReturn(authenticatedRoot);
- when(securityContext.isUserInRole(Mockito.anyString())).thenReturn(true);
PolarisAuthorizer authorizer = new PolarisAuthorizerImpl(realmConfig);
ReservedProperties reservedProperties = ReservedProperties.NONE;
diff --git
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/policy/AbstractPolicyCatalogTest.java
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/policy/AbstractPolicyCatalogTest.java
index f03afecdb..bc185450b 100644
---
a/runtime/service/src/test/java/org/apache/polaris/service/catalog/policy/AbstractPolicyCatalogTest.java
+++
b/runtime/service/src/test/java/org/apache/polaris/service/catalog/policy/AbstractPolicyCatalogTest.java
@@ -188,7 +188,6 @@ public abstract class AbstractPolicyCatalogTest {
securityContext = Mockito.mock(SecurityContext.class);
when(securityContext.getUserPrincipal()).thenReturn(authenticatedRoot);
- when(securityContext.isUserInRole(isA(String.class))).thenReturn(true);
PolarisAuthorizer authorizer = new PolarisAuthorizerImpl(realmConfig);
ReservedProperties reservedProperties = ReservedProperties.NONE;
