Hi Sung,

Thanks a lot for putting together the doc and PR! I really appreciate the
effort you put into it. I’ve reviewed the doc and left some comments.
Overall, it’s a solid proposal and heading in the right direction. I’m also
excited that it could open the door to more advanced access control models
by providing more context in the future. For example, ABAC would be
possible when more resource/user attributes can be taken into account. That
of course won't be part of the current effort; it also needs more
discussion, but it's more tangible if we get started with OPA integration.

Yufei


On Wed, Oct 1, 2025 at 3:08 PM Sung Yun <[email protected]> wrote:

> Hi folks,
>
> I'm seeking feedback on an RFC to add Open Policy Agent (OPA) as an
> opt-in authorizer plugin for Polaris. The motivation is
> straightforward: as deployments scale, RBAC alone struggles with
> context (purpose of use, data sensitivity, workload identity) and
> often devolves into role explosion. Policy engines like OPA enable us
> to decouple policy from code and express richer attribute-based rules
> in Rego, improving auditability and testability without changing
> Polaris’ catalog semantics.
>
> Delegating policy decisions to OPA will also enable organizations to
> reuse their existing, centralized policy store. Polaris can run OPA
> locally as a sidecar while OPA fetches bundles from the centralized
> policy distribution pipeline, which may be a necessity due to a
> streamlined governance strategy.
>
> The proposal is ready for review (so is the PR) and has been
> intentionally designed to be safe to trial. The existing
> PolarisAuthorizerImpl will remain the default and the proposed
> OpaPolarisAuthorizer is strictly opt-in through configurations.
> Implementation details, configuration, and security options are in the
> RFC.
>
> I'd appreciate your review and feedback!
>
> Thanks,
> Sung
>
> Google Doc:
> https://docs.google.com/document/d/1HadMFygjbuZathZZPanO6cFVorx0Ju0FopkICxX1tCE/edit?tab=t.0
> PR: https://github.com/apache/polaris/pull/2680
>
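As an added illustration of the kind of attribute-based rule the RFC refers to (this is not code from the Polaris PR or the RFC, and the input document shape, package name, role names and tag names below are assumptions made for the example), a small Rego policy that grants a read based on the caller's clearance and purpose of use rather than on a role per table, together with unit tests that can be run with `opa test`:

```rego
package polaris.authz

import future.keywords.if
import future.keywords.in

# ASSUMED input shape (not Polaris' actual authorizer contract):
#   input.principal.roles            - list of role names
#   input.principal.attributes.clearance - "public" | "internal" | "confidential"
#   input.operation                  - e.g. "TABLE_READ"
#   input.resource.tags.sensitivity  - same vocabulary as clearance
#   input.resource.tags.allowed_purposes - list of purposes
#   input.context.purpose            - purpose of use declared by the workload

default allow := false

# Ordering of sensitivity levels, so "confidential" clearance covers "internal".
clearance_rank := {"public": 0, "internal": 1, "confidential": 2}

# Catalog admins (assumed role name) bypass the attribute checks.
allow if {
	"catalog_admin" in input.principal.roles
}

# Attribute-based read: the caller's clearance must cover the table's
# sensitivity and the declared purpose must be one the table permits.
# If any attribute is missing, the lookup is undefined and the rule does
# not fire, so the default deny applies.
allow if {
	input.operation == "TABLE_READ"
	clearance_rank[input.principal.attributes.clearance] >= clearance_rank[input.resource.tags.sensitivity]
	input.context.purpose in input.resource.tags.allowed_purposes
}

# Human-readable reasons for a deny, useful for audit logs.
reasons contains "clearance below resource sensitivity" if {
	clearance_rank[input.principal.attributes.clearance] < clearance_rank[input.resource.tags.sensitivity]
}

reasons contains "purpose not permitted for resource" if {
	not input.context.purpose in input.resource.tags.allowed_purposes
}

# Unit tests (constructed inputs). Run with: opa test .
test_analyst_reads_internal_for_permitted_purpose if {
	allow with input as {
		"principal": {"roles": ["analyst"], "attributes": {"clearance": "internal"}},
		"operation": "TABLE_READ",
		"resource": {"tags": {"sensitivity": "internal", "allowed_purposes": ["reporting"]}},
		"context": {"purpose": "reporting"},
	}
}

test_analyst_denied_on_confidential if {
	not allow with input as {
		"principal": {"roles": ["analyst"], "attributes": {"clearance": "internal"}},
		"operation": "TABLE_READ",
		"resource": {"tags": {"sensitivity": "confidential", "allowed_purposes": ["reporting"]}},
		"context": {"purpose": "reporting"},
	}
}

test_missing_purpose_is_denied if {
	not allow with input as {
		"principal": {"roles": ["analyst"], "attributes": {"clearance": "confidential"}},
		"operation": "TABLE_READ",
		"resource": {"tags": {"sensitivity": "internal", "allowed_purposes": ["reporting"]}},
		"context": {},
	}
}

test_admin_bypasses_attributes if {
	allow with input as {
		"principal": {"roles": ["catalog_admin"]},
		"operation": "TABLE_READ",
		"resource": {"tags": {"sensitivity": "confidential", "allowed_purposes": []}},
		"context": {},
	}
}
```

The default-deny plus undefined-on-missing-attribute behaviour is the property to check when trialling a policy like this: a request that omits an attribute should fall through to deny rather than match a broader rule, which is what the third test exercises.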
