Hi everyone,
I'd like to start a discussion regarding an API addition in the
PolarisAuthorizer.

We recently introduced fine-grained AuthorizableOperations[1], allowing a
single updateTable request to trigger multiple logical operations that each
require authorization checks. Currently, PolarisAuthorizer provides:

    void authorizeOrThrow(
        PolarisPrincipal principal,
        PolarisBaseEntity entity,
        PolarisAuthorizableOperation operation,
        @Nullable List<PolarisResolvedPathWrapper> targets,
        @Nullable List<PolarisResolvedPathWrapper> secondaries);

which can only check one operation at a time and is inefficient when
many fine-grained table update operations are combined in a single
updateTable request (e.g. CTAS).

The proposal is to introduce new APIs to authorize a batch of
AuthorizableOperations, each with the same set of targets and secondaries,
e.g.

    void authorizeOrThrow(
        PolarisPrincipal principal,
        Set<PolarisBaseEntity> activatedEntities,
        Set<PolarisAuthorizableOperation> operations,
        @Nullable List<PolarisResolvedPathWrapper> targets,
        @Nullable List<PolarisResolvedPathWrapper> secondaries);

This allows an authorizer implementation to perform a single batch check for
one updateTable call, which saves resources for OpaAuthorizer[2] or other
REST-based authorizers.
The implementation can be found in PR#2767[3].

I’d love to hear your thoughts. If there are (will be) any other proposed
API changes for PolarisAuthorizer, we could look into combining them for a
new version of the authorizer APIs together.

[1] https://github.com/apache/polaris/pull/2697
[2] https://github.com/apache/polaris/pull/2680
[3] https://github.com/apache/polaris/pull/2767

Best regards,
Jonas
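
Added example (not part of the original message and not Polaris code): a Java sketch contrasting per-operation and batch authorization against a remote policy backend, where any denied operation rejects the whole request. All types and names (Op, PolicyBackend, the principals, the table name) are hypothetical stand-ins for the Polaris classes named above, and treating an empty batch as an error is an assumption of this sketch.

```java
import java.util.*;

// Hypothetical stand-ins; the real Polaris types are not reproduced here.
public class BatchAuthorizeSketch {
  enum Op { UPDATE_TABLE, ADD_SCHEMA, SET_PROPERTIES, ASSIGN_UUID }

  // Constructed remote policy backend (e.g. a REST-based authorizer); counts round trips.
  static class PolicyBackend {
    int roundTrips = 0;
    private final Map<String, Set<Op>> grants;
    PolicyBackend(Map<String, Set<Op>> grants) { this.grants = grants; }

    // One request returns the subset of the requested operations that is denied.
    // The toy policy ignores the target and looks only at the principal's grants.
    Set<Op> denied(String principal, Set<Op> ops, String target) {
      roundTrips++;
      Set<Op> denied = EnumSet.noneOf(Op.class);
      denied.addAll(ops);
      denied.removeAll(grants.getOrDefault(principal, Set.of()));
      return denied;
    }
  }

  // Existing shape: one operation per call, so one round trip per operation.
  static void authorizeOrThrow(PolicyBackend b, String principal, Op op, String target) {
    authorizeOrThrow(b, principal, EnumSet.of(op), target);
  }

  // Batch shape: all operations share one target; a single denial rejects the request.
  static void authorizeOrThrow(PolicyBackend b, String principal, Set<Op> ops, String target) {
    // Assumption of this sketch: an empty batch is a caller bug, not an implicit allow.
    if (ops.isEmpty()) throw new IllegalArgumentException("no operations to authorize");
    Set<Op> denied = b.denied(principal, ops, target);
    if (!denied.isEmpty())
      throw new SecurityException(principal + " denied " + denied + " on " + target);
  }

  public static void main(String[] args) {
    Set<Op> request = EnumSet.of(Op.UPDATE_TABLE, Op.ADD_SCHEMA, Op.SET_PROPERTIES);
    PolicyBackend perOp = new PolicyBackend(Map.of("alice", EnumSet.allOf(Op.class)));
    for (Op op : request) authorizeOrThrow(perOp, "alice", op, "ns.t1");
    PolicyBackend batch = new PolicyBackend(Map.of("alice", EnumSet.allOf(Op.class)));
    authorizeOrThrow(batch, "alice", request, "ns.t1");
    System.out.println("round trips: per-op=" + perOp.roundTrips + " batch=" + batch.roundTrips);

    // Partially granted principal: the batch is rejected as a whole.
    PolicyBackend partial = new PolicyBackend(Map.of("bob", EnumSet.of(Op.UPDATE_TABLE)));
    try { authorizeOrThrow(partial, "bob", request, "ns.t1"); }
    catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```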