collado-mike opened a new pull request, #465: URL: https://github.com/apache/polaris/pull/465
# Description

Currently, the `PolarisAuthorizer` implementation relies on the `ResolvedPolarisEntity` to return a list of grants for each entity in order to determine if a Principal has authorization to perform an operation on a given target. The grant records are populated by the `Resolver`, utilizing the `EntityCache` for a given realm to avoid unnecessary roundtrips to the persistence store for, e.g., the grants held by a given `PrincipalRole` or `CatalogRole`. Because the `PolarisAuthorizer` relies on the grant records in the `ResolvedPolarisEntity`, there's no opportunity to utilize custom grant logic (for example, to declare a target to be globally viewable or attach PrincipalRoles dynamically) without either updating the Resolver or writing custom grant records prior to the Resolver execution.

This change decouples the `PolarisAuthorizer` from the `ResolvedPolarisEntity` so that it depends entirely on the `PolarisGrantManager` to declare which grants exist on a securable. It implements an `EntityCacheGrantManager` that, under the hood, still works with the `EntityCache` so that the lookups from the `Resolver` populate the cache with both entities and grants. However, the `PolarisAuthorizer` doesn't need to know anything about the `EntityCache` or the `Resolver` types. For convenience, it still uses the `PolarisResolvedPathWrapper`, as it's still a useful container for passing around full paths for entities. The logic in the `PolarisAuthorizer` is unchanged and all tests still pass. An additional test class is added to verify the `EntityCacheGrantManager` works directly with the cache and will delegate to the underlying `PolarisGrantManager` when necessary.

Note that the logic that implicitly grants the `service_admin` role `SERVICE_MANAGE_ACCESS` privileges on the implicit root container has been moved to the `EntityCacheGrantManager`. I ran the tests without this move and they all still passed, so it seems that, at some point, the root container is being persisted and the grants are recorded. However, to ensure backward compatibility, I ported the logic. We may want to get rid of that at some point.

Fixes # (issue)

## Type of change

Please delete options that are not relevant.

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Documentation update
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

# How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

- [X] EntityCacheGrantManagerTest

**Test Configuration**:
* Hardware:
* Toolchain:
* SDK:

# Checklist:

Please delete options that are not relevant.

- [X] I have performed a self-review of my code
- [X] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [X] My changes generate no new warnings
- [ ] If adding new functionality, I have discussed my implementation with the community using the linked GitHub issue

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
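The decoupling described in the pull request above, sketched as an added example that is not part of the pull request and is not Polaris code: an authorizer that sees only a grant-manager interface, and a cache-backed implementation that delegates on a miss and supplies the implicit `service_admin` grant on the root container. All types, method names, the `root` key and the `EXAMPLE_READ` privilege are hypothetical; only `service_admin` and `SERVICE_MANAGE_ACCESS` come from the description.

```java
import java.util.*;

public class GrantManagerSketch {
    // Hypothetical, simplified types; not the Polaris classes or their signatures.
    record Grant(String securable, String grantee, String privilege) {}

    interface GrantManager {
        List<Grant> grantsOn(String securable);
    }

    // Cache-first lookup that falls back to the underlying manager on a miss.
    static class CachingGrantManager implements GrantManager {
        private final Map<String, List<Grant>> cache = new HashMap<>();
        private final GrantManager delegate;
        int delegateCalls = 0; // exposed so the fallback can be observed

        CachingGrantManager(GrantManager delegate) { this.delegate = delegate; }

        @Override
        public List<Grant> grantsOn(String securable) {
            List<Grant> grants = cache.computeIfAbsent(securable, s -> {
                delegateCalls++;
                return List.copyOf(delegate.grantsOn(s));
            });
            if (!securable.equals("root")) return grants;
            // The implicit root-container grant lives here, not in the authorizer.
            List<Grant> withImplicit = new ArrayList<>(grants);
            withImplicit.add(new Grant("root", "service_admin", "SERVICE_MANAGE_ACCESS"));
            return withImplicit;
        }
    }

    // The authorizer knows nothing about caches or resolvers, only the interface.
    static boolean isAuthorized(GrantManager gm, Set<String> activeRoles,
                                String securable, String privilege) {
        return gm.grantsOn(securable).stream().anyMatch(g ->
            g.privilege().equals(privilege) && activeRoles.contains(g.grantee()));
    }

    public static void main(String[] args) {
        Map<String, List<Grant>> store = Map.of( // constructed sample data
            "catalog1", List.of(new Grant("catalog1", "analyst", "EXAMPLE_READ")));
        CachingGrantManager gm = new CachingGrantManager(s -> store.getOrDefault(s, List.of()));
        System.out.println(isAuthorized(gm, Set.of("analyst"), "catalog1", "EXAMPLE_READ"));
        System.out.println(isAuthorized(gm, Set.of("analyst"), "catalog1", "EXAMPLE_READ"));
        System.out.println(isAuthorized(gm, Set.of("service_admin"), "root", "SERVICE_MANAGE_ACCESS"));
        System.out.println(isAuthorized(gm, Set.of("analyst"), "root", "SERVICE_MANAGE_ACCESS"));
        System.out.println("delegate calls: " + gm.delegateCalls);
    }
}
```

Because the authorizer takes the interface, custom grant logic of the kind the description mentions can be swapped in by passing a different `GrantManager`, with no change to `isAuthorized`.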
