collado-mike commented on code in PR #465:
URL: https://github.com/apache/polaris/pull/465#discussion_r1867125345


##########
polaris-core/src/main/java/org/apache/polaris/core/persistence/cache/EntityCacheGrantManager.java:
##########
@@ -0,0 +1,236 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.persistence.cache;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+import org.apache.polaris.core.PolarisCallContext;
+import org.apache.polaris.core.auth.PolarisGrantManager;
+import org.apache.polaris.core.context.RealmContext;
+import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntityConstants;
+import org.apache.polaris.core.entity.PolarisEntityCore;
+import org.apache.polaris.core.entity.PolarisEntityType;
+import org.apache.polaris.core.entity.PolarisGrantRecord;
+import org.apache.polaris.core.entity.PolarisPrivilege;
+import org.apache.polaris.core.persistence.BaseResult;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * PolarisGrantManger implementation that uses an EntityCache to retrieve 
entities and is backed by
+ * a delegate grant manager for persisting grant changes. This allows 
consumers to reuse cache
+ * entities without necessarily being aware of the {@link EntityCache} or the 
{@link
+ * EntityCacheEntry} specifics. Typically, the {@link
+ * org.apache.polaris.core.persistence.resolver.Resolver} is responsible for 
validating the cache
+ * state. This class does no validation of the entity version or the grant 
version of any cache
+ * record.
+ */
+public class EntityCacheGrantManager implements PolarisGrantManager {
+  private static final Logger LOGGER = 
LoggerFactory.getLogger(EntityCacheGrantManager.class);
+  private final PolarisGrantManager delegateGrantManager;
+  private final EntityCache entityCache;
+  private PolarisGrantRecord serviceAdminRootContainerGrant;
+  private PolarisBaseEntity serviceAdminEntity;
+
+  public static final class EntityCacheGrantManagerFactory implements 
PolarisGrantManager.Factory {
+    private final PolarisGrantManager.Factory delegateGrantManagerFactory;
+    private final RealmEntityCacheFactory realmEntityCacheFactory;
+
+    public EntityCacheGrantManagerFactory(
+        Factory delegateGrantManagerFactory, RealmEntityCacheFactory 
realmEntityCacheFactory) {
+      this.delegateGrantManagerFactory = delegateGrantManagerFactory;
+      this.realmEntityCacheFactory = realmEntityCacheFactory;
+    }
+
+    @Override
+    public PolarisGrantManager getGrantManagerForRealm(RealmContext realm) {
+      return new EntityCacheGrantManager(
+          delegateGrantManagerFactory.getGrantManagerForRealm(realm),
+          realmEntityCacheFactory.getOrCreateEntityCache(realm));
+    }
+  }
+
+  public EntityCacheGrantManager(
+      PolarisGrantManager delegateGrantManager, EntityCache entityCache) {
+    this.delegateGrantManager = delegateGrantManager;
+    this.entityCache = entityCache;
+  }
+
+  @Override
+  public @NotNull PrivilegeResult grantUsageOnRoleToGrantee(
+      @NotNull PolarisCallContext callCtx,
+      @Nullable PolarisEntityCore catalog,
+      @NotNull PolarisEntityCore role,
+      @NotNull PolarisEntityCore grantee) {
+    try {
+      return delegateGrantManager.grantUsageOnRoleToGrantee(callCtx, catalog, 
role, grantee);
+    } finally {
+      LOGGER.debug("Invalidating cache for role {} and grantee {}", role, 
grantee);
+      entityCache.removeCacheEntry(role);
+      entityCache.removeCacheEntry(grantee);
+    }
+  }
+
+  @Override
+  public @NotNull PrivilegeResult revokeUsageOnRoleFromGrantee(
+      @NotNull PolarisCallContext callCtx,
+      @Nullable PolarisEntityCore catalog,
+      @NotNull PolarisEntityCore role,
+      @NotNull PolarisEntityCore grantee) {
+    try {
+      return delegateGrantManager.revokeUsageOnRoleFromGrantee(callCtx, 
catalog, role, grantee);
+    } finally {
+      LOGGER.debug("Invalidating cache for role {} and grantee {}", role, 
grantee);
+      entityCache.removeCacheEntry(role);
+      entityCache.removeCacheEntry(grantee);
+    }
+  }
+
+  @Override
+  public @NotNull PrivilegeResult grantPrivilegeOnSecurableToRole(
+      @NotNull PolarisCallContext callCtx,
+      @NotNull PolarisEntityCore grantee,
+      @Nullable List<PolarisEntityCore> catalogPath,
+      @NotNull PolarisEntityCore securable,
+      @NotNull PolarisPrivilege privilege) {
+    try {
+      return delegateGrantManager.grantPrivilegeOnSecurableToRole(
+          callCtx, grantee, catalogPath, securable, privilege);
+    } finally {
+      LOGGER.debug("Invalidating cache for securable {} and grantee {}", 
securable, grantee);
+      entityCache.removeCacheEntry(securable);
+      entityCache.removeCacheEntry(grantee);
+    }
+  }
+
+  @Override
+  public @NotNull PrivilegeResult revokePrivilegeOnSecurableFromRole(
+      @NotNull PolarisCallContext callCtx,
+      @NotNull PolarisEntityCore grantee,
+      @Nullable List<PolarisEntityCore> catalogPath,
+      @NotNull PolarisEntityCore securable,
+      @NotNull PolarisPrivilege privilege) {
+    try {
+      return delegateGrantManager.revokePrivilegeOnSecurableFromRole(
+          callCtx, grantee, catalogPath, securable, privilege);
+    } finally {
+      LOGGER.debug("Invalidating cache for securable {} and grantee {}", 
securable, grantee);
+      entityCache.removeCacheEntry(securable);
+      entityCache.removeCacheEntry(grantee);
+    }
+  }
+
+  @Override
+  public @NotNull LoadGrantsResult loadGrantsOnSecurable(
+      @NotNull PolarisCallContext callCtx, long securableCatalogId, long 
securableId) {
+    EntityCacheLookupResult lookupResult =
+        entityCache.getOrLoadEntityById(callCtx, securableCatalogId, 
securableId);
+    if (lookupResult == null || lookupResult.getCacheEntry() == null) {
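Review bot: `loadGrantsOnSecurable` answers from `entityCache.getOrLoadEntityById` with no check of the entry's grant version, and the class Javadoc says this class does no such validation, so a cached entry can presumably still carry a grant that has already been revoked. The four grant/revoke methods above evict only from the `EntityCache` this instance holds, which would not cover a revoke that reached the store by another path (another process, or a grant manager not wrapped by this class). Since these records appear to feed authorization decisions, I would state the precondition on the method, for example `// Grants are served from the cache unvalidated; callers must have validated the grant version (e.g. via the Resolver) before authorizing on them.`, or re-validate here. The body of `loadGrantsOnSecurable` continues outside the quoted hunk, so what happens after the null check is not visible.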

Review Comment:
   yeah, the API separation still needs a lot of work. Originally, I wanted to 
break the cache methods out of the `PolarisMetaStoreManager` entirely, but 
without the DI support, it was too hard to cast underlying impls to the right 
interfaces. 
   
   But, in reality, this API skew has really always been there. It's just more 
clearly evident now that we're explicitly invoking `loadCachedEntryById` when 
`loadGrantsOnSecurable` is called. Previously, this was just hidden by the fact 
that the authorizer simply got passed the `ResolvedPolarisEntity` and the 
Resolver just loaded everything from the cache without any pretense of talking 
to the `PolarisMetaStoreManager`. 
   
   Eventually, I think the `EntityCache` and the `PolarisRemoteCache` types 
need to be addressed, but first is to encapsulate their usage into more 
generalized types so that they can be changed without impacting the rest of the 
calling code.


