collado-mike commented on code in PR #465:
URL: https://github.com/apache/polaris/pull/465#discussion_r1867137713


##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java:
##########
@@ -602,15 +606,25 @@ public boolean hasTransitivePrivilege(
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
+    PolarisGrantManager grantManager =
+        grantManagerFactory.getGrantManagerForRealm(
+            CallContext.getCurrentContext().getRealmContext());
+    PolarisCallContext callContext = 
CallContext.getCurrentContext().getPolarisCallContext();
 
     // Iterate starting at the parent, since the most common case should be to 
manage grants as
     // high up in the resource hierarchy as possible, so we expect earlier 
termination.
-    for (ResolvedPolarisEntity resolvedSecurableEntity : 
resolvedPath.getResolvedFullPath()) {
-      Preconditions.checkState(
-          resolvedSecurableEntity.getGrantRecordsAsSecurable() != null,
-          "Got null grantRecordsAsSecurable for resolvedSecurableEntity %s",
-          resolvedSecurableEntity);
-      for (PolarisGrantRecord grantRecord : 
resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+    for (PolarisEntity resolvedSecurableEntity : 
resolvedPath.getRawFullPath()) {
+      PolarisGrantManager.LoadGrantsResult grantsResult =
+          grantManager.loadGrantsOnSecurable(
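
Review bot: In the loop over `resolvedPath.getRawFullPath()`, the removed `Preconditions.checkState` on `getGrantRecordsAsSecurable()` has no visible counterpart for the value returned by `grantManager.loadGrantsOnSecurable(`, so a failed or empty load is not obviously handled before the grant records are iterated. Since this is the authorization path, check the `LoadGrantsResult` right after the call and treat anything other than a successful load as no privilege, or fail with a clear state error as the old precondition did. The top of the hunk also calls `CallContext.getCurrentContext()` twice; reading it once into a local would keep the realm context and the `PolarisCallContext` tied to the same context object.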

Review Comment:
   If this is a reference to the same 
`PolarisMetaStoreManagerImpl.loadCachedEntryById` and 
`PolarisMetaStoreManagerImpl.loadGrantsOnSecurable` API difference you call out 
below, I do think there's more work to line the cache up with the metastore API 
calls. Ultimately, I think the `PolarisServerImpl` should be fetching the same 
cached grant records that are being returned to the Authorizer so that the 
return values and the authz assertions are the same.


