adutra commented on issue #819: URL: https://github.com/apache/polaris/issues/819#issuecomment-2609569562
@collado-mike `RealmContextResolver` wasn't deleted, but renamed. Its default implementation is here now: https://github.com/apache/polaris/blob/390f1fa57bb1af24a21aa95fdbff49a46e31add7/service/common/src/main/java/org/apache/polaris/service/context/DefaultRealmIdResolver.java#L29 > The RealmIdFilter or RealmContextResolver must be executed prior to authentication - a caller can only be authenticated within a realm. Thanks for confirming, that was my conclusion as well. For the record, it was already being resolved prior to authentication, but with one annoying difference: the realm was being resolved as part of CDI resolution, see here: https://github.com/apache/polaris/blob/df538b3928d259e9ec0339d05b12ef6c73b55a15/quarkus/service/src/main/java/org/apache/polaris/service/quarkus/config/QuarkusProducers.java#L101-L110 While this works well in the happy case (the realm can be resolved), it throws HTTP 500 in the unhappy case of wrong realm. Hence the changes in this PR: realm resolution is moved to a pre-auth filter: https://github.com/apache/polaris/blob/9c454942cc12de03ed820dc324c90b7ff4e38341/service/common/src/main/java/org/apache/polaris/service/context/RealmIdFilter.java#L48-L56 The filter resolves the realm, then sets it as a request property. Then CDI now simply reads the realm ID from the request property and produces the request-scoped bean that will be injected everywhere: https://github.com/apache/polaris/blob/9c454942cc12de03ed820dc324c90b7ff4e38341/quarkus/service/src/main/java/org/apache/polaris/service/quarkus/config/QuarkusProducers.java#L101-L105 Does that make sense? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
