eric-maynard commented on code in PR #1416:
URL: https://github.com/apache/polaris/pull/1416#discussion_r2053509608


##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -141,4 +160,107 @@ private void authorizeBasicPolicyOperationOrThrow(
 
     initializeCatalog();
   }
+
+  private void authorizePolicyAttachmentOperationOrThrow(
+      PolicyIdentifier identifier, PolicyAttachmentTarget target, boolean 
isAttach) {
+    resolutionManifest =
+        entityManager.prepareResolutionManifest(callContext, securityContext, 
catalogName);
+    resolutionManifest.addPassthroughPath(
+        new ResolverPath(
+            PolarisCatalogHelpers.identifierToList(identifier.getNamespace(), 
identifier.getName()),
+            PolarisEntityType.POLICY,
+            true /* optional */),
+        identifier);
+
+    switch (target.getType()) {
+      case CATALOG -> {}
+      case NAMESPACE -> {
+        Namespace targetNamespace = Namespace.of(target.getPath().toArray(new 
String[0]));
+        resolutionManifest.addPath(
+            new ResolverPath(Arrays.asList(targetNamespace.levels()), 
PolarisEntityType.NAMESPACE),
+            targetNamespace);
+      }
+      case TABLE_LIKE -> {
+        TableIdentifier targetIdentifier =
+            TableIdentifier.of(target.getPath().toArray(new String[0]));
+        resolutionManifest.addPath(
+            new ResolverPath(
+                PolarisCatalogHelpers.tableIdentifierToList(targetIdentifier),
+                PolarisEntityType.TABLE_LIKE),
+            targetIdentifier);
+      }
+      default -> throw new IllegalArgumentException("Unsupported target type: 
" + target.getType());
+    }
+
+    ResolverStatus status = resolutionManifest.resolveAll();
+
+    throwNotFoundExceptionIfFailToResolve(status, identifier);
+
+    PolarisResolvedPathWrapper policyWrapper =
+        resolutionManifest.getPassthroughResolvedPath(
+            identifier, PolarisEntityType.POLICY, 
PolarisEntitySubType.NULL_SUBTYPE);
+    if (policyWrapper == null) {
+      throw new NoSuchPolicyException(String.format("Policy does not exist: 
%s", identifier));
+    }
+
+    PolarisResolvedPathWrapper targetWrapper =
+        PolicyCatalogUtils.getResolvedPathWrapper(resolutionManifest, target);
+
+    PolarisAuthorizableOperation op =
+        determinePolicyAttachmentOperation(target, targetWrapper, isAttach);
+
+    authorizer.authorizeOrThrow(
+        authenticatedPrincipal,
+        resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
+        op,
+        policyWrapper,
+        targetWrapper);
+
+    initializeCatalog();
+  }
+
+  private PolarisAuthorizableOperation determinePolicyAttachmentOperation(
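Review bot: `target.getPath()` is dereferenced in the NAMESPACE and TABLE_LIKE branches of `authorizePolicyAttachmentOperationOrThrow` with no null or empty check. A request whose target omits the path would therefore fail inside the authorization step with a NullPointerException rather than a clean client error. Unless the request model already guarantees a non-empty path (not visible here), a guard at the top of those two branches would help, for example `if (target.getPath() == null || target.getPath().isEmpty()) throw new IllegalArgumentException("Target path is required for type: " + target.getType());`, which matches the exception the `default` branch already throws. Separately, `NoSuchPolicyException` is raised before `authorizer.authorizeOrThrow` runs, so a principal without the required privilege can tell existing policies from missing ones; it is worth confirming that ordering is intended. The body of `determinePolicyAttachmentOperation` lies outside the quoted hunk.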

Review Comment:
   nit: this confused me when I first saw it called because it's talking about 
"Attachment" operations when half the time it's used for a "Detachment" 
operation. Maybe just `determineRequiredOperation` or something?


