HonahX commented on code in PR #1416:
URL: https://github.com/apache/polaris/pull/1416#discussion_r2054444537
##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -141,4 +160,107 @@ private void authorizeBasicPolicyOperationOrThrow(
initializeCatalog();
}
+
+ private void authorizePolicyAttachmentOperationOrThrow(
+ PolicyIdentifier identifier, PolicyAttachmentTarget target, boolean
isAttach) {
+ resolutionManifest =
+ entityManager.prepareResolutionManifest(callContext, securityContext,
catalogName);
+ resolutionManifest.addPassthroughPath(
+ new ResolverPath(
+ PolarisCatalogHelpers.identifierToList(identifier.getNamespace(),
identifier.getName()),
+ PolarisEntityType.POLICY,
+ true /* optional */),
+ identifier);
+
+ switch (target.getType()) {
+ case CATALOG -> {}
+ case NAMESPACE -> {
+ Namespace targetNamespace = Namespace.of(target.getPath().toArray(new
String[0]));
+ resolutionManifest.addPath(
+ new ResolverPath(Arrays.asList(targetNamespace.levels()),
PolarisEntityType.NAMESPACE),
+ targetNamespace);
+ }
+ case TABLE_LIKE -> {
+ TableIdentifier targetIdentifier =
+ TableIdentifier.of(target.getPath().toArray(new String[0]));
+ resolutionManifest.addPath(
+ new ResolverPath(
+ PolarisCatalogHelpers.tableIdentifierToList(targetIdentifier),
+ PolarisEntityType.TABLE_LIKE),
+ targetIdentifier);
+ }
+ default -> throw new IllegalArgumentException("Unsupported target type:
" + target.getType());
+ }
+
+ ResolverStatus status = resolutionManifest.resolveAll();
+
+ throwNotFoundExceptionIfFailToResolve(status, identifier);
+
+ PolarisResolvedPathWrapper policyWrapper =
+ resolutionManifest.getPassthroughResolvedPath(
+ identifier, PolarisEntityType.POLICY,
PolarisEntitySubType.NULL_SUBTYPE);
+ if (policyWrapper == null) {
+ throw new NoSuchPolicyException(String.format("Policy does not exist:
%s", identifier));
+ }
+
+ PolarisResolvedPathWrapper targetWrapper =
+ PolicyCatalogUtils.getResolvedPathWrapper(resolutionManifest, target);
+
+ PolarisAuthorizableOperation op =
+ determinePolicyAttachmentOperation(target, targetWrapper, isAttach);
+
+ authorizer.authorizeOrThrow(
+ authenticatedPrincipal,
+ resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
+ op,
+ policyWrapper,
+ targetWrapper);
+
+ initializeCatalog();
+ }
+
+ private PolarisAuthorizableOperation determinePolicyAttachmentOperation(
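Review bot: In `authorizePolicyAttachmentOperationOrThrow`, `targetWrapper` is passed to `determinePolicyAttachmentOperation` and `authorizer.authorizeOrThrow` without the null check that `policyWrapper` gets a few lines earlier. Whether `PolicyCatalogUtils.getResolvedPathWrapper` can return null is not visible in this hunk, and `throwNotFoundExceptionIfFailToResolve` is given only the policy `identifier`, so it is unclear whether an unresolved target is rejected with an error that names the target. An explicit `if (targetWrapper == null)` guard that throws a not-found error for `target` before the authorizer call would make the method fail closed, instead of leaving the outcome to how a null securable is handled downstream. The `CATALOG` case adds no path to the manifest, so it is also worth confirming which wrapper the helper returns for it.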
Review Comment:
Good point! How about `determinePolicyMappingOperation`? This name should
represent both attachment and detachment.