flyrain commented on code in PR #1421:
URL: https://github.com/apache/polaris/pull/1421#discussion_r2054993355
##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -161,6 +175,49 @@ private void authorizeBasicPolicyOperationOrThrow(
initializeCatalog();
}
+ private void authorizeGetApplicablePoliciesOperationOrThrow(
+ @Nullable Namespace namespace, @Nullable String targetName) {
+ if (namespace == null || namespace.isEmpty()) {
+ // catalog
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_CATALOG;
+ authorizeBasicCatalogOperationOrThrow(op);
+ } else if (Strings.isNullOrEmpty(targetName)) {
+ // namespace
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_NAMESPACE;
+ authorizeBasicNamespaceOperationOrThrow(op, namespace);
+ } else {
+ // table
+ TableIdentifier tableIdentifier = TableIdentifier.of(namespace,
targetName);
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_TABLE;
+ // only Iceberg tables are supported
+ authorizeBasicTableLikeOperationOrThrow(
+ op, PolarisEntitySubType.ICEBERG_TABLE, tableIdentifier);
+ }
+ }
+
+ private void
authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation op) {
+ resolutionManifest =
+ entityManager.prepareResolutionManifest(callContext, securityContext,
catalogName);
+ resolutionManifest.resolveAll();
+
+ PolarisResolvedPathWrapper targetCatalog =
+ resolutionManifest.getResolvedReferenceCatalogEntity();
+ if (targetCatalog == null) {
+ throw new NotFoundException("Catalog not found");
+ }
+ authorizer.authorizeOrThrow(
+ authenticatedPrincipal,
+ resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
+ op,
+ targetCatalog,
+ null /* secondary */);
+
+ initializeCatalog();
Review Comment:
Just for my information: Is this mainly for refreshing the object
`resolutionManifest` in the `polarisCatalog`? I guess we could give a better
name to something like `reinitiatCatalog()`. Not a blocker though.
##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -161,6 +175,49 @@ private void authorizeBasicPolicyOperationOrThrow(
initializeCatalog();
}
+ private void authorizeGetApplicablePoliciesOperationOrThrow(
+ @Nullable Namespace namespace, @Nullable String targetName) {
+ if (namespace == null || namespace.isEmpty()) {
+ // catalog
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_CATALOG;
+ authorizeBasicCatalogOperationOrThrow(op);
+ } else if (Strings.isNullOrEmpty(targetName)) {
+ // namespace
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_NAMESPACE;
+ authorizeBasicNamespaceOperationOrThrow(op, namespace);
+ } else {
+ // table
+ TableIdentifier tableIdentifier = TableIdentifier.of(namespace,
targetName);
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_TABLE;
+ // only Iceberg tables are supported
+ authorizeBasicTableLikeOperationOrThrow(
+ op, PolarisEntitySubType.ICEBERG_TABLE, tableIdentifier);
+ }
+ }
+
+ private void
authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation op) {
+ resolutionManifest =
+ entityManager.prepareResolutionManifest(callContext, securityContext,
catalogName);
+ resolutionManifest.resolveAll();
+
+ PolarisResolvedPathWrapper targetCatalog =
+ resolutionManifest.getResolvedReferenceCatalogEntity();
+ if (targetCatalog == null) {
+ throw new NotFoundException("Catalog not found");
+ }
+ authorizer.authorizeOrThrow(
+ authenticatedPrincipal,
+ resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
+ op,
+ targetCatalog,
+ null /* secondary */);
Review Comment:
Nit: the comment seems unnecessary
##########
quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java:
##########
@@ -722,4 +722,68 @@ public void testDetachFromPolicyInsufficientPrivileges() {
newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1,
detachPolicyRequest);
}
+
+ @Test
+ public void testGetApplicablePoliciesOnCatalogSufficientPrivileges() {
+ doTestSufficientPrivileges(
+ List.of(
+ PolarisPrivilege.CATALOG_READ_PROPERTIES,
+ PolarisPrivilege.CATALOG_WRITE_PROPERTIES,
+ PolarisPrivilege.CATALOG_MANAGE_METADATA),
+ () -> newWrapper().getApplicablePolicies(null, null, null),
+ null /* cleanupAction */);
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnCatalogInsufficientPrivileges() {
+ doTestInsufficientPrivileges(
+ List.of(
+ PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+ PolarisPrivilege.POLICY_READ,
+ PolarisPrivilege.TABLE_READ_PROPERTIES),
+ () -> newWrapper().getApplicablePolicies(null, null, null));
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnNamespaceSufficientPrivileges() {
+ doTestSufficientPrivileges(
+ List.of(
+ PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+ PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES,
+ PolarisPrivilege.CATALOG_MANAGE_METADATA),
+ () -> newWrapper().getApplicablePolicies(NS1, null, null),
+ null /* cleanupAction */);
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnNamespaceInSufficientPrivileges() {
+ doTestInsufficientPrivileges(
+ List.of(
+ PolarisPrivilege.CATALOG_READ_PROPERTIES,
+ PolarisPrivilege.POLICY_READ,
+ PolarisPrivilege.TABLE_READ_PROPERTIES),
+ () -> newWrapper().getApplicablePolicies(NS1, null, null));
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnTableSufficientPrivileges() {
+ doTestSufficientPrivileges(
+ List.of(
+ PolarisPrivilege.TABLE_READ_PROPERTIES,
Review Comment:
Q: is there a namespace level read privilege can cascade to privilege
TABLE_READ_PROPERTIES?
##########
quarkus/service/src/test/java/org/apache/polaris/service/quarkus/catalog/PolicyCatalogHandlerAuthzTest.java:
##########
@@ -722,4 +722,68 @@ public void testDetachFromPolicyInsufficientPrivileges() {
newWrapper(Set.of(PRINCIPAL_ROLE2)).detachPolicy(POLICY_NS1_1,
detachPolicyRequest);
}
+
+ @Test
+ public void testGetApplicablePoliciesOnCatalogSufficientPrivileges() {
+ doTestSufficientPrivileges(
+ List.of(
+ PolarisPrivilege.CATALOG_READ_PROPERTIES,
+ PolarisPrivilege.CATALOG_WRITE_PROPERTIES,
+ PolarisPrivilege.CATALOG_MANAGE_METADATA),
+ () -> newWrapper().getApplicablePolicies(null, null, null),
+ null /* cleanupAction */);
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnCatalogInsufficientPrivileges() {
+ doTestInsufficientPrivileges(
+ List.of(
+ PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+ PolarisPrivilege.POLICY_READ,
+ PolarisPrivilege.TABLE_READ_PROPERTIES),
+ () -> newWrapper().getApplicablePolicies(null, null, null));
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnNamespaceSufficientPrivileges() {
+ doTestSufficientPrivileges(
+ List.of(
+ PolarisPrivilege.NAMESPACE_READ_PROPERTIES,
+ PolarisPrivilege.NAMESPACE_WRITE_PROPERTIES,
+ PolarisPrivilege.CATALOG_MANAGE_METADATA),
+ () -> newWrapper().getApplicablePolicies(NS1, null, null),
+ null /* cleanupAction */);
+ }
+
+ @Test
+ public void testGetApplicablePoliciesOnNamespaceInSufficientPrivileges() {
+ doTestInsufficientPrivileges(
+ List.of(
+ PolarisPrivilege.CATALOG_READ_PROPERTIES,
Review Comment:
Q: Does CATALOG_READ_PROPERTIES imply NAMESPACE_READ_PROPERTIES?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
