sfc-gh-jojiang commented on code in PR #1421:
URL: https://github.com/apache/polaris/pull/1421#discussion_r2055008266
##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -161,6 +175,49 @@ private void authorizeBasicPolicyOperationOrThrow(
initializeCatalog();
}
+ private void authorizeGetApplicablePoliciesOperationOrThrow(
+ @Nullable Namespace namespace, @Nullable String targetName) {
+ if (namespace == null || namespace.isEmpty()) {
+ // catalog
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_CATALOG;
+ authorizeBasicCatalogOperationOrThrow(op);
+ } else if (Strings.isNullOrEmpty(targetName)) {
+ // namespace
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_NAMESPACE;
+ authorizeBasicNamespaceOperationOrThrow(op, namespace);
+ } else {
+ // table
+ TableIdentifier tableIdentifier = TableIdentifier.of(namespace,
targetName);
+ PolarisAuthorizableOperation op =
+ PolarisAuthorizableOperation.GET_APPLICABLE_POLICIES_ON_TABLE;
+ // only Iceberg tables are supported
+ authorizeBasicTableLikeOperationOrThrow(
+ op, PolarisEntitySubType.ICEBERG_TABLE, tableIdentifier);
+ }
+ }
+
+ private void
authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation op) {
+ resolutionManifest =
+ entityManager.prepareResolutionManifest(callContext, securityContext,
catalogName);
+ resolutionManifest.resolveAll();
+
+ PolarisResolvedPathWrapper targetCatalog =
+ resolutionManifest.getResolvedReferenceCatalogEntity();
+ if (targetCatalog == null) {
+ throw new NotFoundException("Catalog not found");
+ }
+ authorizer.authorizeOrThrow(
+ authenticatedPrincipal,
+ resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
+ op,
+ targetCatalog,
+ null /* secondary */);
+
+ initializeCatalog();
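Review bot: In `authorizeGetApplicablePoliciesOperationOrThrow`, the first branch (`namespace == null || namespace.isEmpty()`) never looks at `targetName`, so a call that passes a non-empty `targetName` without a namespace is authorized with `GET_APPLICABLE_POLICIES_ON_CATALOG` instead of being rejected. Consider throwing for that combination, or stating in a Javadoc that `targetName` is ignored when no namespace is given, so that the scope being authorized always matches the target the caller named. A smaller point in `authorizeBasicCatalogOperationOrThrow`: the `NotFoundException("Catalog not found")` message could include `catalogName` to make the failure easier to trace.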
Review Comment:
This is the time when the PolicyCatalog is initialized. The high-level
workflow is that for each REST request, we first initialize a
`PolicyCatalogHandler` and put entities into `resolutionManifest`, resolve and
do authorization; if the authorization passes, a `PolicyCatalog` is initialized
to handle the request. So a `PolicyCatalog` object is never reused after it
serves one request.