adutra commented on code in PR #1478: URL: https://github.com/apache/polaris/pull/1478#discussion_r2069348091
########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: Review Comment: I would remove the example; it does not demonstrate "separation of security concerns across different realms". ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. Review Comment: ```suggestion A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environments or organizations to operate independently within the same Polaris deployment. ``` ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: + +`./gradlesw run -Dpolaris.bootstrap.credentials=POLARIS,root,secret +` +In this case POLARIS is the realm, root is the clientID and secret is the client secret. + +**ConfigurationScope:** Realm identifiers are used in various configurations, such as database paths: Review Comment: ```suggestion **Configuration Scope:** Realm identifiers are used in various configurations, such as connection strings, feature configurations, etc. ``` ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: + +`./gradlesw run -Dpolaris.bootstrap.credentials=POLARIS,root,secret +` +In this case POLARIS is the realm, root is the clientID and secret is the client secret. + +**ConfigurationScope:** Realm identifiers are used in various configurations, such as database paths: + +For example: + +`jdbc:h2:file:./build/test_data/polaris/{realm}/db +` +This ensures that each realm's data is stored separately. + +### How is it used in the system? + +**Authentication and Authorization:** For example, in `BasePolarisAuthenticator`, `RealmContext` is used to provide context about the current security domain, which is used to retrieve the correct `PolarisMetastoreManager` that manages all Polaris entities and associated grant records metadata for +authorization. + +**Isolation:** In methods like `createEntityManagerFactory(@Nonnull RealmContext realmContext)` from `PolarisEclipseLinkPersistenceUnit` interface, the realm context influence how resources are created or managed based on the security policies of that realm. Review Comment: This is very geared towards EclipseLink, I'd suggest to stay more generic. ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: + +`./gradlesw run -Dpolaris.bootstrap.credentials=POLARIS,root,secret +` +In this case POLARIS is the realm, root is the clientID and secret is the client secret. + +**ConfigurationScope:** Realm identifiers are used in various configurations, such as database paths: + +For example: + +`jdbc:h2:file:./build/test_data/polaris/{realm}/db +` +This ensures that each realm's data is stored separately. + +### How is it used in the system? + +**Authentication and Authorization:** For example, in `BasePolarisAuthenticator`, `RealmContext` is used to provide context about the current security domain, which is used to retrieve the correct `PolarisMetastoreManager` that manages all Polaris entities and associated grant records metadata for +authorization. + +**Isolation:** In methods like `createEntityManagerFactory(@Nonnull RealmContext realmContext)` from `PolarisEclipseLinkPersistenceUnit` interface, the realm context influence how resources are created or managed based on the security policies of that realm. +An example of this is the way a realm name is used to create a database connection url so that you have one database instance per realm, or it can be more granular and applied at primary key level (within the same database instance). + +**RealmContext:** It is a key concept used to identify and resolve the context in which operations are performed. For example `DefaultRealmContextResolver`, a realm is resolved from request headers, and operations are performed based on the resolved realm identifier. Review Comment: This imho should come as the first item, since this is a key component that is triggered even before the authentication phase. ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: + +`./gradlesw run -Dpolaris.bootstrap.credentials=POLARIS,root,secret +` +In this case POLARIS is the realm, root is the clientID and secret is the client secret. + +**ConfigurationScope:** Realm identifiers are used in various configurations, such as database paths: + +For example: Review Comment: I would again remove the example for a few reasons: 1. it implicitly refers to database-per-realm, but it's not the only enacted way of doing multitenancy at the persistence layer, we also agreed on single-database with realm in primary key. 2. It uses H2 and file system path, which is not a recommended approach. ########## site/content/in-dev/unreleased/realm.md: ########## @@ -0,0 +1,61 @@ +--- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +Title: Entities +type: docs +weight: 400 +--- + +This page explains what a realm is and what it is used for in Polaris. + +### What is it? + +A realm in Polaris serves as logical partitioning mechanism within the catalog system. This isolation allows for multitenancy, enabling different teams, environment or organizations to operate independently within the same Polaris deployment. + +### Key Characteristics + +**Isolation:** Each realm encapsulates its own set of resources, ensuring that operations, security breaches or policies in one realm do not affect others. + +**Authentication Context:** When configuring Polaris, credentials are associated with a specific realm. This allows for the separation of security concerns across different realms. + +For example: + +`./gradlesw run -Dpolaris.bootstrap.credentials=POLARIS,root,secret +` +In this case POLARIS is the realm, root is the clientID and secret is the client secret. + +**ConfigurationScope:** Realm identifiers are used in various configurations, such as database paths: + +For example: + +`jdbc:h2:file:./build/test_data/polaris/{realm}/db +` +This ensures that each realm's data is stored separately. + +### How is it used in the system? + +**Authentication and Authorization:** For example, in `BasePolarisAuthenticator`, `RealmContext` is used to provide context about the current security domain, which is used to retrieve the correct `PolarisMetastoreManager` that manages all Polaris entities and associated grant records metadata for +authorization. + +**Isolation:** In methods like `createEntityManagerFactory(@Nonnull RealmContext realmContext)` from `PolarisEclipseLinkPersistenceUnit` interface, the realm context influence how resources are created or managed based on the security policies of that realm. Review Comment: ```suggestion **Isolation:** In the persistence layer, the realm context influences how resources are created or managed based on the security policies of that realm. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
