snazy commented on code in PR #2307: URL: https://github.com/apache/polaris/pull/2307#discussion_r2272615542
########## runtime/service/src/main/java/org/apache/polaris/service/auth/PersistedPolarisPrincipal.java: ########## @@ -0,0 +1,62 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth; + +import java.util.Map; +import java.util.Set; +import org.apache.polaris.core.auth.PolarisPrincipal; +import org.apache.polaris.core.entity.PrincipalEntity; +import org.apache.polaris.immutables.PolarisImmutable; + +/** + * A persisted {@link PolarisPrincipal}, exposing the underlying {@link PrincipalEntity}. + * + * <p>Note: This class is intended for internal use within the Polaris authentication system. + */ +@PolarisImmutable +abstract class PersistedPolarisPrincipal implements PolarisPrincipal { + + /** + * Creates a new instance of {@link PersistedPolarisPrincipal} from the given {@link + * PrincipalEntity} and roles. + */ + static PersistedPolarisPrincipal of(PrincipalEntity principalEntity, Set<String> principalRoles) { + return ImmutablePersistedPolarisPrincipal.builder() + .entity(principalEntity) + .roles(principalRoles) + .build(); + } + + abstract PrincipalEntity getEntity(); + + @Override + public final String getName() { + return getEntity().getName(); + } + + @Override + public final long getId() { + return getEntity().getId(); + } + + @Override + public final Map<String, String> getProperties() { + return getEntity().getInternalPropertiesAsMap(); Review Comment: Maybe make this a `@Value.Lazy` so the implicit JSON deserialization happens only once. ########## runtime/service/src/main/java/org/apache/polaris/service/auth/PolarisCredential.java: ########## @@ -21,19 +21,25 @@ import io.quarkus.security.credential.Credential; import jakarta.annotation.Nullable; import java.util.Set; +import org.apache.polaris.immutables.PolarisImmutable; /** - * Principal information extracted from authentication data (typically, an access token) by the - * configured authentication mechanism. Used to determine the principal id, name, and roles while - * authenticating a request. - * - * <p>This interface also implements Quarkus {@link Credential}, thus allowing it to be used as a - * {@linkplain io.quarkus.security.identity.SecurityIdentity#getCredential(Class) security identity - * credential}. - * - * @see DefaultAuthenticator + * A Quarkus Security {@link Credential} exposing Polaris-specific attributes: the principal id, + * name, and roles. */ -public interface PrincipalAuthInfo extends Credential { +@PolarisImmutable +public interface PolarisCredential extends Credential { + + static PolarisCredential of( + @Nullable Long getPrincipalId, + @Nullable String getPrincipalName, + Set<String> getPrincipalRoles) { + return ImmutablePolarisCredential.builder() + .principalId(getPrincipalId) + .principalName(getPrincipalName) + .principalRoles(getPrincipalRoles) Review Comment: ```suggestion static PolarisCredential of( @Nullable Long principalId, @Nullable String principalName, Set<String> principalRoles) { return ImmutablePolarisCredential.builder() .principalId(principalId) .principalName(principalName) .principalRoles(principalRoles) ``` ########## polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisPrincipal.java: ########## @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.core.auth; + +import java.security.Principal; +import java.util.Map; +import java.util.Set; +import org.apache.polaris.core.entity.PrincipalEntity; +import org.apache.polaris.immutables.PolarisImmutable; + +/** Represents a {@link Principal} in the Polaris system. */ +@PolarisImmutable +public interface PolarisPrincipal extends Principal { + + /** + * Creates a new instance of {@link PolarisPrincipal} from the given {@link PrincipalEntity} and + * roles. + * + * <p>The created principal will have the same ID and name as the {@link PrincipalEntity}, and its + * properties will be derived from the internal properties of the entity. + * + * @param principalEntity the principal entity representing the user or service + * @param roles the set of roles associated with the principal + */ + static PolarisPrincipal of(PrincipalEntity principalEntity, Set<String> roles) { + return of( + principalEntity.getId(), + principalEntity.getName(), + principalEntity.getInternalPropertiesAsMap(), + roles); + } + + /** + * Creates a new instance of {@link PolarisPrincipal} with the specified ID, name, roles, and + * properties. + * + * @param id the unique identifier of the principal + * @param name the name of the principal + * @param properties additional properties associated with the principal + * @param roles the set of roles associated with the principal + */ + static PolarisPrincipal of( + long id, String name, Map<String, String> properties, Set<String> roles) { + return ImmutablePolarisPrincipal.builder() + .id(id) + .name(name) + .properties(properties) + .roles(roles) + .build(); + } + + /** + * Returns the unique identifier of the principal. + * + * <p>This identifier is used to uniquely identify the principal within a Polaris realm. + */ + long getId(); Review Comment: We differentiate between persisted (`PersistedPolarisPrincipal`) and non-persistent ones. I wonder whether this getter should be present at all here. It could at least return an `OptionalLong` to make it clear that only persisted principals have an ID. WDYT? ########## runtime/service/src/main/java/org/apache/polaris/service/auth/external/OidcPolarisCredentialAugmentor.java: ########## @@ -78,26 +78,20 @@ public Uni<SecurityIdentity> augment( .select(Identifier.Literal.of(config.principalRolesMapper().type())) .get(); return Uni.createFrom() - .item(() -> setPrincipalAuthInfo(identity, principalMapper, principalRolesMapper)); + .item(() -> setPolarisCredential(identity, principalMapper, principalRolesMapper)); Review Comment: Nit: mind adding a comment that the two mappers may do expensive work, hence justifying the async call here? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
