sungwy commented on PR #2680:
URL: https://github.com/apache/polaris/pull/2680#issuecomment-3392293058

   > Will post my complete review soon. Adding one thing first: currently all
   > grant and revoke privilege operations (e.g. `grantPrivilegeOnCatalogToRole`)
   > won’t work as expected, since these mappings have to happen on the OPA side. How
   > do we position these APIs? If we still want to support them within Polaris, we
   > need new interfaces between the OPA service and Polaris. I think the least
   > we could do now is block these operations for the OPA authorizer. Given the
   > current PR is large, I’m OK to leave it to another PR. Thanks @singhpk234 for
   > bringing it up for discussion.
   
   Hi @flyrain - I agree! In our planned architecture, we are thinking of 
returning `false` on the Management APIs through the OPA Server rego. But I 
agree that we should review whether it would make sense to just systematically 
fail on these actions within the OpaPolarisAuthorizer itself before sending the 
request to OPA.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
