Re: [PR] Implement Finer Grained Operations and Privileges For Update Table [polaris]

[via GitHub]

HonahX commented on code in PR #2697:
URL: https://github.com/apache/polaris/pull/2697#discussion_r2404185059


##########
runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java:
##########
@@ -238,29 +241,52 @@ protected void 
authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
     initializeCatalog();
   }
 
+  /**
+   * Ensures resolution manifest is initialized for a table identifier. This 
allows checking
+   * catalog-level feature flags or other resolved entities before 
authorization. If already
+   * initialized, this is a no-op.
+   */
+  protected void ensureResolutionManifestForTable(TableIdentifier identifier) {
+    if (resolutionManifest == null) {
+      resolutionManifest =
+          resolutionManifestFactory.createResolutionManifest(
+              callContext, securityContext, catalogName);
+
+      // The underlying Catalog is also allowed to fetch "fresh" versions of 
the target entity.
+      resolutionManifest.addPassthroughPath(
+          new ResolverPath(
+              PolarisCatalogHelpers.tableIdentifierToList(identifier),
+              PolarisEntityType.TABLE_LIKE,
+              true /* optional */),
+          identifier);
+      resolutionManifest.resolveAll();
+    }
+  }

Review Comment:
   How about we just creating another helper in `icebergCatalogHandler`, like 
   ```java
   authorizeUpdateTableOperationOrThrow(
   UpdateTableRequest request,
   PolarisEntitySubType subType,
   TableIdentifier identifier,
   ) {
   // add path, resolve like normal
   
   // get catalog entity and verify the config
   
   getUpdateTableAuthorizableOperations(request);
   
   for (PolarisAuthorizableOperation op : ops) {
         authorizer.authorizeOrThrow(
             polarisPrincipal,
             resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
             op,
             target,
             null /* secondary */);
       }
   }
   ```
   So we do not have to resolve twice. It will indeed create some duplicated 
code, but that could be solved in future refactoring and is IMHO preferred than 
resolve path twice (assuming in some case EntityCache is not available)?
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org