dimas-b commented on code in PR #3228:
URL: https://github.com/apache/polaris/pull/3228#discussion_r2599471490
##########
extensions/auth/opa/impl/src/main/java/org/apache/polaris/extension/auth/opa/OpaPolarisAuthorizer.java:
##########
@@ -95,6 +95,21 @@ public OpaPolarisAuthorizer(
this.objectMapper = objectMapper;
}
+ @Override
+ public boolean requiresPrincipalRoles() {
+ return false;
+ }
+
+ @Override
+ public boolean requiresCatalogRoles() {
+ return false;
+ }
+
+ @Override
+ public boolean requiresResolvedEntities() {
+ return false;
+ }
Review Comment:
@singhpk234 : I'm not sure what you mean by "delegated" AuthZ :thinking: The
`PolarisAuthorizer` interface has multiple implementations, but I do not think
this is "delegation" per se... Maybe I'm missing some context.
As far as the different (two in OSS) implementations of `PolarisAuthorizer`
are concerns, they have different requirements on the amount of input data they
require for making AuthZ decisions. These new interface methods are intended
(as far as I understand) to allow other Polaris classes to perform less work,
if some input data is not needed by a particular authorizer.
I suppose there will be other related code changes that expose the benefits
of the new methods added in this PR.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
