Re: [PR] Authorizer: expose the required level of detail [polaris]

Tue, 09 Dec 2025 08:09:34 -0800 


dimas-b commented on code in PR #3228:
URL: https://github.com/apache/polaris/pull/3228#discussion_r2603336758


##########
extensions/auth/opa/impl/src/main/java/org/apache/polaris/extension/auth/opa/OpaPolarisAuthorizer.java:
##########
@@ -95,6 +95,21 @@ public OpaPolarisAuthorizer(
     this.objectMapper = objectMapper;
   }
 
+  @Override
+  public boolean requiresPrincipalRoles() {
+    return false;
+  }
+
+  @Override
+  public boolean requiresCatalogRoles() {
+    return false;
+  }
+
+  @Override
+  public boolean requiresResolvedEntities() {
+    return false;
+  }

Review Comment:
   @singhpk234 : Thanks for clarifying the meaning of "delegated authZ" in this 
context. I think I understand what you mean, although, I would not personally 
use the term "delegation" here as in the content of Auth N/Z it has a different 
meaning usually (acting on behalf of a different identity).
   
   Re: `SupportsDelegatedAuthZ` the implementation you propose is mostly 
equivalent to the state of the code in this PR, IMHO.
   
   However, there is a downside - as @snazy mentions, the callers would have to 
perform `instanceof` checks on the `PolarisAuthorizer` instances, which will 
complicate the code on the caller side. Plus, CDI will become much harder, 
because injection normally guarantees only the declared type of the variable in 
runtime. Sub-classing is not guaranteed to be exposed in injected objects in 
CDI... Sub-classes may be exposes "as is" or they may not be (e.g. proxies may 
be injected). All in all, this approach increases code complexity.
   
   If you have strong reasons to avoid introducing even byte-code compatible 
changes to `PolarisAuthorizer` (as in this PR). I'd proposed to move the 
methods from `SupportsDelegatedAuthZ` into a (new) `AuthorizationHints` 
interface to be produced from `PolarisAuthorizerFactory` and used at call sites 
that can optimize execution based on the information the new interface provides.
   
   @snazy @singhpk234 : WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to