dimas-b commented on code in PR #3250:
URL: https://github.com/apache/polaris/pull/3250#discussion_r2608433021
##########
polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java:
##########
@@ -764,6 +794,17 @@ private ResolverStatus
resolveCallerPrincipalAndPrincipalRoles(
return new ResolverStatus(ResolverStatus.StatusEnum.SUCCESS);
}
+ private boolean isExternalPrincipal() {
+ return
Boolean.parseBoolean(polarisPrincipal.getProperties().getOrDefault("external",
"false"));
Review Comment:
WDYT about making `isExternal()` a method of `PolarisPrincipal`?
##########
polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java:
##########
@@ -744,13 +745,42 @@ private ResolverStatus resolvePaths(
private ResolverStatus resolveCallerPrincipalAndPrincipalRoles(
List<ResolvedPolarisEntity> toValidate) {
+ if (isExternalPrincipal()) {
+ PrincipalEntity externalPrincipal = createExternalPrincipalEntity();
+ this.resolvedCallerPrincipal =
+ new ResolvedPolarisEntity(
+ diagnostics,
+ externalPrincipal,
+ List.of(),
+ externalPrincipal.getGrantRecordsVersion());
+ this.resolvedEntriesById.put(
+ this.resolvedCallerPrincipal.getEntity().getId(),
this.resolvedCallerPrincipal);
+ this.resolvedCallerPrincipalRoles = List.of();
+ return new ResolverStatus(ResolverStatus.StatusEnum.SUCCESS);
+ }
+
// resolve the principal, by name or id
this.resolvedCallerPrincipal =
this.resolveByName(toValidate, PolarisEntityType.PRINCIPAL,
polarisPrincipal.getName());
// if the principal was not found, we can end right there
if (this.resolvedCallerPrincipal == null
|| this.resolvedCallerPrincipal.getEntity().isDropped()) {
+ if (isExternalPrincipal()) {
Review Comment:
can this be `true` without returning on line 759?
##########
runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/NoneTokenBrokerFactory.java:
##########
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.service.auth.internal.broker;
+
+import io.smallrye.common.annotation.Identifier;
+import jakarta.enterprise.context.ApplicationScoped;
+import org.apache.iceberg.exceptions.NotAuthorizedException;
+import org.apache.polaris.core.PolarisCallContext;
+import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import org.apache.polaris.service.auth.PolarisCredential;
+import org.apache.polaris.service.auth.internal.service.OAuthError;
+import org.apache.polaris.service.types.TokenType;
+
+/** A no-op token broker factory used when authentication is delegated to an
external IdP. */
+@ApplicationScoped
+@Identifier("none")
+public class NoneTokenBrokerFactory implements TokenBrokerFactory {
+
+ private static final TokenBroker DISABLED_TOKEN_BROKER =
+ new TokenBroker() {
+ @Override
+ public boolean supportsGrantType(String grantType) {
+ return false;
+ }
+
+ @Override
+ public boolean supportsRequestedTokenType(TokenType tokenType) {
+ return false;
+ }
+
+ @Override
+ public TokenResponse generateFromClientSecrets(
+ String clientId,
+ String clientSecret,
+ String grantType,
+ String scope,
+ TokenType requestedTokenType) {
+ return TokenResponse.of(OAuthError.invalid_request);
Review Comment:
I'm not sure about `invalid_request`... it may actually be well-formed...
How about `unsupported_grant_type`?
##########
polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java:
##########
@@ -744,13 +745,42 @@ private ResolverStatus resolvePaths(
private ResolverStatus resolveCallerPrincipalAndPrincipalRoles(
List<ResolvedPolarisEntity> toValidate) {
+ if (isExternalPrincipal()) {
+ PrincipalEntity externalPrincipal = createExternalPrincipalEntity();
Review Comment:
This is an entity without a (real) ID... Some it's a kind of ephemeral
entity... Would it be possible to avoid creating it at all?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
