sungwy commented on code in PR #3250: URL: https://github.com/apache/polaris/pull/3250#discussion_r2608788954
########## runtime/service/src/main/java/org/apache/polaris/service/auth/internal/broker/NoneTokenBrokerFactory.java: ########## @@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth.internal.broker; + +import io.smallrye.common.annotation.Identifier; +import jakarta.enterprise.context.ApplicationScoped; +import org.apache.iceberg.exceptions.NotAuthorizedException; +import org.apache.polaris.core.PolarisCallContext; +import org.apache.polaris.core.persistence.PolarisMetaStoreManager; +import org.apache.polaris.service.auth.PolarisCredential; +import org.apache.polaris.service.auth.internal.service.OAuthError; +import org.apache.polaris.service.types.TokenType; + +/** A no-op token broker factory used when authentication is delegated to an external IdP. */ +@ApplicationScoped +@Identifier("none") +public class NoneTokenBrokerFactory implements TokenBrokerFactory { + + private static final TokenBroker DISABLED_TOKEN_BROKER = + new TokenBroker() { + @Override + public boolean supportsGrantType(String grantType) { + return false; + } + + @Override + public boolean supportsRequestedTokenType(TokenType tokenType) { + return false; + } + + @Override + public TokenResponse generateFromClientSecrets( + String clientId, + String clientSecret, + String grantType, + String scope, + TokenType requestedTokenType) { + return TokenResponse.of(OAuthError.invalid_request); Review Comment: That's a great suggestion - thank you! ########## polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java: ########## @@ -764,6 +794,17 @@ private ResolverStatus resolveCallerPrincipalAndPrincipalRoles( return new ResolverStatus(ResolverStatus.StatusEnum.SUCCESS); } + private boolean isExternalPrincipal() { + return Boolean.parseBoolean(polarisPrincipal.getProperties().getOrDefault("external", "false")); Review Comment: I think that's worth considering. I put it into `PolarisPrincipal` as a part of the property for now because it was already available, but I think adding it as an attribute or adding a class method that infers the property value is up for discussion ########## polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java: ########## @@ -744,13 +745,42 @@ private ResolverStatus resolvePaths( private ResolverStatus resolveCallerPrincipalAndPrincipalRoles( List<ResolvedPolarisEntity> toValidate) { + if (isExternalPrincipal()) { + PrincipalEntity externalPrincipal = createExternalPrincipalEntity(); + this.resolvedCallerPrincipal = + new ResolvedPolarisEntity( + diagnostics, + externalPrincipal, + List.of(), + externalPrincipal.getGrantRecordsVersion()); + this.resolvedEntriesById.put( + this.resolvedCallerPrincipal.getEntity().getId(), this.resolvedCallerPrincipal); + this.resolvedCallerPrincipalRoles = List.of(); + return new ResolverStatus(ResolverStatus.StatusEnum.SUCCESS); + } + // resolve the principal, by name or id this.resolvedCallerPrincipal = this.resolveByName(toValidate, PolarisEntityType.PRINCIPAL, polarisPrincipal.getName()); // if the principal was not found, we can end right there if (this.resolvedCallerPrincipal == null || this.resolvedCallerPrincipal.getEntity().isDropped()) { + if (isExternalPrincipal()) { Review Comment: It cannot - this was before I moved the condition upto line 748 to avoid principal resolution altogether if it is external. I'll remove this check here to remove redundancy ########## polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java: ########## @@ -744,13 +745,42 @@ private ResolverStatus resolvePaths( private ResolverStatus resolveCallerPrincipalAndPrincipalRoles( List<ResolvedPolarisEntity> toValidate) { + if (isExternalPrincipal()) { + PrincipalEntity externalPrincipal = createExternalPrincipalEntity(); Review Comment: That's a good question - I'm a bit confused about the role of `PrincipalEntity`. We do have a public method for `getResolvedCallerPrincipal()` that returns `resolvedCallerPrincipal`. It's not being used anywhere in the codebase today, but I thought it'd be safe to populate it as it requires it to be `@Nonnull`: https://github.com/apache/polaris/blob/23ba2a05adc9c75f3e72aaf2ca370b4886964328/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java#L272C19-L280 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
