sungwy opened a new pull request, #3427: URL: https://github.com/apache/polaris/pull/3427
<!-- 📝 Describe what changes you're proposing, especially breaking or user-facing changes. 📖 See https://github.com/apache/polaris/blob/main/CONTRIBUTING.md for more. --> Introduce path‑only resolution API in the resolver stack without changing handler or authorizer behavior. While working on a PR to move the principal, roles and entity resolution logic into the `PolarisAuthorizerImpl`, I learned that resolution is done for a few reasons: 1. Materializing the concrete entity/ID and hierarchy needed for execution (e.g., delete/rename/move, policy attach/detach, create under namespace). 2. Existence checks (return not‑found early, avoid operating on missing entities). 3. Providing resolved targets to the authorizer (entity IDs, types, and parent relationships) so auth decisions are based on authoritative state. While (2) and (3) can be moved into the `PolarisAuthorizer` in line with the suggestion discussed in this [PR comment](https://github.com/apache/polaris/pull/3228#issuecomment-3661802316), (1) needs to still be executed in the Handlers after a successful authorization. Hence, introducing this path-only resolution API will allow a follow‑up auth refactor to decouple execution‑time path resolution from (2) and (3) for authorizable actions that are only require entity or path resolution, without attempting to resolve the principal, or associated roles. ## Checklist - [ ] 🛡️ Don't disclose security issues! (contact [email protected]) - [ ] 🔗 Clearly explained why the changes are needed, or linked related issues: Fixes # - [ ] 🧪 Added/updated tests with good coverage, or manually tested (and explained how) - [ ] 💡 Added comments for complex logic - [ ] 🧾 Updated `CHANGELOG.md` (if needed) - [ ] 📚 Updated documentation in `site/content/in-dev/unreleased` (if needed) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
