sungwy opened a new issue, #3779:
URL: https://github.com/apache/polaris/issues/3779
### Is your feature request related to a problem? Please describe.
### Overview
This issue tracks the multi‑phase refactor of the PolarisAuthorizer SPI
described in
[RFC](https://docs.google.com/document/d/1OaiQG_C4-yUe0ihaDBxtw_mEcOOzUBnWPazzVbjQi5U/edit?tab=t.0#heading=h.dyow25dt9w1).
The goal of this refactoring is three folds:
- move resolution from Handler (like `CatalogHandler` or
`PolarisAdminService`) call sites to `PolarisAuthorizer` to enable
`PolarisAuthorizer` implementations to decide what to resolve (Principal, RBAC,
entities, paths, etc)
- update Authorization SPI to conform to broadly accepted standard
authorization intent as inputs to enhance its flexibility in introducing
integrations to more authorization standards as an interface
- Introduce a breaking change in `OpaPolarisAuthorizer`'s behavior to remove
dependency on Polaris native Principal and RBAC.
### Phases
- Phase 1 - New `PolarisAuthorizer` SPI + selective resolution API (not
called by any call sites): https://github.com/apache/polaris/pull/3760
- Phase 2 - Implement new SPI in `PolarisAuthorizerImpl` (not called by any
call sites)
- Phase 3 - Implement new SPI in`OpaPolarisAuthorizer` (not called by any
call sites)
- Phase 4 - Handler migration (resolution before authorization)
- Phase 5 - Handler migration (`authorizeOrThrow`)
- Phase 6 - `OpaPolarisAuthorizer`: breaking changes to skip Polaris native
principal and RBAC resolution
### Describe the solution you'd like
_No response_
### Describe alternatives you've considered
_No response_
### Additional context
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
