sungwy commented on code in PR #3760:
URL: https://github.com/apache/polaris/pull/3760#discussion_r2841996926
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java:
##########
@@ -22,11 +22,47 @@
import jakarta.annotation.Nullable;
import java.util.List;
import java.util.Set;
+import org.apache.iceberg.exceptions.ForbiddenException;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
/** Interface for invoking authorization checks. */
public interface PolarisAuthorizer {
+ /**
+ * Resolve authorizer-specific inputs before authorization.
+ *
+ * <p>Implementations may resolve only the entities required for the request
(for example, the
+ * caller principal, principal roles, catalog roles, and requested targets)
and store that state
+ * in {@link AuthorizationState}.
+ *
+ * <p>This method should not perform authorization decisions directly.
+ */
+ void resolveAuthorizationInputs(
+ @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request);
+
+ /**
+ * Core authorization entry point for the new SPI.
+ *
+ * <p>Implementations should rely on any required state in {@link
AuthorizationState} and the
+ * intent captured by {@link AuthorizationRequest} (principal, operation,
and target securables).
+ */
+ @Nonnull
+ AuthorizationDecision authorizeDecision(
Review Comment:
yeah I initially had it as `authorize` and then renamed it because I thought
the new name implied that we are returning an `AuthorizationDecision`... but I
think I agree with you that it's more confusing. I'll take the suggestion and
revert it back
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
