gracechen09 opened a new pull request, #4398: URL: https://github.com/apache/polaris/pull/4398
This is phase 6 of [#3779](https://github.com/apache/polaris/issues/3779). Change 1: Resolve authz inputs using scoped resolution Before the change, OPA authorizer called `manifest.resolveAll()`, which resolves the caller principal, all principal roles and all requested paths. OPA authorizer authorizes based on `PolarisSecurable` intent in AuthorizationRequest and doesn't use resolved principal or role entities. After the change, `resolveAuthorizationInputs()` calls `manifest.resolveSelections()` with the input that OPA needs. Change 2: Block unsupported operations Before the change, `authorize()` handled all the operations. After the change, `authorize()` blocks the operations that target the `principal`, `principal_role` and `catalog_role` entity types. When using OPA, principals and roles are expected to be managed externally, therefore OPA should not handle the authorization from Polaris principal management API. ## Checklist - [ ] ๐ก๏ธ Don't disclose security issues! (contact [email protected]) - [ ] ๐ Clearly explained why the changes are needed, or linked related issues: Fixes # - [ ] ๐งช Added/updated tests with good coverage, or manually tested (and explained how) - [ ] ๐ก Added comments for complex logic - [ ] ๐งพ Updated `CHANGELOG.md` (if needed) - [ ] ๐ Updated documentation in `site/content/in-dev/unreleased` (if needed) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
