sungwy opened a new pull request, #4409:
URL: https://github.com/apache/polaris/pull/4409

   
   This PR introduces a breaking change to the new authorization SPI 
request model to make authorization intent explicit and to separate 
single-request shape from batching. Handler call sites on main have not 
migrated to the new SPI yet, so these changes are safe to introduce. This is an 
alternative proposal to https://github.com/apache/polaris/pull/4201
   
   Changes are as follows:
   - remove AuthorizationTargetBinding
   - remove PolarisPrincipal from AuthorizationRequest (only has single 
operation + no target, single target or pairwise targets)
   - make AuthorizationRequest a sealed hierarchy of:
       - UntargetedAuthorizationRequest
       - SingleTargetAuthorizationRequest
       - PairwiseTargetAuthorizationRequest
   - model batching as List<AuthorizationRequest> for one principal, rather 
than one request with multiple bindings
   
   The benefit of this change is that it allows the `AuthorizationRequest` and 
the authorize SPI to explicitly encapsulate the relationship between the 
operation and the targets without leaving it to the `PolarisAuthorizer` 
implementation to interpret it.
   
   ### Batching
   
   In order to support this model, a batching SPI needs to be introduced. 
Batching consists of a single `PolarisPrincipal` and multiple 
`AuthorizationRequests`, and can represent:
   - one operation across multiple targets
   - genuinely multiple authorization intents in one handler flow (e.g. 
granular authorization for `updateTable`)
   
   Current batch behavior is intentionally conservative:
   
   - batch resolveAuthorizationInputs(...) is implementation-defined
   - built-in RBAC and OPA implementations resolve once per batch via shared 
resolveAll()
   - batch authorize(...) defaults to sequential evaluation
   - OPA now evaluates batches sequentially (this is a notable non-breaking, 
performance-impacting change)
   
   This preserves authorization outcomes while leaving room for 
PolarisAuthorizer implementations to introduce batching semantics in the 
downstream contract in the future.
   
   
   ## Checklist
   - [ ] ๐Ÿ›ก๏ธ Don't disclose security issues! (contact [email protected])
   - [x] ๐Ÿ”— Clearly explained why the changes are needed, or linked related 
issues: Fixes #
   - [x] ๐Ÿงช Added/updated tests with good coverage, or manually tested (and 
explained how)
   - [x] ๐Ÿ’ก Added comments for complex logic
   - [ ] ๐Ÿงพ Updated `CHANGELOG.md` (if needed)
   - [ ] ๐Ÿ“š Updated documentation in `site/content/in-dev/unreleased` (if needed)
   


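The request shapes and per-principal batch described in the pull request above, as an added sketch that is not code from the PR or from Polaris. The type names follow the description; the fields, the `String` stand-ins for principal, operation and target, the all-must-pass batch result, the empty-batch denial and the toy `allowed` policy are assumptions made for illustration.

```java
import java.util.List;

// Added sketch: type names come from the PR description; every field, method
// and policy rule below is an assumption, not Polaris's actual SPI.
public class AuthzBatchSketch {
  sealed interface AuthorizationRequest permits UntargetedAuthorizationRequest,
      SingleTargetAuthorizationRequest, PairwiseTargetAuthorizationRequest {
    String operation();
  }
  record UntargetedAuthorizationRequest(String operation) implements AuthorizationRequest {}
  record SingleTargetAuthorizationRequest(String operation, String target)
      implements AuthorizationRequest {}
  record PairwiseTargetAuthorizationRequest(String operation, String target, String secondary)
      implements AuthorizationRequest {}

  // Exhaustive switch over the sealed hierarchy: a new request shape fails to
  // compile here until it is handled, so no shape is silently left unchecked.
  static boolean authorize(String principal, AuthorizationRequest request) {
    return switch (request) {
      case UntargetedAuthorizationRequest r -> allowed(principal, r.operation(), List.of());
      case SingleTargetAuthorizationRequest r ->
          allowed(principal, r.operation(), List.of(r.target()));
      case PairwiseTargetAuthorizationRequest r ->
          allowed(principal, r.operation(), List.of(r.target(), r.secondary()));
    };
  }

  // One principal, many requests, evaluated sequentially. Assumed semantics:
  // every request must pass, and an empty batch is denied (fail closed).
  static boolean authorizeAll(String principal, List<AuthorizationRequest> batch) {
    if (batch.isEmpty()) return false;
    for (AuthorizationRequest request : batch) {
      if (!authorize(principal, request)) return false;
    }
    return true;
  }

  // Constructed toy policy: targets must sit under "<principal>."; the only
  // untargeted operation allowed is LIST_CATALOGS.
  static boolean allowed(String principal, String operation, List<String> targets) {
    if (targets.isEmpty()) return operation.equals("LIST_CATALOGS");
    return targets.stream().allMatch(t -> t.startsWith(principal + "."));
  }

  public static void main(String[] args) {
    List<AuthorizationRequest> batch = List.of( // constructed sample batch
        new SingleTargetAuthorizationRequest("UPDATE_TABLE", "alice.t1"),
        new PairwiseTargetAuthorizationRequest("RENAME_TABLE", "alice.t1", "bob.t2"));
    System.out.println("batch allowed for alice: " + authorizeAll("alice", batch));
  }
}
```

The pairwise request is checked against both of its targets in one decision, which is the operation-to-target relationship the description says should live in the request rather than in each authorizer's interpretation.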