sungwy commented on code in PR #4409:
URL: https://github.com/apache/polaris/pull/4409#discussion_r3234323190
##########
extensions/auth/opa/impl/src/main/java/org/apache/polaris/extension/auth/opa/OpaPolarisAuthorizer.java:
##########
@@ -109,25 +110,55 @@ public OpaPolarisAuthorizer(
*/
@Override
public void resolveAuthorizationInputs(
- @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request) {
+ @Nonnull AuthorizationState authzState,
+ @Nonnull PolarisPrincipal polarisPrincipal,
+ @Nonnull AuthorizationRequest request) {
+ authzState.getResolutionManifest().resolveAll();
+ }
+
+ @Override
+ public void resolveAuthorizationInputs(
+ @Nonnull AuthorizationState authzState,
+ @Nonnull PolarisPrincipal polarisPrincipal,
+ @Nonnull List<AuthorizationRequest> requests) {
+ Preconditions.checkArgument(
+ !requests.isEmpty(), "Authorization request batch must contain at
least one request");
authzState.getResolutionManifest().resolveAll();
}
@Override
@Nonnull
public AuthorizationDecision authorize(
- @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request) {
+ @Nonnull AuthorizationState authzState,
+ @Nonnull PolarisPrincipal polarisPrincipal,
+ @Nonnull AuthorizationRequest request) {
boolean allowed =
queryOpa(
buildOpaAuthorizationInput(
- request.getPrincipal(),
+ polarisPrincipal,
request.getOperation(),
toResourceEntitiesFromSecurables(request.getTargets()),
toResourceEntitiesFromSecurables(request.getSecondaries())));
return allowed
? AuthorizationDecision.allow()
: AuthorizationDecision.deny(
- "OPA denied authorization for " +
request.formatForAuthorizationMessage());
+ "OPA denied authorization for principal="
+ + polarisPrincipal.getName()
+ + " operation="
+ + request.getOperation());
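Review bot: In the deny branch of `authorize`, the new message keeps `principal=` and `operation=` but drops the output of `request.formatForAuthorizationMessage()`, and nothing in the visible lines records the targets or secondaries anywhere else, so the message alone no longer ties a denial to the resource it concerned. If the shorter text is deliberate for what the caller sees, state that in a code comment at this spot and log `request.getTargets()` and `request.getSecondaries()` server-side before returning the deny, so the audit trail keeps the detail. Separately, both `resolveAuthorizationInputs` overloads accept `polarisPrincipal` without using it and share the same `resolveAll()` body; the Javadoc should say that the parameter is unused in this implementation and why only the batch overload rejects an empty input.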
Review Comment:
Thanks Copilot. This was intentional, as it was suggested in a previous
discussion that hiding internal security semantics may be beneficial.