sungwy commented on code in PR #4409:
URL: https://github.com/apache/polaris/pull/4409#discussion_r3237702728


##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java:
##########
@@ -38,26 +39,85 @@ public interface PolarisAuthorizer {
    * <p>This method should not perform authorization decisions directly.
    */
   void resolveAuthorizationInputs(
-      @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest 
request);
+      @Nonnull AuthorizationState authzState,
+      @Nonnull PolarisPrincipal polarisPrincipal,
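Review bot: adding `@Nonnull PolarisPrincipal polarisPrincipal` to `resolveAuthorizationInputs` changes the signature of a method on the `PolarisAuthorizer` interface, so every existing implementation stops compiling until it is updated. If authorizers are implemented outside this repository, consider a transition path (for example keeping the old signature deprecated for one release) or call out the break in the change notes. The part of the Javadoc visible here ends with "This method should not perform authorization decisions directly." and shows no `@param` text for the new argument. It would help to document that the principal is passed in only to resolve inputs and which principal the caller is expected to supply.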

Review Comment:
   Hi Dmitri, that's a good suggestion and I agree with the direction. 
Splitting the caller-facing API from the implementation/plugin SPI seems clean.
   
   One question I had while thinking about it: if we do that for 
`PolarisPrincipal`, do you think we should apply the same principle to 
`RealmContext` as well? Some authorizers may also need realm information as 
part of the effective auth context, so I’m curious whether you think those 
should be treated consistently or not.
   
   That said, I agree this is probably better left out of scope for this PR and 
handled in a follow-up.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.