visit2rahul commented on code in PR #4420:
URL: https://github.com/apache/polaris/pull/4420#discussion_r3284684413
##########
extensions/auth/ranger/impl/src/main/java/org/apache/polaris/extension/auth/ranger/RangerPolarisAuthorizer.java:
##########
@@ -136,14 +131,8 @@ public void authorizeOrThrow(
}
try {
- if (enforceCredentialRotationRequiredState
- && authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS
- && polarisPrincipal
- .getProperties()
-
.containsKey(PolarisEntityConstants.PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE))
{
- throw new ForbiddenException(
- OPERATION_NOT_ALLOWED_FOR_USER_ERROR, polarisPrincipal.getName(),
authzOp.name());
- }
+ AuthorizationPreConditions.checkCredentialRotationRequired(
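Review bot: The added call to `AuthorizationPreConditions.checkCredentialRotationRequired(` is cut off before its arguments, so this hunk does not show whether the helper keeps all three conditions of the inline check it replaces: the `enforceCredentialRotationRequiredState` flag, the `authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS` exemption, and the `PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE` property lookup. Please confirm the helper receives the flag and `authzOp` and still throws `ForbiddenException` with `OPERATION_NOT_ALLOWED_FOR_USER_ERROR`. It should also be covered by a test in which a principal carrying the rotation-required property is denied an ordinary operation but can still perform `ROTATE_CREDENTIALS`; losing that exemption would block such a principal from rotating at all. A short Javadoc on the helper stating these conditions would help too, since they are no longer visible at the call site.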
Review Comment:
Thank you @dimas-b. Understood, makes sense.
@sungwy - could you weigh in here when you get a chance? Want to make sure
there is no design reason against enforcing this in `OpaPolarisAuthorizer` from
the OPA side before we proceed.