sungwy commented on code in PR #4409:
URL: https://github.com/apache/polaris/pull/4409#discussion_r3336592521
##########
polaris-core/src/test/java/org/apache/polaris/core/auth/PolarisAuthorizerImplTest.java:
##########
@@ -205,19 +206,142 @@ void authorizeResolvesNamespaceTargetUsingCatalog() {
.getResolvedPath(ResolvedPathKey.of(List.of("ns"),
PolarisEntityType.NAMESPACE), true);
verify(authorizer)
.authorizeOrThrow(
- eq(request.getPrincipal()),
+ eq(principal),
eq(Set.of()),
eq(PolarisAuthorizableOperation.LIST_NAMESPACES),
eq(List.of(namespaceWrapper)),
eq(null));
}
+ @Test
+ void authorizeSingleOperationMultiIntentRequestEvaluatesSequentially() {
+ PolarisAuthorizerImpl authorizer = spy(new
PolarisAuthorizerImpl(mock(RealmConfig.class)));
+ AuthorizationState authzState = new AuthorizationState();
+ PolarisResolutionManifest manifest = mock(PolarisResolutionManifest.class);
+ PolarisResolvedPathWrapper firstCatalogWrapper =
mock(PolarisResolvedPathWrapper.class);
+ PolarisResolvedPathWrapper secondCatalogWrapper =
mock(PolarisResolvedPathWrapper.class);
+ PolarisPrincipal principal = PolarisPrincipal.of("alice", Map.of(),
Set.of("role"));
+
+ authzState.setResolutionManifest(manifest);
+ when(manifest.getResolvedTopLevelEntity("catalog1",
PolarisEntityType.CATALOG))
+ .thenReturn(firstCatalogWrapper);
+ when(manifest.getResolvedTopLevelEntity("catalog2",
PolarisEntityType.CATALOG))
+ .thenReturn(secondCatalogWrapper);
+
when(manifest.getAllActivatedCatalogRoleAndPrincipalRoles()).thenReturn(Set.of());
+ doNothing()
+ .when(authorizer)
+ .authorizeOrThrow(
+ any(PolarisPrincipal.class),
+ ArgumentMatchers.any(),
+ eq(PolarisAuthorizableOperation.GET_CATALOG),
+ ArgumentMatchers.any(),
+ ArgumentMatchers.<List<PolarisResolvedPathWrapper>>any());
+
+ AuthorizationDecision decision =
+ authorizer.authorize(
+ authzState,
+ new AuthorizationRequest(
+ principal,
+ List.of(
+ new SingleTargetAuthorizationIntent(
+ PolarisAuthorizableOperation.GET_CATALOG,
+ PolarisSecurable.of(
+ new PathSegment(PolarisEntityType.CATALOG,
"catalog1"))),
+ new SingleTargetAuthorizationIntent(
+ PolarisAuthorizableOperation.GET_CATALOG,
+ PolarisSecurable.of(
+ new PathSegment(PolarisEntityType.CATALOG,
"catalog2"))))));
+
+ assertThat(decision.isAllowed()).isTrue();
+ verify(authorizer, times(1))
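Review bot: The test name `authorizeSingleOperationMultiIntentRequestEvaluatesSequentially` promises an ordering guarantee, but the check that starts at `verify(authorizer, times(1))` counts invocations and says nothing about their order. Either rename the test to describe what it actually pins down (one `authorizeOrThrow` call per intent), or run the verifications through Mockito's `InOrder` if ordering is part of the contract. Since the `doNothing()` stub accepts any target list via `ArgumentMatchers.any()`, the verifications should also match `firstCatalogWrapper` and `secondCatalogWrapper` explicitly, so that a call made against the wrong resolved catalog fails the test instead of passing on call count alone.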
Review Comment:
Yeah, sorry - I think the naming of the test is what's causing the confusion
- what I mean to verify here is simply the current behavior of
`PolarisAuthorizerImpl`, which splits up the `AuthorizationRequest` by intent
and invokes `authorizeOrThrow` sequentially.
I'm not too concerned about verifying the ordered nature of those sequential
calls.