sungwy commented on code in PR #4409:
URL: https://github.com/apache/polaris/pull/4409#discussion_r3337445075
##########
polaris-core/src/test/java/org/apache/polaris/core/auth/PolarisAuthorizerImplTest.java:
##########
@@ -205,19 +206,142 @@ void authorizeResolvesNamespaceTargetUsingCatalog() {
.getResolvedPath(ResolvedPathKey.of(List.of("ns"),
PolarisEntityType.NAMESPACE), true);
verify(authorizer)
.authorizeOrThrow(
- eq(request.getPrincipal()),
+ eq(principal),
eq(Set.of()),
eq(PolarisAuthorizableOperation.LIST_NAMESPACES),
eq(List.of(namespaceWrapper)),
eq(null));
}
+ @Test
+ void authorizeSingleOperationMultiIntentRequestEvaluatesSequentially() {
+ PolarisAuthorizerImpl authorizer = spy(new
PolarisAuthorizerImpl(mock(RealmConfig.class)));
+ AuthorizationState authzState = new AuthorizationState();
+ PolarisResolutionManifest manifest = mock(PolarisResolutionManifest.class);
+ PolarisResolvedPathWrapper firstCatalogWrapper =
mock(PolarisResolvedPathWrapper.class);
+ PolarisResolvedPathWrapper secondCatalogWrapper =
mock(PolarisResolvedPathWrapper.class);
+ PolarisPrincipal principal = PolarisPrincipal.of("alice", Map.of(),
Set.of("role"));
+
+ authzState.setResolutionManifest(manifest);
+ when(manifest.getResolvedTopLevelEntity("catalog1",
PolarisEntityType.CATALOG))
+ .thenReturn(firstCatalogWrapper);
+ when(manifest.getResolvedTopLevelEntity("catalog2",
PolarisEntityType.CATALOG))
+ .thenReturn(secondCatalogWrapper);
+
when(manifest.getAllActivatedCatalogRoleAndPrincipalRoles()).thenReturn(Set.of());
+ doNothing()
+ .when(authorizer)
+ .authorizeOrThrow(
+ any(PolarisPrincipal.class),
+ ArgumentMatchers.any(),
+ eq(PolarisAuthorizableOperation.GET_CATALOG),
+ ArgumentMatchers.any(),
+ ArgumentMatchers.<List<PolarisResolvedPathWrapper>>any());
+
+ AuthorizationDecision decision =
+ authorizer.authorize(
+ authzState,
+ new AuthorizationRequest(
+ principal,
+ List.of(
+ new SingleTargetAuthorizationIntent(
+ PolarisAuthorizableOperation.GET_CATALOG,
+ PolarisSecurable.of(
+ new PathSegment(PolarisEntityType.CATALOG,
"catalog1"))),
+ new SingleTargetAuthorizationIntent(
+ PolarisAuthorizableOperation.GET_CATALOG,
+ PolarisSecurable.of(
+ new PathSegment(PolarisEntityType.CATALOG,
"catalog2"))))));
+
+ assertThat(decision.isAllowed()).isTrue();
+ verify(authorizer, times(1))
Review Comment:
I'll just leave it for now - it's an easy change but I'm focused on getting
this PR merged, so I'll keep your approval for now