From 82ee3db492ab33f839b5851f8fec8cfc266e8932 Mon Sep 17 00:00:00 2001 From: Christopher Lambert <1204398+XN137@users.noreply.github.com> Date: Wed, 13 Aug 2025 09:41:15 +0200 Subject: [PATCH] Make PolarisAuthorizer RequestScoped all methods in `PolarisAuthorizer` currently have a `CallContext` parameter. in its only implementation only `CallContext.getRealmConfig` is getting used. so since `PolarisAuthorizer` cant be used outside a request, we can simply make it request-scoped and inject the request-scoped `RealmConfig` directly. --- .../polaris/core/auth/PolarisAuthorizer.java | 3 --- .../core/auth/PolarisAuthorizerImpl.java | 17 ++++++++--------- .../service/admin/PolarisAdminService.java | 11 ----------- .../service/catalog/common/CatalogHandler.java | 6 ------ .../catalog/policy/PolicyCatalogHandler.java | 3 --- .../service/config/ServiceProducers.java | 12 ++++++------ .../service/admin/ManagementServiceTest.java | 2 +- .../service/admin/PolarisAuthzTestBase.java | 4 ++-- .../catalog/AbstractIcebergCatalogTest.java | 2 +- .../catalog/AbstractIcebergCatalogViewTest.java | 2 +- .../AbstractPolarisGenericTableCatalogTest.java | 2 +- .../catalog/AbstractPolicyCatalogTest.java | 2 +- 12 files changed, 21 insertions(+), 45 deletions(-) diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java index 0e35bf2f3a..31e69b0832 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java @@ -22,7 +22,6 @@ import jakarta.annotation.Nullable; import java.util.List; import java.util.Set; -import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; 
@@ -30,7 +29,6 @@ public interface PolarisAuthorizer { void authorizeOrThrow( - @Nonnull CallContext callContext, @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, @Nonnull Set activatedEntities, @Nonnull PolarisAuthorizableOperation authzOp, @@ -38,7 +36,6 @@ void authorizeOrThrow( @Nullable PolarisResolvedPathWrapper secondary); void authorizeOrThrow( - @Nonnull CallContext callContext, @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, @Nonnull Set activatedEntities, @Nonnull PolarisAuthorizableOperation authzOp, diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java index 6b582e7a77..baae15fc09 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java @@ -114,7 +114,7 @@ import java.util.stream.Collectors; import org.apache.iceberg.exceptions.ForbiddenException; import org.apache.polaris.core.config.FeatureConfiguration; -import org.apache.polaris.core.context.CallContext; +import org.apache.polaris.core.config.RealmConfig; import org.apache.polaris.core.entity.PolarisBaseEntity; import org.apache.polaris.core.entity.PolarisEntityConstants; import org.apache.polaris.core.entity.PolarisEntityCore; @@ -530,8 +530,12 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT)); } + private final RealmConfig realmConfig; + @Inject - public PolarisAuthorizerImpl() {} + public PolarisAuthorizerImpl(RealmConfig realmConfig) { + this.realmConfig = realmConfig; + } /** * Checks whether the {@code grantedPrivilege} is sufficient to confer {@code desiredPrivilege}, 
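Review bot: With the `CallContext` parameter removed from both `authorizeOrThrow` overloads, the interface no longer says which realm's configuration a call is evaluated against; that now depends on how the implementation was constructed. No Javadoc is visible on the interface, so I would add one on `PolarisAuthorizer`, for example `/** Implementations are bound to a single request and realm and must not be cached or shared across realms. */`. The signature change also breaks any out-of-tree implementation or caller, which deserves a changelog line if the interface is meant to be pluggable. The interface body continues outside the hunk.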
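Review bot: The new `PolarisAuthorizerImpl(RealmConfig realmConfig)` constructor stores its argument without a null check, so a null only surfaces later inside `authorizeOrThrow`, in the middle of an authorization decision. Failing at construction is clearer: `this.realmConfig = Objects.requireNonNull(realmConfig, "realmConfig");`, which needs `java.util.Objects` if the file does not already import it (the import block is only partly visible). A short comment on the field saying the instance is tied to one realm's configuration would help callers that construct it by hand, as the tests in this patch do.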
@@ -554,14 +558,12 @@ public boolean matchesOrIsSubsumedBy( @Override public void authorizeOrThrow( - @Nonnull CallContext callContext, @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, @Nonnull Set activatedEntities, @Nonnull PolarisAuthorizableOperation authzOp, @Nullable PolarisResolvedPathWrapper target, @Nullable PolarisResolvedPathWrapper secondary) { authorizeOrThrow( - callContext, authenticatedPrincipal, activatedEntities, authzOp, @@ -571,17 +573,14 @@ public void authorizeOrThrow( @Override public void authorizeOrThrow( - @Nonnull CallContext callContext, @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, @Nonnull Set activatedEntities, @Nonnull PolarisAuthorizableOperation authzOp, @Nullable List targets, @Nullable List secondaries) { boolean enforceCredentialRotationRequiredState = - callContext - .getRealmConfig() - .getConfig( - FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING); + realmConfig.getConfig( + FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING); if (enforceCredentialRotationRequiredState && authenticatedPrincipal .getPrincipalEntity() diff --git a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java index bfb77ac262..6b74cdbd17 100644 --- a/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java +++ b/runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java @@ -250,7 +250,6 @@ private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op) PolarisResolvedPathWrapper rootContainerWrapper = resolutionManifest.getResolvedRootContainerEntityAsPath(); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedPrincipalRoleEntities(), op, 
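Review bot: In the list-based `authorizeOrThrow` overload, `ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING` is now read from the injected `realmConfig` field rather than from the `CallContext` the caller passed in. The flag and the caller's resolved `activatedEntities` and `targets` are therefore only guaranteed to come from the same realm if every caller works in the request-scoped context. That appears to hold for the handlers touched in this patch, but it cannot be confirmed from this hunk. A why-comment above the read would record the assumption, e.g. `// realmConfig is the current request's realm config; callers must resolve entities in the same realm`. The method body continues outside the hunk.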
@@ -296,7 +295,6 @@ private void authorizeBasicTopLevelEntityOperationOrThrow( return; } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -318,7 +316,6 @@ private void authorizeBasicCatalogRoleOperationOrThrow( throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -349,7 +346,6 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -386,7 +382,6 @@ private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow( principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -417,7 +412,6 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( resolutionManifest.getResolvedTopLevelEntity(principalName, PolarisEntityType.PRINCIPAL); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -457,7 +451,6 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, 
@@ -488,7 +481,6 @@ private void authorizeGrantOnCatalogOperationOrThrow( PolarisResolvedPathWrapper catalogRoleWrapper = resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -529,7 +521,6 @@ private void authorizeGrantOnNamespaceOperationOrThrow( resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -576,7 +567,6 @@ private void authorizeGrantOnTableLikeOperationOrThrow( resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -616,7 +606,6 @@ private void authorizeGrantOnPolicyOperationOrThrow( resolutionManifest.getResolvedPath(catalogRoleName, true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, diff --git a/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java b/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java index 523369c7c9..6b2a8ae101 100644 --- a/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java +++ b/runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java @@ -142,7 +142,6 @@ protected void authorizeBasicNamespaceOperationOrThrow( throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, 
@@ -177,7 +176,6 @@ protected void authorizeCreateNamespaceUnderNamespaceOperationOrThrow( throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -216,7 +214,6 @@ protected void authorizeCreateTableLikeUnderNamespaceOperationOrThrow( throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -246,7 +243,6 @@ protected void authorizeBasicTableLikeOperationOrThrow( throwNotFoundExceptionForTableLikeEntity(identifier, List.of(subType)); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -298,7 +294,6 @@ protected void authorizeCollectionOfTableLikeOperationOrThrow( "View does not exist: %s", identifier))) .toList(); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -368,7 +363,6 @@ protected void authorizeRenameTableLikeOperationOrThrow( PolarisResolvedPathWrapper secondary = resolutionManifest.getResolvedPath(dst.namespace(), true); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, diff --git a/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java b/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java index c967f8971e..9421735998 100644 --- a/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java +++ b/runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java 
@@ -167,7 +167,6 @@ private void authorizeBasicPolicyOperationOrThrow( } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -212,7 +211,6 @@ private void authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation throw new NotFoundException("Catalog not found"); } authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, @@ -272,7 +270,6 @@ private void authorizePolicyMappingOperationOrThrow( determinePolicyMappingOperation(target, targetWrapper, isAttach); authorizer.authorizeOrThrow( - callContext, authenticatedPrincipal, resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), op, diff --git a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java index b83b68c0f6..9580fd5643 100644 --- a/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java +++ b/runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java @@ -133,12 +133,6 @@ public ResolutionManifestFactory resolutionManifestFactory(ResolverFactory resol return new ResolutionManifestFactoryImpl(resolverFactory); } - @Produces - @ApplicationScoped - public PolarisAuthorizer polarisAuthorizer() { - return new PolarisAuthorizerImpl(); - } - @Produces @Singleton public PolarisDiagnostics polarisDiagnostics() { @@ -170,6 +164,12 @@ public RealmConfig realmConfig(CallContext callContext) { return callContext.getRealmConfig(); } + @Produces + @RequestScoped + public PolarisAuthorizer polarisAuthorizer(RealmConfig realmConfig) { + return new PolarisAuthorizerImpl(realmConfig); + } + // Polaris service beans - selected from @Identifier-annotated beans @Produces 
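Review bot: Changing the `polarisAuthorizer` producer from `@ApplicationScoped` to `@RequestScoped` means any use without an active request context (a background task, a startup hook, an asynchronous cleanup thread) will now fail with a `ContextNotActiveException`. Whether such callers exist is not visible in this patch, so it is worth checking where `PolarisAuthorizer` is injected outside the REST handlers. I would also put the reason on the producer, e.g. `// Request-scoped: the authorizer reads per-realm feature flags from the request's RealmConfig.`, so that a later change does not widen the scope again and pin one realm's configuration for all requests.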
diff --git a/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java b/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java index edc011a803..aa9dd57343 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java @@ -201,7 +201,7 @@ public String getAuthenticationScheme() { return ""; } }, - new PolarisAuthorizerImpl(), + new PolarisAuthorizerImpl(callContext.getRealmConfig()), new ReservedProperties() { @Override public List prefixes() { diff --git a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java index 5e2b349d16..92baef53df 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java @@ -224,8 +224,6 @@ public void before(TestInfo testInfo) { metaStoreManager = managerFactory.getOrCreateMetaStoreManager(realmContext); userSecretsManager = userSecretsManagerFactory.getOrCreateUserSecretsManager(realmContext); - polarisAuthorizer = new PolarisAuthorizerImpl(); - polarisContext = new PolarisCallContext( realmContext, @@ -235,6 +233,8 @@ public void before(TestInfo testInfo) { callContext = polarisContext; + polarisAuthorizer = new PolarisAuthorizerImpl(polarisContext.getRealmConfig()); + PrincipalEntity rootPrincipal = metaStoreManager.findRootPrincipal(polarisContext).orElseThrow(); this.authenticatedRoot = new AuthenticatedPolarisPrincipal(rootPrincipal, Set.of()); 
diff --git a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java index b37447616a..423b597ce5 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java @@ -311,7 +311,7 @@ public void before(TestInfo testInfo) { metaStoreManager, userSecretsManager, securityContext, - new PolarisAuthorizerImpl(), + new PolarisAuthorizerImpl(polarisContext.getRealmConfig()), reservedProperties); String storageLocation = "s3://my-bucket/path/to/data"; diff --git a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java index b7ad589300..166fe8c127 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java @@ -179,7 +179,7 @@ public void before(TestInfo testInfo) { metaStoreManager, userSecretsManager, securityContext, - new PolarisAuthorizerImpl(), + new PolarisAuthorizerImpl(polarisContext.getRealmConfig()), reservedProperties); adminService.createCatalog( new CreateCatalogRequest( diff --git a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java index f2524798f9..23c2afc538 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java 
@@ -170,7 +170,7 @@ public void before(TestInfo testInfo) { metaStoreManager, userSecretsManager, securityContext, - new PolarisAuthorizerImpl(), + new PolarisAuthorizerImpl(polarisContext.getRealmConfig()), reservedProperties); String storageLocation = "s3://my-bucket/path/to/data"; diff --git a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java index dbfab7da25..978e729bb4 100644 --- a/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java +++ b/runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java @@ -195,7 +195,7 @@ public void before(TestInfo testInfo) { metaStoreManager, userSecretsManager, securityContext, - new PolarisAuthorizerImpl(), + new PolarisAuthorizerImpl(callContext.getRealmConfig()), reservedProperties); String storageLocation = "s3://my-bucket/path/to/data";