Re: [PR] Update PolarisAuthorizerImpl to use PolarisGrantManager interface and add EntityCache based PolarisGrantManager impl [polaris]

Tue, 03 Dec 2024 06:11:46 -0800 


dimas-b commented on code in PR #465:
URL: https://github.com/apache/polaris/pull/465#discussion_r1867791881


##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java:
##########
@@ -602,15 +606,25 @@ public boolean hasTransitivePrivilege(
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
+    PolarisGrantManager grantManager =
+        grantManagerFactory.getGrantManagerForRealm(
+            CallContext.getCurrentContext().getRealmContext());
+    PolarisCallContext callContext = 
CallContext.getCurrentContext().getPolarisCallContext();
 
     // Iterate starting at the parent, since the most common case should be to 
manage grants as
     // high up in the resource hierarchy as possible, so we expect earlier 
termination.
-    for (ResolvedPolarisEntity resolvedSecurableEntity : 
resolvedPath.getResolvedFullPath()) {
-      Preconditions.checkState(
-          resolvedSecurableEntity.getGrantRecordsAsSecurable() != null,
-          "Got null grantRecordsAsSecurable for resolvedSecurableEntity %s",
-          resolvedSecurableEntity);
-      for (PolarisGrantRecord grantRecord : 
resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+    for (PolarisEntity resolvedSecurableEntity : 
resolvedPath.getRawFullPath()) {
+      PolarisGrantManager.LoadGrantsResult grantsResult =
+          grantManager.loadGrantsOnSecurable(

Review Comment:
   This thread is about the overall assumptions on the consistency of data in 
storage in the presence of concurrent changes.
   
   With this code, grants for different objects in the same logical API-level 
operation may be loaded from different states of the data (e.g. results of two 
of more RDBMS transaction). So my question is whether this is a concern. I'm 
not proposing any particular approach, just wondering for my own understanding.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to