Re: [PR] Update PolarisAuthorizerImpl to use PolarisGrantManager interface and add EntityCache based PolarisGrantManager impl [polaris]

Wed, 11 Dec 2024 23:48:21 -0800 


collado-mike commented on code in PR #465:
URL: https://github.com/apache/polaris/pull/465#discussion_r1881527419


##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java:
##########
@@ -602,15 +606,25 @@ public boolean hasTransitivePrivilege(
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
+    PolarisGrantManager grantManager =
+        grantManagerFactory.getGrantManagerForRealm(
+            CallContext.getCurrentContext().getRealmContext());
+    PolarisCallContext callContext = 
CallContext.getCurrentContext().getPolarisCallContext();
 
     // Iterate starting at the parent, since the most common case should be to 
manage grants as
     // high up in the resource hierarchy as possible, so we expect earlier 
termination.
-    for (ResolvedPolarisEntity resolvedSecurableEntity : 
resolvedPath.getResolvedFullPath()) {
-      Preconditions.checkState(
-          resolvedSecurableEntity.getGrantRecordsAsSecurable() != null,
-          "Got null grantRecordsAsSecurable for resolvedSecurableEntity %s",
-          resolvedSecurableEntity);
-      for (PolarisGrantRecord grantRecord : 
resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+    for (PolarisEntity resolvedSecurableEntity : 
resolvedPath.getRawFullPath()) {
+      PolarisGrantManager.LoadGrantsResult grantsResult =
+          grantManager.loadGrantsOnSecurable(

Review Comment:
   This code, like the existing code, assumes that all of the entities are in 
the cache once the Resolver runs. That process puts all of the entities and 
their grants into the cache so that by the time the Authorizer retrieves the 
grants, it fetches them from the cache. This approach is basically hiding that 
fact by wrapping the cache in a `PolarisGrantManager`. The impact on cache hits 
is the same, but we can make other changes to the persistence interface and the 
principal role resolution without affecting the Authorizer.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to