singhpk234 commented on code in PR #2048:
URL: https://github.com/apache/polaris/pull/2048#discussion_r2211134220
##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalog.java:
##########
@@ -525,16 +535,17 @@ private static Policy constructPolicy(PolicyEntity
policyEntity) {
.build();
}
- private static ApplicablePolicy constructApplicablePolicy(
- PolicyEntity policyEntity, boolean inherited) {
+ private ApplicablePolicy constructApplicablePolicy(PolicyEntity
policyEntity, boolean inherited) {
Namespace parentNamespace = policyEntity.getParentNamespace();
return ApplicablePolicy.builder()
.setPolicyType(policyEntity.getPolicyType().getName())
.setInheritable(policyEntity.getPolicyType().isInheritable())
.setName(policyEntity.getName())
.setDescription(policyEntity.getDescription())
- .setContent(policyEntity.getContent())
+ .setContent(
Review Comment:
We are just replacing the `get-applicable policy` with the context, its a
key point to resolve server side identity and the client engine doesn't even
needs to know about these as it might not even know user's identity (just has
token).
Now if the concern is we want to know exact policy one can just load it
right and we don't resolve context there :
please have a look in this API :
https://github.com/apache/polaris/blob/main/spec/polaris-catalog-service.yaml#L153
so IMHO this concern is addressed !
> this seems like a leakage of an access control mechanism outside of the
realm of PolarisAuthorizer
I thought about this really hard, even talked to folks inside, so far the
PolarisAuthorizer interface just Authorizes based on RBAC, now Authorzier
returning FGAC predicates and projections would require more thorough thought
I just followed the existing way of retriving the policies from persistence
and doing checks which policies apply to the caller ?
if we want to go on the route of supporting GetAccessControlPolicy via
Authorizer interface, Here is what I had in mind.
``` java
public interface FGACAwarePolarisAuthorizer extends PolarisAuthorizer {
default AuthorizationContext authorizeOrThrowWithFGAC(
@Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
@Nullable PolarisResolvedPathWrapper target,
@Nullable PolarisResolvedPathWrapper secondary) {
authorizeOrThrow(callContext, authenticatedPrincipal, activatedEntities,
authzOp, target, secondary);
// query policies from persistence and give back FGAC policy
// create AuthZ context
}
AuthorizationContext authorizeOrThrowWithFGAC(
@Nonnull CallContext callContext,
@Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
@Nonnull Set<PolarisBaseEntity> activatedEntities,
@Nonnull PolarisAuthorizableOperation authzOp,
@Nullable List<PolarisResolvedPathWrapper> targets,
@Nullable List<PolarisResolvedPathWrapper> secondaries) {
authorizeOrThrow(callContext, authenticatedPrincipal, activatedEntities,
authzOp, targets, secondaries);
// query policies from persistence and give back FGAC policy
// create AuthZ context
}
}
```
AuthorizationContext
- AccessControlPolicyContent
- Map<Object, Object> additionalParams
wdyt ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
