sungwy commented on PR #3427:
URL: https://github.com/apache/polaris/pull/3427#issuecomment-3758074756

   > @sungwy : how do you envision choosing which `Resolver` method to use in runtime?
   
   Good question @dimas-b.
   
   Today we effectively hard-code the resolver choice in handlers. There are two call sites:
   
   * **Handlers** (`CatalogHandler`, `PolarisAdminService`)
     * resolve for **existence checks** before authorization
     * resolve again to **fetch entities for execution** after authorization
   * **Authorizers** (`PolarisAuthorizerImpl`, `OpaPolarisAuthorizer`)
     * implicitly depend on fully resolved entities to make authorization decisions
   
   If we introduce a new `PolarisAuthorizer` API that accepts *unresolved* `AuthorizationTarget`s and move **existence checks into the Authorizer**, then:
   * the **Authorizer** decides whether resolution is needed at all for that callsite, and which entities need resolution
   * unsupported actions can fail fast (e.g. `PrincipalRole` creation in `OpaPolarisAuthorizer`) without resolution
   * non Polaris-RBAC dependent authorizers can skip RBAC-entity resolution entirely
   
   **Before refactor** (handlers always resolve eagerly):
   
   | Callsite | Existence check (Handler) | Execution fetch (Handler) |
   |---------|----------------------------|----------------------------|
   | PolarisAuthorizerImpl – RBAC | `resolveAll()` | `resolveAll()` |
   | PolarisAuthorizerImpl – Catalog | `resolveAll()` | `resolveAll()` |
   | OpaPolarisAuthorizer – RBAC | `resolveAll()` | `resolveAll()` |
   | OpaPolarisAuthorizer – Catalog | `resolveAll()` | `resolveAll()` |
   
   **After refactor** (authorizer controls resolution):
   
   | Callsite | Existence check (Authorizer) | Execution fetch (Handler) |
   |---------|-------------------------------|----------------------------|
   | PolarisAuthorizerImpl – RBAC | `resolveAll()` | `resolveAll()` |
   | PolarisAuthorizerImpl – Catalog | `resolvePathsOnly()` | `resolvePathsOnly()` |
   | OpaPolarisAuthorizer – RBAC | **throw** (unsupported) | *skipped* |
   | OpaPolarisAuthorizer – Catalog | `resolvePathsOnly()` | `resolvePathsOnly()` |
   
   
   In summary: by moving existence checks into the Authorizer and standardizing catalog call sites on `resolvePathsOnly()`:
   * `OpaPolarisAuthorizer` can remain truly non-RBAC-dependent
   * unsupported actions fail early, before any metastore lookups
   * handlers do not need to understand authorization-specific resolution semantics
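
A sketch of the "after refactor" table, added here as an illustration; it is not part of the comment above and is not Polaris code. Only the method names `resolveAll()` and `resolvePathsOnly()` come from the thread; every type, the lookup cost model and the sample targets are hypothetical.

```java
import java.util.List;

// Hypothetical sketch: these types are stand-ins, not the Polaris classes.
public class AuthorizerDrivenResolution {
  enum Kind { RBAC, CATALOG }
  record Target(Kind kind, String name) {} // unresolved: identifier only

  // Stand-in resolver that counts metastore lookups (cost model is constructed).
  static class CountingResolver {
    int lookups = 0;
    void resolveAll(List<Target> t) { lookups += 2 * t.size(); }
    void resolvePathsOnly(List<Target> t) { lookups += t.size(); }
  }

  interface Authorizer {
    // Takes unresolved targets and decides what, if anything, to resolve.
    void authorize(List<Target> targets, CountingResolver r);
  }

  // Built-in RBAC: full resolution for RBAC targets, paths only for catalog targets.
  static class RbacAuthorizer implements Authorizer {
    public void authorize(List<Target> targets, CountingResolver r) {
      boolean rbac = targets.stream().anyMatch(t -> t.kind() == Kind.RBAC);
      if (rbac) r.resolveAll(targets); else r.resolvePathsOnly(targets);
    }
  }

  // External policy engine: rejects RBAC targets before any lookup happens.
  static class ExternalPolicyAuthorizer implements Authorizer {
    public void authorize(List<Target> targets, CountingResolver r) {
      for (Target t : targets)
        if (t.kind() == Kind.RBAC)
          throw new UnsupportedOperationException("unsupported target: " + t.name());
      r.resolvePathsOnly(targets);
    }
  }

  static String run(Authorizer a, Target t) {
    CountingResolver r = new CountingResolver();
    try {
      a.authorize(List.of(t), r);
      return "resolved, lookups=" + r.lookups;
    } catch (UnsupportedOperationException e) {
      return "rejected early, lookups=" + r.lookups;
    }
  }

  public static void main(String[] args) {
    Target role = new Target(Kind.RBAC, "analyst_role");    // constructed sample
    Target table = new Target(Kind.CATALOG, "ns1.events");  // constructed sample
    List<Authorizer> all = List.of(new RbacAuthorizer(), new ExternalPolicyAuthorizer());
    for (Authorizer a : all)
      for (Target t : List.of(role, table))
        System.out.println(a.getClass().getSimpleName() + " / " + t.kind() + ": " + run(a, t));
  }
}
```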

