Re: [PR] Implement PolicyCatalogAdapter [polaris]

via GitHub Thu, 24 Apr 2025 22:22:14 -0700


flyrain commented on code in PR #1438:
URL: https://github.com/apache/polaris/pull/1438#discussion_r2059561552



##########
regtests/t_spark_sql/ref/spark_sql_basic.sh.ref:
##########
@@ -1,4 +1,4 @@
-{"defaults":{"default-base-location":"file:///tmp/spark_sql_s3_catalog"},"overrides":{"prefix":"spark_sql_basic_catalog"},"endpoints":["GET
 /v1/{prefix}/namespaces","GET /v1/{prefix}/namespaces/{namespace}","HEAD 
/v1/{prefix}/namespaces/{namespace}","POST /v1/{prefix}/namespaces","POST 
/v1/{prefix}/namespaces/{namespace}/properties","DELETE 
/v1/{prefix}/namespaces/{namespace}","GET 
/v1/{prefix}/namespaces/{namespace}/tables","GET 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","HEAD 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","POST 
/v1/{prefix}/namespaces/{namespace}/tables","POST 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","DELETE 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","POST 
/v1/{prefix}/tables/rename","POST 
/v1/{prefix}/namespaces/{namespace}/register","POST 
/v1/{prefix}/namespaces/{namespace}/tables/{table}/metrics","POST 
/v1/{prefix}/transactions/commit","GET 
/v1/{prefix}/namespaces/{namespace}/views","GET 
/v1/{prefix}/namespaces/{namespace}/view
 s/{view}","HEAD /v1/{prefix}/namespaces/{namespace}/views/{view}","POST 
/v1/{prefix}/namespaces/{namespace}/views","POST 
/v1/{prefix}/namespaces/{namespace}/views/{view}","DELETE 
/v1/{prefix}/namespaces/{namespace}/views/{view}","POST 
/v1/{prefix}/views/rename","POST /v1/{prefix}/transactions/commit","GET 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables","POST 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables","DELETE 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables/{generic-table}","GET 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables/{generic-table}"]}
+{"defaults":{"default-base-location":"file:///tmp/spark_sql_s3_catalog"},"overrides":{"prefix":"spark_sql_basic_catalog"},"endpoints":["GET
 /v1/{prefix}/namespaces","GET /v1/{prefix}/namespaces/{namespace}","HEAD 
/v1/{prefix}/namespaces/{namespace}","POST /v1/{prefix}/namespaces","POST 
/v1/{prefix}/namespaces/{namespace}/properties","DELETE 
/v1/{prefix}/namespaces/{namespace}","GET 
/v1/{prefix}/namespaces/{namespace}/tables","GET 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","HEAD 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","POST 
/v1/{prefix}/namespaces/{namespace}/tables","POST 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","DELETE 
/v1/{prefix}/namespaces/{namespace}/tables/{table}","POST 
/v1/{prefix}/tables/rename","POST 
/v1/{prefix}/namespaces/{namespace}/register","POST 
/v1/{prefix}/namespaces/{namespace}/tables/{table}/metrics","POST 
/v1/{prefix}/transactions/commit","GET 
/v1/{prefix}/namespaces/{namespace}/views","GET 
/v1/{prefix}/namespaces/{namespace}/view
 s/{view}","HEAD /v1/{prefix}/namespaces/{namespace}/views/{view}","POST 
/v1/{prefix}/namespaces/{namespace}/views","POST 
/v1/{prefix}/namespaces/{namespace}/views/{view}","DELETE 
/v1/{prefix}/namespaces/{namespace}/views/{view}","POST 
/v1/{prefix}/views/rename","POST /v1/{prefix}/transactions/commit","GET 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables","POST 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables","DELETE 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables/{generic-table}","GET 
polaris/v1/{prefix}/namespaces/{namespace}/generic-tables/{generic-table}","GET 
/polaris/v1/{prefix}/namespaces/{namespace}/policies","POST 
/polaris/v1/{prefix}/namespaces/{namespace}/policies","GET 
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}","PUT 
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}","DELETE 
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}","PUT 
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{pol
 icy-name}/mappings","POST 
/polaris/v1/{prefix}/namespaces/{namespace}/policies/{policy-name}/mappings","GET
 /polaris/v1/{prefix}/applicable-policies"]}

Review Comment:
   Should we change other related files as well, like `spark_sql_s3.sh.ref`, 
`spark_sql_gcp.sh.ref`, etc. like #1454 did. 



##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java:
##########
@@ -72,6 +73,8 @@ public PolicyCatalogHandler(
 
   @Override
   protected void initializeCatalog() {
+    FeatureConfiguration.enforceFeatureEnabledOrThrow(
+        callContext, FeatureConfiguration.ENABLE_POLICY_STORE);

Review Comment:
   This seems a bit weird to me. Why do we enforce feature configure here and 
only here? Shouldn't we enforce that in each method of class 
`PolicyCatalogAdapter`?



##########
service/common/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogAdapter.java:
##########
@@ -0,0 +1,213 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.service.catalog.policy;
+
+import jakarta.enterprise.context.RequestScoped;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.SecurityContext;
+import org.apache.iceberg.catalog.Namespace;
+import org.apache.iceberg.exceptions.NotAuthorizedException;
+import org.apache.iceberg.rest.RESTUtil;
+import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
+import org.apache.polaris.core.auth.PolarisAuthorizer;
+import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.context.RealmContext;
+import org.apache.polaris.core.persistence.PolarisEntityManager;
+import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
+import org.apache.polaris.core.policy.PolicyType;
+import org.apache.polaris.service.catalog.CatalogPrefixParser;
+import org.apache.polaris.service.catalog.api.PolarisCatalogPolicyApiService;
+import org.apache.polaris.service.catalog.common.CatalogAdapter;
+import org.apache.polaris.service.types.AttachPolicyRequest;
+import org.apache.polaris.service.types.CreatePolicyRequest;
+import org.apache.polaris.service.types.DetachPolicyRequest;
+import org.apache.polaris.service.types.GetApplicablePoliciesResponse;
+import org.apache.polaris.service.types.ListPoliciesResponse;
+import org.apache.polaris.service.types.LoadPolicyResponse;
+import org.apache.polaris.service.types.PolicyIdentifier;
+import org.apache.polaris.service.types.UpdatePolicyRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@RequestScoped
+public class PolicyCatalogAdapter implements PolarisCatalogPolicyApiService, 
CatalogAdapter {
+  private static final Logger LOGGER = 
LoggerFactory.getLogger(PolicyCatalogAdapter.class);
+
+  private final RealmContext realmContext;
+  private final CallContext callContext;
+  private final PolarisEntityManager entityManager;
+  private final PolarisMetaStoreManager metaStoreManager;
+  private final PolarisAuthorizer polarisAuthorizer;
+  private final CatalogPrefixParser prefixParser;
+
+  @Inject
+  public PolicyCatalogAdapter(
+      RealmContext realmContext,
+      CallContext callContext,
+      PolarisEntityManager entityManager,
+      PolarisMetaStoreManager metaStoreManager,
+      PolarisAuthorizer polarisAuthorizer,
+      CatalogPrefixParser prefixParser) {
+    this.realmContext = realmContext;
+    this.callContext = callContext;
+    this.entityManager = entityManager;
+    this.metaStoreManager = metaStoreManager;
+    this.polarisAuthorizer = polarisAuthorizer;
+    this.prefixParser = prefixParser;
+  }
+
+  private PolicyCatalogHandler newHandlerWrapper(SecurityContext 
securityContext, String prefix) {
+    var authenticatedPrincipal = (AuthenticatedPolarisPrincipal) 
securityContext.getUserPrincipal();
+    if (authenticatedPrincipal == null) {
+      throw new NotAuthorizedException("Failed to find authenticatedPrincipal 
in SecurityContext");
+    }

Review Comment:
   Would suggest to extract to a static method, so that it could be reused by 
all adapters. Not a blocker though. I'm Ok with a followup.
   ```
     private static void validataPrincipal(SecurityContext securityContext) {
       var authenticatedPrincipal = (AuthenticatedPolarisPrincipal) 
securityContext.getUserPrincipal();
       if (authenticatedPrincipal == null) {
         throw new NotAuthorizedException("Failed to find 
authenticatedPrincipal in SecurityContext");
       }
     }
   ```
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] Implement PolicyCatalogAdapter [polaris]

Reply via email to