adutra commented on code in PR #2388:
URL: https://github.com/apache/polaris/pull/2388#discussion_r2292977963
##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -305,6 +301,30 @@ private void authorizeBasicTopLevelEntityOperationOrThrow(
null /* secondary */);
}
+ /**
+ * Returns true if the target entity is the same as the current
authenticated {@link
+ * PolarisPrincipal}.
+ */
+ private boolean isSelfEntity(PolarisEntity entity) {
+ // Entity name is unique for (realm_id, catalog_id, parent_id, type_code),
+ // which is reduced to (realm_id, type_code) for top-level entities;
+ // so there can be only one principal with a given name inside any realm.
+ return entity.getType() == PolarisEntityType.PRINCIPAL
+ && entity.getName().equals(polarisPrincipal.getName());
+ }
+
+ /**
+ * Returns true if the operation is a "self" operation, that is, an
operation that is being
+ * performed by the principal on itself.
+ *
+ * <p>TODO: If we do add more "self" privilege operations for PRINCIPAL
targets this should be
+ * extracted into an EnumSet and/or pushed down into PolarisAuthorizer.
+ */
+ private static boolean isSelfOperation(PolarisAuthorizableOperation op) {
+ return op.equals(PolarisAuthorizableOperation.ROTATE_CREDENTIALS)
+ || op.equals(PolarisAuthorizableOperation.RESET_CREDENTIALS);
Review Comment:
I see the change has been made in #2197: only `ROTATE_CREDENTIALS` remains a
"self-operation".
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
