Re: [PR] core: Authorization SPI Refactor (Draft) [polaris]

Mon, 09 Feb 2026 05:55:33 -0800 


sungwy commented on code in PR #3681:
URL: https://github.com/apache/polaris/pull/3681#discussion_r2782781214


##########
runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -217,23 +255,22 @@ private static CatalogEntity getCatalogByName(
 
   private static CatalogRoleEntity getCatalogRoleByName(
       PolarisResolutionManifest resolutionManifest, String catalogRoleName) {
-    return 
Optional.ofNullable(resolutionManifest.getResolvedPath(catalogRoleName))
+    PolarisSecurable catalogRoleSecurable =
+        new PolarisSecurable(PolarisEntityType.CATALOG_ROLE, 
List.of(catalogRoleName));
+    return 
Optional.ofNullable(resolutionManifest.getResolvedPath(catalogRoleSecurable))
         .map(PolarisResolvedPathWrapper::getRawLeafEntity)
         .map(CatalogRoleEntity::of)
         .orElseThrow(() -> new NotFoundException("CatalogRole %s not found", 
catalogRoleName));
   }
 
   private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation 
op) {
     PolarisResolutionManifest resolutionManifest = newResolutionManifest(null);
-    resolutionManifest.resolveAll();
-    PolarisResolvedPathWrapper rootContainerWrapper =
-        resolutionManifest.getResolvedRootContainerEntityAsPath();
-    authorizer.authorizeOrThrow(
-        polarisPrincipal,
-        resolutionManifest.getAllActivatedPrincipalRoleEntities(),
-        op,
-        rootContainerWrapper,
-        null /* secondary */);
+    AuthorizationCallContext authzContext = new 
AuthorizationCallContext(resolutionManifest);

Review Comment:
   Hi @dimas-b - great suggestion.
   
   Yes, I think that aligns well with the proposed strategy to define the 
Resolution semantics at request-scope instead, and build consistency guarantees 
on it. I think creating a request-scoped bean for `AuthorizationCallContext` 
would be safe, and we can evaluate if we can do the same for the resolution 
semantics after a dedicated design proposal on the Resolution/Persistence model



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to