dimas-b commented on code in PR #3681:
URL: https://github.com/apache/polaris/pull/3681#discussion_r2800830716
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java:
##########
@@ -27,14 +27,36 @@
/** Interface for invoking authorization checks. */
public interface PolarisAuthorizer {
+ /**
+ * Pre-authorization hook for resolving authorizer-specific inputs.
+ *
+ * <p>Implementations may resolve or validate any inputs needed to make an
authorization decision.
+ */
+ void preAuthorize(@Nonnull AuthorizationState ctx, @Nonnull
AuthorizationRequest request);
Review Comment:
That said, how about the pattern of defining the SPI to return a `boolean`
or some object with explicit failure into and adding convenience methods for
simple call sites?
```
AuthDecision preAuthorize(...);
default void preAuthorizeOrThrow(...) {
AuthDecition d = preAuthorize(...);
if (!d.isAllowed()) {
throw new ForbiddenException(d.getMessage()...);
}
}
```
This way the exception type and API-level message format is controlled by
Polaris (core) code, while AuthZ implementations only need to provide a yes/no
output and (optionally) an explanation.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
