sungwy opened a new pull request, #3760: URL: https://github.com/apache/polaris/pull/3760
<!-- ๐ Describe what changes you're proposing, especially breaking or user-facing changes. ๐ See https://github.com/apache/polaris/blob/main/CONTRIBUTING.md for more. --> This is the first PR in a series to refactor the PolarisAuthorizer SPI so authorizer implementations can control whether Polaris-native principal/RBAC resolution is required. Summary of changes in this PR: - Added `authorizeDecision(...)` (returns `AuthorizationDecision`) and a new `authorizeOrThrow(...)` overload that uses `AuthorizationState` + `AuthorizationRequest`. - Added request-scoped `RequestAuthorizationState` CDI bean implementing `AuthorizationState`. - Implemented resolver selection planning so `resolveSelections(...)` can skip caller principal/role resolution when not requested. - Included new selection-based resolution tests in ResolverTest. - New classes introduced: `AuthorizationDecision`, `AuthorizationState`, `AuthorizationRequest` In this PR, handlers still use the legacy call sites, and hence no behavior change is expected. The new SPI methods remain unimplemented in `PolarisAuthorizerImpl` and `OpaPolarisAuthorizer`. Once this SPI is accepted, follow-up PRs will implement the new SPI methods in `PolarisAuthorizerImpl` and `OpaPolarisAuthorizer`. RFC Google Doc on Authorization Refactor: [Link](https://docs.google.com/document/d/1OaiQG_C4-yUe0ihaDBxtw_mEcOOzUBnWPazzVbjQi5U/edit?tab=t.0#heading=h.dyow25dt9w1) ## Checklist - [ ] ๐ก๏ธ Don't disclose security issues! (contact [email protected]) - [x] ๐ Clearly explained why the changes are needed, or linked related issues: Fixes # - [ ] ๐งช Added/updated tests with good coverage, or manually tested (and explained how) - [x] ๐ก Added comments for complex logic - [ ] ๐งพ Updated `CHANGELOG.md` (if needed) - [ ] ๐ Updated documentation in `site/content/in-dev/unreleased` (if needed) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
