dimas-b commented on code in PR #3760:
URL: https://github.com/apache/polaris/pull/3760#discussion_r2850530322
##########
polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java:
##########
@@ -22,11 +22,47 @@
import jakarta.annotation.Nullable;
import java.util.List;
import java.util.Set;
+import org.apache.iceberg.exceptions.ForbiddenException;
import org.apache.polaris.core.entity.PolarisBaseEntity;
import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
/** Interface for invoking authorization checks. */
public interface PolarisAuthorizer {
+ /**
+ * Resolve authorizer-specific inputs before authorization.
+ *
+ * <p>Implementations may resolve only the entities required for the request
(for example, the
+ * caller principal, principal roles, catalog roles, and requested targets)
and store that state
+ * in {@link AuthorizationState}.
+ *
+ * <p>This method should not perform authorization decisions directly.
+ */
+ void resolveAuthorizationInputs(
+ @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request);
+
+ /**
+ * Core authorization entry point for the new SPI.
+ *
+ * <p>Implementations should rely on any required state in {@link
AuthorizationState} and the
+ * intent captured by {@link AuthorizationRequest} (principal, operation,
and target securables).
+ */
+ @Nonnull
+ AuthorizationDecision authorizeDecision(
+ @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request);
+
+ /**
+ * Convenience method that throws a {@link ForbiddenException} when
authorization is denied.
+ *
+ * <p>Implementations should provide allow/deny decisions via {@link
#authorizeDecision}.
+ */
+ default void authorizeOrThrow(
+ @Nonnull AuthorizationState authzState, @Nonnull AuthorizationRequest
request) {
+ AuthorizationDecision decision = authorizeDecision(authzState, request);
+ if (!decision.isAllowed()) {
+ String message = decision.getMessageOrDefault("Authorization denied");
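Review bot: The Javadoc for `authorizeDecision` does not say what an implementation must do when the `AuthorizationState` it relies on was never populated, and `authorizeOrThrow` as quoted calls `authorizeDecision` without calling `resolveAuthorizationInputs` first. Since the two-step ordering is left to callers, the contract should spell out fail-closed behaviour, e.g. add `<p>Implementations must return a deny decision (never allow) when required state is missing from {@link AuthorizationState}.` to the `authorizeDecision` Javadoc. It would also help to note there that the decision message is what `authorizeOrThrow` reads via `getMessageOrDefault`, presumably for the `ForbiddenException` text, so it should not carry internal policy or role details. The body of `authorizeOrThrow` continues past the quoted lines, so the throw itself is not visible here.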
Review Comment:
+1