sungwy opened a new pull request, #3999: URL: https://github.com/apache/polaris/pull/3999
This PR implements phases 2 and 3 of the authorization refactor tracking issue (https://github.com/apache/polaris/issues/3779).

It introduces request-based authorization with `AuthorizationRequest`, in both `PolarisAuthorizerImpl` and `OpaPolarisAuthorizer`. The new SPI method `authorize` is still not called by Polaris endpoint handlers. That will be done in phases 4 and 5 of the authorization refactoring effort. Hence, no behavior changes are expected in existing endpoint handling, except for `ROOT` handling in `OpaPolarisAuthorizer` noted below.

In order to decouple RBAC semantics from Polaris's core, we move RBAC operation semantics like _Privileges_ and the newly introduced _Scope_ semantic into `RbacOperationSemantics`.

The PR also adds `FullyQualifiedPath` as a lexical path with parent representation that `OpaPolarisAuthorizer` can use to construct the OPA request input payload.

### Breaking change

OPA input payloads no longer include `ROOT` in resource parent chains. This is intentional, since `ROOT` is an internal Polaris RBAC semantic and should not be part of the external OPA request contract.

## Checklist

- [ ] Don't disclose security issues! (contact [email protected])
- [x] Clearly explained why the changes are needed, or linked related issues: Fixes #
- [x] Added/updated tests with good coverage, or manually tested (and explained how)
- [x] Added comments for complex logic
- [ ] Updated `CHANGELOG.md` (if needed)
- [ ] Updated documentation in `site/content/in-dev/unreleased` (if needed)
