Currently, the PolarisAuthorizer implementation relies on the ResolvedPolarisEntity to return a list of grants for each entity in order to determine if a Principal has authorization to perform an operation on a given target. The grant records are populated by the Resolver, utilizing the EntityCache for a given realm to avoid unnecessary roundtrips to the persistence store for, e.g., the grants held by a given PrincipalRole or CatalogRole.
Because the PolarisAuthorizer relies on the grant records in the ResolvedPolarisEntity, there's no opportunity to utilize custom grant logic (for example, to declare a target to be globally viewable or attach PrincipalRoles dynamically) without either updating the Resolver or writing custom grant records prior to the Resolver execution.
This change decouples the PolarisAuthorizer from the ResolvedPolarisEntity so that it depends entirely on the PolarisGrantManager to declare which grants exist on a securable. It implements an EntityCacheGrantManager that, under the hood, still works with the EntityCache so that the lookups from the Resolver populate the cache with both entities and grants. However, the PolarisAuthorizer doesn't need to know anything about the EntityCache or the Resolver types. For convenience, it still uses the PolarisResolvedPathWrapper, as it's still a useful container for passing around full paths for entities.
The logic in the PolarisAuthorizer is unchanged and all tests still pass. An additional test class is added to verify the EntityCacheGrantManager works directly with the cache and will delegate to the underlying PolarisGrantManager when necessary.
Note that the logic that implicitly grants the service_admin role SERVICE_MANAGE_ACCESS privileges on the implicit root container has been moved to the EntityCacheGrantManager. I ran the tests without this move and they all still passed, so it seems that, at some point, the root container is being persisted and the grants are recorded. However, to ensure backward compatibility, I ported the logic. We may want to get rid of that at some point.
Fixes # (issue)
Type of change
Please delete options that are not relevant.
[ ] Bug fix (non-breaking change which fixes an issue)
[ ] Documentation update
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] This change requires a documentation update
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
[X] EntityCacheGrantManagerTest
Test Configuration:
Hardware:
Toolchain:
SDK:
Checklist:
Please delete options that are not relevant.
[X] I have performed a self-review of my code
[X] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[X] My changes generate no new warnings
[ ] If adding new functionality, I have discussed my implementation with the community using the linked GitHub issue
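An added illustration of the design this pull request describes, not code from the PR or from Polaris: an authorization check that depends only on a grant-lookup interface, a cache-backed implementation that delegates on a miss, and custom grant logic layered on without touching the check. Every type, method, privilege name and the `"*"` wildcard grantee is a hypothetical simplification.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
// Simplified model; all names are hypothetical and are not the Polaris API.
public class GrantSourceSketch {
  record Grant(String grantee, String privilege) {}

  // The only dependency of the authorization check.
  interface GrantSource { List<Grant> grantsOn(String securable); }

  // Serves grants from a cache and delegates to the backing source on a miss.
  static final class CachingGrantSource implements GrantSource {
    private final Map<String, List<Grant>> cache = new ConcurrentHashMap<>();
    private final GrantSource delegate;
    int delegateCalls; // exposed so the demo shows when delegation happens
    CachingGrantSource(GrantSource delegate) { this.delegate = delegate; }
    public List<Grant> grantsOn(String securable) {
      return cache.computeIfAbsent(securable, s -> { delegateCalls++; return delegate.grantsOn(s); });
    }
  }

  // Custom grant logic: chosen securables get a VIEW grant for every role ("*" is an assumption).
  static final class GloballyViewable implements GrantSource {
    private final GrantSource inner;
    private final Set<String> open;
    GloballyViewable(GrantSource inner, Set<String> open) { this.inner = inner; this.open = open; }
    public List<Grant> grantsOn(String securable) {
      List<Grant> grants = new ArrayList<>(inner.grantsOn(securable));
      if (open.contains(securable)) grants.add(new Grant("*", "VIEW"));
      return grants;
    }
  }

  // The decision logic is the same whichever GrantSource is plugged in; no grant means deny.
  static boolean isAuthorized(GrantSource src, Set<String> roles, String privilege, String securable) {
    return src.grantsOn(securable).stream().anyMatch(g -> g.privilege().equals(privilege)
        && (g.grantee().equals("*") || roles.contains(g.grantee())));
  }

  public static void main(String[] args) {
    // Constructed sample data standing in for the persistence store.
    Map<String, List<Grant>> store = Map.of("catalog1.ns1.t1", List.of(new Grant("analyst", "READ")));
    CachingGrantSource cached = new CachingGrantSource(s -> store.getOrDefault(s, List.of()));
    GrantSource src = new GloballyViewable(cached, Set.of("catalog1.ns1.public"));
    System.out.println(isAuthorized(src, Set.of("analyst"), "READ", "catalog1.ns1.t1"));
    System.out.println(isAuthorized(src, Set.of("analyst"), "READ", "catalog1.ns1.t1"));
    System.out.println(isAuthorized(src, Set.of("guest"), "VIEW", "catalog1.ns1.public"));
    System.out.println(isAuthorized(src, Set.of("guest"), "READ", "catalog1.ns1.t1"));
    System.out.println("delegate calls: " + cached.delegateCalls);
  }
}
```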