diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java index 0e8ccf577..629e85468 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java @@ -18,55 +18,20 @@ */ package org.apache.polaris.core.auth; -import jakarta.annotation.Nonnull; -import java.util.List; import java.util.Set; -import org.apache.polaris.core.entity.PolarisEntity; -import org.apache.polaris.core.entity.PrincipalRoleEntity; /** Holds the results of request authentication. */ -public class AuthenticatedPolarisPrincipal implements java.security.Principal { - private final PolarisEntity principalEntity; - private final Set activatedPrincipalRoleNames; - // only known and set after the above set of principal role names have been resolved. Before - // this, this list is null - private List activatedPrincipalRoles; - - public AuthenticatedPolarisPrincipal( - @Nonnull PolarisEntity principalEntity, @Nonnull Set activatedPrincipalRoles) { - this.principalEntity = principalEntity; - this.activatedPrincipalRoleNames = activatedPrincipalRoles; - this.activatedPrincipalRoles = null; - } - - @Override - public String getName() { - return principalEntity.getName(); - } - - public PolarisEntity getPrincipalEntity() { - return principalEntity; - } - - public Set getActivatedPrincipalRoleNames() { - return activatedPrincipalRoleNames; - } - - public List getActivatedPrincipalRoles() { - return activatedPrincipalRoles; - } - - public void setActivatedPrincipalRoles(List activatedPrincipalRoles) { - this.activatedPrincipalRoles = activatedPrincipalRoles; - } - - @Override - public String toString() { - return "principalEntity=" - + getPrincipalEntity() - + ";activatedPrincipalRoleNames=" - + getActivatedPrincipalRoleNames() - + ";activatedPrincipalRoles=" - + getActivatedPrincipalRoles(); - } +public interface AuthenticatedPolarisPrincipal extends java.security.Principal { + + /** + * Principal entity ID obtained during request authentication (e.g. from the authorization token). + * + *

Negative values indicate that a principal ID was not provided in authenticated data, + * however, other authentic information about the principal (e.g. name, roles) may still be + * available. + */ + long getPrincipalEntityId(); + + /** A sub-set of the assigned roles that are deemed effective in requests using this principal. */ + Set getActivatedPrincipalRoleNames(); } diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizer.java similarity index 90% rename from polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java rename to polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizer.java index 7b6e91e46..f5baec8c6 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizer.java @@ -101,12 +101,15 @@ import org.apache.polaris.core.PolarisConfigurationStore; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntity; import org.apache.polaris.core.entity.PolarisEntityConstants; import org.apache.polaris.core.entity.PolarisEntityCore; +import org.apache.polaris.core.entity.PolarisEntityType; import org.apache.polaris.core.entity.PolarisGrantRecord; import org.apache.polaris.core.entity.PolarisPrivilege; import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; import org.apache.polaris.core.persistence.ResolvedPolarisEntity; +import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -119,8 +122,8 @@ * the expanded roles of the calling Principal hold SERVICE_MANAGE_ACCESS on the "root" catalog, * which translates into a cross-catalog permission. */ -public class PolarisAuthorizerImpl implements PolarisAuthorizer { - private static final Logger LOGGER = LoggerFactory.getLogger(PolarisAuthorizerImpl.class); +public class DefaultPolarisAuthorizer implements PolarisAuthorizer { + private static final Logger LOGGER = LoggerFactory.getLogger(DefaultPolarisAuthorizer.class); private static final SetMultimap SUPER_PRIVILEGES = HashMultimap.create(); @@ -460,7 +463,7 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer { private final PolarisConfigurationStore featureConfig; - public PolarisAuthorizerImpl(PolarisConfigurationStore featureConfig) { + public DefaultPolarisAuthorizer(PolarisConfigurationStore featureConfig) { this.featureConfig = featureConfig; } @@ -485,71 +488,81 @@ public boolean matchesOrIsSubsumedBy( @Override public void authorizeOrThrow( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, - @Nonnull Set activatedEntities, + @Nonnull PolarisResolutionManifest manifest, @Nonnull PolarisAuthorizableOperation authzOp, - @Nullable PolarisResolvedPathWrapper target, - @Nullable PolarisResolvedPathWrapper secondary) { - authorizeOrThrow( - authenticatedPrincipal, - activatedEntities, - authzOp, - target == null ? null : List.of(target), - secondary == null ? null : List.of(secondary)); - } + boolean considerCatalogRoles) { + + List targets = manifest.authorizationTargets(); + List secondaries = manifest.authorizationSecondaries(); + + PolarisEntity principal = manifest.getResolvedPolarisPrincipal(); + if (principal == null) { + AuthenticatedPolarisPrincipal authPrincipal = manifest.getAuthenticatedPrincipal(); + throw new ForbiddenException( + "Principal '%s' (ID: %s) could not be resolved", + authPrincipal.getName(), authPrincipal.getPrincipalEntityId()); + } + + Set activatedEntities = + considerCatalogRoles + ? manifest.getAllActivatedCatalogRoleAndPrincipalRoles() + : manifest.getAllActivatedPrincipalRoleEntities(); - @Override - public void authorizeOrThrow( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, - @Nonnull Set activatedEntities, - @Nonnull PolarisAuthorizableOperation authzOp, - @Nullable List targets, - @Nullable List secondaries) { boolean enforceCredentialRotationRequiredState = featureConfig.getConfiguration( CallContext.getCurrentContext().getPolarisCallContext(), PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING); if (enforceCredentialRotationRequiredState - && authenticatedPrincipal - .getPrincipalEntity() + && principal .getInternalPropertiesAsMap() .containsKey(PolarisEntityConstants.PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE) && authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS) { throw new ForbiddenException( "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE", - authenticatedPrincipal.getName(), authzOp); - } else if (!isAuthorized( - authenticatedPrincipal, activatedEntities, authzOp, targets, secondaries)) { + principal.getName(), authzOp); + } + + if (isPrincipalOwnCredentialReset(principal, authzOp, targets)) { + LOGGER + .atDebug() + .addKeyValue("principalName", principal.getName()) + .log("Allowing rotate own credentials"); + return; + } + + if (!isAuthorized(principal, activatedEntities, authzOp, targets, secondaries)) { throw new ForbiddenException( "Principal '%s' with activated PrincipalRoles '%s' and activated grants via '%s' is not authorized for op %s", - authenticatedPrincipal.getName(), - authenticatedPrincipal.getActivatedPrincipalRoleNames(), + principal.getName(), + manifest.getResolvedPolarisPrincipalRoleNames(), activatedEntities.stream().map(PolarisEntityCore::getName).collect(Collectors.toSet()), authzOp); } } /** - * Based on the required target/targetParent/secondary/secondaryParent privileges mapped from - * {@code authzOp}, determines whether the caller's set of activatedGranteeIds is authorized for - * the operation. + * Returns {@code true} if the operation is a reset or rotation of the principal's own secrets. In + * this case the operation is implicitly allowed without any specific permission checks. */ - public boolean isAuthorized( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, - @Nonnull Set activatedEntities, - @Nonnull PolarisAuthorizableOperation authzOp, - @Nullable PolarisResolvedPathWrapper target, - @Nullable PolarisResolvedPathWrapper secondary) { - return isAuthorized( - authenticatedPolarisPrincipal, - activatedEntities, - authzOp, - target == null ? null : List.of(target), - secondary == null ? null : List.of(secondary)); + private boolean isPrincipalOwnCredentialReset( + PolarisEntity principal, + PolarisAuthorizableOperation op, + List targets) { + if (op != PolarisAuthorizableOperation.ROTATE_CREDENTIALS + && op != PolarisAuthorizableOperation.RESET_CREDENTIALS) { + return false; + } + + if (targets.size() != 1) { + return false; + } + + PolarisEntity target = targets.get(0).getResolvedLeafEntity().getEntity(); + return target.getType() == PolarisEntityType.PRINCIPAL && target.getId() == principal.getId(); } public boolean isAuthorized( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, + @Nonnull PolarisEntity principal, @Nonnull Set activatedEntities, @Nonnull PolarisAuthorizableOperation authzOp, @Nullable List targets, @@ -564,8 +577,7 @@ public boolean isAuthorized( authzOp, privilegeOnTarget); for (PolarisResolvedPathWrapper target : targets) { - if (!hasTransitivePrivilege( - authenticatedPolarisPrincipal, entityIdSet, privilegeOnTarget, target)) { + if (!hasTransitivePrivilege(principal, entityIdSet, privilegeOnTarget, target)) { // TODO: Collect missing privileges to report all at the end and/or return to code // that throws NotAuthorizedException for more useful messages. return false; @@ -579,8 +591,7 @@ public boolean isAuthorized( authzOp, privilegeOnSecondary); for (PolarisResolvedPathWrapper secondary : secondaries) { - if (!hasTransitivePrivilege( - authenticatedPolarisPrincipal, entityIdSet, privilegeOnSecondary, secondary)) { + if (!hasTransitivePrivilege(principal, entityIdSet, privilegeOnSecondary, secondary)) { return false; } } @@ -598,7 +609,7 @@ public boolean isAuthorized( * errors/exceptions. */ public boolean hasTransitivePrivilege( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal, + @Nonnull PolarisEntity principal, Set activatedGranteeIds, PolarisPrivilege desiredPrivilege, PolarisResolvedPathWrapper resolvedPath) { @@ -621,7 +632,7 @@ public boolean hasTransitivePrivilege( desiredPrivilege, grantRecord, resolvedSecurableEntity, - authenticatedPolarisPrincipal.getName(), + principal.getName(), activatedGranteeIds); return true; } @@ -632,7 +643,7 @@ public boolean hasTransitivePrivilege( LOGGER.debug( "Failed to satisfy privilege {} for principalName {} on resolvedPath {}", desiredPrivilege, - authenticatedPolarisPrincipal.getName(), + principal.getName(), resolvedPath); return false; } diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizerFactory.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizerFactory.java new file mode 100644 index 000000000..0c9ee0a6a --- /dev/null +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/DefaultPolarisAuthorizerFactory.java @@ -0,0 +1,29 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.core.auth; + +import org.apache.polaris.core.PolarisConfigurationStore; + +@SuppressWarnings("unused") // configured in polaris-server.yml +public class DefaultPolarisAuthorizerFactory implements PolarisAuthorizerFactory { + @Override + public PolarisAuthorizer createAuthorizer(PolarisConfigurationStore config) { + return new DefaultPolarisAuthorizer(config); + } +} diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java index 31e69b083..a6eec6d65 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java @@ -19,26 +19,28 @@ package org.apache.polaris.core.auth; import jakarta.annotation.Nonnull; -import jakarta.annotation.Nullable; -import java.util.List; -import java.util.Set; -import org.apache.polaris.core.entity.PolarisBaseEntity; -import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; +import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest; /** Interface for invoking authorization checks. */ public interface PolarisAuthorizer { + /** + * Validates whether the requested operation is permitted based on the collection of entities + * (including principals, roles, and catalog objects) that are affected by the operation. + * + *

"activated" entities, "targets" and "secondaries" are contained within the provided + * manifest. The extra selector parameters merely define what sub-set of objects from the manifest + * should be considered as "targets", etc. + * + *

The effective principal information is also provided in the manifest. + * + * @param manifest defines the input for authorization checks. + * @param operation the operation being authorized. + * @param considerCatalogRoles whether catalog roles should be considered ({@code true}) or only + * principal roles ({@code false}). + */ void authorizeOrThrow( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, - @Nonnull Set activatedEntities, - @Nonnull PolarisAuthorizableOperation authzOp, - @Nullable PolarisResolvedPathWrapper target, - @Nullable PolarisResolvedPathWrapper secondary); - - void authorizeOrThrow( - @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal, - @Nonnull Set activatedEntities, - @Nonnull PolarisAuthorizableOperation authzOp, - @Nullable List targets, - @Nullable List secondaries); + @Nonnull PolarisResolutionManifest manifest, + @Nonnull PolarisAuthorizableOperation operation, + boolean considerCatalogRoles); } diff --git a/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerFactory.java b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerFactory.java new file mode 100644 index 000000000..257f94937 --- /dev/null +++ b/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerFactory.java @@ -0,0 +1,31 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.core.auth; + +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apache.polaris.core.PolarisConfigurationStore; + +/** + * A factory for creating {@link PolarisAuthorizer} instances configured via a {@link + * PolarisConfigurationStore} + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "factory") +public interface PolarisAuthorizerFactory { + PolarisAuthorizer createAuthorizer(PolarisConfigurationStore config); +} diff --git a/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisEntityManager.java b/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisEntityManager.java index ba7398aaa..6ea33a876 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisEntityManager.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisEntityManager.java @@ -66,7 +66,7 @@ public Resolver prepareResolver( return new Resolver( callContext.getPolarisCallContext(), metaStoreManager, - authenticatedPrincipal.getPrincipalEntity().getId(), + authenticatedPrincipal.getPrincipalEntityId(), null, /* callerPrincipalName */ authenticatedPrincipal.getActivatedPrincipalRoleNames().isEmpty() ? null diff --git a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java index 629e282e1..ccabebd65 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java @@ -26,15 +26,18 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.util.function.Function; import java.util.stream.Collectors; +import javax.annotation.Nonnull; +import javax.annotation.Nullable; import org.apache.polaris.core.PolarisDiagnostics; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.entity.PolarisBaseEntity; +import org.apache.polaris.core.entity.PolarisEntity; import org.apache.polaris.core.entity.PolarisEntityConstants; import org.apache.polaris.core.entity.PolarisEntitySubType; import org.apache.polaris.core.entity.PolarisEntityType; -import org.apache.polaris.core.entity.PrincipalRoleEntity; import org.apache.polaris.core.persistence.PolarisEntityManager; import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper; import org.apache.polaris.core.persistence.ResolvedPolarisEntity; @@ -65,6 +68,8 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal private final Multimap addedTopLevelNames = HashMultimap.create(); private final Map passthroughPaths = new HashMap<>(); + private final List primaryTargets = new ArrayList<>(); + private final List secondaryTargets = new ArrayList<>(); // For applicable operations, this represents the topmost root entity which services as an // authorization parent for all other entities that reside at the root level, such as @@ -97,6 +102,18 @@ public PolarisResolutionManifest( addTopLevelName(PolarisEntityConstants.getRootContainerName(), PolarisEntityType.ROOT, true); } + public List authorizationTargets() { + return primaryTargets.stream().map(g -> g.get(this)).collect(Collectors.toList()); + } + + public List authorizationSecondaries() { + return secondaryTargets.stream().map(g -> g.get(this)).collect(Collectors.toList()); + } + + public void addRootContainer(AuthorizationTargetType targetType) { + targetType.addTo(this, Getter.rootContainer()); + } + /** Adds a name of a top-level entity (Catalog, Principal, PrincipalRole) to be resolved. */ public void addTopLevelName(String entityName, PolarisEntityType entityType, boolean isOptional) { addedTopLevelNames.put(entityName, entityType); @@ -107,6 +124,15 @@ public void addTopLevelName(String entityName, PolarisEntityType entityType, boo } } + public void addTopLevelName( + AuthorizationTargetType targetType, + String entityName, + PolarisEntityType entityType, + boolean isOptional) { + addTopLevelName(entityName, entityType, isOptional); + targetType.addTo(this, Getter.topLevelEntity(entityName, entityType)); + } + /** * Adds a path that will be statically resolved with the primary Resolver when resolveAll() is * called, and which contributes to the resolution status of whether all paths have successfully @@ -122,6 +148,26 @@ public void addPath(ResolverPath path, Object key) { ++currentPathIndex; } + public void addPath(AuthorizationTargetType targetType, ResolverPath path, Object key) { + addPath(path, key); + targetType.addTo(this, Getter.path(key)); + } + + public void addPath( + AuthorizationTargetType targetType, ResolverPath path, Object key, Runnable notFoundHandler) { + addPath(path, key); + targetType.addTo(this, Getter.path(key, notFoundHandler)); + } + + public void addPath( + AuthorizationTargetType targetType, + ResolverPath path, + Object key, + PolarisEntitySubType subType) { + addPath(path, key); + targetType.addTo(this, Getter.path(key, subType)); + } + /** * Adds a path that is allowed to be dynamically resolved with a new Resolver when * getPassthroughResolvedPath is called. These paths are also included in the primary static @@ -132,6 +178,16 @@ public void addPassthroughPath(ResolverPath path, Object key) { passthroughPaths.put(key, path); } + public void addPassthroughPath( + AuthorizationTargetType targetType, + ResolverPath path, + Object key, + PolarisEntitySubType subType, + Runnable notFoundHandler) { + addPassthroughPath(path, key); + targetType.addTo(this, Getter.path(key, subType, notFoundHandler)); + } + public ResolverStatus resolveAll() { primaryResolverStatus = primaryResolver.resolveAll(); // TODO: This could be a race condition where a Principal is dropped after initial authn @@ -141,14 +197,6 @@ public ResolverStatus resolveAll() { != ResolverStatus.StatusEnum.CALLER_PRINCIPAL_DOES_NOT_EXIST, "caller_principal_does_not_exist_at_resolution_time"); - // activated principal roles are known, add them to the call context - if (primaryResolverStatus.getStatus() == ResolverStatus.StatusEnum.SUCCESS) { - List activatedPrincipalRoles = - primaryResolver.getResolvedCallerPrincipalRoles().stream() - .map(ce -> PrincipalRoleEntity.of(ce.getEntity())) - .collect(Collectors.toList()); - this.authenticatedPrincipal.setActivatedPrincipalRoles(activatedPrincipalRoles); - } return primaryResolverStatus; } @@ -256,6 +304,23 @@ public Set getAllActivatedCatalogRoleAndPrincipalRoles() { return activatedRoles; } + public AuthenticatedPolarisPrincipal getAuthenticatedPrincipal() { + return authenticatedPrincipal; + } + + @Nullable + public PolarisEntity getResolvedPolarisPrincipal() { + EntityCacheEntry entry = primaryResolver.getResolvedCallerPrincipal(); + return entry == null ? null : PolarisEntity.of(entry.getEntity()); + } + + @Nonnull + public List getResolvedPolarisPrincipalRoleNames() { + return primaryResolver.getResolvedCallerPrincipalRoles().stream() + .map(ce -> ce.getEntity().getName()) + .collect(Collectors.toList()); + } + public Set getAllActivatedPrincipalRoleEntities() { Set activatedEntities = new HashSet<>(); primaryResolver.getResolvedCallerPrincipalRoles().stream() @@ -409,4 +474,60 @@ public PolarisResolvedPathWrapper getResolvedTopLevelEntity( : new PolarisResolvedPathWrapper( List.of(resolvedRootContainerEntity, new ResolvedPolarisEntity(resolvedCacheEntry))); } + + public enum AuthorizationTargetType { + PRIMARY(m -> m.primaryTargets), + SECONDARY(m -> m.secondaryTargets), + ; + + private final Function> list; + + AuthorizationTargetType(Function> list) { + this.list = list; + } + + private void addTo(PolarisResolutionManifest manifest, Getter getter) { + list.apply(manifest).add(getter); + } + } + + private interface Getter { + PolarisResolvedPathWrapper get(PolarisResolutionManifest manifest); + + static Getter rootContainer() { + return PolarisResolutionManifest::getResolvedRootContainerEntityAsPath; + } + + static Getter topLevelEntity(String entityName, PolarisEntityType type) { + return m -> m.getResolvedTopLevelEntity(entityName, type); + } + + static Getter path(Object key, PolarisEntitySubType subType) { + return path(key, subType, () -> {}); + } + + static Getter path(Object key, PolarisEntitySubType subType, Runnable notFoundHandler) { + return manifest -> { + PolarisResolvedPathWrapper resolved = manifest.getResolvedPath(key, subType, true); + if (resolved == null) { + notFoundHandler.run(); + } + return resolved; + }; + } + + static Getter path(Object key) { + return path(key, () -> {}); + } + + static Getter path(Object key, Runnable notFoundHandler) { + return manifest -> { + PolarisResolvedPathWrapper resolved = manifest.getResolvedPath(key, true); + if (resolved == null) { + notFoundHandler.run(); + } + return resolved; + }; + } + } } diff --git a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java index ebefa1582..c87dd5c76 100644 --- a/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java +++ b/polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/Resolver.java @@ -147,8 +147,6 @@ public Resolver( // validate inputs this.diagnostics.checkNotNull(polarisRemoteCache, "unexpected_null_polarisRemoteCache"); this.diagnostics.checkNotNull(cache, "unexpected_null_cache"); - this.diagnostics.check( - callerPrincipalId != 0 || callerPrincipalName != null, "principal_must_be_specified"); // paths to resolve this.pathsToResolve = new ArrayList<>(); @@ -269,7 +267,7 @@ public ResolverStatus resolveAll() { /** * @return the principal we resolved */ - public @Nonnull EntityCacheEntry getResolvedCallerPrincipal() { + public @Nullable EntityCacheEntry getResolvedCallerPrincipal() { // can only be called if the resolver has been called and was success this.diagnostics.checkNotNull(resolverStatus, "resolver_must_be_called_first"); this.diagnostics.check( @@ -409,12 +407,17 @@ private ResolverStatus runResolvePass() { List toValidate = new ArrayList<>(); // first resolve the principal and determine the set of activated principal roles - ResolverStatus status = - this.resolveCallerPrincipalAndPrincipalRoles( - toValidate, - this.callerPrincipalId, - this.callerPrincipalName, - this.callerPrincipalRoleNamesScope); + ResolverStatus status; + if (this.callerPrincipalId > 0 || this.callerPrincipalName != null) { + status = + this.resolveCallerPrincipalAndPrincipalRoles( + toValidate, + this.callerPrincipalId, + this.callerPrincipalName, + this.callerPrincipalRoleNamesScope); + } else { + status = new ResolverStatus(ResolverStatus.StatusEnum.SUCCESS); + } // if success, continue resolving if (status.getStatus() == ResolverStatus.StatusEnum.SUCCESS) { diff --git a/polaris-server.yml b/polaris-server.yml index e147d4d48..167912612 100644 --- a/polaris-server.yml +++ b/polaris-server.yml @@ -105,6 +105,9 @@ authenticator: # type: symmetric-key # secret: polaris +authorizer: + factory: org.apache.polaris.core.auth.DefaultPolarisAuthorizerFactory + cors: allowed-origins: - http://localhost:8080 diff --git a/polaris-service/src/main/java/org/apache/polaris/service/PolarisApplication.java b/polaris-service/src/main/java/org/apache/polaris/service/PolarisApplication.java index 89287a3e8..78e2403d6 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/PolarisApplication.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/PolarisApplication.java @@ -76,7 +76,6 @@ import org.apache.polaris.core.PolarisConfigurationStore; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; import org.apache.polaris.core.auth.PolarisAuthorizer; -import org.apache.polaris.core.auth.PolarisAuthorizerImpl; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.context.RealmContext; import org.apache.polaris.core.monitor.MetricRegistryAware; @@ -241,7 +240,7 @@ public void run(PolarisApplicationConfig configuration, Environment environment) new PolarisCallContextCatalogFactory( entityManagerFactory, metaStoreManagerFactory, taskExecutor, fileIOFactory); - PolarisAuthorizer authorizer = new PolarisAuthorizerImpl(configurationStore); + PolarisAuthorizer authorizer = configuration.createAuthorizer(); IcebergCatalogAdapter catalogAdapter = new IcebergCatalogAdapter( catalogFactory, entityManagerFactory, metaStoreManagerFactory, authorizer); diff --git a/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java b/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java index a80460018..b8219817e 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java @@ -18,6 +18,9 @@ */ package org.apache.polaris.service.admin; +import static org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest.AuthorizationTargetType.PRIMARY; +import static org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest.AuthorizationTargetType.SECONDARY; + import jakarta.annotation.Nonnull; import jakarta.annotation.Nullable; import java.util.ArrayList; @@ -153,15 +156,9 @@ private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op) resolutionManifest = entityManager.prepareResolutionManifest( callContext, authenticatedPrincipal, null /* referenceCatalogName */); + resolutionManifest.addRootContainer(PRIMARY); resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper rootContainerWrapper = - resolutionManifest.getResolvedRootContainerEntityAsPath(); - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedPrincipalRoleEntities(), - op, - rootContainerWrapper, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, false); } private void authorizeBasicTopLevelEntityOperationOrThrow( @@ -180,33 +177,15 @@ private void authorizeBasicTopLevelEntityOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest( callContext, authenticatedPrincipal, referenceCatalogName); - resolutionManifest.addTopLevelName(topLevelEntityName, entityType, false /* isOptional */); + resolutionManifest.addTopLevelName( + PRIMARY, topLevelEntityName, entityType, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { throw new NotFoundException( "TopLevelEntity of type %s does not exist: %s", entityType, topLevelEntityName); } - PolarisResolvedPathWrapper topLevelEntityWrapper = - resolutionManifest.getResolvedTopLevelEntity(topLevelEntityName, entityType); - - // TODO: If we do add more "self" privilege operations for PRINCIPAL targets this should - // be extracted into an EnumSet and/or pushed down into PolarisAuthorizer. - if (topLevelEntityWrapper.getResolvedLeafEntity().getEntity().getId() - == authenticatedPrincipal.getPrincipalEntity().getId() - && (op.equals(PolarisAuthorizableOperation.ROTATE_CREDENTIALS) - || op.equals(PolarisAuthorizableOperation.RESET_CREDENTIALS))) { - LOGGER - .atDebug() - .addKeyValue("principalName", topLevelEntityName) - .log("Allowing rotate own credentials"); - return; - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - topLevelEntityWrapper, - null /* secondary */); + + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeBasicCatalogRoleOperationOrThrow( @@ -214,27 +193,23 @@ private void authorizeBasicCatalogRoleOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), - catalogRoleName); + catalogRoleName, + () -> { + throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName); + }); resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper target = resolutionManifest.getResolvedPath(catalogRoleName, true); - if (target == null) { - throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName); - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( PolarisAuthorizableOperation op, String principalRoleName) { resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, null); + resolutionManifest.addRootContainer(PRIMARY); resolutionManifest.addTopLevelName( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); + SECONDARY, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { @@ -245,18 +220,8 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow( // TODO: Merge this method into authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow // once we remove any special handling logic for the rootContainer. - PolarisResolvedPathWrapper rootContainerWrapper = - resolutionManifest.getResolvedRootContainerEntityAsPath(); - PolarisResolvedPathWrapper principalRoleWrapper = - resolutionManifest.getResolvedTopLevelEntity( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - rootContainerWrapper, - principalRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow( @@ -267,9 +232,9 @@ private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, null); resolutionManifest.addTopLevelName( - topLevelEntityName, topLevelEntityType, false /* isOptional */); + PRIMARY, topLevelEntityName, topLevelEntityType, false /* isOptional */); resolutionManifest.addTopLevelName( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); + SECONDARY, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { @@ -281,18 +246,7 @@ private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow( principalRoleName); } - PolarisResolvedPathWrapper topLevelEntityWrapper = - resolutionManifest.getResolvedTopLevelEntity(topLevelEntityName, topLevelEntityType); - PolarisResolvedPathWrapper principalRoleWrapper = - resolutionManifest.getResolvedTopLevelEntity( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); - - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - topLevelEntityWrapper, - principalRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( @@ -300,9 +254,9 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, null); resolutionManifest.addTopLevelName( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); + PRIMARY, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); resolutionManifest.addTopLevelName( - principalName, PolarisEntityType.PRINCIPAL, false /* isOptional */); + SECONDARY, principalName, PolarisEntityType.PRINCIPAL, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { @@ -311,18 +265,7 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow( status.getFailedToResolvedEntityName(), principalRoleName, principalName); } - PolarisResolvedPathWrapper principalRoleWrapper = - resolutionManifest.getResolvedTopLevelEntity( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); - PolarisResolvedPathWrapper principalWrapper = - resolutionManifest.getResolvedTopLevelEntity(principalName, PolarisEntityType.PRINCIPAL); - - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - principalRoleWrapper, - principalWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( @@ -333,10 +276,11 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); resolutionManifest.addTopLevelName( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); + SECONDARY, principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */); ResolverStatus status = resolutionManifest.resolveAll(); if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) { @@ -349,18 +293,7 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow( status.getFailedToResolvePath(), catalogName, catalogRoleName, principalRoleName); } - PolarisResolvedPathWrapper principalRoleWrapper = - resolutionManifest.getResolvedTopLevelEntity( - principalRoleName, PolarisEntityType.PRINCIPAL_ROLE); - PolarisResolvedPathWrapper catalogRoleWrapper = - resolutionManifest.getResolvedPath(catalogRoleName, true); - - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - catalogRoleWrapper, - principalRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnCatalogOperationOrThrow( @@ -368,8 +301,9 @@ private void authorizeGrantOnCatalogOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addTopLevelName( - catalogName, PolarisEntityType.CATALOG, false /* isOptional */); + PRIMARY, catalogName, PolarisEntityType.CATALOG, false /* isOptional */); resolutionManifest.addPath( + SECONDARY, new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); ResolverStatus status = resolutionManifest.resolveAll(); @@ -380,16 +314,7 @@ private void authorizeGrantOnCatalogOperationOrThrow( throw new NotFoundException("CatalogRole not found: %s.%s", catalogName, catalogRoleName); } - PolarisResolvedPathWrapper catalogWrapper = - resolutionManifest.getResolvedTopLevelEntity(catalogName, PolarisEntityType.CATALOG); - PolarisResolvedPathWrapper catalogRoleWrapper = - resolutionManifest.getResolvedPath(catalogRoleName, true); - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - catalogWrapper, - catalogRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnNamespaceOperationOrThrow( @@ -400,9 +325,11 @@ private void authorizeGrantOnNamespaceOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE), namespace); resolutionManifest.addPath( + SECONDARY, new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); ResolverStatus status = resolutionManifest.resolveAll(); @@ -418,17 +345,7 @@ private void authorizeGrantOnNamespaceOperationOrThrow( } } - PolarisResolvedPathWrapper namespaceWrapper = - resolutionManifest.getResolvedPath(namespace, true); - PolarisResolvedPathWrapper catalogRoleWrapper = - resolutionManifest.getResolvedPath(catalogRoleName, true); - - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - namespaceWrapper, - catalogRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } private void authorizeGrantOnTableLikeOperationOrThrow( @@ -440,10 +357,13 @@ private void authorizeGrantOnTableLikeOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath( PolarisCatalogHelpers.tableIdentifierToList(identifier), PolarisEntityType.TABLE_LIKE), - identifier); + identifier, + subType); resolutionManifest.addPath( + SECONDARY, new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE), catalogRoleName); ResolverStatus status = resolutionManifest.resolveAll(); @@ -462,17 +382,7 @@ private void authorizeGrantOnTableLikeOperationOrThrow( } } - PolarisResolvedPathWrapper tableLikeWrapper = - resolutionManifest.getResolvedPath(identifier, subType, true); - PolarisResolvedPathWrapper catalogRoleWrapper = - resolutionManifest.getResolvedPath(catalogRoleName, true); - - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - tableLikeWrapper, - catalogRoleWrapper); + authorizer.authorizeOrThrow(resolutionManifest, op, true); } /** Get all locations where data for a `CatalogEntity` may be stored */ diff --git a/polaris-service/src/main/java/org/apache/polaris/service/auth/AllowAllAuthorizerFactory.java b/polaris-service/src/main/java/org/apache/polaris/service/auth/AllowAllAuthorizerFactory.java new file mode 100644 index 000000000..eafdadb37 --- /dev/null +++ b/polaris-service/src/main/java/org/apache/polaris/service/auth/AllowAllAuthorizerFactory.java @@ -0,0 +1,36 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth; + +import org.apache.polaris.core.PolarisConfigurationStore; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.auth.PolarisAuthorizerFactory; + +/** + * Makes a {@link PolarisAuthorizer} that allows all operations regardless of the principal and role + * assignments. + */ +public class AllowAllAuthorizerFactory implements PolarisAuthorizerFactory { + @Override + public PolarisAuthorizer createAuthorizer(PolarisConfigurationStore config) { + return (manifest, operation, considerCatalogRoles) -> { + // all operations are permitted + }; + } +} diff --git a/polaris-service/src/main/java/org/apache/polaris/service/auth/AnonymousPolarisAuthenticator.java b/polaris-service/src/main/java/org/apache/polaris/service/auth/AnonymousPolarisAuthenticator.java new file mode 100644 index 000000000..eed40423f --- /dev/null +++ b/polaris-service/src/main/java/org/apache/polaris/service/auth/AnonymousPolarisAuthenticator.java @@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth; + +import java.util.Optional; +import java.util.Set; +import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; +import org.apache.polaris.core.persistence.MetaStoreManagerFactory; + +/** + * An authenticator implementation that does not validate actor's identity, but always produce an + * "anonymous" principal. + */ +@SuppressWarnings("unused") +public class AnonymousPolarisAuthenticator + implements DiscoverableAuthenticator { + + private static final AuthenticatedPolarisPrincipal ANONYMOUS = + new AuthenticatedPolarisPrincipalImpl(-1, "anonymous", Set.of()); + + @Override + public Optional authenticate(String s) { + return Optional.of(ANONYMOUS); + } + + @Override + public void setMetaStoreManagerFactory(MetaStoreManagerFactory metaStoreManagerFactory) { + // nop + } +} diff --git a/polaris-service/src/main/java/org/apache/polaris/service/auth/AuthenticatedPolarisPrincipalImpl.java b/polaris-service/src/main/java/org/apache/polaris/service/auth/AuthenticatedPolarisPrincipalImpl.java new file mode 100644 index 000000000..6dd2d37c2 --- /dev/null +++ b/polaris-service/src/main/java/org/apache/polaris/service/auth/AuthenticatedPolarisPrincipalImpl.java @@ -0,0 +1,49 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth; + +import java.util.Set; +import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; + +public final class AuthenticatedPolarisPrincipalImpl implements AuthenticatedPolarisPrincipal { + private final long id; + private final String name; + private final Set roles; + + public AuthenticatedPolarisPrincipalImpl(long id, String name, Set roles) { + this.id = id; + this.name = name; + this.roles = roles; + } + + @Override + public String getName() { + return name; + } + + @Override + public long getPrincipalEntityId() { + return id; + } + + @Override + public Set getActivatedPrincipalRoleNames() { + return roles; + } +} diff --git a/polaris-service/src/main/java/org/apache/polaris/service/auth/BasePolarisAuthenticator.java b/polaris-service/src/main/java/org/apache/polaris/service/auth/BasePolarisAuthenticator.java index c06f17d86..0ef42f7a3 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/auth/BasePolarisAuthenticator.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/auth/BasePolarisAuthenticator.java @@ -22,16 +22,10 @@ import java.util.HashSet; import java.util.Optional; import java.util.Set; -import org.apache.commons.lang3.exception.ExceptionUtils; -import org.apache.iceberg.exceptions.NotAuthorizedException; import org.apache.polaris.core.PolarisCallContext; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.context.RealmContext; -import org.apache.polaris.core.entity.PolarisEntity; -import org.apache.polaris.core.entity.PolarisEntitySubType; -import org.apache.polaris.core.entity.PolarisEntityType; -import org.apache.polaris.core.entity.PrincipalEntity; import org.apache.polaris.core.persistence.MetaStoreManagerFactory; import org.apache.polaris.core.persistence.PolarisMetaStoreManager; import org.slf4j.Logger; @@ -63,37 +57,7 @@ public PolarisCallContext getCurrentPolarisContext() { } protected Optional getPrincipal(DecodedToken tokenInfo) { - LOGGER.debug("Resolving principal for tokenInfo client_id={}", tokenInfo.getClientId()); - RealmContext realmContext = CallContext.getCurrentContext().getRealmContext(); - PolarisMetaStoreManager metaStoreManager = - metaStoreManagerFactory.getOrCreateMetaStoreManager(realmContext); - PolarisEntity principal; - try { - principal = - tokenInfo.getPrincipalId() > 0 - ? PolarisEntity.of( - metaStoreManager.loadEntity( - getCurrentPolarisContext(), 0L, tokenInfo.getPrincipalId())) - : PolarisEntity.of( - metaStoreManager.readEntityByName( - getCurrentPolarisContext(), - null, - PolarisEntityType.PRINCIPAL, - PolarisEntitySubType.NULL_SUBTYPE, - tokenInfo.getSub())); - } catch (Exception e) { - LOGGER - .atError() - .addKeyValue("errMsg", e.getMessage()) - .addKeyValue("stackTrace", ExceptionUtils.getStackTrace(e)) - .log("Unable to authenticate user with token"); - throw new NotAuthorizedException("Unable to authenticate"); - } - if (principal == null) { - LOGGER.warn( - "Failed to resolve principal from tokenInfo client_id={}", tokenInfo.getClientId()); - throw new NotAuthorizedException("Unable to authenticate"); - } + LOGGER.debug("Making principal from tokenInfo client_id={}", tokenInfo.getClientId()); Set activatedPrincipalRoles = new HashSet<>(); // TODO: Consolidate the divergent "scopes" logic between test-bearer-token and token-exchange. @@ -108,11 +72,14 @@ protected Optional getPrincipal(DecodedToken toke .toList()); } - LOGGER.debug("Resolved principal: {}", principal); - AuthenticatedPolarisPrincipal authenticatedPrincipal = - new AuthenticatedPolarisPrincipal(new PrincipalEntity(principal), activatedPrincipalRoles); - LOGGER.debug("Populating authenticatedPrincipal into CallContext: {}", authenticatedPrincipal); + new AuthenticatedPolarisPrincipalImpl( + tokenInfo.getPrincipalId(), tokenInfo.getSub(), activatedPrincipalRoles); + LOGGER.debug( + "Populating authenticatedPrincipal into CallContext: {}, {}, {}", + authenticatedPrincipal.getPrincipalEntityId(), + authenticatedPrincipal.getName(), + authenticatedPrincipal.getActivatedPrincipalRoleNames()); CallContext.getCurrentContext() .contextVariables() .put(CallContext.AUTHENTICATED_PRINCIPAL, authenticatedPrincipal); diff --git a/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java b/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java index 3d12f75a7..b7c62b599 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapper.java @@ -18,6 +18,9 @@ */ package org.apache.polaris.service.catalog; +import static org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest.AuthorizationTargetType.PRIMARY; +import static org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest.AuthorizationTargetType.SECONDARY; + import com.google.common.base.Preconditions; import com.google.common.collect.Maps; import java.io.Closeable; @@ -29,7 +32,6 @@ import java.util.HashSet; import java.util.List; import java.util.Map; -import java.util.Optional; import java.util.Set; import java.util.function.Supplier; import java.util.stream.Collectors; @@ -188,8 +190,12 @@ private void authorizeBasicNamespaceOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE), - namespace); + namespace, + () -> { + throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); + }); if (extraPassthroughNamespaces != null) { for (Namespace ns : extraPassthroughNamespaces) { @@ -210,16 +216,7 @@ private void authorizeBasicNamespaceOperationOrThrow( } } resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper target = resolutionManifest.getResolvedPath(namespace, true); - if (target == null) { - throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } @@ -231,8 +228,12 @@ private void authorizeCreateNamespaceUnderNamespaceOperationOrThrow( Namespace parentNamespace = PolarisCatalogHelpers.getParentNamespace(namespace); resolutionManifest.addPath( + PRIMARY, new ResolverPath(Arrays.asList(parentNamespace.levels()), PolarisEntityType.NAMESPACE), - parentNamespace); + parentNamespace, + () -> { + throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace); + }); // When creating an entity under a namespace, the authz target is the parentNamespace, but we // must also add the actual path that will be created as an "optional" passthrough resolution @@ -243,16 +244,7 @@ private void authorizeCreateNamespaceUnderNamespaceOperationOrThrow( Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE, true /* optional */), namespace); resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper target = resolutionManifest.getResolvedPath(parentNamespace, true); - if (target == null) { - throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace); - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } @@ -264,8 +256,12 @@ private void authorizeCreateTableLikeUnderNamespaceOperationOrThrow( resolutionManifest = entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); resolutionManifest.addPath( + PRIMARY, new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE), - namespace); + namespace, + () -> { + throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); + }); // When creating an entity under a namespace, the authz target is the namespace, but we must // also @@ -280,16 +276,7 @@ private void authorizeCreateTableLikeUnderNamespaceOperationOrThrow( true /* optional */), identifier); resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper target = resolutionManifest.getResolvedPath(namespace, true); - if (target == null) { - throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace); - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } @@ -301,27 +288,22 @@ private void authorizeBasicTableLikeOperationOrThrow( // The underlying Catalog is also allowed to fetch "fresh" versions of the target entity. resolutionManifest.addPassthroughPath( + PRIMARY, new ResolverPath( PolarisCatalogHelpers.tableIdentifierToList(identifier), PolarisEntityType.TABLE_LIKE, true /* optional */), - identifier); + identifier, + subType, + () -> { + if (subType == PolarisEntitySubType.TABLE) { + throw new NoSuchTableException("Table does not exist: %s", identifier); + } else { + throw new NoSuchViewException("View does not exist: %s", identifier); + } + }); resolutionManifest.resolveAll(); - PolarisResolvedPathWrapper target = - resolutionManifest.getResolvedPath(identifier, subType, true); - if (target == null) { - if (subType == PolarisEntitySubType.TABLE) { - throw new NoSuchTableException("Table does not exist: %s", identifier); - } else { - throw new NoSuchViewException("View does not exist: %s", identifier); - } - } - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - null /* secondary */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } @@ -335,10 +317,17 @@ private void authorizeCollectionOfTableLikeOperationOrThrow( ids.forEach( identifier -> resolutionManifest.addPassthroughPath( + PRIMARY, new ResolverPath( PolarisCatalogHelpers.tableIdentifierToList(identifier), PolarisEntityType.TABLE_LIKE), - identifier)); + identifier, + subType, + () -> { + throw subType == PolarisEntitySubType.TABLE + ? new NoSuchTableException("Table does not exist: %s", identifier) + : new NoSuchViewException("View does not exist: %s", identifier); + })); ResolverStatus status = resolutionManifest.resolveAll(); @@ -355,26 +344,7 @@ private void authorizeCollectionOfTableLikeOperationOrThrow( } } - List targets = - ids.stream() - .map( - identifier -> - Optional.ofNullable( - resolutionManifest.getResolvedPath(identifier, subType, true)) - .orElseThrow( - () -> - subType == PolarisEntitySubType.TABLE - ? new NoSuchTableException( - "Table does not exist: %s", identifier) - : new NoSuchViewException( - "View does not exist: %s", identifier))) - .toList(); - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - targets, - null /* secondaries */); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } @@ -388,10 +358,13 @@ private void authorizeRenameTableLikeOperationOrThrow( entityManager.prepareResolutionManifest(callContext, authenticatedPrincipal, catalogName); // Add src, dstParent, and dst(optional) resolutionManifest.addPath( + PRIMARY, new ResolverPath( PolarisCatalogHelpers.tableIdentifierToList(src), PolarisEntityType.TABLE_LIKE), - src); + src, + subType); resolutionManifest.addPath( + SECONDARY, new ResolverPath(Arrays.asList(dst.namespace().levels()), PolarisEntityType.NAMESPACE), dst.namespace()); resolutionManifest.addPath( @@ -426,15 +399,7 @@ private void authorizeRenameTableLikeOperationOrThrow( throw new AlreadyExistsException("Cannot rename %s to %s. View already exists", src, dst); } - PolarisResolvedPathWrapper target = resolutionManifest.getResolvedPath(src, subType, true); - PolarisResolvedPathWrapper secondary = - resolutionManifest.getResolvedPath(dst.namespace(), true); - authorizer.authorizeOrThrow( - authenticatedPrincipal, - resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(), - op, - target, - secondary); + authorizer.authorizeOrThrow(resolutionManifest, op, true); initializeCatalog(); } diff --git a/polaris-service/src/main/java/org/apache/polaris/service/config/PolarisApplicationConfig.java b/polaris-service/src/main/java/org/apache/polaris/service/config/PolarisApplicationConfig.java index 7d5fd8fdf..f3230dc36 100644 --- a/polaris-service/src/main/java/org/apache/polaris/service/config/PolarisApplicationConfig.java +++ b/polaris-service/src/main/java/org/apache/polaris/service/config/PolarisApplicationConfig.java @@ -33,6 +33,8 @@ import org.apache.commons.lang3.StringUtils; import org.apache.polaris.core.PolarisConfigurationStore; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; +import org.apache.polaris.core.auth.PolarisAuthorizer; +import org.apache.polaris.core.auth.PolarisAuthorizerFactory; import org.apache.polaris.core.persistence.MetaStoreManagerFactory; import org.apache.polaris.service.auth.DiscoverableAuthenticator; import org.apache.polaris.service.catalog.io.FileIOFactory; @@ -54,6 +56,7 @@ public class PolarisApplicationConfig extends Configuration { private RealmContextResolver realmContextResolver; private CallContextResolver callContextResolver; private DiscoverableAuthenticator polarisAuthenticator; + private PolarisAuthorizerFactory authorizerFactory; private CorsConfiguration corsConfiguration = new CorsConfiguration(); private TaskHandlerConfiguration taskHandler = new TaskHandlerConfiguration(); private Map globalFeatureConfiguration = Map.of(); @@ -100,6 +103,15 @@ public void setPolarisAuthenticator( return polarisAuthenticator; } + @JsonProperty("authorizer") + public void setAuthorizer(PolarisAuthorizerFactory factory) { + this.authorizerFactory = factory; + } + + public PolarisAuthorizer createAuthorizer() { + return authorizerFactory.createAuthorizer(getConfigurationStore()); + } + public RealmContextResolver getRealmContextResolver() { realmContextResolver.setDefaultRealm(this.defaultRealm); return realmContextResolver; diff --git a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAdminServiceAuthzTest.java b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAdminServiceAuthzTest.java index f695148c2..210834072 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAdminServiceAuthzTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAdminServiceAuthzTest.java @@ -32,6 +32,7 @@ import org.apache.polaris.core.entity.PolarisPrivilege; import org.apache.polaris.core.entity.PrincipalEntity; import org.apache.polaris.core.entity.PrincipalRoleEntity; +import org.apache.polaris.service.auth.AuthenticatedPolarisPrincipalImpl; import org.assertj.core.api.Assertions; import org.junit.jupiter.api.Test; @@ -42,7 +43,8 @@ private PolarisAdminService newTestAdminService() { private PolarisAdminService newTestAdminService(Set activatedPrincipalRoles) { final AuthenticatedPolarisPrincipal authenticatedPrincipal = - new AuthenticatedPolarisPrincipal(principalEntity, activatedPrincipalRoles); + new AuthenticatedPolarisPrincipalImpl( + principalEntity.getId(), principalEntity.getName(), activatedPrincipalRoles); return new PolarisAdminService( callContext, entityManager, metaStoreManager, authenticatedPrincipal, polarisAuthorizer); } diff --git a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java index ce28d4b54..e7afe7a36 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java @@ -49,8 +49,8 @@ import org.apache.polaris.core.admin.model.PrincipalWithCredentialsCredentials; import org.apache.polaris.core.admin.model.StorageConfigInfo; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; +import org.apache.polaris.core.auth.DefaultPolarisAuthorizer; import org.apache.polaris.core.auth.PolarisAuthorizer; -import org.apache.polaris.core.auth.PolarisAuthorizerImpl; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.context.RealmContext; import org.apache.polaris.core.entity.CatalogEntity; @@ -66,6 +66,7 @@ import org.apache.polaris.core.persistence.PolarisMetaStoreManager; import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest; import org.apache.polaris.core.storage.cache.StorageCredentialCache; +import org.apache.polaris.service.auth.AuthenticatedPolarisPrincipalImpl; import org.apache.polaris.service.catalog.BasePolarisCatalog; import org.apache.polaris.service.catalog.PolarisPassthroughResolutionView; import org.apache.polaris.service.catalog.io.DefaultFileIOFactory; @@ -131,7 +132,7 @@ public abstract class PolarisAuthzTestBase { required(3, "id", Types.IntegerType.get(), "unique ID 🤪"), required(4, "data", Types.StringType.get())); protected final PolarisAuthorizer polarisAuthorizer = - new PolarisAuthorizerImpl( + new DefaultPolarisAuthorizer( new DefaultConfigurationStore( Map.of( PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING.key, @@ -191,7 +192,8 @@ public void before() { "root") .getEntity())); - this.authenticatedRoot = new AuthenticatedPolarisPrincipal(rootEntity, Set.of()); + this.authenticatedRoot = + new AuthenticatedPolarisPrincipalImpl(rootEntity.getId(), rootEntity.getName(), Set.of()); this.adminService = new PolarisAdminService( diff --git a/polaris-service/src/test/java/org/apache/polaris/service/auth/AnonymousAuthIntegrationTest.java b/polaris-service/src/test/java/org/apache/polaris/service/auth/AnonymousAuthIntegrationTest.java new file mode 100644 index 000000000..3e6e34ab6 --- /dev/null +++ b/polaris-service/src/test/java/org/apache/polaris/service/auth/AnonymousAuthIntegrationTest.java @@ -0,0 +1,123 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.polaris.service.auth; + +import static org.apache.polaris.service.context.DefaultContextResolver.REALM_PROPERTY_KEY; +import static org.assertj.core.api.Assertions.assertThat; + +import io.dropwizard.testing.ConfigOverride; +import io.dropwizard.testing.ResourceHelpers; +import io.dropwizard.testing.junit5.DropwizardAppExtension; +import io.dropwizard.testing.junit5.DropwizardExtensionsSupport; +import jakarta.ws.rs.client.Client; +import jakarta.ws.rs.client.Entity; +import jakarta.ws.rs.core.Response; +import java.io.IOException; +import java.net.URI; +import java.util.List; +import java.util.Map; +import java.util.UUID; +import org.apache.iceberg.catalog.Namespace; +import org.apache.iceberg.rest.RESTCatalog; +import org.apache.polaris.core.admin.model.Catalog; +import org.apache.polaris.core.admin.model.CatalogProperties; +import org.apache.polaris.core.admin.model.FileStorageConfigInfo; +import org.apache.polaris.core.admin.model.PolarisCatalog; +import org.apache.polaris.core.admin.model.StorageConfigInfo; +import org.apache.polaris.service.PolarisApplication; +import org.apache.polaris.service.config.PolarisApplicationConfig; +import org.apache.polaris.service.test.PolarisConnectionExtension; +import org.apache.polaris.service.test.PolarisRealm; +import org.apache.polaris.service.test.TestEnvironment; +import org.apache.polaris.service.test.TestEnvironmentExtension; +import org.assertj.core.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; + +@ExtendWith({ + DropwizardExtensionsSupport.class, + PolarisConnectionExtension.class, + TestEnvironmentExtension.class +}) +public class AnonymousAuthIntegrationTest { + private static final DropwizardAppExtension EXT = + new DropwizardAppExtension<>( + PolarisApplication.class, + ResourceHelpers.resourceFilePath("polaris-server-anonymous.yml"), + ConfigOverride.config( + "authenticator.class", + "org.apache.polaris.service.auth.AnonymousPolarisAuthenticator"), + ConfigOverride.config("authorizer.factory", AllowAllAuthorizerFactory.class.getName()), + // Bind to random port to support parallelism + ConfigOverride.config("server.applicationConnectors[0].port", "0"), + // Bind to random port to support parallelism + ConfigOverride.config("server.adminConnectors[0].port", "0")); + + private RESTCatalog restCatalog; + + @BeforeEach + public void before(TestEnvironment testEnv, @PolarisRealm String realm) { + String catalogName = "test-no-auth-" + UUID.randomUUID(); + + Catalog catalog = + PolarisCatalog.builder() + .setType(Catalog.TypeEnum.INTERNAL) + .setName(catalogName) + .setProperties(new CatalogProperties("file:///tmp")) + .setStorageConfigInfo( + new FileStorageConfigInfo( + StorageConfigInfo.StorageTypeEnum.FILE, List.of("file://"))) + .build(); + + URI baseUrl = testEnv.baseUri(); + Client client = EXT.client(); + + try (Response response = + client + .target(String.format("%s/api/management/v1/catalogs", baseUrl)) + .request("application/json") + .header(REALM_PROPERTY_KEY, realm) + // Note: the Authorization must still be present, but its value is irrelevant + .header("Authorization", "Bearer test-token") + .post(Entity.json(catalog))) { + assertThat(response).returns(Response.Status.CREATED.getStatusCode(), Response::getStatus); + } + + restCatalog = new RESTCatalog(); + // Note: the fake token is not validated by AnonymousPolarisAuthenticator + restCatalog.initialize( + "test", + Map.of( + "uri", + String.format("%s/api/catalog", baseUrl), + "token", + "test-token", + "warehouse", + catalogName, + "header." + REALM_PROPERTY_KEY, + realm)); + } + + @Test + public void testBasicRequest() throws IOException { + Assertions.assertThatCode(() -> restCatalog.listNamespaces(Namespace.empty())) + .doesNotThrowAnyException(); + } +} diff --git a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java index 704c7a4ef..ea76d7e7a 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogTest.java @@ -65,7 +65,7 @@ import org.apache.polaris.core.admin.model.AwsStorageConfigInfo; import org.apache.polaris.core.admin.model.StorageConfigInfo; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; -import org.apache.polaris.core.auth.PolarisAuthorizerImpl; +import org.apache.polaris.core.auth.DefaultPolarisAuthorizer; import org.apache.polaris.core.auth.PolarisSecretsManager.PrincipalSecretsResult; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.context.RealmContext; @@ -88,6 +88,7 @@ import org.apache.polaris.core.storage.aws.AwsStorageConfigurationInfo; import org.apache.polaris.core.storage.cache.StorageCredentialCache; import org.apache.polaris.service.admin.PolarisAdminService; +import org.apache.polaris.service.auth.AuthenticatedPolarisPrincipalImpl; import org.apache.polaris.service.catalog.io.DefaultFileIOFactory; import org.apache.polaris.service.catalog.io.FileIOFactory; import org.apache.polaris.service.catalog.io.TestFileIOFactory; @@ -174,7 +175,8 @@ public void before() { "root") .getEntity())); - authenticatedRoot = new AuthenticatedPolarisPrincipal(rootEntity, Set.of()); + authenticatedRoot = + new AuthenticatedPolarisPrincipalImpl(rootEntity.getId(), rootEntity.getName(), Set.of()); adminService = new PolarisAdminService( @@ -182,7 +184,7 @@ public void before() { entityManager, metaStoreManager, authenticatedRoot, - new PolarisAuthorizerImpl(new PolarisConfigurationStore() {})); + new DefaultPolarisAuthorizer(new PolarisConfigurationStore() {})); String storageLocation = "s3://my-bucket/path/to/data"; storageConfigModel = AwsStorageConfigInfo.builder() diff --git a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java index 6385cd94b..e80524216 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/catalog/BasePolarisCatalogViewTest.java @@ -39,7 +39,7 @@ import org.apache.polaris.core.admin.model.FileStorageConfigInfo; import org.apache.polaris.core.admin.model.StorageConfigInfo; import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal; -import org.apache.polaris.core.auth.PolarisAuthorizerImpl; +import org.apache.polaris.core.auth.DefaultPolarisAuthorizer; import org.apache.polaris.core.context.CallContext; import org.apache.polaris.core.context.RealmContext; import org.apache.polaris.core.entity.CatalogEntity; @@ -51,6 +51,7 @@ import org.apache.polaris.core.persistence.PolarisMetaStoreManager; import org.apache.polaris.core.storage.cache.StorageCredentialCache; import org.apache.polaris.service.admin.PolarisAdminService; +import org.apache.polaris.service.auth.AuthenticatedPolarisPrincipalImpl; import org.apache.polaris.service.catalog.io.DefaultFileIOFactory; import org.apache.polaris.service.persistence.InMemoryPolarisMetaStoreManagerFactory; import org.apache.polaris.service.storage.PolarisStorageIntegrationProviderImpl; @@ -106,7 +107,7 @@ public void before() { "root") .getEntity())); AuthenticatedPolarisPrincipal authenticatedRoot = - new AuthenticatedPolarisPrincipal(rootEntity, Set.of()); + new AuthenticatedPolarisPrincipalImpl(rootEntity.getId(), rootEntity.getName(), Set.of()); PolarisAdminService adminService = new PolarisAdminService( @@ -114,7 +115,7 @@ public void before() { entityManager, metaStoreManager, authenticatedRoot, - new PolarisAuthorizerImpl(new PolarisConfigurationStore() {})); + new DefaultPolarisAuthorizer(new PolarisConfigurationStore() {})); adminService.createCatalog( new CatalogEntity.Builder() .setName(CATALOG_NAME) diff --git a/polaris-service/src/test/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java b/polaris-service/src/test/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java index 091bff21a..002cd0c96 100644 --- a/polaris-service/src/test/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java +++ b/polaris-service/src/test/java/org/apache/polaris/service/catalog/PolarisCatalogHandlerWrapperAuthzTest.java @@ -61,6 +61,7 @@ import org.apache.polaris.core.persistence.PolarisMetaStoreManager; import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest; import org.apache.polaris.service.admin.PolarisAuthzTestBase; +import org.apache.polaris.service.auth.AuthenticatedPolarisPrincipalImpl; import org.apache.polaris.service.catalog.io.DefaultFileIOFactory; import org.apache.polaris.service.config.RealmEntityManagerFactory; import org.apache.polaris.service.context.PolarisCallContextCatalogFactory; @@ -86,7 +87,8 @@ private PolarisCatalogHandlerWrapper newWrapper( String catalogName, PolarisCallContextCatalogFactory factory) { final AuthenticatedPolarisPrincipal authenticatedPrincipal = - new AuthenticatedPolarisPrincipal(principalEntity, activatedPrincipalRoles); + new AuthenticatedPolarisPrincipalImpl( + principalEntity.getId(), principalEntity.getName(), activatedPrincipalRoles); return new PolarisCatalogHandlerWrapper( callContext, entityManager, @@ -213,6 +215,7 @@ public void testInsufficientPermissionsPriorToSecretRotation() { metaStoreManager.createPrincipal( callContext.getPolarisCallContext(), new PrincipalEntity.Builder() + .setId(123) .setName(principalName) .setCreateTimestamp(Instant.now().toEpochMilli()) .setCredentialRotationRequiredState() @@ -221,8 +224,8 @@ public void testInsufficientPermissionsPriorToSecretRotation() { adminService.assignPrincipalRole(principalName, PRINCIPAL_ROLE2); final AuthenticatedPolarisPrincipal authenticatedPrincipal = - new AuthenticatedPolarisPrincipal( - PrincipalEntity.of(newPrincipal.getPrincipal()), Set.of()); + new AuthenticatedPolarisPrincipalImpl( + newPrincipal.getPrincipal().getId(), newPrincipal.getPrincipal().getName(), Set.of()); PolarisCatalogHandlerWrapper wrapper = new PolarisCatalogHandlerWrapper( callContext, @@ -253,7 +256,8 @@ public void testInsufficientPermissionsPriorToSecretRotation() { rotateAndRefreshPrincipal( metaStoreManager, principalName, credentials, callContext.getPolarisCallContext()); final AuthenticatedPolarisPrincipal authenticatedPrincipal1 = - new AuthenticatedPolarisPrincipal(PrincipalEntity.of(refreshPrincipal), Set.of()); + new AuthenticatedPolarisPrincipalImpl( + refreshPrincipal.getId(), refreshPrincipal.getName(), Set.of()); PolarisCatalogHandlerWrapper refreshedWrapper = new PolarisCatalogHandlerWrapper( callContext, diff --git a/polaris-service/src/test/resources/polaris-server-anonymous.yml b/polaris-service/src/test/resources/polaris-server-anonymous.yml new file mode 100644 index 000000000..1d33a3a52 --- /dev/null +++ b/polaris-service/src/test/resources/polaris-server-anonymous.yml @@ -0,0 +1,158 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +server: + # Maximum number of threads. + maxThreads: 200 + + # Minimum number of thread to keep alive. + minThreads: 10 + applicationConnectors: + # HTTP-specific options. + - type: http + + # The port on which the HTTP server listens for service requests. + port: 8181 + + adminConnectors: + - type: http + port: 8182 + + # The hostname of the interface to which the HTTP server socket wil be found. If omitted, the + # socket will listen on all interfaces. + #bindHost: localhost + + # ssl: + # keyStore: ./example.keystore + # keyStorePassword: example + # + # keyStoreType: JKS # (optional, JKS is default) + + # HTTP request log settings + requestLog: + appenders: + # Settings for logging to stdout. + - type: console + + # Settings for logging to a file. + - type: file + + # The file to which statements will be logged. + currentLogFilename: ./logs/request.log + + # When the log file rolls over, the file will be archived to requests-2012-03-15.log.gz, + # requests.log will be truncated, and new statements written to it. + archivedLogFilenamePattern: ./logs/requests-%d.log.gz + + # The maximum number of log files to archive. + archivedFileCount: 14 + + # Enable archiving if the request log entries go to the their own file + archive: true + +featureConfiguration: + ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING: true + ALLOW_WILDCARD_LOCATION: true + ALLOW_SPECIFYING_FILE_IO_IMPL: true + SKIP_CREDENTIAL_SUBSCOPING_INDIRECTION: true + ALLOW_OVERLAPPING_CATALOG_URLS: true + ALLOW_EXTERNAL_CATALOG_CREDENTIAL_VENDING: false + SUPPORTED_CATALOG_STORAGE_TYPES: + - FILE + - S3 + - GCS + - AZURE + +metaStoreManager: + type: in-memory + +io: + factoryType: default + +oauth2: + type: default + tokenBroker: + type: symmetric-key + secret: polaris + +authenticator: + class: org.apache.polaris.service.auth.AnonymousPolarisAuthenticator + + +callContextResolver: + type: default + +realmContextResolver: + type: default + +defaultRealm: POLARIS + +cors: + allowed-origins: + - localhost + + # Logging settings. +logging: + + # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. + level: INFO + + # Logger-specific levels. + loggers: + org.apache.polaris: DEBUG + + appenders: + + - type: console + # If true, write log statements to stdout. + # enabled: true + # Do not display log statements below this threshold to stdout. + threshold: ALL + # Custom Logback PatternLayout with threadname. + logFormat: "%-5p [%d{ISO8601} - %-6r] [%t] [%X{aid}%X{sid}%X{tid}%X{wid}%X{oid}%X{srv}%X{job}%X{rid}] %c{30}: %m %kvp%n%ex" + + # Settings for logging to a file. + - type: file + # If true, write log statements to a file. + # enabled: true + # Do not write log statements below this threshold to the file. + threshold: ALL + # Custom Logback PatternLayout with threadname. + logFormat: "%-5p [%d{ISO8601} - %-6r] [%t] [%X{aid}%X{sid}%X{tid}%X{wid}%X{oid}%X{srv}%X{job}%X{rid}] %c: %m %kvp%n%ex" + + # when using json logging, you must use a format like this, else the + # mdc section of the json log will be incorrect + # logFormat: "%-5p [%d{ISO8601} - %-6r] [%t] [%X] %c: %m%n%ex" + + # The file to which statements will be logged. + currentLogFilename: ./logs/iceberg-rest.log + # When the log file rolls over, the file will be archived to polaris-2012-03-15.log.gz, + # polaris.log will be truncated, and new statements written to it. + archivedLogFilenamePattern: ./logs/iceberg-rest-%d.log.gz + # The maximum number of log files to archive. + archivedFileCount: 14 + +# Limits the size of request bodies sent to Polaris. -1 means no limit. +maxRequestBodyBytes: 1000000 + +# Limits the request rate per realm +rateLimiter: + type: realm-token-bucket + requestsPerSecond: 9999 + windowSeconds: 10 diff --git a/polaris-service/src/test/resources/polaris-server-integrationtest.yml b/polaris-service/src/test/resources/polaris-server-integrationtest.yml index b3c8289a7..8a0f352f6 100644 --- a/polaris-service/src/test/resources/polaris-server-integrationtest.yml +++ b/polaris-service/src/test/resources/polaris-server-integrationtest.yml @@ -97,6 +97,8 @@ authenticator: type: symmetric-key secret: polaris +authorizer: + factory: org.apache.polaris.core.auth.DefaultPolarisAuthorizerFactory callContextResolver: type: default