apache · dimas-b · Nov 29, 2024 · Nov 29, 2024 · Nov 29, 2024 · Nov 29, 2024
@@ -18,55 +18,20 @@
  */
 package org.apache.polaris.core.auth;
 
-import jakarta.annotation.Nonnull;
-import java.util.List;
 import java.util.Set;
-import org.apache.polaris.core.entity.PolarisEntity;
-import org.apache.polaris.core.entity.PrincipalRoleEntity;
 
 /** Holds the results of request authentication. */
-public class AuthenticatedPolarisPrincipal implements java.security.Principal {
-  private final PolarisEntity principalEntity;
-  private final Set<String> activatedPrincipalRoleNames;
-  // only known and set after the above set of principal role names have been resolved. Before
-  // this, this list is null
-  private List<PrincipalRoleEntity> activatedPrincipalRoles;
-
-  public AuthenticatedPolarisPrincipal(
-      @Nonnull PolarisEntity principalEntity, @Nonnull Set<String> activatedPrincipalRoles) {
-    this.principalEntity = principalEntity;
-    this.activatedPrincipalRoleNames = activatedPrincipalRoles;
-    this.activatedPrincipalRoles = null;
-  }
-
-  @Override
-  public String getName() {
-    return principalEntity.getName();
-  }
-
-  public PolarisEntity getPrincipalEntity() {
-    return principalEntity;
-  }
-
-  public Set<String> getActivatedPrincipalRoleNames() {
-    return activatedPrincipalRoleNames;
-  }
-
-  public List<PrincipalRoleEntity> getActivatedPrincipalRoles() {
-    return activatedPrincipalRoles;
-  }
-
-  public void setActivatedPrincipalRoles(List<PrincipalRoleEntity> activatedPrincipalRoles) {
-    this.activatedPrincipalRoles = activatedPrincipalRoles;
-  }
-
-  @Override
-  public String toString() {
-    return "principalEntity="
-        + getPrincipalEntity()
-        + ";activatedPrincipalRoleNames="
-        + getActivatedPrincipalRoleNames()
-        + ";activatedPrincipalRoles="
-        + getActivatedPrincipalRoles();
-  }
+public interface AuthenticatedPolarisPrincipal extends java.security.Principal {
+
+  /**
+   * Principal entity ID obtained during request authentication (e.g. from the authorization token).
+   *
+   * <p>Negative values indicate that a principal ID was not provided in authenticated data,
+   * however, other authentic information about the principal (e.g. name, roles) may still be
+   * available.
+   */
+  long getPrincipalEntityId();
+
+  /** A sub-set of the assigned roles that are deemed effective in requests using this principal. */
+  Set<String> getActivatedPrincipalRoleNames();
 }
@@ -101,12 +101,15 @@
 import org.apache.polaris.core.PolarisConfigurationStore;
 import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
 import org.apache.polaris.core.entity.PolarisEntityCore;
+import org.apache.polaris.core.entity.PolarisEntityType;
 import org.apache.polaris.core.entity.PolarisGrantRecord;
 import org.apache.polaris.core.entity.PolarisPrivilege;
 import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
 import org.apache.polaris.core.persistence.ResolvedPolarisEntity;
+import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -119,8 +122,8 @@
  * the expanded roles of the calling Principal hold SERVICE_MANAGE_ACCESS on the "root" catalog,
  * which translates into a cross-catalog permission.
  */
-public class PolarisAuthorizerImpl implements PolarisAuthorizer {
-  private static final Logger LOGGER = LoggerFactory.getLogger(PolarisAuthorizerImpl.class);
+public class DefaultPolarisAuthorizer implements PolarisAuthorizer {
+  private static final Logger LOGGER = LoggerFactory.getLogger(DefaultPolarisAuthorizer.class);
 
   private static final SetMultimap<PolarisPrivilege, PolarisPrivilege> SUPER_PRIVILEGES =
       HashMultimap.create();
@@ -460,7 +463,7 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
 
   private final PolarisConfigurationStore featureConfig;
 
-  public PolarisAuthorizerImpl(PolarisConfigurationStore featureConfig) {
+  public DefaultPolarisAuthorizer(PolarisConfigurationStore featureConfig) {
     this.featureConfig = featureConfig;
   }
 
@@ -485,71 +488,81 @@ public boolean matchesOrIsSubsumedBy(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
-      @Nonnull Set<PolarisBaseEntity> activatedEntities,
+      @Nonnull PolarisResolutionManifest manifest,
       @Nonnull PolarisAuthorizableOperation authzOp,
-      @Nullable PolarisResolvedPathWrapper target,
-      @Nullable PolarisResolvedPathWrapper secondary) {
-    authorizeOrThrow(
-        authenticatedPrincipal,
-        activatedEntities,
-        authzOp,
-        target == null ? null : List.of(target),
-        secondary == null ? null : List.of(secondary));
-  }
+      boolean considerCatalogRoles) {
+
+    List<PolarisResolvedPathWrapper> targets = manifest.authorizationTargets();
+    List<PolarisResolvedPathWrapper> secondaries = manifest.authorizationSecondaries();
+
+    PolarisEntity principal = manifest.getResolvedPolarisPrincipal();
+    if (principal == null) {
+      AuthenticatedPolarisPrincipal authPrincipal = manifest.getAuthenticatedPrincipal();
+      throw new ForbiddenException(
+          "Principal '%s' (ID: %s) could not be resolved",
+          authPrincipal.getName(), authPrincipal.getPrincipalEntityId());
+    }
+
+    Set<PolarisBaseEntity> activatedEntities =
+        considerCatalogRoles
+            ? manifest.getAllActivatedCatalogRoleAndPrincipalRoles()
+            : manifest.getAllActivatedPrincipalRoleEntities();
 
-  @Override
-  public void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
-      @Nonnull Set<PolarisBaseEntity> activatedEntities,
-      @Nonnull PolarisAuthorizableOperation authzOp,
-      @Nullable List<PolarisResolvedPathWrapper> targets,
-      @Nullable List<PolarisResolvedPathWrapper> secondaries) {
     boolean enforceCredentialRotationRequiredState =
         featureConfig.getConfiguration(
             CallContext.getCurrentContext().getPolarisCallContext(),
             PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
     if (enforceCredentialRotationRequiredState
-        && authenticatedPrincipal
-            .getPrincipalEntity()
+        && principal
             .getInternalPropertiesAsMap()
             .containsKey(PolarisEntityConstants.PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE)
         && authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS) {
       throw new ForbiddenException(
           "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE",
-          authenticatedPrincipal.getName(), authzOp);
-    } else if (!isAuthorized(
-        authenticatedPrincipal, activatedEntities, authzOp, targets, secondaries)) {
+          principal.getName(), authzOp);
+    }
+
+    if (isPrincipalOwnCredentialReset(principal, authzOp, targets)) {
+      LOGGER
+          .atDebug()
+          .addKeyValue("principalName", principal.getName())
+          .log("Allowing rotate own credentials");
+      return;
+    }
+
+    if (!isAuthorized(principal, activatedEntities, authzOp, targets, secondaries)) {
       throw new ForbiddenException(
           "Principal '%s' with activated PrincipalRoles '%s' and activated grants via '%s' is not authorized for op %s",
-          authenticatedPrincipal.getName(),
-          authenticatedPrincipal.getActivatedPrincipalRoleNames(),
+          principal.getName(),
+          manifest.getResolvedPolarisPrincipalRoleNames(),
           activatedEntities.stream().map(PolarisEntityCore::getName).collect(Collectors.toSet()),
           authzOp);
     }
   }
 
   /**
-   * Based on the required target/targetParent/secondary/secondaryParent privileges mapped from
-   * {@code authzOp}, determines whether the caller's set of activatedGranteeIds is authorized for
-   * the operation.
+   * Returns {@code true} if the operation is a reset or rotation of the principal's own secrets. In
+   * this case the operation is implicitly allowed without any specific permission checks.
    */
-  public boolean isAuthorized(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
-      @Nonnull Set<PolarisBaseEntity> activatedEntities,
-      @Nonnull PolarisAuthorizableOperation authzOp,
-      @Nullable PolarisResolvedPathWrapper target,
-      @Nullable PolarisResolvedPathWrapper secondary) {
-    return isAuthorized(
-        authenticatedPolarisPrincipal,
-        activatedEntities,
-        authzOp,
-        target == null ? null : List.of(target),
-        secondary == null ? null : List.of(secondary));
+  private boolean isPrincipalOwnCredentialReset(
+      PolarisEntity principal,
+      PolarisAuthorizableOperation op,
+      List<PolarisResolvedPathWrapper> targets) {
+    if (op != PolarisAuthorizableOperation.ROTATE_CREDENTIALS
+        && op != PolarisAuthorizableOperation.RESET_CREDENTIALS) {
+      return false;
+    }
+
+    if (targets.size() != 1) {
+      return false;
+    }
+
+    PolarisEntity target = targets.get(0).getResolvedLeafEntity().getEntity();
+    return target.getType() == PolarisEntityType.PRINCIPAL && target.getId() == principal.getId();
   }
 
   public boolean isAuthorized(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
+      @Nonnull PolarisEntity principal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,
@@ -564,8 +577,7 @@ public boolean isAuthorized(
           authzOp,
           privilegeOnTarget);
       for (PolarisResolvedPathWrapper target : targets) {
-        if (!hasTransitivePrivilege(
-            authenticatedPolarisPrincipal, entityIdSet, privilegeOnTarget, target)) {
+        if (!hasTransitivePrivilege(principal, entityIdSet, privilegeOnTarget, target)) {
           // TODO: Collect missing privileges to report all at the end and/or return to code
           // that throws NotAuthorizedException for more useful messages.
           return false;
@@ -579,8 +591,7 @@ public boolean isAuthorized(
           authzOp,
           privilegeOnSecondary);
       for (PolarisResolvedPathWrapper secondary : secondaries) {
-        if (!hasTransitivePrivilege(
-            authenticatedPolarisPrincipal, entityIdSet, privilegeOnSecondary, secondary)) {
+        if (!hasTransitivePrivilege(principal, entityIdSet, privilegeOnSecondary, secondary)) {
           return false;
         }
       }
@@ -598,7 +609,7 @@ public boolean isAuthorized(
    * errors/exceptions.
    */
   public boolean hasTransitivePrivilege(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
+      @Nonnull PolarisEntity principal,
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
@@ -621,7 +632,7 @@ public boolean hasTransitivePrivilege(
                 desiredPrivilege,
                 grantRecord,
                 resolvedSecurableEntity,
-                authenticatedPolarisPrincipal.getName(),
+                principal.getName(),
                 activatedGranteeIds);
             return true;
           }
@@ -632,7 +643,7 @@ public boolean hasTransitivePrivilege(
     LOGGER.debug(
         "Failed to satisfy privilege {} for principalName {} on resolvedPath {}",
         desiredPrivilege,
-        authenticatedPolarisPrincipal.getName(),
+        principal.getName(),
         resolvedPath);
     return false;
   }

@@ -0,0 +1,29 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.auth;
+
+import org.apache.polaris.core.PolarisConfigurationStore;
+
+@SuppressWarnings("unused") // configured in polaris-server.yml
+public class DefaultPolarisAuthorizerFactory implements PolarisAuthorizerFactory {
+  @Override
+  public PolarisAuthorizer createAuthorizer(PolarisConfigurationStore config) {
+    return new DefaultPolarisAuthorizer(config);
+  }
+}
@@ -19,26 +19,28 @@
 package org.apache.polaris.core.auth;
 
 import jakarta.annotation.Nonnull;
-import jakarta.annotation.Nullable;
-import java.util.List;
-import java.util.Set;
-import org.apache.polaris.core.entity.PolarisBaseEntity;
-import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
+import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
 
 /** Interface for invoking authorization checks. */
 public interface PolarisAuthorizer {
 
+  /**
+   * Validates whether the requested operation is permitted based on the collection of entities
+   * (including principals, roles, and catalog objects) that are affected by the operation.
+   *
+   * <p>"activated" entities, "targets" and "secondaries" are contained within the provided
+   * manifest. The extra selector parameters merely define what sub-set of objects from the manifest
+   * should be considered as "targets", etc.
+   *
+   * <p>The effective principal information is also provided in the manifest.
+   *
+   * @param manifest defines the input for authorization checks.
+   * @param operation the operation being authorized.
+   * @param considerCatalogRoles whether catalog roles should be considered ({@code true}) or only
+   *     principal roles ({@code false}).
+   */
   void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
-      @Nonnull Set<PolarisBaseEntity> activatedEntities,
-      @Nonnull PolarisAuthorizableOperation authzOp,
-      @Nullable PolarisResolvedPathWrapper target,
-      @Nullable PolarisResolvedPathWrapper secondary);
-
-  void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
-      @Nonnull Set<PolarisBaseEntity> activatedEntities,
-      @Nonnull PolarisAuthorizableOperation authzOp,
-      @Nullable List<PolarisResolvedPathWrapper> targets,
-      @Nullable List<PolarisResolvedPathWrapper> secondaries);
+      @Nonnull PolarisResolutionManifest manifest,
+      @Nonnull PolarisAuthorizableOperation operation,
+      boolean considerCatalogRoles);
 }
@@ -0,0 +1,31 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.core.auth;
+
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apache.polaris.core.PolarisConfigurationStore;
+
+/**
+ * A factory for creating {@link PolarisAuthorizer} instances configured via a {@link
+ * PolarisConfigurationStore}
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, property = "factory")
+public interface PolarisAuthorizerFactory {
+  PolarisAuthorizer createAuthorizer(PolarisConfigurationStore config);
+}
@@ -66,7 +66,7 @@ public Resolver prepareResolver(
     return new Resolver(
         callContext.getPolarisCallContext(),
         metaStoreManager,
-        authenticatedPrincipal.getPrincipalEntity().getId(),
+        authenticatedPrincipal.getPrincipalEntityId(),
         null, /* callerPrincipalName */
         authenticatedPrincipal.getActivatedPrincipalRoleNames().isEmpty()
             ? null