Make ResolverFactory + ResolutionManifestFactory request-scoped (#2540)

this avoids passing around the `CallContext` parameter

note that ideally the `SecurityContext` would also be injected from
the request however our tests around `PolarisAuthzTestBase` are
written in a way that does not easily support this currently.

Author: XN137

polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/PolarisResolutionManifest.java

@@ -30,7 +30,7 @@
 import java.util.Set;
 import org.apache.polaris.core.PolarisDiagnostics;
 import org.apache.polaris.core.auth.PolarisPrincipal;
-import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.context.RealmContext;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
 import org.apache.polaris.core.entity.PolarisEntitySubType;
@@ -52,8 +52,8 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal
   private static final Logger LOGGER = LoggerFactory.getLogger(PolarisResolutionManifest.class);
 
   private final ResolverFactory resolverFactory;
-  private final CallContext callContext;
   private final SecurityContext securityContext;
+  private final RealmContext realmContext;
   private final String catalogName;
   private final Resolver primaryResolver;
   private final PolarisDiagnostics diagnostics;
@@ -71,15 +71,14 @@ public class PolarisResolutionManifest implements PolarisResolutionManifestCatal
 
   public PolarisResolutionManifest(
       PolarisDiagnostics diagnostics,
-      CallContext callContext,
+      RealmContext realmContext,
       ResolverFactory resolverFactory,
       SecurityContext securityContext,
       String catalogName) {
-    this.callContext = callContext;
+    this.realmContext = realmContext;
     this.resolverFactory = resolverFactory;
     this.catalogName = catalogName;
-    this.primaryResolver =
-        resolverFactory.createResolver(callContext, securityContext, catalogName);
+    this.primaryResolver = resolverFactory.createResolver(securityContext, catalogName);
     this.diagnostics = diagnostics;
     this.diagnostics.checkNotNull(securityContext, "null_security_context_for_resolution_manifest");
     this.securityContext = securityContext;
@@ -187,8 +186,7 @@ public PolarisResolvedPathWrapper getPassthroughResolvedPath(Object key) {
     ResolverPath requestedPath = passthroughPaths.get(key);
 
     // Run a single-use Resolver for this path.
-    Resolver passthroughResolver =
-        resolverFactory.createResolver(callContext, securityContext, catalogName);
+    Resolver passthroughResolver = resolverFactory.createResolver(securityContext, catalogName);
     passthroughResolver.addPath(requestedPath);
     ResolverStatus status = passthroughResolver.resolveAll();
 
@@ -273,7 +271,7 @@ public Set<PolarisBaseEntity> getAllActivatedPrincipalRoleEntities() {
     if (resolvedEntity == null) {
       LOGGER.warn(
           "Failed to find rootContainer for realm: {} and catalog: {}",
-          callContext.getRealmContext().getRealmIdentifier(),
+          realmContext.getRealmIdentifier(),
           catalogName);
     }
     return resolvedEntity;

polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/ResolutionManifestFactory.java

@@ -22,13 +22,10 @@
 import jakarta.annotation.Nonnull;
 import jakarta.annotation.Nullable;
 import jakarta.ws.rs.core.SecurityContext;
-import org.apache.polaris.core.context.CallContext;
 
 public interface ResolutionManifestFactory {
 
   @Nonnull
   PolarisResolutionManifest createResolutionManifest(
-      @Nonnull CallContext callContext,
-      @Nonnull SecurityContext securityContext,
-      @Nullable String referenceCatalogName);
+      @Nonnull SecurityContext securityContext, @Nullable String referenceCatalogName);
 }

polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/ResolutionManifestFactoryImpl.java

@@ -23,26 +23,28 @@
 import jakarta.annotation.Nullable;
 import jakarta.ws.rs.core.SecurityContext;
 import org.apache.polaris.core.PolarisDiagnostics;
-import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.context.RealmContext;
 
 public class ResolutionManifestFactoryImpl implements ResolutionManifestFactory {
 
   private final PolarisDiagnostics diagnostics;
+  private final RealmContext realmContext;
   private final ResolverFactory resolverFactory;
 
   public ResolutionManifestFactoryImpl(
-      @Nonnull PolarisDiagnostics diagnostics, @Nonnull ResolverFactory resolverFactory) {
+      @Nonnull PolarisDiagnostics diagnostics,
+      @Nonnull RealmContext realmContext,
+      @Nonnull ResolverFactory resolverFactory) {
     this.diagnostics = diagnostics;
+    this.realmContext = realmContext;
     this.resolverFactory = resolverFactory;
   }
 
   @Nonnull
   @Override
   public PolarisResolutionManifest createResolutionManifest(
-      @Nonnull CallContext callContext,
-      @Nonnull SecurityContext securityContext,
-      @Nullable String referenceCatalogName) {
+      @Nonnull SecurityContext securityContext, @Nullable String referenceCatalogName) {
     return new PolarisResolutionManifest(
-        diagnostics, callContext, resolverFactory, securityContext, referenceCatalogName);
+        diagnostics, realmContext, resolverFactory, securityContext, referenceCatalogName);
   }
 }

polaris-core/src/main/java/org/apache/polaris/core/persistence/resolver/ResolverFactory.java

@@ -22,11 +22,8 @@
 import jakarta.annotation.Nonnull;
 import jakarta.annotation.Nullable;
 import jakarta.ws.rs.core.SecurityContext;
-import org.apache.polaris.core.context.CallContext;
 
 public interface ResolverFactory {
   Resolver createResolver(
-      @Nonnull CallContext callContext,
-      @Nonnull SecurityContext securityContext,
-      @Nullable String referenceCatalogName);
+      @Nonnull SecurityContext securityContext, @Nullable String referenceCatalogName);
 }

runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java

@@ -190,6 +190,10 @@ private UserSecretsManager getUserSecretsManager() {
     return userSecretsManager;
   }
 
+  private PolarisResolutionManifest newResolutionManifest(@Nullable String catalogName) {
+    return resolutionManifestFactory.createResolutionManifest(securityContext, catalogName);
+  }
+
   private Optional<CatalogEntity> currentCatalog() {
     return Optional.ofNullable(resolutionManifest.getResolvedReferenceCatalogEntity())
         .map(path -> CatalogEntity.of(path.getRawLeafEntity()));
@@ -213,9 +217,7 @@ private Optional<CatalogRoleEntity> findCatalogRoleByName(String catalogName, St
   }
 
   private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, null /* referenceCatalogName */);
+    resolutionManifest = newResolutionManifest(null);
     resolutionManifest.resolveAll();
     PolarisResolvedPathWrapper rootContainerWrapper =
         resolutionManifest.getResolvedRootContainerEntityAsPath();
@@ -240,9 +242,7 @@ private void authorizeBasicTopLevelEntityOperationOrThrow(
       String topLevelEntityName,
       PolarisEntityType entityType,
       @Nullable String referenceCatalogName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, referenceCatalogName);
+    resolutionManifest = newResolutionManifest(referenceCatalogName);
     resolutionManifest.addTopLevelName(topLevelEntityName, entityType, false /* isOptional */);
     ResolverStatus status = resolutionManifest.resolveAll();
     if (status.getStatus() == ResolverStatus.StatusEnum.ENTITY_COULD_NOT_BE_RESOLVED) {
@@ -293,9 +293,7 @@ private static boolean isSelfOperation(PolarisAuthorizableOperation op) {
 
   private void authorizeBasicCatalogRoleOperationOrThrow(
       PolarisAuthorizableOperation op, String catalogName, String catalogRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addPath(
         new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE),
         catalogRoleName);
@@ -314,8 +312,7 @@ private void authorizeBasicCatalogRoleOperationOrThrow(
 
   private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(
       PolarisAuthorizableOperation op, String principalRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(callContext, securityContext, null);
+    resolutionManifest = newResolutionManifest(null);
     resolutionManifest.addTopLevelName(
         principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */);
     ResolverStatus status = resolutionManifest.resolveAll();
@@ -342,8 +339,7 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(
 
   private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow(
       PolarisAuthorizableOperation op, String principalRoleName, String principalName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(callContext, securityContext, null);
+    resolutionManifest = newResolutionManifest(null);
     resolutionManifest.addTopLevelName(
         principalRoleName, PolarisEntityType.PRINCIPAL_ROLE, false /* isOptional */);
     resolutionManifest.addTopLevelName(
@@ -375,9 +371,7 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow(
       String catalogName,
       String catalogRoleName,
       String principalRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addPath(
         new ResolverPath(List.of(catalogRoleName), PolarisEntityType.CATALOG_ROLE),
         catalogRoleName);
@@ -411,9 +405,7 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow(
 
   private void authorizeGrantOnCatalogOperationOrThrow(
       PolarisAuthorizableOperation op, String catalogName, String catalogRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addTopLevelName(
         catalogName, PolarisEntityType.CATALOG, false /* isOptional */);
     resolutionManifest.addPath(
@@ -444,9 +436,7 @@ private void authorizeGrantOnNamespaceOperationOrThrow(
       String catalogName,
       Namespace namespace,
       String catalogRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addPassthroughPath(
         new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE),
         namespace);
@@ -485,9 +475,7 @@ private void authorizeGrantOnTableLikeOperationOrThrow(
       List<PolarisEntitySubType> subTypes,
       TableIdentifier identifier,
       String catalogRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addPassthroughPath(
         new ResolverPath(
             Arrays.asList(identifier.namespace().levels()), PolarisEntityType.NAMESPACE),
@@ -544,9 +532,7 @@ private void authorizeGrantOnPolicyOperationOrThrow(
       String catalogName,
       PolicyIdentifier identifier,
       String catalogRoleName) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest(catalogName);
     resolutionManifest.addPath(
         new ResolverPath(
             PolarisCatalogHelpers.identifierToList(identifier.getNamespace(), identifier.getName()),

runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java

@@ -102,6 +102,10 @@ protected UserSecretsManager getUserSecretsManager() {
     return userSecretsManager;
   }
 
+  protected PolarisResolutionManifest newResolutionManifest() {
+    return resolutionManifestFactory.createResolutionManifest(securityContext, catalogName);
+  }
+
   /** Initialize the catalog once authorized. Called after all `authorize...` methods. */
   protected abstract void initializeCatalog();
 
@@ -116,9 +120,7 @@ protected void authorizeBasicNamespaceOperationOrThrow(
       List<Namespace> extraPassthroughNamespaces,
       List<TableIdentifier> extraPassthroughTableLikes,
       List<PolicyIdentifier> extraPassThroughPolicies) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     resolutionManifest.addPath(
         new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE),
         namespace);
@@ -170,9 +172,7 @@ protected void authorizeBasicNamespaceOperationOrThrow(
 
   protected void authorizeCreateNamespaceUnderNamespaceOperationOrThrow(
       PolarisAuthorizableOperation op, Namespace namespace) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
 
     Namespace parentNamespace = PolarisCatalogHelpers.getParentNamespace(namespace);
     resolutionManifest.addPath(
@@ -206,9 +206,7 @@ protected void authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
       PolarisAuthorizableOperation op, TableIdentifier identifier) {
     Namespace namespace = identifier.namespace();
 
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     resolutionManifest.addPath(
         new ResolverPath(Arrays.asList(namespace.levels()), PolarisEntityType.NAMESPACE),
         namespace);
@@ -242,9 +240,7 @@ protected void authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
 
   protected void authorizeBasicTableLikeOperationOrThrow(
       PolarisAuthorizableOperation op, PolarisEntitySubType subType, TableIdentifier identifier) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
 
     // The underlying Catalog is also allowed to fetch "fresh" versions of the target entity.
     resolutionManifest.addPassthroughPath(
@@ -273,9 +269,7 @@ protected void authorizeCollectionOfTableLikeOperationOrThrow(
       PolarisAuthorizableOperation op,
       final PolarisEntitySubType subType,
       List<TableIdentifier> ids) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     ids.forEach(
         identifier ->
             resolutionManifest.addPassthroughPath(
@@ -325,9 +319,7 @@ protected void authorizeRenameTableLikeOperationOrThrow(
       PolarisEntitySubType subType,
       TableIdentifier src,
       TableIdentifier dst) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     // Add src, dstParent, and dst(optional)
     resolutionManifest.addPath(
         new ResolverPath(

runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalog.java

@@ -1231,7 +1231,7 @@ private <T extends PolarisEntity & LocationBasedEntity> void validateNoLocationO
     PolarisResolutionManifest resolutionManifest =
         new PolarisResolutionManifest(
             diagnostics,
-            callContext,
+            callContext.getRealmContext(),
             resolverFactory,
             securityContext,
             parentPath.getFirst().getName());

runtime/service/src/main/java/org/apache/polaris/service/catalog/iceberg/IcebergCatalogAdapter.java

@@ -800,7 +800,7 @@ public Response getConfig(
     if (warehouse == null) {
       throw new BadRequestException("Please specify a warehouse");
     }
-    Resolver resolver = resolverFactory.createResolver(callContext, securityContext, warehouse);
+    Resolver resolver = resolverFactory.createResolver(securityContext, warehouse);
     ResolverStatus resolverStatus = resolver.resolveAll();
     if (!resolverStatus.getStatus().equals(ResolverStatus.StatusEnum.SUCCESS)) {
       throw new NotFoundException("Unable to find warehouse %s", warehouse);

runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java

@@ -165,9 +165,7 @@ public GetApplicablePoliciesResponse getApplicablePolicies(
 
   private void authorizeBasicPolicyOperationOrThrow(
       PolarisAuthorizableOperation op, PolicyIdentifier identifier) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     resolutionManifest.addPassthroughPath(
         new ResolverPath(
             PolarisCatalogHelpers.identifierToList(identifier.getNamespace(), identifier.getName()),
@@ -215,9 +213,7 @@ private void authorizeGetApplicablePoliciesOperationOrThrow(
   }
 
   private void authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation op) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     resolutionManifest.resolveAll();
 
     PolarisResolvedPathWrapper targetCatalog =
@@ -237,9 +233,7 @@ private void authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation
 
   private void authorizePolicyMappingOperationOrThrow(
       PolicyIdentifier identifier, PolicyAttachmentTarget target, boolean isAttach) {
-    resolutionManifest =
-        resolutionManifestFactory.createResolutionManifest(
-            callContext, securityContext, catalogName);
+    resolutionManifest = newResolutionManifest();
     resolutionManifest.addPassthroughPath(
         new ResolverPath(
             PolarisCatalogHelpers.identifierToList(identifier.getNamespace(), identifier.getName()),