Make PolarisAuthorizer RequestScoped (#2340)

all methods in `PolarisAuthorizer` currently have a `CallContext`
parameter.
in its only implementation only `CallContext.getRealmConfig` is getting
used.

so since `PolarisAuthorizer` cant be used outside a request, we can
simply make it request-scoped and inject the request-scoped `RealmConfig`
directly.

Author: XN137

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java

@@ -22,23 +22,20 @@
 import jakarta.annotation.Nullable;
 import java.util.List;
 import java.util.Set;
-import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
 import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
 
 /** Interface for invoking authorization checks. */
 public interface PolarisAuthorizer {
 
   void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary);
 
   void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java

@@ -114,7 +114,7 @@
 import java.util.stream.Collectors;
 import org.apache.iceberg.exceptions.ForbiddenException;
 import org.apache.polaris.core.config.FeatureConfiguration;
-import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.config.RealmConfig;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
 import org.apache.polaris.core.entity.PolarisEntityCore;
@@ -530,8 +530,12 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
         List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
   }
 
+  private final RealmConfig realmConfig;
+
   @Inject
-  public PolarisAuthorizerImpl() {}
+  public PolarisAuthorizerImpl(RealmConfig realmConfig) {
+    this.realmConfig = realmConfig;
+  }
 
   /**
    * Checks whether the {@code grantedPrivilege} is sufficient to confer {@code desiredPrivilege},
@@ -554,14 +558,12 @@ public boolean matchesOrIsSubsumedBy(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary) {
     authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         activatedEntities,
         authzOp,
@@ -571,17 +573,14 @@ public void authorizeOrThrow(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,
       @Nullable List<PolarisResolvedPathWrapper> secondaries) {
     boolean enforceCredentialRotationRequiredState =
-        callContext
-            .getRealmConfig()
-            .getConfig(
-                FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
+        realmConfig.getConfig(
+            FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
     if (enforceCredentialRotationRequiredState
         && authenticatedPrincipal
             .getPrincipalEntity()

runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java

@@ -251,7 +251,6 @@ private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op)
     PolarisResolvedPathWrapper rootContainerWrapper =
         resolutionManifest.getResolvedRootContainerEntityAsPath();
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedPrincipalRoleEntities(),
         op,
@@ -297,7 +296,6 @@ private void authorizeBasicTopLevelEntityOperationOrThrow(
       return;
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -319,7 +317,6 @@ private void authorizeBasicCatalogRoleOperationOrThrow(
       throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -350,7 +347,6 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(
             principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -387,7 +383,6 @@ private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow(
             principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -418,7 +413,6 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow(
         resolutionManifest.getResolvedTopLevelEntity(principalName, PolarisEntityType.PRINCIPAL);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -458,7 +452,6 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -489,7 +482,6 @@ private void authorizeGrantOnCatalogOperationOrThrow(
     PolarisResolvedPathWrapper catalogRoleWrapper =
         resolutionManifest.getResolvedPath(catalogRoleName, true);
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -530,7 +522,6 @@ private void authorizeGrantOnNamespaceOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -577,7 +568,6 @@ private void authorizeGrantOnTableLikeOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -617,7 +607,6 @@ private void authorizeGrantOnPolicyOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java

@@ -142,7 +142,6 @@ protected void authorizeBasicNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -177,7 +176,6 @@ protected void authorizeCreateNamespaceUnderNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -216,7 +214,6 @@ protected void authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -246,7 +243,6 @@ protected void authorizeBasicTableLikeOperationOrThrow(
       throwNotFoundExceptionForTableLikeEntity(identifier, List.of(subType));
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -298,7 +294,6 @@ protected void authorizeCollectionOfTableLikeOperationOrThrow(
                                         "View does not exist: %s", identifier)))
             .toList();
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -368,7 +363,6 @@ protected void authorizeRenameTableLikeOperationOrThrow(
     PolarisResolvedPathWrapper secondary =
         resolutionManifest.getResolvedPath(dst.namespace(), true);
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java

@@ -167,7 +167,6 @@ private void authorizeBasicPolicyOperationOrThrow(
     }
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -212,7 +211,6 @@ private void authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation
       throw new NotFoundException("Catalog not found");
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -272,7 +270,6 @@ private void authorizePolicyMappingOperationOrThrow(
         determinePolicyMappingOperation(target, targetWrapper, isAttach);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java

@@ -133,12 +133,6 @@ public ResolutionManifestFactory resolutionManifestFactory(ResolverFactory resol
     return new ResolutionManifestFactoryImpl(resolverFactory);
   }
 
-  @Produces
-  @ApplicationScoped
-  public PolarisAuthorizer polarisAuthorizer() {
-    return new PolarisAuthorizerImpl();
-  }
-
   @Produces
   @Singleton
   public PolarisDiagnostics polarisDiagnostics() {
@@ -170,6 +164,12 @@ public RealmConfig realmConfig(CallContext callContext) {
     return callContext.getRealmConfig();
   }
 
+  @Produces
+  @RequestScoped
+  public PolarisAuthorizer polarisAuthorizer(RealmConfig realmConfig) {
+    return new PolarisAuthorizerImpl(realmConfig);
+  }
+
   // Polaris service beans - selected from @Identifier-annotated beans
 
   @Produces

runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java

@@ -201,7 +201,7 @@ public String getAuthenticationScheme() {
             return "";
           }
         },
-        new PolarisAuthorizerImpl(),
+        new PolarisAuthorizerImpl(callContext.getRealmConfig()),
         new ReservedProperties() {
           @Override
           public List<String> prefixes() {

runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java

@@ -228,8 +228,6 @@ public void before(TestInfo testInfo) {
     metaStoreManager = managerFactory.getOrCreateMetaStoreManager(realmContext);
     userSecretsManager = userSecretsManagerFactory.getOrCreateUserSecretsManager(realmContext);
 
-    polarisAuthorizer = new PolarisAuthorizerImpl();
-
     polarisContext =
         new PolarisCallContext(
             realmContext,
@@ -240,6 +238,8 @@ public void before(TestInfo testInfo) {
     callContext = polarisContext;
     realmConfig = polarisContext.getRealmConfig();
 
+    polarisAuthorizer = new PolarisAuthorizerImpl(polarisContext.getRealmConfig());
+
     PrincipalEntity rootPrincipal =
         metaStoreManager.findRootPrincipal(polarisContext).orElseThrow();
     this.authenticatedRoot = new AuthenticatedPolarisPrincipal(rootPrincipal, Set.of());

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java

@@ -313,7 +313,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
             reservedProperties);
 
     String storageLocation = "s3://my-bucket/path/to/data";

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java

@@ -182,7 +182,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
             reservedProperties);
     adminService.createCatalog(
         new CreateCatalogRequest(