Make PolarisAuthorizer RequestScoped

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java

@@ -22,23 +22,20 @@
 import jakarta.annotation.Nullable;
 import java.util.List;
 import java.util.Set;
-import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
 import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
 
 /** Interface for invoking authorization checks. */
 public interface PolarisAuthorizer {
 
   void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary);
 
   void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java

@@ -114,7 +114,7 @@
 import java.util.stream.Collectors;
 import org.apache.iceberg.exceptions.ForbiddenException;
 import org.apache.polaris.core.config.FeatureConfiguration;
-import org.apache.polaris.core.context.CallContext;
+import org.apache.polaris.core.config.RealmConfig;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
 import org.apache.polaris.core.entity.PolarisEntityCore;
@@ -530,8 +530,12 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
         List.of(TABLE_DETACH_POLICY, CATALOG_MANAGE_METADATA, CATALOG_MANAGE_CONTENT));
   }
 
+  private final RealmConfig realmConfig;
+
   @Inject
-  public PolarisAuthorizerImpl() {}
+  public PolarisAuthorizerImpl(RealmConfig realmConfig) {
+    this.realmConfig = realmConfig;
+  }
 
   /**
    * Checks whether the {@code grantedPrivilege} is sufficient to confer {@code desiredPrivilege},
@@ -554,14 +558,12 @@ public boolean matchesOrIsSubsumedBy(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary) {
     authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         activatedEntities,
         authzOp,
@@ -571,17 +573,14 @@ public void authorizeOrThrow(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull CallContext callContext,
       @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,
       @Nullable List<PolarisResolvedPathWrapper> secondaries) {
     boolean enforceCredentialRotationRequiredState =
-        callContext
-            .getRealmConfig()
-            .getConfig(
-                FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
+        realmConfig.getConfig(
+            FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
     if (enforceCredentialRotationRequiredState
         && authenticatedPrincipal
             .getPrincipalEntity()

runtime/service/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java

@@ -250,7 +250,6 @@ private void authorizeBasicRootOperationOrThrow(PolarisAuthorizableOperation op)
     PolarisResolvedPathWrapper rootContainerWrapper =
         resolutionManifest.getResolvedRootContainerEntityAsPath();
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedPrincipalRoleEntities(),
         op,
@@ -296,7 +295,6 @@ private void authorizeBasicTopLevelEntityOperationOrThrow(
       return;
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -318,7 +316,6 @@ private void authorizeBasicCatalogRoleOperationOrThrow(
       throw new NotFoundException("CatalogRole does not exist: %s", catalogRoleName);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -349,7 +346,6 @@ private void authorizeGrantOnRootContainerToPrincipalRoleOperationOrThrow(
             principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -386,7 +382,6 @@ private void authorizeGrantOnTopLevelEntityToPrincipalRoleOperationOrThrow(
             principalRoleName, PolarisEntityType.PRINCIPAL_ROLE);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -417,7 +412,6 @@ private void authorizeGrantOnPrincipalRoleToPrincipalOperationOrThrow(
         resolutionManifest.getResolvedTopLevelEntity(principalName, PolarisEntityType.PRINCIPAL);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -457,7 +451,6 @@ private void authorizeGrantOnCatalogRoleToPrincipalRoleOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -488,7 +481,6 @@ private void authorizeGrantOnCatalogOperationOrThrow(
     PolarisResolvedPathWrapper catalogRoleWrapper =
         resolutionManifest.getResolvedPath(catalogRoleName, true);
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -529,7 +521,6 @@ private void authorizeGrantOnNamespaceOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -576,7 +567,6 @@ private void authorizeGrantOnTableLikeOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -616,7 +606,6 @@ private void authorizeGrantOnPolicyOperationOrThrow(
         resolutionManifest.getResolvedPath(catalogRoleName, true);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/catalog/common/CatalogHandler.java

@@ -142,7 +142,6 @@ protected void authorizeBasicNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -177,7 +176,6 @@ protected void authorizeCreateNamespaceUnderNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", parentNamespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -216,7 +214,6 @@ protected void authorizeCreateTableLikeUnderNamespaceOperationOrThrow(
       throw new NoSuchNamespaceException("Namespace does not exist: %s", namespace);
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -246,7 +243,6 @@ protected void authorizeBasicTableLikeOperationOrThrow(
       throwNotFoundExceptionForTableLikeEntity(identifier, List.of(subType));
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -298,7 +294,6 @@ protected void authorizeCollectionOfTableLikeOperationOrThrow(
                                         "View does not exist: %s", identifier)))
             .toList();
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -368,7 +363,6 @@ protected void authorizeRenameTableLikeOperationOrThrow(
     PolarisResolvedPathWrapper secondary =
         resolutionManifest.getResolvedPath(dst.namespace(), true);
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/catalog/policy/PolicyCatalogHandler.java

@@ -167,7 +167,6 @@ private void authorizeBasicPolicyOperationOrThrow(
     }
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -212,7 +211,6 @@ private void authorizeBasicCatalogOperationOrThrow(PolarisAuthorizableOperation
       throw new NotFoundException("Catalog not found");
     }
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,
@@ -272,7 +270,6 @@ private void authorizePolicyMappingOperationOrThrow(
         determinePolicyMappingOperation(target, targetWrapper, isAttach);
 
     authorizer.authorizeOrThrow(
-        callContext,
         authenticatedPrincipal,
         resolutionManifest.getAllActivatedCatalogRoleAndPrincipalRoles(),
         op,

runtime/service/src/main/java/org/apache/polaris/service/config/ServiceProducers.java

@@ -133,12 +133,6 @@ public ResolutionManifestFactory resolutionManifestFactory(ResolverFactory resol
     return new ResolutionManifestFactoryImpl(resolverFactory);
   }
 
-  @Produces
-  @ApplicationScoped
-  public PolarisAuthorizer polarisAuthorizer() {
-    return new PolarisAuthorizerImpl();
-  }
-
   @Produces
   @Singleton
   public PolarisDiagnostics polarisDiagnostics() {
@@ -170,6 +164,12 @@ public RealmConfig realmConfig(CallContext callContext) {
     return callContext.getRealmConfig();
   }
 
+  @Produces
+  @RequestScoped
+  public PolarisAuthorizer polarisAuthorizer(RealmConfig realmConfig) {
+    return new PolarisAuthorizerImpl(realmConfig);
+  }
+
   // Polaris service beans - selected from @Identifier-annotated beans
 
   @Produces

runtime/service/src/test/java/org/apache/polaris/service/admin/ManagementServiceTest.java

@@ -201,7 +201,7 @@ public String getAuthenticationScheme() {
             return "";
           }
         },
-        new PolarisAuthorizerImpl(),
+        new PolarisAuthorizerImpl(callContext.getRealmConfig()),
         new ReservedProperties() {
           @Override
           public List<String> prefixes() {

runtime/service/src/test/java/org/apache/polaris/service/admin/PolarisAuthzTestBase.java

@@ -224,8 +224,6 @@ public void before(TestInfo testInfo) {
     metaStoreManager = managerFactory.getOrCreateMetaStoreManager(realmContext);
     userSecretsManager = userSecretsManagerFactory.getOrCreateUserSecretsManager(realmContext);
 
-    polarisAuthorizer = new PolarisAuthorizerImpl();
-
     polarisContext =
         new PolarisCallContext(
             realmContext,
@@ -235,6 +233,8 @@ public void before(TestInfo testInfo) {
 
     callContext = polarisContext;
 
+    polarisAuthorizer = new PolarisAuthorizerImpl(polarisContext.getRealmConfig());
+
     PrincipalEntity rootPrincipal =
         metaStoreManager.findRootPrincipal(polarisContext).orElseThrow();
     this.authenticatedRoot = new AuthenticatedPolarisPrincipal(rootPrincipal, Set.of());

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogTest.java

@@ -311,7 +311,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
             reservedProperties);
 
     String storageLocation = "s3://my-bucket/path/to/data";

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractIcebergCatalogViewTest.java

@@ -179,7 +179,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
             reservedProperties);
     adminService.createCatalog(
         new CreateCatalogRequest(

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolarisGenericTableCatalogTest.java

@@ -170,7 +170,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(polarisContext.getRealmConfig()),
             reservedProperties);
 
     String storageLocation = "s3://my-bucket/path/to/data";

runtime/service/src/test/java/org/apache/polaris/service/catalog/AbstractPolicyCatalogTest.java

@@ -195,7 +195,7 @@ public void before(TestInfo testInfo) {
             metaStoreManager,
             userSecretsManager,
             securityContext,
-            new PolarisAuthorizerImpl(),
+            new PolarisAuthorizerImpl(callContext.getRealmConfig()),
             reservedProperties);
 
     String storageLocation = "s3://my-bucket/path/to/data";