Implement OpaPolarisAuthorizer

[sungwy]

Resolves #138

RFC: https://docs.google.com/document/d/1HadMFygjbuZathZZPanO6cFVorx0Ju0FopkICxX1tCE/edit?tab=t.0
Mailing list discussion: https://lists.apache.org/thread/54qdbsxs3j7wwhv3tsccqj6qng5lqgmz

Some followup items highlighted as a part of this PR review:

• introduce OpaHttpClientFactory that utilizes PoolingHttpClientConnectionManager to get opa-http-client to be more production ready
• publish user-facing docs on OPA authorization
• publish json schema for docs and opa server checks
• introduce per-realm configuration support

[adutra]

Thanks @sungwy for this draft PR, I couldn't resist and took a look 😄

This is really interesting imho and a very nice addition to Polaris. We need to start thinking about ways to make Polaris RBAC fully pluggable.

[dimas-b]

Very interesting idea! Just some preliminary comments below :)

[flyrain]

Thanks for working on it @sungwy ! Looking forward to the RFC/design doc!

[dimas-b]

technically this is still racy since cachedToken is volatile... it is not likely to materialize as a bug, but the code pattern looks a bit worrisome 😅 why not load the value into a local var, check and return from local?

e.g. return Preconditions.checkNotNull(cachedToken, "Bearer token is unexpectedly empty ...")

[snazy]

I guess this is outdated now with the new commits.

[snazy]

One nit, everything else beside int-tests LGTM.

For integration-tests, I'm thinking of having non-Quarkus integration tests against an OPA testcontainer in the "main" OPA module.

I've prepared some stuff for tests in this commit (here as well):

• Add a starter for an integration test in the "main" module
• Updated the existing int tests

Idea is to have the majority of integration-tests in the "main" module and only a smoke-test in runtime-service.

I think we can then get rid of the opa-tests module and can move the "main" module one directory level up.

BTW: Please add an entry for the "main" module to :polaris-bom.

WDYT?

[snazy]

I guess this is outdated now with the new commits.

[sungwy]

For integration-tests, I'm thinking of having non-Quarkus integration tests against an OPA testcontainer in the "main" OPA module.

I've prepared some stuff for tests in this commit (here as well):

• Add a starter for an integration test in the "main" module
• Updated the existing int tests

Idea is to have the majority of integration-tests in the "main" module and only a smoke-test in runtime-service.

I think we can then get rid of the opa-tests module and can move the "main" module one directory level up.

Thanks again @snazy :) Let me take a look at your draft PR and see if I can get rid of the test module and bring impl back up to main. I had some trouble achieving this because of the dependency on :polaris-runtime-service.

Just so I'm clear: is your suggestion to move the QuarkusIntegrationTest annotated tests back into polaris-runtime-service?

[snazy]

Just so I'm clear: is your suggestion to move the QuarkusIntegrationTest annotated tests back into polaris-runtime-service?

Yes and no ;)

Have non-Quarkus integration tests (like OpaAuthorizerIT) in the "main" OPA module and have a minimal set of OPA integration tests in polaris-runtime-service just to verify the integration with Quarkus. I suspect we don't need that many ITs in runtime-service, probably more or less just a "smoke test".
I'm not really familiar with what's worth being integration tested in the non-Quarkus ITs.
Test coverage for the OPA factory and the authorizer itself is pretty good.

[dimas-b]

Nice reuse of existing functionality 🚀

[dimas-b]

optional: I do not want to disturb the impl. at this stage as it looks pretty solid to me... but I suppose it could be simplified this way:

• keep a volatile reference to a CompletionStage with token data
• getToken always calls .get() with a timeout
• the initial ref. to the CompletionStage is make in the constructor by scheduling a refresh task
• when refresh completes it will update the CompletionStage and reschedule
• the CompletionStage will be "complete" in all cases but the initial refresh, so .get() calls will not wait except possibly on the first call.
• we have less fields and less ifs (hopefully) in this class (only refreshTask and the CompletionStage)

WDYT?

[dimas-b]

IIRC, we had some prior discussions about avoiding CDI annotations in core as a convention...

If it's required only for @Identifier("internal") on DefaultPolarisAuthorizerFactory, I'd propose remove the annotation from the class and make a producer method for it in ServiceProducers.

Alternatively, we could remove DefaultPolarisAuthorizerFactory completely and update ServiceProducers to "manually" use PolarisAuthorizerImpl if Instance<PolarisAuthorizerFactory> is not resolvable in CDI.

WDYT?

[sungwy]

Thanks @dimas-b these are great suggestions. Thank you for giving me the background context on the package discussions.

I've added a Producer method in ServiceProducers and removed the cdi dependency from polaris-core

[sungwy]

I suspect we don't need that many ITs in runtime-service, probably more or less just a "smoke test".
I'm not really familiar with what's worth being integration tested in the non-Quarkus ITs.

I actually found it very helpful to have the Quarkus integration tests because it helped verify the smallrye Configs. Maybe that's a matter of me being new to CDIs but I think it's still helpful to have that coverage.

@dimas-b - I would love to get your thoughts on this suggestion as well

[sungwy]

BTW: Please add an entry for the "main" module to :polaris-bom.

I've added the polaris-extensions-auth-opa module to :polaris-bom. I also noticed that the other extensions polaris-extensions-federation-hive and polaris-extensions-federation-hadoop are missing. Should these be added as well? (maybe in a separate PR)

[flyrain]

I've added the polaris-extensions-auth-opa module to :polaris-bom. I also noticed that the other extensions polaris-extensions-federation-hive and polaris-extensions-federation-hadoop are missing. Should these be added as well? (maybe in a separate PR)

Yes, we will need them in BOM as well. A separate PR sounds good to me.

[dimas-b]

Sorry about the delay. This PR LGTM in its current state, except the dep. on CDI annotations in polaris-core.

The current tests layout LGTM. So, if @snazy is ok with that, I think we're pretty close to merging.

Re: CDI in core, we can probably discuss that on the dev ML if you prefer to keep the annotation. The reason I flagged it is not my personal objection, but the fact that IIRC it was discussed before and the agreement in the community was to avoid CDI-specific annotations in core.

[sungwy]

@dimas-b - I've addressed the concern regarding the polaris-core dependency. Appreciate the review!

[dimas-b]

LGTM 👍 @sungwy : Many thanks for the contribution and for bearing with the long review process 😉

[dimas-b]

Let's give some more time to @flyrain, @adutra and @snazy for final thoughts / comments. I suppose we could also follow up with test adjustments relocations after merging this PR (it's been in review for a long time 😅 )

[sungwy]

Woohoo!

Thank you @dimas-b ! And @snazy @flyrain and @adutra for the reviews as well.

This was a great way for me to get up to speed with the project, so thanks for your interest and patience in reviewing this PR as well.

I'll be following this up with some more PRs (docs, schema, etc) and we'll start integrating this into our platform.

[flyrain]

Why do we need this dependency? Is this only for test?

[sungwy]

I believe this actually is the CDI implementation of polaris-async-api AsyncExec that's optimized for Quarkus applications. Hence, we need it as a runtimeOnly dependency in polaris-runtime-service

[flyrain]

I’m good with using the Vert.x async executor since we’re already on Quarkus. The polaris-async-vertx module currently lives under /persistence/nosql, but it’s really part of the async infrastructure rather than a NoSQL implementation detail. We could consider moving it out of that directory, though it doesn’t need to be done in this PR.

[flyrain]

Thanks a lot for working on it, @sungwy ! Thanks @snazy @dimas-b @jbonofre for the review.