Update PolarisAuthorizerImpl to use PolarisGrantManager interface and add EntityCache based PolarisGrantManager impl

dropwizard/service/src/main/java/org/apache/polaris/service/dropwizard/PolarisApplication.java

@@ -60,6 +60,7 @@
 import io.opentelemetry.semconv.ServiceAttributes;
 import io.prometheus.metrics.exporter.servlet.jakarta.PrometheusMetricsServlet;
 import jakarta.inject.Inject;
+import jakarta.inject.Named;
 import jakarta.inject.Provider;
 import jakarta.inject.Singleton;
 import jakarta.servlet.DispatcherType;
@@ -93,6 +94,7 @@
 import org.apache.polaris.core.persistence.MetaStoreManagerFactory;
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
 import org.apache.polaris.core.persistence.cache.EntityCache;
+import org.apache.polaris.core.persistence.cache.EntityCacheGrantManager;
 import org.apache.polaris.core.persistence.cache.PolarisRemoteCache;
 import org.apache.polaris.service.admin.PolarisServiceImpl;
 import org.apache.polaris.service.admin.api.PolarisCatalogsApi;
@@ -302,7 +304,12 @@ protected void configure() {
                 // manager
                 bindFactory(PolarisMetaStoreManagerFactory.class)
                     .in(RealmScoped.class)
+                    .named("delegateGrantManager")
                     .to(PolarisGrantManager.class);
+                bindFactory(EntityCacheGrantManagerFactory.class)
+                    .in(RealmScoped.class)
+                    .to(PolarisGrantManager.class)
+                    .ranked(100);
                 polarisMetricRegistry.init(
                     IcebergRestCatalogApi.class,
                     IcebergRestConfigurationApi.class,
@@ -527,6 +534,23 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
     }
   }
 
+  private static class EntityCacheGrantManagerFactory implements Factory<PolarisGrantManager> {
+    @Inject
+    @Named("delegateGrantManager")
+    PolarisGrantManager grantManager;
+
+    @Inject EntityCache entityCache;
+
+    @RealmScoped
+    @Override
+    public PolarisGrantManager provide() {
+      return new EntityCacheGrantManager(grantManager, entityCache);
+    }
+
+    @Override
+    public void dispose(PolarisGrantManager instance) {}
+  }
+
   /** Factory to create a CallContext based on the request contents. */
   @RequestScoped
   private static class CallContextFactory implements Factory<CallContext> {

dropwizard/service/src/test/java/org/apache/polaris/service/dropwizard/admin/PolarisAuthzTestBase.java

@@ -65,6 +65,7 @@
 import org.apache.polaris.core.persistence.PolarisEntityManager;
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
 import org.apache.polaris.core.persistence.cache.EntityCache;
+import org.apache.polaris.core.persistence.cache.EntityCacheGrantManager;
 import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
 import org.apache.polaris.core.storage.cache.StorageCredentialCache;
 import org.apache.polaris.service.admin.PolarisAdminService;
@@ -132,12 +133,7 @@ public abstract class PolarisAuthzTestBase {
       new Schema(
           required(3, "id", Types.IntegerType.get(), "unique ID 🤪"),
           required(4, "data", Types.StringType.get()));
-  protected final PolarisAuthorizer polarisAuthorizer =
-      new PolarisAuthorizerImpl(
-          new DefaultConfigurationStore(
-              Map.of(
-                  PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING.key,
-                  true)));
+  protected PolarisAuthorizer polarisAuthorizer;
 
   protected BasePolarisCatalog baseCatalog;
   protected PolarisAdminService adminService;
@@ -164,6 +160,7 @@ public void before() {
     Map<String, Object> configMap =
         Map.of(
             "ALLOW_SPECIFYING_FILE_IO_IMPL", true, "ALLOW_EXTERNAL_METADATA_FILE_LOCATION", true);
+
     PolarisCallContext polarisContext =
         new PolarisCallContext(
             metaStoreManagerFactory.getOrCreateSessionSupplier(realmContext).get(),
@@ -183,6 +180,19 @@ public void before() {
     callContext = CallContext.of(realmContext, polarisContext);
     CallContext.setCurrentContext(callContext);
 
+    EntityCache entityCache = new EntityCache(metaStoreManager);
+    polarisAuthorizer =
+        new PolarisAuthorizerImpl(
+            new DefaultConfigurationStore(
+                Map.of(
+                    PolarisConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING
+                        .key,
+                    true)),
+            () -> new EntityCacheGrantManager(metaStoreManager, entityCache));
+    this.entityManager =
+        new PolarisEntityManager(metaStoreManager, new StorageCredentialCache(), entityCache);
+    this.metaStoreManager = metaStoreManager;
+
     PrincipalEntity rootEntity =
         new PrincipalEntity(
             PolarisEntity.of(

dropwizard/service/src/test/java/org/apache/polaris/service/dropwizard/catalog/BasePolarisCatalogTest.java

@@ -81,6 +81,7 @@
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
 import org.apache.polaris.core.persistence.PolarisMetaStoreSession;
 import org.apache.polaris.core.persistence.cache.EntityCache;
+import org.apache.polaris.core.persistence.cache.EntityCacheGrantManager;
 import org.apache.polaris.core.storage.PolarisCredentialProperty;
 import org.apache.polaris.core.storage.PolarisStorageIntegration;
 import org.apache.polaris.core.storage.PolarisStorageIntegrationProvider;
@@ -158,9 +159,9 @@ public void before() {
               }
             },
             Clock.systemDefaultZone());
+    EntityCache entityCache = new EntityCache(metaStoreManager);
     entityManager =
-        new PolarisEntityManager(
-            metaStoreManager, new StorageCredentialCache(), new EntityCache(metaStoreManager));
+        new PolarisEntityManager(metaStoreManager, new StorageCredentialCache(), entityCache);
 
     CallContext callContext = CallContext.of(realmContext, polarisContext);
     CallContext.setCurrentContext(callContext);
@@ -185,7 +186,10 @@ public void before() {
             entityManager,
             metaStoreManager,
             authenticatedRoot,
-            new PolarisAuthorizerImpl(new PolarisConfigurationStore() {}));
+            new PolarisAuthorizerImpl(
+                new PolarisConfigurationStore() {},
+                () -> new EntityCacheGrantManager(metaStoreManager, entityCache)));
+
     String storageLocation = "s3://my-bucket/path/to/data";
     storageConfigModel =
         AwsStorageConfigInfo.builder()

dropwizard/service/src/test/java/org/apache/polaris/service/dropwizard/catalog/BasePolarisCatalogViewTest.java

@@ -50,6 +50,7 @@
 import org.apache.polaris.core.persistence.PolarisEntityManager;
 import org.apache.polaris.core.persistence.PolarisMetaStoreManager;
 import org.apache.polaris.core.persistence.cache.EntityCache;
+import org.apache.polaris.core.persistence.cache.EntityCacheGrantManager;
 import org.apache.polaris.core.storage.cache.StorageCredentialCache;
 import org.apache.polaris.service.admin.PolarisAdminService;
 import org.apache.polaris.service.catalog.BasePolarisCatalog;
@@ -90,9 +91,9 @@ public void before() {
             },
             Clock.systemDefaultZone());
 
+    EntityCache entityCache = new EntityCache(metaStoreManager);
     PolarisEntityManager entityManager =
-        new PolarisEntityManager(
-            metaStoreManager, new StorageCredentialCache(), new EntityCache(metaStoreManager));
+        new PolarisEntityManager(metaStoreManager, new StorageCredentialCache(), entityCache);
 
     CallContext callContext = CallContext.of(null, polarisContext);
     CallContext.setCurrentContext(callContext);
@@ -117,7 +118,9 @@ public void before() {
             entityManager,
             metaStoreManager,
             authenticatedRoot,
-            new PolarisAuthorizerImpl(new PolarisConfigurationStore() {}));
+            new PolarisAuthorizerImpl(
+                new PolarisConfigurationStore() {},
+                () -> new EntityCacheGrantManager(metaStoreManager, entityCache)));
     adminService.createCatalog(
         new CatalogEntity.Builder()
             .setName(CATALOG_NAME)

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizerImpl.java

@@ -94,20 +94,22 @@
 import jakarta.annotation.Nonnull;
 import jakarta.annotation.Nullable;
 import jakarta.inject.Inject;
+import jakarta.inject.Provider;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.iceberg.exceptions.ForbiddenException;
+import org.apache.polaris.core.PolarisCallContext;
 import org.apache.polaris.core.PolarisConfiguration;
 import org.apache.polaris.core.PolarisConfigurationStore;
 import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntity;
 import org.apache.polaris.core.entity.PolarisEntityConstants;
 import org.apache.polaris.core.entity.PolarisEntityCore;
 import org.apache.polaris.core.entity.PolarisGrantRecord;
 import org.apache.polaris.core.entity.PolarisPrivilege;
 import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
-import org.apache.polaris.core.persistence.ResolvedPolarisEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -460,10 +462,13 @@ public class PolarisAuthorizerImpl implements PolarisAuthorizer {
   }
 
   private final PolarisConfigurationStore featureConfig;
+  private final Provider<PolarisGrantManager> grantManagerFactory;
 
   @Inject
-  public PolarisAuthorizerImpl(PolarisConfigurationStore featureConfig) {
+  public PolarisAuthorizerImpl(
+      PolarisConfigurationStore featureConfig, Provider<PolarisGrantManager> grantManagerFactory) {
     this.featureConfig = featureConfig;
+    this.grantManagerFactory = grantManagerFactory;
   }
 
   /**
@@ -604,15 +609,23 @@ public boolean hasTransitivePrivilege(
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
+    PolarisGrantManager grantManager = grantManagerFactory.get();
+    PolarisCallContext callContext = CallContext.getCurrentContext().getPolarisCallContext();
 
     // Iterate starting at the parent, since the most common case should be to manage grants as
     // high up in the resource hierarchy as possible, so we expect earlier termination.
-    for (ResolvedPolarisEntity resolvedSecurableEntity : resolvedPath.getResolvedFullPath()) {
-      Preconditions.checkState(
-          resolvedSecurableEntity.getGrantRecordsAsSecurable() != null,
-          "Got null grantRecordsAsSecurable for resolvedSecurableEntity %s",
-          resolvedSecurableEntity);
-      for (PolarisGrantRecord grantRecord : resolvedSecurableEntity.getGrantRecordsAsSecurable()) {
+    for (PolarisEntity resolvedSecurableEntity : resolvedPath.getRawFullPath()) {
+      PolarisGrantManager.LoadGrantsResult grantsResult =
+          grantManager.loadGrantsOnSecurable(
+              callContext, resolvedSecurableEntity.getCatalogId(), resolvedSecurableEntity.getId());
+      callContext
+          .getDiagServices()
+          .check(
+              grantsResult.isSuccess(),
+              "no_grants_for_securable",
+              "unable to load grants for securable %s",
+              resolvedSecurableEntity.getId());
+      for (PolarisGrantRecord grantRecord : grantsResult.getGrantRecords()) {
         if (matchesOrIsSubsumedBy(
             desiredPrivilege, PolarisPrivilege.fromCode(grantRecord.getPrivilegeCode()))) {
           // Found a potential candidate for satisfying our authz goal.

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisGrantManager.java

@@ -35,6 +35,7 @@
 
 /** Manage grants for Polaris entities. */
 public interface PolarisGrantManager {
+
   /**
    * Grant usage on a role to a grantee, for example granting usage on a catalog role to a principal
    * role or granting a principal role to a principal.

polaris-core/src/main/java/org/apache/polaris/core/persistence/PolarisEntityManager.java

@@ -20,15 +20,10 @@
 
 import jakarta.annotation.Nonnull;
 import jakarta.annotation.Nullable;
-import java.util.List;
 import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
 import org.apache.polaris.core.context.CallContext;
 import org.apache.polaris.core.entity.PolarisEntity;
-import org.apache.polaris.core.entity.PolarisEntityConstants;
-import org.apache.polaris.core.entity.PolarisEntitySubType;
 import org.apache.polaris.core.entity.PolarisEntityType;
-import org.apache.polaris.core.entity.PolarisGrantRecord;
-import org.apache.polaris.core.entity.PolarisPrivilege;
 import org.apache.polaris.core.persistence.cache.EntityCache;
 import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
 import org.apache.polaris.core.persistence.resolver.Resolver;
@@ -45,8 +40,18 @@ public class PolarisEntityManager {
 
   private final StorageCredentialCache credentialCache;
 
-  // Lazily instantiated only a single time per entity manager.
-  private ResolvedPolarisEntity implicitResolvedRootContainerEntity = null;
+  // For now, the root container is only implicit and doesn't exist in the entity store, and only
+  // the service_admin PrincipalRole has the SERVICE_MANAGE_ACCESS grant on this entity. If it
+  // becomes possible to grant other PrincipalRoles with SERVICE_MANAGE_ACCESS or other privileges
+  // on this root entity, then we must actually create a representation of this root entity in the
+  // entity store itself.
+  private final PolarisEntity implicitResolvedRootContainerEntity =
+      new PolarisEntity.Builder()
+          .setId(0L)
+          .setCatalogId(0L)
+          .setType(PolarisEntityType.ROOT)
+          .setName("root")
+          .build();
 
   /**
    * @param metaStoreManager the metastore manager for the current realm
@@ -85,60 +90,10 @@ public PolarisResolutionManifest prepareResolutionManifest(
     PolarisResolutionManifest manifest =
         new PolarisResolutionManifest(
             callContext, this, authenticatedPrincipal, referenceCatalogName);
-    manifest.setSimulatedResolvedRootContainerEntity(
-        getSimulatedResolvedRootContainerEntity(callContext));
+    manifest.setSimulatedResolvedRootContainerEntity(implicitResolvedRootContainerEntity);
     return manifest;
   }
 
-  /**
-   * Returns a ResolvedPolarisEntity representing the realm-level "root" entity that is the implicit
-   * parent container of all things in this realm.
-   */
-  private synchronized ResolvedPolarisEntity getSimulatedResolvedRootContainerEntity(
-      CallContext callContext) {
-    if (implicitResolvedRootContainerEntity == null) {
-      // For now, the root container is only implicit and doesn't exist in the entity store, and
-      // only
-      // the service_admin PrincipalRole has the SERVICE_MANAGE_ACCESS grant on this entity. If it
-      // becomes
-      // possible to grant other PrincipalRoles with SERVICE_MANAGE_ACCESS or other privileges on
-      // this
-      // root entity, then we must actually create a representation of this root entity in the
-      // entity store itself.
-      PolarisEntity serviceAdminPrincipalRole =
-          PolarisEntity.of(
-              metaStoreManager
-                  .readEntityByName(
-                      callContext.getPolarisCallContext(),
-                      null,
-                      PolarisEntityType.PRINCIPAL_ROLE,
-                      PolarisEntitySubType.NULL_SUBTYPE,
-                      PolarisEntityConstants.getNameOfPrincipalServiceAdminRole())
-                  .getEntity());
-      if (serviceAdminPrincipalRole == null) {
-        throw new IllegalStateException("Failed to resolve service_admin PrincipalRole");
-      }
-      PolarisEntity rootContainerEntity =
-          new PolarisEntity.Builder()
-              .setId(0L)
-              .setCatalogId(0L)
-              .setType(PolarisEntityType.ROOT)
-              .setName("root")
-              .build();
-      PolarisGrantRecord serviceAdminGrant =
-          new PolarisGrantRecord(
-              0L,
-              0L,
-              serviceAdminPrincipalRole.getCatalogId(),
-              serviceAdminPrincipalRole.getId(),
-              PolarisPrivilege.SERVICE_MANAGE_ACCESS.getCode());
-
-      implicitResolvedRootContainerEntity =
-          new ResolvedPolarisEntity(rootContainerEntity, null, List.of(serviceAdminGrant));
-    }
-    return implicitResolvedRootContainerEntity;
-  }
-
   public StorageCredentialCache getCredentialCache() {
     return credentialCache;
   }