core: Authorization SPI Refactor (Draft)

extensions/auth/opa/impl/src/main/java/org/apache/polaris/extension/auth/opa/OpaPolarisAuthorizer.java

@@ -26,6 +26,7 @@
 import java.io.IOException;
 import java.net.URI;
 import java.util.ArrayList;
+import java.util.EnumSet;
 import java.util.List;
 import java.util.Set;
 import java.util.UUID;
@@ -41,11 +42,17 @@
 import org.apache.hc.core5.http.io.entity.EntityUtils;
 import org.apache.hc.core5.http.io.entity.StringEntity;
 import org.apache.iceberg.exceptions.ForbiddenException;
+import org.apache.polaris.core.auth.AuthorizationCallContext;
+import org.apache.polaris.core.auth.AuthorizationRequest;
 import org.apache.polaris.core.auth.PolarisAuthorizableOperation;
 import org.apache.polaris.core.auth.PolarisAuthorizer;
 import org.apache.polaris.core.auth.PolarisPrincipal;
+import org.apache.polaris.core.auth.PolarisSecurable;
 import org.apache.polaris.core.entity.PolarisBaseEntity;
+import org.apache.polaris.core.entity.PolarisEntityType;
 import org.apache.polaris.core.persistence.PolarisResolvedPathWrapper;
+import org.apache.polaris.core.persistence.resolver.PolarisResolutionManifest;
+import org.apache.polaris.core.persistence.resolver.Resolvable;
 import org.apache.polaris.extension.auth.opa.model.ImmutableActor;
 import org.apache.polaris.extension.auth.opa.model.ImmutableContext;
 import org.apache.polaris.extension.auth.opa.model.ImmutableOpaAuthorizationInput;
@@ -107,6 +114,46 @@ public OpaPolarisAuthorizer(
    * @param secondary the secondary entity (if any)
    * @throws ForbiddenException if authorization is denied by OPA
    */
+  @Override
+  public void preAuthorize(
+      @Nonnull AuthorizationCallContext ctx, @Nonnull AuthorizationRequest request) {
+    PolarisResolutionManifest manifest = ctx.getResolutionManifest();
+    if (manifest.hasResolution()) {
+      return;
+    }
+    // Resolve requested entities without RBAC role resolution.
+    manifest.resolveSelections(
+        EnumSet.of(
+            Resolvable.REFERENCE_CATALOG,
+            Resolvable.REQUESTED_PATHS,
+            Resolvable.TOP_LEVEL_ENTITIES));
+  }
+
+  @Override
+  public void authorize(
+      @Nonnull AuthorizationCallContext ctx, @Nonnull AuthorizationRequest request) {
+    if (request.getOperation().isRbacAdminOperation()) {
+      throw new ForbiddenException("OPA denied admin operation");
+    }
+    boolean allowed =
+        queryOpaIntent(
+            request.getPrincipal(),
+            request.getOperation(),
+            request.getTargets(),
+            request.getSecondaries());
+    if (!allowed) {
+      throw new ForbiddenException(
+          "Principal '%s' is not authorized for op %s",
+          request.getPrincipal().getName(), request.getOperation());
+    }
+  }
+
+  @Override
+  public void authorizeOrThrow(
+      @Nonnull AuthorizationCallContext ctx, @Nonnull AuthorizationRequest request) {
+    authorize(ctx, request);
+  }
+
   @Override
   public void authorizeOrThrow(
       @Nonnull PolarisPrincipal polarisPrincipal,
@@ -192,6 +239,31 @@ private boolean queryOpa(
     }
   }
 
+  private boolean queryOpaIntent(
+      PolarisPrincipal principal,
+      PolarisAuthorizableOperation op,
+      List<PolarisSecurable> targets,
+      List<PolarisSecurable> secondaries) {
+    try {
+      String inputJson = buildOpaInputJson(principal, op, targets, secondaries);
+
+      HttpPost httpPost = new HttpPost(policyUri);
+      httpPost.setHeader("Content-Type", "application/json");
+
+      if (tokenProvider != null) {
+        String token = tokenProvider.getToken();
+        if (token != null && !token.isEmpty()) {
+          httpPost.setHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token);
+        }
+      }
+
+      httpPost.setEntity(new StringEntity(inputJson, ContentType.APPLICATION_JSON));
+      return httpClientExecute(httpPost, this::queryOpaCheckResponse);
+    } catch (HttpException | IOException e) {
+      throw new RuntimeException("OPA query failed", e);
+    }
+  }
+
   @VisibleForTesting
   <T> T httpClientExecute(
       ClassicHttpRequest request, HttpClientResponseHandler<? extends T> responseHandler)
@@ -295,6 +367,54 @@ private String buildOpaInputJson(
     return objectMapper.writeValueAsString(request);
   }
 
+  private String buildOpaInputJson(
+      PolarisPrincipal principal,
+      PolarisAuthorizableOperation op,
+      List<PolarisSecurable> targets,
+      List<PolarisSecurable> secondaries)
+      throws IOException {
+
+    var actor =
+        ImmutableActor.builder()
+            .principal(principal.getName())
+            .addAllRoles(principal.getRoles())
+            .build();
+
+    List<ResourceEntity> targetEntities = new ArrayList<>();
+    if (targets != null) {
+      for (PolarisSecurable target : targets) {
+        ResourceEntity entity = buildResourceEntity(target);
+        if (entity != null) {
+          targetEntities.add(entity);
+        }
+      }
+    }
+
+    List<ResourceEntity> secondaryEntities = new ArrayList<>();
+    if (secondaries != null) {
+      for (PolarisSecurable secondary : secondaries) {
+        ResourceEntity entity = buildResourceEntity(secondary);
+        if (entity != null) {
+          secondaryEntities.add(entity);
+        }
+      }
+    }
+
+    var resource =
+        ImmutableResource.builder().targets(targetEntities).secondaries(secondaryEntities).build();
+    var context = ImmutableContext.builder().requestId(UUID.randomUUID().toString()).build();
+    var input =
+        ImmutableOpaAuthorizationInput.builder()
+            .actor(actor)
+            .action(op.name())
+            .resource(resource)
+            .context(context)
+            .build();
+    var request = ImmutableOpaRequest.builder().input(input).build();
+
+    return objectMapper.writeValueAsString(request);
+  }
+
   /**
    * Builds a resource entity from a resolved path wrapper.
    *
@@ -332,4 +452,38 @@ private ResourceEntity buildResourceEntity(@Nullable PolarisResolvedPathWrapper
 
     return builder.build();
   }
+
+  @Nullable
+  private ResourceEntity buildResourceEntity(@Nullable PolarisSecurable securable) {
+    if (securable == null) {
+      return null;
+    }
+
+    var builder =
+        ImmutableResourceEntity.builder()
+            .type(securable.getEntityType().name())
+            .name(
+                securable.getNameParts().isEmpty()
+                    ? ""
+                    : securable.getNameParts().get(securable.getNameParts().size() - 1));
+
+    List<String> parts = securable.getNameParts();
+    if (parts.size() > 1) {
+      List<ResourceEntity> parents = new ArrayList<>();
+      PolarisEntityType parentType =
+          switch (securable.getEntityType()) {
+            case TABLE_LIKE, POLICY, NAMESPACE -> PolarisEntityType.NAMESPACE;
+            default -> null;
+          };
+      if (parentType != null) {
+        for (int i = 0; i < parts.size() - 1; i++) {
+          parents.add(
+              ImmutableResourceEntity.builder().type(parentType.name()).name(parts.get(i)).build());
+        }
+        builder.parents(parents);
+      }
+    }
+
+    return builder.build();
+  }
 }

extensions/auth/opa/tests/build.gradle.kts

@@ -41,6 +41,10 @@ dependencies {
   intTestImplementation("io.quarkus:quarkus-junit5")
   intTestImplementation("io.rest-assured:rest-assured")
   intTestImplementation(project(":polaris-api-management-model"))
+  intTestImplementation(project(":polaris-runtime-service"))
+  intTestImplementation(project(":polaris-core"))
+  intTestImplementation("io.quarkus:quarkus-security")
+  intTestImplementation(libs.auth0.jwt)
   intTestImplementation(platform(libs.iceberg.bom))
   intTestImplementation("org.apache.iceberg:iceberg-api")
   intTestImplementation("org.apache.iceberg:iceberg-core")

extensions/auth/opa/tests/src/intTest/java/org/apache/polaris/extension/auth/opa/test/NoVerifyAuthenticationMechanism.java

@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.extension.auth.opa.test;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import io.netty.handler.codec.http.HttpHeaderNames;
+import io.netty.handler.codec.http.HttpResponseStatus;
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+import jakarta.enterprise.context.ApplicationScoped;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Set;
+import org.apache.polaris.core.auth.PolarisPrincipal;
+import org.apache.polaris.service.auth.PolarisCredential;
+
+@ApplicationScoped
+public class NoVerifyAuthenticationMechanism implements HttpAuthenticationMechanism {
+
+  private static final String BEARER = "Bearer";
+  private static final String EXTERNAL_ISSUER = "external-idp";
+
+  @Override
+  public int getPriority() {
+    return HttpAuthenticationMechanism.DEFAULT_PRIORITY + 200;
+  }
+
+  @Override
+  public Uni<SecurityIdentity> authenticate(
+      RoutingContext context, IdentityProviderManager identityProviderManager) {
+    String authHeader = context.request().getHeader("Authorization");
+    if (authHeader == null) {
+      return Uni.createFrom().nullItem();
+    }
+
+    int spaceIdx = authHeader.indexOf(' ');
+    if (spaceIdx <= 0 || !authHeader.substring(0, spaceIdx).equalsIgnoreCase(BEARER)) {
+      return Uni.createFrom().nullItem();
+    }
+
+    String token = authHeader.substring(spaceIdx + 1);
+    DecodedJWT decoded;
+    try {
+      decoded = JWT.decode(token);
+    } catch (Exception e) {
+      return Uni.createFrom().nullItem();
+    }
+
+    if (!EXTERNAL_ISSUER.equals(decoded.getIssuer())) {
+      return Uni.createFrom().nullItem();
+    }
+
+    String principalName = decoded.getSubject();
+    if (principalName == null || principalName.isBlank()) {
+      return Uni.createFrom().failure(new AuthenticationFailedException("Missing subject"));
+    }
+
+    PolarisCredential credential = PolarisCredential.of(null, principalName, Set.of(), token);
+    PolarisPrincipal principal = PolarisPrincipal.of(principalName, Map.of(), Set.of());
+    SecurityIdentity identity =
+        QuarkusSecurityIdentity.builder()
+            .setAnonymous(false)
+            .setPrincipal(principal)
+            .addCredential(credential)
+            .build();
+    return Uni.createFrom().item(identity);
+  }
+
+  @Override
+  public Uni<ChallengeData> getChallenge(RoutingContext context) {
+    ChallengeData result =
+        new ChallengeData(
+            HttpResponseStatus.UNAUTHORIZED.code(), HttpHeaderNames.WWW_AUTHENTICATE, BEARER);
+    return Uni.createFrom().item(result);
+  }
+
+  @Override
+  public Set<Class<? extends io.quarkus.security.identity.request.AuthenticationRequest>>
+      getCredentialTypes() {
+    return Collections.emptySet();
+  }
+
+  @Override
+  public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
+    return Uni.createFrom()
+        .item(new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, BEARER));
+  }
+}