Merge branch 'apache:main' into chore/bump-s3mock-from-3.11.0-to-4.7.0

Author: Artur Rakhmatulin

build.gradle.kts

@@ -60,11 +60,15 @@ if (System.getProperty("idea.sync.active").toBoolean()) {
 eclipse { project { name = ideName } }
 
 tasks.named<RatTask>("rat").configure {
-  // These are Gradle file pattern syntax
+  // Gradle
   excludes.add("**/build/**")
+  excludes.add("gradle/wrapper/gradle-wrapper*")
+  excludes.add(".gradle")
+  excludes.add("**/kotlin-compiler*")
+  excludes.add("**/build-logic/.kotlin/**")
 
-  excludes.add("docs/CNAME")
-  excludes.add("docs/index.html")
+  excludes.add("ide-name.txt")
+  excludes.add("version.txt")
 
   excludes.add("DISCLAIMER_WIP")
   excludes.add("LICENSE")
@@ -85,60 +89,56 @@ tasks.named<RatTask>("rat").configure {
   // Manifest files do not allow comments
   excludes.add("tools/version/src/jarTest/resources/META-INF/FAKE_MANIFEST.MF")
 
-  excludes.add("ide-name.txt")
-  excludes.add("version.txt")
+  // Git & GitHub
   excludes.add(".git")
-  excludes.add(".gradle")
-  excludes.add(".idea")
-  excludes.add(".java-version")
-  excludes.add("**/.keep")
-  excludes.add("**/poetry.lock")
-
   excludes.add(".github/pull_request_template.md")
 
-  excludes.add("spec/docs.yaml")
-  excludes.add("spec/index.yml")
-
-  excludes.add("gradle/wrapper/gradle-wrapper*")
-
+  // Misc build artifacts
+  excludes.add(".java-version")
+  excludes.add("**/.keep")
   excludes.add("logs/**")
+  excludes.add("**/*.lock")
+
+  // Polaris service startup banner
   excludes.add("runtime/service/src/**/banner.txt")
 
+  // Web site
+  excludes.add("**/go.sum")
   excludes.add("site/node_modules/**")
   excludes.add("site/layouts/robots.txt")
   // Ignore generated stuff, when the Hugo is run w/o Docker
   excludes.add("site/public/**")
   excludes.add("site/resources/_gen/**")
   excludes.add("node_modules/**")
 
+  // Python
+  excludes.add("**/.venv/**")
   excludes.add("**/polaris-venv/**")
-
+  excludes.add("**/poetry.lock")
+  excludes.add("**/.ruff_cache/**")
+  excludes.add("**/.mypy_cache/**")
   excludes.add("**/.pytest_cache/**")
+  excludes.add("client/python/.openapi-generator/**")
+
+  // Jupyter
+  excludes.add("**/*.ipynb")
+
+  // regtests
   excludes.add("regtests/**/py.typed")
   excludes.add("regtests/**/*.ref")
   excludes.add("regtests/.env")
   excludes.add("regtests/derby.log")
   excludes.add("regtests/metastore_db/**")
-  excludes.add("client/python/.openapi-generator/**")
   excludes.add("regtests/output/**")
+  excludes.add("plugins/**/*.ref")
 
-  excludes.add("**/*.ipynb")
+  // IntelliJ
+  excludes.add(".idea")
   excludes.add("**/*.iml")
   excludes.add("**/*.iws")
 
+  // Rat can't scan binary images
   excludes.add("**/*.png")
-  excludes.add("**/*.svg")
-
-  excludes.add("**/*.lock")
-
-  excludes.add("**/*.env*")
-
-  excludes.add("**/go.sum")
-
-  excludes.add("**/kotlin-compiler*")
-  excludes.add("**/build-logic/.kotlin/**")
-
-  excludes.add("plugins/**/*.ref")
 }
 
 tasks.register<Exec>("regeneratePythonClient") {

gradle/libs.versions.toml

@@ -40,7 +40,7 @@ swagger = "1.6.16"
 antlr4-runtime = { module = "org.antlr:antlr4-runtime", version.strictly = "4.9.3" } # spark integration tests
 assertj-core = { module = "org.assertj:assertj-core", version = "3.27.4" }
 auth0-jwt = { module = "com.auth0:java-jwt", version = "4.5.0" }
-awssdk-bom = { module = "software.amazon.awssdk:bom", version = "2.32.19" }
+awssdk-bom = { module = "software.amazon.awssdk:bom", version = "2.32.24" }
 awaitility = { module = "org.awaitility:awaitility", version = "4.3.0" }
 azuresdk-bom = { module = "com.azure:azure-sdk-bom", version = "1.2.37" }
 caffeine = { module = "com.github.ben-manes.caffeine:caffeine", version = "3.2.2" }

polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java

@@ -29,14 +29,14 @@
 public interface PolarisAuthorizer {
 
   void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary);
 
   void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,

polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisAuthorizer.java

@@ -558,13 +558,13 @@ public boolean matchesOrIsSubsumedBy(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary) {
     authorizeOrThrow(
-        authenticatedPrincipal,
+        polarisPrincipal,
         activatedEntities,
         authzOp,
         target == null ? null : List.of(target),
@@ -573,7 +573,7 @@ public void authorizeOrThrow(
 
   @Override
   public void authorizeOrThrow(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,
@@ -582,20 +582,18 @@ public void authorizeOrThrow(
         realmConfig.getConfig(
             FeatureConfiguration.ENFORCE_PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_CHECKING);
     if (enforceCredentialRotationRequiredState
-        && authenticatedPrincipal
-            .getPrincipalEntity()
-            .getInternalPropertiesAsMap()
+        && polarisPrincipal
+            .getProperties()
             .containsKey(PolarisEntityConstants.PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE)
         && authzOp != PolarisAuthorizableOperation.ROTATE_CREDENTIALS) {
       throw new ForbiddenException(
           "Principal '%s' is not authorized for op %s due to PRINCIPAL_CREDENTIAL_ROTATION_REQUIRED_STATE",
-          authenticatedPrincipal.getName(), authzOp);
-    } else if (!isAuthorized(
-        authenticatedPrincipal, activatedEntities, authzOp, targets, secondaries)) {
+          polarisPrincipal.getName(), authzOp);
+    } else if (!isAuthorized(polarisPrincipal, activatedEntities, authzOp, targets, secondaries)) {
       throw new ForbiddenException(
           "Principal '%s' with activated PrincipalRoles '%s' and activated grants via '%s' is not authorized for op %s",
-          authenticatedPrincipal.getName(),
-          authenticatedPrincipal.getActivatedPrincipalRoleNames(),
+          polarisPrincipal.getName(),
+          polarisPrincipal.getRoles(),
           activatedEntities.stream().map(PolarisEntityCore::getName).collect(Collectors.toSet()),
           authzOp);
     }
@@ -607,21 +605,21 @@ public void authorizeOrThrow(
    * the operation.
    */
   public boolean isAuthorized(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable PolarisResolvedPathWrapper target,
       @Nullable PolarisResolvedPathWrapper secondary) {
     return isAuthorized(
-        authenticatedPolarisPrincipal,
+        polarisPrincipal,
         activatedEntities,
         authzOp,
         target == null ? null : List.of(target),
         secondary == null ? null : List.of(secondary));
   }
 
   public boolean isAuthorized(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       @Nonnull Set<PolarisBaseEntity> activatedEntities,
       @Nonnull PolarisAuthorizableOperation authzOp,
       @Nullable List<PolarisResolvedPathWrapper> targets,
@@ -636,8 +634,7 @@ public boolean isAuthorized(
           authzOp,
           privilegeOnTarget);
       for (PolarisResolvedPathWrapper target : targets) {
-        if (!hasTransitivePrivilege(
-            authenticatedPolarisPrincipal, entityIdSet, privilegeOnTarget, target)) {
+        if (!hasTransitivePrivilege(polarisPrincipal, entityIdSet, privilegeOnTarget, target)) {
           // TODO: Collect missing privileges to report all at the end and/or return to code
           // that throws NotAuthorizedException for more useful messages.
           return false;
@@ -652,7 +649,7 @@ public boolean isAuthorized(
           privilegeOnSecondary);
       for (PolarisResolvedPathWrapper secondary : secondaries) {
         if (!hasTransitivePrivilege(
-            authenticatedPolarisPrincipal, entityIdSet, privilegeOnSecondary, secondary)) {
+            polarisPrincipal, entityIdSet, privilegeOnSecondary, secondary)) {
           return false;
         }
       }
@@ -670,7 +667,7 @@ public boolean isAuthorized(
    * errors/exceptions.
    */
   public boolean hasTransitivePrivilege(
-      @Nonnull AuthenticatedPolarisPrincipal authenticatedPolarisPrincipal,
+      @Nonnull PolarisPrincipal polarisPrincipal,
       Set<Long> activatedGranteeIds,
       PolarisPrivilege desiredPrivilege,
       PolarisResolvedPathWrapper resolvedPath) {
@@ -693,7 +690,7 @@ public boolean hasTransitivePrivilege(
                 desiredPrivilege,
                 grantRecord,
                 resolvedSecurableEntity,
-                authenticatedPolarisPrincipal.getName(),
+                polarisPrincipal.getName(),
                 activatedGranteeIds);
             return true;
           }
@@ -704,7 +701,7 @@ public boolean hasTransitivePrivilege(
     LOGGER.debug(
         "Failed to satisfy privilege {} for principalName {} on resolvedPath {}",
         desiredPrivilege,
-        authenticatedPolarisPrincipal.getName(),
+        polarisPrincipal.getName(),
         resolvedPath);
     return false;
   }