Interface PrivilegeCheck


public interface PrivilegeCheck
  • Method Summary

    Modifier and Type: PrivilegeSet
    Method: effectivePrivilegeSet(AclChain aclChain)
    Description: Retrieve the effective privileges, which is the set of all granted privileges minus the set of all restricted privileges, for the given ACL and all its parent ACLs.
  • Method Details

    • effectivePrivilegeSet

      PrivilegeSet effectivePrivilegeSet(@Nonnull AclChain aclChain)
      Retrieve the effective privileges, which is the set of all granted privileges minus the set of all restricted privileges, for the given ACL and all its parent ACLs.

      The set of granted privileges contains all privileges that are granted to any of the role IDs for this privilege check instance. A privilege is granted if it is granted to any role in the given ACL or any of its parents. See note on non-inheritable privileges below.

      The set of restricted privileges contains all privileges that are restricted for any of the role IDs for this privilege check instance. A privilege is restricted if it is restricted to any role in the given ACL or any of its parents. See note on non-inheritable privileges below.

      Non-inheritable privileges are effective only on the "top" (first) ACL of the given ACL chain and are ignored on all of its parents. For example, a non-inheritable privilege NON_INHERIT that is granted on the entity's parent will not be returned as an effective privilege. Similarly, non-inheritable privileges that are restricted on a parent are not "subtracted" from the set of effective privileges.

      A privilege is effective if it is granted and not restricted.

      Parameters:
      aclChain - Represents the chain of ACLs to check. The ACL for the entity must be the first one in the chain.
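
The rules above, worked through as an added example; this is not the project's implementation. The `Acl` record, the `effective` and `collect` helpers, the role ID and every privilege other than NON_INHERIT are hypothetical names constructed for illustration, and the role IDs are passed as a parameter rather than held by a check instance.

```java
import java.util.*;

public class EffectivePrivilegesExample {
  // Constructed privileges; only NON_INHERIT (named on the page) is non-inheritable.
  enum Privilege {
    READ(true), WRITE(true), DELETE(true), NON_INHERIT(false);
    final boolean inheritable;
    Privilege(boolean inheritable) { this.inheritable = inheritable; }
  }

  // Hypothetical ACL shape: role ID -> privileges granted / restricted on this ACL.
  record Acl(Map<String, Set<Privilege>> granted, Map<String, Set<Privilege>> restricted) {}

  // chain.get(0) is the entity's own ACL, followed by its parents.
  static Set<Privilege> effective(List<Acl> chain, Set<String> roleIds) {
    Set<Privilege> granted = EnumSet.noneOf(Privilege.class);
    Set<Privilege> restricted = EnumSet.noneOf(Privilege.class);
    for (int i = 0; i < chain.size(); i++) {
      boolean top = (i == 0);
      collect(chain.get(i).granted(), roleIds, top, granted);
      collect(chain.get(i).restricted(), roleIds, top, restricted);
    }
    granted.removeAll(restricted); // effective = granted minus restricted
    return granted;
  }

  // Adds privileges listed for any of the roles; non-inheritable ones only from the top ACL.
  static void collect(Map<String, Set<Privilege>> byRole, Set<String> roleIds,
                      boolean top, Set<Privilege> out) {
    for (String role : roleIds)
      for (Privilege p : byRole.getOrDefault(role, Set.of()))
        if (top || p.inheritable) out.add(p);
  }

  public static void main(String[] args) {
    Set<String> roles = Set.of("analyst"); // constructed role ID
    Acl parent = new Acl(
        Map.of("analyst", Set.of(Privilege.WRITE, Privilege.DELETE, Privilege.NON_INHERIT)),
        Map.of("analyst", Set.of(Privilege.NON_INHERIT)));
    Acl entity = new Acl(
        Map.of("analyst", Set.of(Privilege.READ, Privilege.NON_INHERIT)),
        Map.of("analyst", Set.of(Privilege.DELETE)));
    Acl bare = new Acl(Map.of(), Map.of());
    // Own NON_INHERIT grant is not removed by the parent's restriction; DELETE is restricted.
    System.out.println(effective(List.of(entity, parent), roles));
    // NON_INHERIT granted only on the parent is not inherited by the entity.
    System.out.println(effective(List.of(bare, parent), roles));
  }
}
```

When reviewing ACL configurations, note that a restriction on an inheritable privilege anywhere in the chain removes it from the result, while a restriction on a non-inheritable privilege has an effect only when placed on the entity's own ACL.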