Class DefaultAuthenticator

java.lang.Object
org.apache.polaris.service.auth.DefaultAuthenticator
All Implemented Interfaces:
Authenticator

@RequestScoped @Identifier("default") public class DefaultAuthenticator extends Object implements Authenticator
The default Authenticator.

This implementation resolves the principal entity based on the provided credentials, extracts the requested roles, and loads the principal's grants to determine which roles are currently active for the principal.

It supports a pseudo-role "PRINCIPAL_ROLE:ALL" that allows requesting all roles the principal has been granted in the system.

This authenticator is used in both internal and external authentication scenarios. For now, it does not support federated principals that are not managed by Polaris.

  • Field Details

    • PRINCIPAL_ROLE_ALL

      public static final String PRINCIPAL_ROLE_ALL
      The pseudo-role that resolves to all roles the principal has been granted in the system.

      This role is not a valid role and is not stored in the database; it may be used in incoming credentials to explicitly indicate that the principal is requesting that all its roles be activated upon authentication, without needing to specify each role individually.

    • PRINCIPAL_ROLE_PREFIX

      public static final String PRINCIPAL_ROLE_PREFIX
      The prefix for the roles in incoming credentials that are used to indicate that the principal is requesting that specific roles be activated upon authentication.

      If the incoming credentials contain roles prefixed with this string, the authenticator will attempt to resolve those roles from the principal's grants. Only those roles will be activated.

      If the incoming credentials contain roles that do not match this prefix, they will be ignored during the authentication process. If necessary, use PrincipalRolesMapper to convert roles from the identity to Polaris-specific roles.

  • Constructor Details

    • DefaultAuthenticator

      public DefaultAuthenticator()
  • Method Details

    • authenticate

      public org.apache.polaris.core.auth.PolarisPrincipal authenticate(PolarisCredential credentials)
      Description copied from interface: Authenticator
      Authenticates the given PolarisCredential and returns an authenticated PolarisPrincipal.

      If the credentials are not valid or if the authentication fails, implementations MUST throw NotAuthorizedException.

      Specified by:
      authenticate in interface Authenticator
      Parameters:
      credentials - the credentials to authenticate
      Returns:
      the authenticated principal
    • resolvePrincipalEntity

      protected org.apache.polaris.core.entity.PrincipalEntity resolvePrincipalEntity(PolarisCredential credentials)
      Resolves the principal entity based on the provided credentials.

      This method attempts to load the principal entity using either the principal ID or the principal name from the credentials. If neither is available, or if the principal entity cannot be found, it throws a NotAuthorizedException.

    • resolvePrincipalRoles

      protected Set<String> resolvePrincipalRoles(PolarisCredential credentials, org.apache.polaris.core.entity.PrincipalEntity principal)
      Resolves the roles for the given principal based on the provided credentials.

      This method checks the credentials for requested roles and loads the principal's grants to determine which roles are currently active for the principal.

      The returned set of roles will include only those roles that the principal has been granted and that match the requested roles from the credentials. If the credentials contain the pseudo-role PRINCIPAL_ROLE_ALL, it indicates that the principal is requesting all roles they have been granted in the system, and all such roles will be included in the returned set.

    • extractRequestedRoles

      protected Set<String> extractRequestedRoles(PolarisCredential credentials)
      Extracts the requested roles from the credentials.

      If the credentials contain the pseudo-role PRINCIPAL_ROLE_ALL, it indicates that the principal is requesting all roles they have been granted in the system.

      Otherwise, it filters the roles that start with the PRINCIPAL_ROLE_PREFIX and returns the set of roles without the prefix.

    • loadPrincipalGrants

      protected org.apache.polaris.core.persistence.dao.entity.LoadGrantsResult loadPrincipalGrants(org.apache.polaris.core.entity.PrincipalEntity principal)
      Loads the grants for the given principal.

      This method retrieves the grants that the principal has been granted in the system, which will be used to determine the active roles for the principal.
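
The role-activation rules described for extractRequestedRoles and resolvePrincipalRoles, as an added stand-alone sketch (not Polaris source code). Assumptions: the prefix value "PRINCIPAL_ROLE:" is inferred from the pseudo-role shown on this page, grants are modelled as a plain set of role names, and the class name, resolveActiveRoles and the sample role names are hypothetical.

```java
import java.util.Set;
import java.util.stream.Collectors;

public class RoleResolutionSketch {
  // Pseudo-role value as shown on this page.
  static final String PRINCIPAL_ROLE_ALL = "PRINCIPAL_ROLE:ALL";
  // Assumption: the page does not print the prefix value; inferred from the pseudo-role.
  static final String PRINCIPAL_ROLE_PREFIX = "PRINCIPAL_ROLE:";

  /** Keeps only prefixed roles and strips the prefix; unprefixed roles are ignored. */
  static Set<String> extractRequestedRoles(Set<String> credentialRoles) {
    return credentialRoles.stream()
        .filter(r -> r.startsWith(PRINCIPAL_ROLE_PREFIX))
        .map(r -> r.substring(PRINCIPAL_ROLE_PREFIX.length()))
        .collect(Collectors.toSet());
  }

  /** Hypothetical helper: all granted roles for the pseudo-role, else requested AND granted. */
  static Set<String> resolveActiveRoles(Set<String> credentialRoles, Set<String> grantedRoles) {
    if (credentialRoles.contains(PRINCIPAL_ROLE_ALL)) {
      return Set.copyOf(grantedRoles);
    }
    Set<String> requested = extractRequestedRoles(credentialRoles);
    // Intersection with the grants: a credential can narrow privileges, never widen them.
    return grantedRoles.stream().filter(requested::contains).collect(Collectors.toSet());
  }

  public static void main(String[] args) {
    // Constructed sample grants for one principal.
    Set<String> granted = Set.of("analyst", "etl_writer");

    // Pseudo-role: every granted role is activated.
    System.out.println(resolveActiveRoles(Set.of("PRINCIPAL_ROLE:ALL"), granted));
    // Narrowed credential: only the requested role that is also granted is activated.
    System.out.println(resolveActiveRoles(Set.of("PRINCIPAL_ROLE:analyst"), granted));
    // A requested role that was never granted is dropped from the active set.
    System.out.println(resolveActiveRoles(Set.of("PRINCIPAL_ROLE:catalog_admin"), granted));
    // Roles without the prefix (e.g. raw identity-provider groups) are ignored.
    System.out.println(resolveActiveRoles(Set.of("analyst", "openid"), granted));
  }
}
```

The last case is why PrincipalRolesMapper matters with an external identity provider: a group name that matches a granted role activates nothing until it is mapped to the prefixed form.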