UnityAccessEvaluator
Evaluate Authorization Expression
evaluate returns whatever the given expression has been evaluated to for the given principal and the resource IDs.
evaluate creates a StandardEvaluationContext (Spring Expression Language) with Privileges root object.
evaluate registers the following functions in the StandardEvaluationContext:
| Function | Handler |
|---|---|
| authorize | authorizeHandle |
| authorizeAny | authorizeAnyHandle |
| authorizeAll | authorizeAllHandle |
evaluate sets the following variables in the StandardEvaluationContext:
| Variable | Value |
|---|---|
| deny | FALSE |
| permit | TRUE |
| defer | TRUE |
| principal | The given principal |
evaluate sets variables (in the StandardEvaluationContext) for every resource ID (in the given resourceIds).
evaluate requests this ExpressionParser to evaluate the expression (in the StandardEvaluationContext).
evaluate prints out the following DEBUG message to the logs:
evaluate is used when:
- UnityAccessDecorator is requested to check authorization
- UnityAccessEvaluator is requested to filter
- TemporaryModelVersionCredentialsService is requested to authorizeForOperation
- TemporaryTableCredentialsService is requested to authorizeForOperation
- TemporaryVolumeCredentialsService is requested to authorizeForOperation
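
The context setup described above, as an added sketch that is not Unity Catalog's own code. The `Privileges` enum, the static handlers, the `GRANTS` map and the `table`/`schema` variable names are assumptions, and functions are registered as static `Method`s rather than through the project's handles.

```java
import java.util.*;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class EvaluateSketch {
  // Stand-in for the Privileges root object (assumption): bare names such as
  // SELECT in an expression resolve against the root, here to enum constants.
  public enum Privileges { OWNER, SELECT, USE_SCHEMA }

  // Constructed grants for the demo: "principal/resource" -> privileges held.
  static final Map<String, Set<Privileges>> GRANTS = new HashMap<>();

  // Hypothetical handlers; the page names authorizeHandle and authorizeAnyHandle
  // but does not show their bodies.
  public static boolean authorize(UUID principal, UUID resource, Privileges p) {
    return GRANTS.getOrDefault(principal + "/" + resource, Set.of()).contains(p);
  }
  public static boolean authorizeAny(UUID principal, UUID resource, Privileges... ps) {
    return Arrays.stream(ps).anyMatch(p -> authorize(principal, resource, p));
  }

  static boolean evaluate(String expr, UUID principal, Map<String, UUID> resourceIds)
      throws NoSuchMethodException {
    StandardEvaluationContext ctx = new StandardEvaluationContext(Privileges.class);
    ctx.registerFunction("authorize", EvaluateSketch.class.getMethod(
        "authorize", UUID.class, UUID.class, Privileges.class));
    ctx.registerFunction("authorizeAny", EvaluateSketch.class.getMethod(
        "authorizeAny", UUID.class, UUID.class, Privileges[].class));
    ctx.setVariable("deny", Boolean.FALSE);
    ctx.setVariable("permit", Boolean.TRUE);
    ctx.setVariable("defer", Boolean.TRUE);
    ctx.setVariable("principal", principal);
    resourceIds.forEach(ctx::setVariable); // one variable per resource ID
    // This sketch fails closed: any result other than Boolean.TRUE is a denial.
    return Boolean.TRUE.equals(
        new SpelExpressionParser().parseExpression(expr).getValue(ctx, Boolean.class));
  }

  public static void main(String[] args) throws Exception {
    UUID alice = UUID.randomUUID(), table = UUID.randomUUID(), schema = UUID.randomUUID();
    GRANTS.put(alice + "/" + schema, Set.of(Privileges.USE_SCHEMA));
    Map<String, UUID> ids = Map.of("table", table, "schema", schema);
    // Constructed expressions; they are developer-authored strings, not request input.
    for (String e : List.of("#deny", "#defer",
        "#authorize(#principal, #table, SELECT)",
        "#authorizeAny(#principal, #schema, OWNER, USE_SCHEMA)")) {
      System.out.println(e + " -> " + evaluate(e, alice, ids));
    }
  }
}
```

A `StandardEvaluationContext` exposes the full SpEL feature set (type references, constructors, bean access), so the expression string has to come from code or trusted configuration and never from request data.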
Logging
Enable ALL logging level for io.unitycatalog.server.auth.decorator.UnityAccessEvaluator logger to see what happens inside.
Add the following lines to etc/conf/server.log4j2.properties:

```properties
logger.UnityAccessEvaluator.name = io.unitycatalog.server.auth.decorator.UnityAccessEvaluator
logger.UnityAccessEvaluator.level = all
```
Refer to Logging.