On Mon, Jan 6, 2025 at 2:12 PM Eric Maynard <emayn...@apache.org> wrote:
> > why would Polaris restrict that in controlled environments
>
> To Michael's point, I think this kind of reasoning is a little dangerous.
> We need to clearly define what Polaris will and won't support, rather than
> adopting the mentality that anything is in scope so long as the admin
> configures it. Of course, these definitions can change over time.

My point was not that delegating the responsibility to the admin user allows Polaris to perform dangerous actions. My point is that if there are real use cases when users do want to deploy Polaris and have it vend credentials that the user provides to Polaris, I do not think it is justified to deny those requests without discussion.

From another angle, Polaris itself does not know the longevity of credentials it has been configured with. So "long term" vs. "short term" when applied to storage credentials that Polaris did not "make" is irrelevant to Polaris.

What is important is that Polaris safeguards the credentials it was given for its own access to storage. Those credentials should not be vended, I agree.

Still, it is conceivable for Polaris to have more than one set of user-configurable credentials: one for its own use, the others for vending. Rotation could be supported for the vended set of credentials.

Cheers,
Dmitri.