Hey folks

Some of you already know that I posted an initial PR to get federated principals/roles added. One thing that came out of the feedback was a spec change to make it clear when federated identities can be used in the APIs. Notably, federated principals cannot be created or updated, but can be returned in get/list calls, whereas federated roles *can* be created by the API. The latter is useful/necessary in order to be able to assign privileges to those roles without relying on the JIT creation on login.

Please check out the spec change here and let me know what you think - https://github.com/apache/polaris/pull/1353/files#diff-52444bc79608edfae86ed0b46d171f7ef63c20090860d877e4e135168311a986

Mike

On Tue, Dec 17, 2024 at 5:15 PM Dmitri Bourlatchkov <dmitri.bourlatch...@dremio.com.invalid> wrote:

> Hi Mike,
>
> I left some comments in the doc, but overall it looks good to me :)
>
> I still think there are some hidden dependencies on Persistence. For example, whether and how we can have composite keys for persisted federated entities... but I guess we can work that out later.
>
> Also, I think it is important for the Authorizer API to avoid assuming that all principals are persisted. Specific authorizer implementations (including the default one) can certainly expect persisted principals, but the API should require that for the sake of flexibility of possible AuthN/Z extensions. WDYT?
>
> Cheers,
> Dmitri.
>
> On Thu, Nov 14, 2024 at 7:43 PM Michael Collado <collado.m...@gmail.com> wrote:
>
> > Hey folks
> >
> > As discussed during the community sync, I've put together some thoughts on how we'd add support for federated identities in Polaris. I copied over some of what I had in the issue at https://github.com/apache/polaris/issues/441 and put it into the doc here:
> >
> > https://docs.google.com/document/d/15_3ZiRB6Lhzw0nxij341QUdxEIyFGTrI9_18bFIyJVo/edit?tab=t.0 .
> >
> > Please take a look when you get some time and let me know what you think. Given that our next community sync is scheduled for the Thanksgiving holiday in the US, it might be useful to schedule a meeting specifically for this. I can schedule that sync if needed.
> >
> > Mike