Hi everyone! I've drafted a small proposal here: https://docs.google.com/document/d/1uIJUp1BeAGm_mSO8OBjIZmeL5zY8dLzuYRP4Ah1U7X0/edit?usp=sharing
In summary, this proposes adding a new resetCredentials functionality to Polaris to allow service_admin to be able to reset any principal's credentials. This is really useful for a number of different credential loss scenarios, e.g. when someone leaves the company, an employee goes on temporary leave, forgotten passwords, etc. Of course, we hope that users have no single point of failure for their critical workloads, but these kinds of issues often don't become apparent until credential loss actually occurs, at which point remediation can become difficult in Polaris. Having a root user with the ability to reset credentials is a decently common concept and I think it would add value. Currently, the only workaround is to create a new principal and reassign all of their principal roles.

However, addressing the risks is also important. This proposal introduces a path for service_admins to basically be able to assume any principal within Polaris, which is a major security vulnerability if a principal with service_admin access ever did become compromised. However, this risk is already present because a service_admin can create principals and assign principal roles to assume the same level of privileges desired; it just can't actually impersonate any other principal.

It looks like there is existing appetite to add something like this to Polaris: https://github.com/apache/polaris/issues/624

I'm curious to hear what the community thinks we can do to address this and whether introducing these risks is worth having functionality like this.

Thanks for reading,
Sehaj