Thanks, Mansehaj! Very nice proposal! I added some comments to the doc.
I think in general it is a valuable feature, but as you mentioned in the doc there may be historical reasons why it was not implemented initially. I hope people more knowledgeable in this area can comment on that. Cheers, Dmitri. On Thu, Apr 17, 2025 at 2:59 PM Mansehaj Singh <mansehaj.si...@snowflake.com.invalid> wrote: > Hi everyone! > > I've drafted a small proposal here: > > https://docs.google.com/document/d/1uIJUp1BeAGm_mSO8OBjIZmeL5zY8dLzuYRP4Ah1U7X0/edit?usp=sharing > > > In summary, this proposes adding a new resetCredentials functionality to > Polaris to allow service_admin to be able to reset any principal's > credentials. This is really useful for a number of different credential > loss scenarios, eg. when someone leaves the company, an employee goes on > temporary leave, forgotten passwords etc. Of course, we hope that users > have no single point of failure for their critical workloads, but these > kinds of issues often don't become apparent until credential loss actually > occurs, at which point remediation can become difficult in Polaris. Having > a root user with the ability to reset credentials is a decently common > concept and I think it would add value. Currently, the only workaround is > to create a new principal and reassign all of their principal roles. > > However, addressing the risks is also important. This proposal introduces a > path for service_admins to basically be able to assume any principal within > Polaris, which is a major security vulnerability if a principal with > service_admin access ever did become compromised. However, this risk is > already present because a service_admin can create principals and assign > principal roles to assume the same level of privileges desired, it just > can't actually impersonate as any other principal. > > It looks like there is existing appetite to add something like this to > Polaris: https://github.com/apache/polaris/issues/624 > > I'm curious to hear what the community thinks we can do to address this and > whether introducing these risks is worth having functionality like this. > > Thanks for reading, > Sehaj >
