Thanks Michael for working on this. The spec looks good to me!

Yufei

On Thu, Apr 17, 2025 at 10:44 AM Eric Maynard <eric.w.mayn...@gmail.com> wrote:

> +1 on the spec change
>
> On Wed, Apr 16, 2025 at 3:44 PM Michael Collado <collado.m...@gmail.com> wrote:
>
> > Hey folks
> >
> > Some of you already know that I posted an initial PR to get federated
> > principals/roles added. One thing that came out of the feedback was a
> > spec change to make it clear when federated identities can be used in
> > the APIs. Notably, federated principals cannot be created or updated,
> > but can be returned in get/list calls, whereas federated roles *can* be
> > created by the API. The latter is useful/necessary in order to be able
> > to assign privileges to those roles without relying on the JIT creation
> > on login.
> >
> > Please check out the spec change here and let me know what you think -
> >
> > https://github.com/apache/polaris/pull/1353/files#diff-52444bc79608edfae86ed0b46d171f7ef63c20090860d877e4e135168311a986
> >
> > Mike
> >
> > On Tue, Dec 17, 2024 at 5:15 PM Dmitri Bourlatchkov
> > <dmitri.bourlatch...@dremio.com.invalid> wrote:
> >
> > > Hi Mike,
> > >
> > > I left some comments in the doc, but overall it looks good to me :)
> > >
> > > I still think there are some hidden dependencies on Persistence. For
> > > example, whether and how we can have composite keys for persisted
> > > federated entities... but I guess we can work that out later.
> > >
> > > Also, I think it is important for the Authorizer API to avoid
> > > assuming that all principals are persisted. Specific authorizer
> > > implementations (including the default one) can certainly expect
> > > persisted principals, but the API should require that for the sake
> > > of flexibility of possible AuthN/Z extensions. WDYT?
> > >
> > > Cheers,
> > > Dmitri.
> > >
> > > On Thu, Nov 14, 2024 at 7:43 PM Michael Collado <collado.m...@gmail.com> wrote:
> > >
> > > > Hey folks
> > > >
> > > > As discussed during the community sync, I've put together some
> > > > thoughts on how we'd add support for federated identities in
> > > > Polaris. I copied over some of what I had in the issue at
> > > > https://github.com/apache/polaris/issues/441 and put it into the
> > > > doc here:
> > > >
> > > > https://docs.google.com/document/d/15_3ZiRB6Lhzw0nxij341QUdxEIyFGTrI9_18bFIyJVo/edit?tab=t.0
> > > > .
> > > >
> > > > Please take a look when you get some time and let me know what you
> > > > think. Given that our next community sync is scheduled for the
> > > > Thanksgiving holiday in the US, it might be useful to schedule a
> > > > meeting specifically for this. I can schedule that sync if needed.
> > > >
> > > > Mike