From what I understand, there is not a historical reason for this not
having been implemented. It was discussed, but never prioritized.

The doc looks great Mansehaj, thanks for putting this together.

On Thu, Apr 17, 2025 at 3:14 PM Dmitri Bourlatchkov <di...@apache.org>
wrote:

> Thanks, Mansehaj!
>
> Very nice proposal! I added some comments to the doc.
>
> I think in general it is a valuable feature, but as you mentioned in the
> doc there may be historical reasons why it was not implemented initially. I
> hope people more knowledgeable in this area can comment on that.
>
> Cheers,
> Dmitri.
>
> On Thu, Apr 17, 2025 at 2:59 PM Mansehaj Singh
> <mansehaj.si...@snowflake.com.invalid> wrote:
>
> > Hi everyone!
> >
> > I've drafted a small proposal here:
> >
> > https://docs.google.com/document/d/1uIJUp1BeAGm_mSO8OBjIZmeL5zY8dLzuYRP4Ah1U7X0/edit?usp=sharing
> >
> > In summary, this proposes adding a new resetCredentials functionality to
> > Polaris to allow service_admin to be able to reset any principal's
> > credentials. This is really useful for a number of different credential
> > loss scenarios, eg. when someone leaves the company, an employee goes on
> > temporary leave, forgotten passwords etc. Of course, we hope that users
> > have no single point of failure for their critical workloads, but these
> > kinds of issues often don't become apparent until credential loss actually
> > occurs, at which point remediation can become difficult in Polaris. Having
> > a root user with the ability to reset credentials is a decently common
> > concept and I think it would add value. Currently, the only workaround is
> > to create a new principal and reassign all of their principal roles.
> >
> > However, addressing the risks is also important. This proposal introduces a
> > path for service_admins to basically be able to assume any principal within
> > Polaris, which is a major security vulnerability if a principal with
> > service_admin access ever did become compromised. However, this risk is
> > already present because a service_admin can create principals and assign
> > principal roles to assume the same level of privileges desired, it just
> > can't actually impersonate as any other principal.
> >
> > It looks like there is existing appetite to add something like this to
> > Polaris: https://github.com/apache/polaris/issues/624
> >
> > I'm curious to hear what the community thinks we can do to address this and
> > whether introducing these risks is worth having functionality like this.
> >
> > Thanks for reading,
> > Sehaj
> >
>