GitHub user RB-ETArch added a comment to the discussion: Is STS Token 
Passthrough Supported in Polaris Federated Catalogs?

@flyrain 

In our setup users only talk to the central catalog and RBAC is enforced only 
in the central catalog. the central catalog talks to BU child catalogs using a 
service principal with read/write privileges. 

**Question**:  If a client requests a read operation, will the central (or BU) 
catalog mint a session policy that is read‑only on the table prefix (e.g., 
GetObject/ListBucket with a prefix condition) even though the federation 
service principal has admin rights, or does the inline policy reflect the 
service principal’s full privileges instead? My understanding is that the 
inline session policy in vended credentials is based on user operation (after 
RBAC validation).

GitHub link: 
https://github.com/apache/polaris/discussions/4929#discussioncomment-17479216

----
This is an automatically sent email for [email protected].
To unsubscribe, please send an email to: [email protected]

Reply via email to