eric-maynard opened a new pull request, #438:
URL: https://github.com/apache/polaris/pull/438

   # Description
   
   Currently, the entire `PolarisPrincipalSecrets` gets passed into the 
metastore for persistence. For EclipseLink, this means it gets translated into 
a `ModelPrincipalSecrets` which then gets written to the DB. Unfortunately, 
this means the plaintext client secrets are being persisted. These are then 
later used to check if provided secrets are valid.
   
   This PR proposes that we persist a _salted hash_ of these secrets, and that 
we no longer persist the plaintext secrets.
   
   Fixes #219
   
   ## Type of change
   
   Please delete options that are not relevant.
   
   - [ ] Bug fix (non-breaking change which fixes an issue)
   - [ ] Documentation update
   - [x] New feature (non-breaking change which adds functionality)
   - [ ] Breaking change (fix or feature that would cause existing 
functionality to not work as expected)
   - [ ] This change requires a documentation update
   
   # How Has This Been Tested?
   
   1. I confirmed that new principals do not persist plaintext secrets:
   
<img width="450" alt="Screenshot 2024-11-07 at 2 55 01 PM" src="https://github.com/user-attachments/assets/07fa4d84-0f49-4486-9d02-a3abf9ae2cc8">
   
   I am able to create new principals and use them without persisted plaintext 
secrets. 
   
   2. When I roll back to a previous version of Polaris, new principals are 
again created with a plaintext secret:
   
<img width="450" alt="Screenshot 2024-11-07 at 2 57 34 PM" src="https://github.com/user-attachments/assets/e2cd4234-c56b-49bd-b918-74001acf3ad8">
   
   Coming back to the new (this PR) version, I am able to authenticate 
principals using both the new + old formats.
   
   3. Finally, when I `rotate-credentials` the principal created with an old 
version of Polaris, which still has plaintext credentials, the hash gets added:
   
<img width="450" alt="Screenshot 2024-11-07 at 3 01 29 PM" src="https://github.com/user-attachments/assets/623268ba-f4c5-4254-b102-e205e2073870">
   
   Note that the persisted secret doesn't go away, but it shouldn't be used 
anymore.
   
   # Checklist:
   
   Please delete options that are not relevant.
   
   - [x] I have performed a self-review of my code
   - [x] I have commented my code, particularly in hard-to-understand areas
   - [ ] I have made corresponding changes to the documentation
   - [x] My changes generate no new warnings
   - [x] If adding new functionality, I have discussed my implementation with 
the community using the linked GitHub issue
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

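The verification and migration flow the PR describes (new principals get only a salted hash; rows written by an older version still carry a plaintext secret and must keep working; `rotate-credentials` adds a hash without clearing the old column), as an added stand-alone example. This is not Polaris code and not the code in the PR: the row layout (`PersistedSecrets` and its fields), the use of PBKDF2-HMAC-SHA256 with the given iteration count, and the function names are all assumptions made here for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: cost parameter chosen for this example, not what the PR uses.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class PersistedSecrets:
    """Hypothetical shape of the row the metastore keeps for a principal."""
    principal_id: int
    salt: Optional[bytes] = None
    secret_hash: Optional[bytes] = None
    # Only populated on rows written by a pre-PR version of the service.
    legacy_plaintext_secret: Optional[str] = None


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash of a client secret (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_principal_secrets(principal_id: int) -> tuple[PersistedSecrets, str]:
    """New-format row: a fresh random secret, of which only salt + hash is stored.

    The plaintext is returned once to hand to the caller and never persisted.
    """
    secret = secrets.token_urlsafe(32)
    salt = os.urandom(SALT_BYTES)
    row = PersistedSecrets(principal_id, salt=salt, secret_hash=hash_secret(secret, salt))
    return row, secret


def is_migrated(row: PersistedSecrets) -> bool:
    """True once the row carries a hash; the legacy column is then ignored."""
    return row.secret_hash is not None and row.salt is not None


def verify_secret(row: PersistedSecrets, provided: str) -> bool:
    """Authenticate a presented secret against either format.

    Hash wins when present, so a row that still has a stale plaintext column
    after rotation cannot be authenticated with that old value.
    """
    if is_migrated(row):
        return hmac.compare_digest(hash_secret(provided, row.salt), row.secret_hash)
    if row.legacy_plaintext_secret is not None:
        # Old-format row: constant-time compare against the stored plaintext.
        return hmac.compare_digest(
            row.legacy_plaintext_secret.encode("utf-8"), provided.encode("utf-8")
        )
    return False


def rotate_secret(row: PersistedSecrets) -> str:
    """Issue a new secret and store only its salted hash.

    As the PR notes, the legacy plaintext column is left in place; it is simply
    no longer consulted because verify_secret prefers the hash.
    """
    new_secret = secrets.token_urlsafe(32)
    row.salt = os.urandom(SALT_BYTES)
    row.secret_hash = hash_secret(new_secret, row.salt)
    return new_secret


if __name__ == "__main__":
    # Constructed walk-through mirroring the three test steps in the PR.
    row, secret = create_principal_secrets(1)
    print("new row stores plaintext:", row.legacy_plaintext_secret is not None)
    legacy = PersistedSecrets(2, legacy_plaintext_secret="old-secret")
    print("legacy row authenticates:", verify_secret(legacy, "old-secret"))
    new_secret = rotate_secret(legacy)
    print("old value still works after rotate:", verify_secret(legacy, "old-secret"))
    print("new value works after rotate:", verify_secret(legacy, new_secret))
```

The check worth keeping from this shape is the ordering in `verify_secret`: the hash branch must be tried first and must not fall through to the plaintext branch, otherwise a rotated principal whose old column was never cleared would still accept its pre-rotation secret.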