collado-mike commented on PR #461: URL: https://github.com/apache/polaris/pull/461#issuecomment-2529935071
My thoughts here are complex. On the one hand, I agree that we should never print credentials to the _service_ log. On the other hand, users need a way of bootstrapping their Polaris service and storing their secrets. This is one reason why we made the `bootstrap` command a separate command from the `server` command. Bootstrapping is always an explicit action taken by the user - presumably in an environment that is distinct from the actual runtime of the service (e.g., on a user desktop or in a terraform command or something). Thus, the output of the `bootstrap` command shouldn't be stored in the user's production log store. My hope for the `PolarisSecretsManager` is to use it to front a real secrets manager, like Vault or K8s or something. That being the case, randomly generated secrets would be the norm, so I don't think we should print secrets by default just because they were randomly generated. But if the user passes a flag `--printSecrets` or something, then the user can explicitly tell the command that they need the secrets to be printed so they can write them down on a sticky note or whatever (I'm kidding). I don't think the user should _need_ a separate secrets store, like Vault or whatever, in order to be able to use Polaris at all. If the RDBMS persistence impl is enough for them to store hashed secrets and they can manage their principal secrets in some other way, we should support that. So for the user who has no separate secrets store and only stores hashes of the secret in Postgres, how do we get the user their secrets? Either we can require the user to pass in secrets as an argument to bootstrapping or we can randomly generate secrets and print them out for the user. It seems that we _can_ support randomly generated credentials when we _do_ have a separate secrets store, but I don't really like the idea of the secrets manager having to declare that its secrets are retrievable by the end user. 
So if we require the user to pass in the secrets as an argument, then I think we should _always_ require the secrets as an argument. And if we don't always take the secrets as an argument, then we need to pass randomly generated secrets back to the user in some way - printing seems obvious.
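The bootstrap decision the comment describes, as an added illustration that is not Polaris code: an explicitly supplied secret is hashed and never echoed; a generated secret is persisted only as a hash and is handed back either to a configured secrets manager or, when the operator passes `--printSecrets`, to the operator; a generated secret with neither destination is refused because it would be unrecoverable. The `bootstrap` function, the `secrets_manager` callback and the result type are assumptions for this sketch.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended work factor for PBKDF2-HMAC-SHA256


@dataclass
class BootstrapResult:
    client_id: str
    secret_hash: str               # the only thing persisted in the RDBMS
    shown_to_user: Optional[str]   # plaintext echoed to the operator, or None


def hash_secret(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256, encoded as '<salt hex>:<digest hex>'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return secrets.compare_digest(candidate.hex(), digest_hex)


def bootstrap(
    client_id: str,
    provided_secret: Optional[str] = None,
    print_secrets: bool = False,                                  # the --printSecrets flag
    secrets_manager: Optional[Callable[[str, str], None]] = None,  # hypothetical Vault/K8s front
) -> BootstrapResult:
    """Bootstrap one principal; persist only the hash and hand the plaintext back exactly once."""
    generated = provided_secret is None
    secret = secrets.token_urlsafe(32) if generated else provided_secret
    if secrets_manager is not None:
        secrets_manager(client_id, secret)  # real secrets store keeps the plaintext
    elif generated and not print_secrets:
        raise ValueError(
            "generated secret would be unrecoverable: pass it explicitly, "
            "configure a secrets manager, or run with --printSecrets"
        )
    # Never echo a user-supplied secret; echo a generated one only on explicit request.
    shown = secret if (generated and print_secrets and secrets_manager is None) else None
    return BootstrapResult(client_id, hash_secret(secret), shown)
```

Whatever `shown_to_user` contains goes to the bootstrap command's stdout, not to the service log, which matches the separation between `bootstrap` and `server` argued for above.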
