Gerrit-K opened a new issue, #624:
URL: https://github.com/apache/polaris/issues/624

   ### Describe the bug
   
   When trying to rotate a principal's credentials via the root user, an HTTP 
error with code 403 is returned:
   ```
   {"error":{"message":"Principal 'root' with activated PrincipalRoles '[]' and 
activated grants via '[service_admin]' is not authorized for op 
ROTATE_CREDENTIALS","type":"ForbiddenException","code":403}}
   ```
   
   ### To Reproduce
   
   1. Deploy locally via `docker compose up --build`
   2. Note down the root principal credentials and store them in a shell 
variable, e.g.
       ```shell
       CLIENT_ID=f69f1990657205d9
       CLIENT_SECRET=e89026b4e87d60b7bd6ea75adb16e6f8
       ```
   3. Get an access token for the root principal
       ```shell
       TOKEN="$(curl --request POST \
       "http://localhost:8181/api/catalog/v1/oauth/tokens?grant_type=client_credentials&scope=PRINCIPAL_ROLE%3AALL&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" \
       --header 'content-type: application/x-www-form-urlencoded' \
       | jq -r .access_token)"
       ```
   4. Create a new principal
       ```shell
       curl --request POST http://localhost:8181/api/management/v1/principals \
       --header "Authorization: Bearer $TOKEN" \
       --header "Content-Type: application/json" \
       -d '{"name": "test"}'
       ```
   5. Try to rotate the credentials of the new principal using the same token 
as it was created with
       ```shell
       curl --request POST http://localhost:8181/api/management/v1/principals/test/rotate \
       --header "Authorization: Bearer $TOKEN"
       ```
   
   
   ### Actual Behavior
   
   The service returns a 403 response
   ```
   {"error":{"message":"Principal 'root' with activated PrincipalRoles '[]' and 
activated grants via '[service_admin]' is not authorized for op 
ROTATE_CREDENTIALS","type":"ForbiddenException","code":403}}
   ```
   
   ### Expected Behavior
   
   The principal credentials should successfully be rotated
   
   ### Additional context
   
   _No response_
   
   ### System information
   
   _No response_
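
The reproduction steps above, collected into one POSIX shell script. This is an added example, not code from the issue author or from the Polaris project. It assumes the base URL and endpoint paths quoted in the report, takes `CLIENT_ID` and `CLIENT_SECRET` from the environment, and parses JSON with `sed` instead of `jq` so the helper functions run without extra tools; `SAMPLE_403` is a constructed copy of the error body quoted in the report, used only to exercise the parsers offline. The live flow (token, create principal, rotate) runs only when `POLARIS_REPRO` is set, and the `classify_rotate` verdict distinguishes the reported 403 on `ROTATE_CREDENTIALS` from the expected success and from any other failure.

```shell
#!/bin/sh
# Added reproduction helper for the report above; not part of Polaris.
# Assumptions (from the issue): the service listens on localhost:8181, the
# token and management endpoints are as quoted, and CLIENT_ID/CLIENT_SECRET
# hold the root principal's credentials.
set -u

POLARIS_URL="${POLARIS_URL:-http://localhost:8181}"
PRINCIPAL_NAME="${PRINCIPAL_NAME:-test}"

# Constructed sample: the 403 body quoted in the report, for offline checks.
SAMPLE_403="{\"error\":{\"message\":\"Principal 'root' with activated PrincipalRoles '[]' and activated grants via '[service_admin]' is not authorized for op ROTATE_CREDENTIALS\",\"type\":\"ForbiddenException\",\"code\":403}}"

# Pull the "op" out of a Polaris 403 body of the shape quoted in the issue.
# Prints nothing for any other input, so callers can test for emptiness.
forbidden_op() {
    printf '%s' "$1" | sed -n 's/.*not authorized for op \([A-Z_]*\).*/\1/p'
}

# Pull access_token out of the token response (assumes the value is a plain
# JSON string without escaped quotes, which holds for a JWT).
access_token() {
    printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Verdict on the rotate response: 200 is the expected behaviour, a 403 naming
# ROTATE_CREDENTIALS is the reported bug, anything else is "unexpected".
# Returns 0 only when the rotation succeeded.
classify_rotate() {
    status="$1"; body="$2"
    if [ "$status" = "200" ]; then
        echo "rotated"; return 0
    elif [ "$status" = "403" ] && [ "$(forbidden_op "$body")" = "ROTATE_CREDENTIALS" ]; then
        echo "bug-reproduced"; return 1
    else
        echo "unexpected"; return 1
    fi
}

# Full flow against a running service: token -> create principal -> rotate.
# curl -w appends the status code after the body so both can be inspected.
reproduce() {
    tok_resp="$(curl -s --request POST \
        "${POLARIS_URL}/api/catalog/v1/oauth/tokens?grant_type=client_credentials&scope=PRINCIPAL_ROLE%3AALL&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" \
        --header 'content-type: application/x-www-form-urlencoded')"
    token="$(access_token "$tok_resp")"
    [ -n "$token" ] || { echo "no access token in: $tok_resp" >&2; return 2; }

    curl -s -o /dev/null --request POST "${POLARIS_URL}/api/management/v1/principals" \
        --header "Authorization: Bearer $token" \
        --header "Content-Type: application/json" \
        -d "{\"name\": \"${PRINCIPAL_NAME}\"}"

    resp="$(curl -s -w '\n%{http_code}' --request POST \
        "${POLARIS_URL}/api/management/v1/principals/${PRINCIPAL_NAME}/rotate" \
        --header "Authorization: Bearer $token")"
    status="$(printf '%s' "$resp" | tail -n 1)"
    body="$(printf '%s' "$resp" | sed '$d')"
    echo "rotate -> HTTP $status"
    classify_rotate "$status" "$body"
}

# Offline demonstration of the parser on the constructed sample body.
printf 'sample 403 denies op: %s\n' "$(forbidden_op "$SAMPLE_403")"

# Run the live flow only when asked, so the helpers can be sourced or tested.
if [ -n "${POLARIS_REPRO:-}" ]; then
    reproduce
fi
```

Run it as `POLARIS_REPRO=1 CLIENT_ID=... CLIENT_SECRET=... sh repro.sh` against the local deployment; a non-zero exit with the verdict `bug-reproduced` means the root token was refused `ROTATE_CREDENTIALS` exactly as reported, while `rotated` means the behaviour has been fixed.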


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
