mansehajsingh opened a new pull request, #8: URL: https://github.com/apache/polaris-tools/pull/8
This PR uses the Apache Iceberg OAuth2 utilities to enable a wider array of authentication flows to the tool. Many of the options have been standardized to the same options that Iceberg OAuth2 properties use. Here are a few examples:

1. For the client_credentials flow, the only thing that changes is that the CLI will use the property `credential`, which is formatted `<client_id>:<client_secret>`, as opposed to separate properties. These will now be refreshed periodically.

   ```
   java -jar cli/build/libs/polaris-synchronizer-cli.jar \
     create-omnipotent-principal \
     --polaris-api-connection-properties base-url=http://localhost:8181/ \
     --polaris-api-connection-properties oauth2-server-uri=http://localhost:8181/api/catalog/v1/oauth/tokens \
     --polaris-api-connection-properties credential=<client_id>:<client_secret> \
     --polaris-api-connection-properties scope=PRINCIPAL_ROLE:ALL
   ```

2. For regular bearer token authentication, instead of `bearer-token` the tool will now use `token`. This initializes a session that does not refresh:

   ```
   java -jar cli/build/libs/polaris-synchronizer-cli.jar \
     create-omnipotent-principal \
     --polaris-api-connection-properties base-url=http://localhost:8181/ \
     --polaris-api-connection-properties token=<bearer_token> \
     --polaris-api-connection-properties scope=PRINCIPAL_ROLE:ALL
   ```

3. Polaris supports exchanging an access token for another access token. For this flow, you can now provide a `<subject_token_type>=<subject_token>` property pair to use for token exchange. Natively within Polaris we only support `urn:ietf:params:oauth:token-type:access_token` as the subject token type, but all the token types are supported in this PR in case external OAuth is used. In Polaris you also need to send the token in the `Authorization` header to call the token exchange endpoint, so you need to specify the `token` property as well to provide an actor token to the token exchange request. The actor token type will default to `urn:ietf:params:oauth:token-type:access_token`.

   ```
   java -jar cli/build/libs/polaris-synchronizer-cli.jar \
     create-omnipotent-principal \
     --polaris-api-connection-properties base-url=http://localhost:8181/ \
     --polaris-api-connection-properties oauth2-server-uri=http://localhost:8181/api/catalog/v1/oauth/tokens \
     --polaris-api-connection-properties token=<bearer_token> \
     --polaris-api-connection-properties urn:ietf:params:oauth:token-type:access_token=<bearer_token> \
     --polaris-api-connection-properties scope=PRINCIPAL_ROLE:ALL
   ```

4. Snowflake Open Catalog keypair authentication is natively supported with the client_credentials flow. As we can see in [the documentation](https://other-docs.snowflake.com/en/LIMITEDACCESS/opencatalog/key-pair-auth), we just need to provide the generated JWT to the `client_secret` field, like so (notice the empty client id):

   ```
   java -jar cli/build/libs/polaris-synchronizer-cli.jar \
     create-omnipotent-principal \
     --polaris-api-connection-properties base-url=http://localhost:8181/ \
     --polaris-api-connection-properties oauth2-server-uri=http://localhost:8181/api/catalog/v1/oauth/tokens \
     --polaris-api-connection-properties credential=:<JWT_BEARER> \
     --polaris-api-connection-properties scope=PRINCIPAL_ROLE:ALL
   ```

5. External OAuth. Here is an example of how Snowflake Open Catalog does external OAuth support: https://other-docs.snowflake.com/en/LIMITEDACCESS/opencatalog/external-oauth. This is also supported by these additions. Now we just need to specify the `oauth2-server-uri` of the external OAuth server, and we can specify the optional OAuth parameters like `audience` through the CLI as well:

   ```
   java -jar cli/build/libs/polaris-synchronizer-cli.jar \
     create-omnipotent-principal \
     --polaris-api-connection-properties base-url=https://<your_org_name>-<your_open_catalog_account_name>.snowflakecomputing.com/polaris \
     --polaris-api-connection-properties oauth2-server-uri=https://<Auth0_domain>/oauth/token \
     --polaris-api-connection-properties credential=<client_id>:<client_secret> \
     --polaris-api-connection-properties scope=PRINCIPAL_ROLE:ALL \
     --polaris-api-connection-properties audience=https://<your_org_name>-<your_open_catalog_account_name>.snowflakecomputing.com
   ```
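To make the flow selection described in the PR concrete, the following is an added illustration (not polaris-tools or Iceberg code) that models how the repeated `--polaris-api-connection-properties key=value` pairs map onto the token request each flow would send; property names follow the PR text, the grant and field names are the standard OAuth2 and RFC 8693 token-exchange ones, and the function names and the "keypair" label for an empty client id are assumptions made here.

```python
# Added illustration (not polaris-tools code): model how the CLI's
# --polaris-api-connection-properties key=value pairs select an auth flow.
# Property names come from the PR description; grant_type and the
# token-exchange field names are the standard OAuth2 / RFC 8693 ones.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_PREFIX = "urn:ietf:params:oauth:token-type:"


def parse_properties(args):
    """Turn repeated 'key=value' CLI values into a dict (split on the first '=')."""
    props = {}
    for item in args:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"property {item!r} is not key=value")
        props[key] = value
    return props


def plan_auth(props):
    """Return (flow_name, fields): the token-endpoint form, or the static header."""
    subject = {k: v for k, v in props.items() if k.startswith(TOKEN_TYPE_PREFIX)}
    scope = props.get("scope")
    if subject:
        # Token exchange: Polaris also needs the caller's own token in the
        # Authorization header, so 'token' is mandatory and doubles as actor token.
        if "token" not in props:
            raise ValueError("token exchange against Polaris requires 'token'")
        if len(subject) != 1:
            raise ValueError("exactly one <subject_token_type>=<subject_token> expected")
        (subject_type, subject_token), = subject.items()
        form = {"grant_type": TOKEN_EXCHANGE_GRANT,
                "subject_token": subject_token, "subject_token_type": subject_type,
                "actor_token": props["token"], "actor_token_type": ACCESS_TOKEN_TYPE}
        if scope:
            form["scope"] = scope
        return "token_exchange", form
    if "credential" in props:
        client_id, _, client_secret = props["credential"].partition(":")
        form = {"grant_type": "client_credentials",
                "client_id": client_id, "client_secret": client_secret}
        if scope:
            form["scope"] = scope
        if "audience" in props:  # optional parameter, e.g. for an external OAuth server
            form["audience"] = props["audience"]
        # Empty client id with a JWT as the secret is the Open Catalog keypair case.
        return ("client_credentials_keypair" if client_id == "" else "client_credentials"), form
    if "token" in props:  # plain bearer token, never refreshed
        return "static_bearer", {"Authorization": f"Bearer {props['token']}"}
    raise ValueError("no credential, token or subject token supplied")
```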
