dimas-b commented on code in PR #1397:
URL: https://github.com/apache/polaris/pull/1397#discussion_r2060335924


##########
service/common/src/main/java/org/apache/polaris/service/auth/DefaultActiveRolesProvider.java:
##########
@@ -82,7 +82,9 @@ protected List<PrincipalRoleEntity> loadActivePrincipalRoles(
           principal.getId());
       throw new NotAuthorizedException("Unable to authenticate");
     }
-    boolean allRoles = 
tokenRoles.contains(BasePolarisAuthenticator.PRINCIPAL_ROLE_ALL);
+
+    // FIXME how to distinguish allRoles from no roles at all?
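Review bot: the hunk deletes the explicit `allRoles = tokenRoles.contains(BasePolarisAuthenticator.PRINCIPAL_ROLE_ALL)` check and leaves only a FIXME, so the method now has no visible rule for what an empty `tokenRoles` set means; whatever answers the FIXME should fail closed, i.e. an empty or absent role set yields no active roles, and all roles are granted only when `PRINCIPAL_ROLE_ALL` is explicitly present, since the reverse ("no roles means all roles") silently widens every token that carries no role claim. Suggest keeping the removed line (or its equivalent) so the two cases are distinguished in code rather than deferred to a comment, and stating the chosen semantics in the method's javadoc so callers of `loadActivePrincipalRoles` do not have to infer them.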

Review Comment:
   I always thought assuming all roles by default was normal in Polaris. I do 
not see any enforced restrictions for roles in Polaris-owned tokens. So roles 
in Polaris tokens always looked like a self-imposed restriction to me. 
   
   External tokens would have roles / scopes injected by the IdP, I assume.
   
   @collado-mike : WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@polaris.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
