dimas-b commented on code in PR #2104:
URL: https://github.com/apache/polaris/pull/2104#discussion_r2210522612


##########
helm/polaris/values.yaml:
##########
@@ -596,7 +600,63 @@ authentication:
       # -- Optional: configuration specific to symmetric key secret.
       symmetricKey:
         # -- Key name inside the secret for the symmetric key
-        secretKey: symmetric.pem
+        secretKey: symmetric.key
+  # -- Authentication configuration overrides per realm.
+  realmOverrides: {}
+    # my-realm:
+    #   type: external
+    #   authenticator:
+    #     type: custom
+
+# -- Polaris OIDC configuration. Only relevant when at least one realm is 
configured for external
+# (or mixed) authentication. The currently supported configuration is for a 
single, default OIDC tenant.
+# For more complex scenarios, including OIDC multi-tenancy, you will need to 
provide the relevant
+# configuration using the `advancedConfig` section.
+oidc:
+  # -- The authentication server URL. Must be provided if at least one realm 
is configured for external
+  # authentication.
+  authServeUrl: ~  # https://auth.example.com/realms/polaris
+  # -- The client to use when authenticating with the authentication server.
+  client:
+    # -- The client ID to use when authenticating with the authentication 
server.
+    id: polaris
+    # -- The secret to pull the client secret from.
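Review bot: the new key `authServeUrl` reads like a typo for `authServerUrl` (the comment above it says "The authentication server URL"); since values keys are part of the chart's public interface, it is worth fixing before release rather than carrying the misspelling forward. The two doc comments also disagree on when the URL is required: the `oidc` block says it matters for realms "configured for external (or mixed) authentication", while `authServeUrl` says "Must be provided if at least one realm is configured for external authentication", so one of them should mention `mixed`. Separately, changing the `symmetricKey.secretKey` default from `symmetric.pem` to `symmetric.key` silently breaks existing installs whose Secret still uses the old key name; please call that out in the chart's upgrade notes.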

Review Comment:
   nit: the OIDC secret is optional, right?



##########
helm/polaris/values.yaml:
##########
@@ -560,15 +560,19 @@ storage:
 
 # -- Polaris authentication configuration.
 authentication:
-  # -- The type of authentication to use. Two built-in types are supported: 
default and test;
-  # test is not recommended for production.
+  # -- The type of authentication to use. Three built-in types are supported: 
internal, external, and mixed.
+  type: internal
+  # -- The `Authenticator` implementation to use. Only one built-in type is 
supported: default.
   authenticator:
     type: default
-  # -- The type of token service to use. Two built-in types are supported: 
default and test;
-  # test is not recommended for production.
+  # -- The `ActiveRolesProvider` implementation to use. Only one built-in type 
is supported: default.
+  activeRolesProvider:
+    type: default
+  # -- The token service (`IcebergRestOAuth2ApiService`) implementation to 
use. Two built-in types are supported: default and disabled.
+  # The disabled type is always used when `authentication.type` is set to 
external.
   tokenService:
     type: default
-  # -- The type of token broker to use. Two built-in types are supported: 
rsa-key-pair and symmetric-key.
+  # -- The `TokenBroker` implementation to use. Two built-in types are 
supported: rsa-key-pair and symmetric-key.

Review Comment:
   nit: `TokenBroker` is _not_ applicable to the "external" auth type, right? Should we support disabling it?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
