creepysta opened a new issue, #2238:
URL: https://github.com/apache/polaris/issues/2238

   ### Describe the bug
   
   I'm trying to configure Polaris 1.0.0 to work with an external Identity Provider, following https://github.com/apache/polaris/pull/1397
   
   It looks like when bootstrapping with `java -jar runtime/admin/build/quarkus-app/quarkus-run.jar bootstrap -r POLARIS -c POLARIS,<some-id>,blah`, the `<some-id>` is ignored and a hardcoded "root" principal is created in `polaris_schema.entity`.
   Then, when decoding a JWT, the `<some-id>` in the "sub" doesn't match, since it's a unique id and not "root".
   
   So, it feels like, there's no way to configure a dynamic principal id as 
root in polaris with External IDP.
   
   ### To Reproduce
   
   `config/application.properties` - 
   ```.properties
   polaris.bootstrap.credentials=POLARIS,1234,blah
   
   # persistence
   polaris.persistence.type=relational-jdbc
   quarkus.datasource.db-kind=postgresql
   quarkus.datasource.username=postgres
   quarkus.datasource.password=
   quarkus.datasource.jdbc.url=jdbc:postgresql://127.0.0.1:5432/postgres
   
   # authn, authz
   quarkus.oidc.tenant-enabled=true
   quarkus.oidc.discovery-enabled=true
   quarkus.oidc.auth-server-url=<https://external-idp.com>
   polaris.authentication.type=external
   polaris.oidc.principal-mapper.name-claim-path=sub
   
   polaris.oidc.principal-roles-mapper.filter=^(admin-grp).*
   polaris.oidc.principal-roles-mapper.mappings[0].regex=\\badmin-grp\\b
   polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:ALL
   ```
   
   jwt - 
   ```json
   {
     "iss": "<https://external-idp.com>",
     "aud": "polaris",
     "exp": 1754045079,
     "iat": 1754016279,
     "sub": "1234",
     "groups": [
       "admin-grp"
     ],
     "email": "al...@work.com"
   }
   ```
   
   
   ### Actual Behavior
   
   
   error - 
   ```
   Failed to resolve principal from credentials=OidcPrincipalAuthInfo[getPrincipalId=null, getPrincipalName=1234, getPrincipalRoles=[PRINCIPAL_ROLE:ALL]]
   ```
   
   ### Expected Behavior
   
   Ideally it should be able to resolve with name lookup, if bootstrap created 
a principal with name `<some-id>` instead of "root"
   
   ### Additional context
   
   _No response_
   
   ### System information
   
   polaris tag - apache-polaris-1.0.0-incubating
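
The mismatch reported above can be checked offline with a small model of the claim mapping. This is an added example, not part of the original report and not Polaris code: the `/`-separated claim path, the `groups` roles claim, the filter-then-replace order and every function name are assumptions of the sketch, and the claims are constructed from the posted JWT.

```python
import re

# Constructed sample: the identity-relevant claims from the JWT in the report.
CLAIMS = {"sub": "1234", "groups": ["admin-grp"]}

NAME_CLAIM_PATH = "sub"           # polaris.oidc.principal-mapper.name-claim-path
ROLES_FILTER = r"^(admin-grp).*"  # polaris.oidc.principal-roles-mapper.filter
# mappings[0]; the doubled backslashes in the properties file unescape to \b
ROLE_MAPPINGS = [(r"\badmin-grp\b", "PRINCIPAL_ROLE:ALL")]
ROLES_CLAIM_PATH = "groups"       # assumption: claim the sketch reads roles from


def claim_at(claims, path):
    """Walk a '/'-separated path through nested claims; None if absent."""
    node = claims
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def map_roles(raw_roles):
    """Keep roles matching the filter, then apply each regex replacement."""
    mapped = []
    for role in raw_roles or []:
        if not re.search(ROLES_FILTER, role):
            continue
        for pattern, replacement in ROLE_MAPPINGS:
            role = re.sub(pattern, replacement, role)
        mapped.append(role)
    return mapped


def resolve(claims, stored_principal_names):
    """Return (name, roles, found) for a by-name lookup of the token subject."""
    name = claim_at(claims, NAME_CLAIM_PATH)
    roles = map_roles(claim_at(claims, ROLES_CLAIM_PATH))
    return name, roles, name in stored_principal_names


if __name__ == "__main__":
    # Per the report, bootstrap leaves only a principal named "root".
    print(resolve(CLAIMS, {"root"}))
```

With only `root` stored, the sketch yields the same name and roles as the error message and the lookup fails; it succeeds once a principal named `1234` exists.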

