adutra commented on PR #2244: URL: https://github.com/apache/polaris/pull/2244#issuecomment-3158216183
> One thing to note: The `create_catalog.sh` script doesn't work except for the first realm, because it's hardcoded to hit the deprecated iceberg token endpoint. Switching the URL to Keycloak's, and dropping the scope argument, looks like it'll work. With this PR, you can now pass your own token to the script.
>
> It does lead to an interesting train of thought. If we can expect that the deprecated iceberg `catalog/v1/oauth/tokens` endpoint will eventually be removed, what will be best practice? We will all have to use the `external` authentication type, which means complete dependence on an external system to use even the bootstrap admin user. [..] I feel like I got pretty far off topic here. Is there a more appropriate forum?

Wow, there is a lot in there, thanks for sharing your thoughts.

I would recommend reading this (old) document first for getting an idea of where the problems are, especially the sections about SCIM support and persisting federated entities:

https://docs.google.com/document/d/15_3ZiRB6Lhzw0nxij341QUdxEIyFGTrI9_18bFIyJVo/edit?tab=t.0#heading=h.cu1a1acu4lc5

As you can see, all of this is still TBD and for various reasons, the work there has stalled.

I am preparing a PR to simplify roles validation and extract a few interfaces from concrete classes; this would facilitate the introduction of fully-federated principals and principal roles. But the issue with persisting vs not persisting such entities is still up for debate.

\cc @dimas-b @collado-mike @dennishuo