tokoko opened a new issue, #2373:
URL: https://github.com/apache/polaris/issues/2373

### Describe the bug

I have set up Keycloak as an external auth backend (with mixed auth type). I managed to get authentication working and validated that principals are being pulled correctly. I also configured the OIDC user to contain the necessary roles in the JWT, which Polaris seems to pick up correctly (the roles are listed as activatedPrincipalRoles in debug/error messages). The problem is that grants under those principal roles aren't respected despite them being listed as activated. I'm getting the following error when trying to list namespaces in a catalog:

```
b'{"error":{"message":"Principal \'noroot\' with activated PrincipalRoles \'[admin]\' and activated grants via \'[]\' is not authorized for op LIST_NAMESPACES",...
```

If I then manually add the same principal role `admin` to principal `noroot` inside Polaris as well (a PUT call on the `/principals/noroot/principal-roles` endpoint), the same operation is allowed, so this seems to be OIDC-related.

### To Reproduce

1. Configure auth type as mixed. I'll list some of the configurations that I'm using below.
2. Create user `noroot` and principal role `admin` inside Polaris.
3. Create user `noroot` and role `admin` in Keycloak, and add `noroot` to `admin`.
4. Create catalog role `catalog_admin` with the `CATALOG_MANAGE_CONTENT` grant.
5. Assign `catalog_admin` to `admin`.
6. Try to list namespaces with a token obtained from Keycloak (`/api/catalog/v1/polariscatalog/namespaces`).

### Actual Behavior

Not Authorized error when the user is assigned to role `admin` only in Keycloak. Authorized if the principal role is assigned to the principal in Polaris.

### Expected Behavior

Principal roles pulled from JWT tokens should have the same effect as internal role assignments.

### Additional context

```
polaris.authentication.type: mixed
polaris.oidc.principal-mapper.id-claim-path: principal_id
polaris.oidc.principal-mapper.name-claim-path: principal_name
quarkus.oidc.roles.role-claim-path: polaris_names
polaris.oidc.principal-roles-mapper.mappings[0].regex: (.+)
polaris.oidc.principal-roles-mapper.mappings[0].replacement: PRINCIPAL_ROLE:$1
quarkus.oidc.tenant-enabled: true
quarkus.oidc.auth-server-url: http://***.:9080/realms/myrealm
quarkus.oidc.client-id: my-client
```

### System information

The Polaris image used was built from main 2 weeks ago.
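A small diagnostic for checking what a Keycloak token actually carries and how the mapper settings in the issue would translate its role claim, added here as a constructed example (not Polaris's own code). It assumes a simplified model of the claim-path lookup and of the regex/replacement step (Java-style `$1` semantics), and builds an unsigned sample token locally so it runs offline.

```python
import base64
import json
import re

# Mapper settings copied from the issue's configuration block (constructed model, not Polaris code).
CONFIG = {
    "polaris.oidc.principal-mapper.id-claim-path": "principal_id",
    "polaris.oidc.principal-mapper.name-claim-path": "principal_name",
    "quarkus.oidc.roles.role-claim-path": "polaris_names",
    "polaris.oidc.principal-roles-mapper.mappings[0].regex": "(.+)",
    "polaris.oidc.principal-roles-mapper.mappings[0].replacement": "PRINCIPAL_ROLE:$1",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature deliberately not
    verified: this only inspects what the token carries while debugging)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def claim_at(claims: dict, path: str):
    """Resolve a '/'-separated claim path, e.g. 'realm_access/roles' (assumed syntax)."""
    node = claims
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def map_principal_roles(claims: dict, config: dict) -> dict:
    """Derive principal id/name and the mapped PRINCIPAL_ROLE names, applying the
    mapper's regex/replacement with Java-style $1 translated to Python's \\1."""
    roles = claim_at(claims, config["quarkus.oidc.roles.role-claim-path"]) or []
    regex = re.compile(config["polaris.oidc.principal-roles-mapper.mappings[0].regex"])
    java_repl = config["polaris.oidc.principal-roles-mapper.mappings[0].replacement"]
    py_repl = re.sub(r"\$(\d+)", r"\\\1", java_repl)
    return {
        "principal_id": claim_at(claims, config["polaris.oidc.principal-mapper.id-claim-path"]),
        "principal_name": claim_at(claims, config["polaris.oidc.principal-mapper.name-claim-path"]),
        "principal_roles": [regex.sub(py_repl, r) for r in roles],
    }

def make_unsigned_token(claims: dict) -> str:
    # Constructed, unsigned test token (empty signature segment) for local runs only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

Running `map_principal_roles(jwt_claims(token), CONFIG)` on a real Keycloak access token shows whether `polaris_names` is present at the expected path and which role names the mapper would produce.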

