fivetran-arunsuri commented on code in PR #2197:
URL: https://github.com/apache/polaris/pull/2197#discussion_r2286221384


##########
persistence/relational-jdbc/src/main/java/org/apache/polaris/persistence/relational/jdbc/JdbcBasePersistenceImpl.java:
##########
@@ -773,6 +773,73 @@ public PolarisPrincipalSecrets generateNewPrincipalSecrets(
     return principalSecrets;
   }
 
+  @Nullable
+  @Override
+  public PolarisPrincipalSecrets resetPrincipalSecrets(
+      @Nonnull PolarisCallContext callCtx,
+      @Nonnull String clientId,
+      long principalId,
+      String customClientId,
+      String customClientSecret,
+      boolean customReset) {
+    PolarisPrincipalSecrets principalSecrets = loadPrincipalSecrets(callCtx, 
clientId);
+
+    // should be found
+    callCtx
+        .getDiagServices()
+        .checkNotNull(
+            principalSecrets,
+            "cannot_find_secrets",
+            "client_id={} principalId={}",
+            clientId,
+            principalId);
+
+    // ensure principal id is matching
+    callCtx
+        .getDiagServices()
+        .check(
+            principalId == principalSecrets.getPrincipalId(),
+            "principal_id_mismatch",
+            "expectedId={} id={}",
+            principalId,
+            principalSecrets.getPrincipalId());
+
+    if (customReset) {
+      principalSecrets =
+          new PolarisPrincipalSecrets(
+              principalSecrets.getPrincipalId(), customClientId, 
customClientSecret, null);
+    } else {
+      principalSecrets.rotateSecrets(principalSecrets.getMainSecretHash());
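
Review bot: In the `if (customReset)` branch, `customClientId` and `customClientSecret` are passed straight to the `PolarisPrincipalSecrets` constructor with no null or empty check, and neither parameter is annotated `@Nonnull` or `@Nullable` the way `callCtx` and `clientId` are. A caller can set `customReset` to true and leave either value null, so the boolean and the two values can disagree. Consider validating both values before the constructor call, using the same `getDiagServices().checkNotNull(...)` pattern as the checks above, or deriving the branch from whether the custom values are present rather than from a separate flag. The new method also has no Javadoc stating what the `null` fourth constructor argument means or when the `@Nullable` return is actually null.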

Review Comment:
   We have implemented the logic based on 2 things:
   1. Custom Credential Reset:
   When a user provides a custom clientId and clientSecret, the system fully 
resets the principal credentials with the new values with validation. This 
behaves similarly to a registerPrincipal flow.
   
   2. Random Credential Generation (No Custom Input):
   When no custom credentials are provided, the system generates random 
credentials while retaining the existing clientId. This ensures backward 
compatibility and resolves 
[Polaris issue #624](https://github.com/apache/polaris/issues/624)


