duc-dn commented on issue #2373:
URL: https://github.com/apache/polaris/issues/2373#issuecomment-3449898216

   Thanks @adutra
   I synchronized my external principals and principal roles with Polaris.
   This is the JWT from Keycloak:
   ```
   {
     "exp": 1761540380,
     "iat": 1761536780,
     "jti": "trrtcc:7c918b1c-f65b-fc64-60b5-adf2bffe0ab5",
     "iss": "http://keycloak:8080/realms/iceberg",
     "sub": "91bd4585-d925-47d4-8204-8571e0e5c84b",
     "typ": "Bearer",
     "azp": "client1",
     "acr": "1",
     "allowed-origins": [
       "http://localhost*"
     ],
     "scope": "profile email",
     "email_verified": false,
     "clientHost": "172.24.0.1",
     "principal_name": "root",
     "preferred_username": "service-account-client1",
     "principal_roles": [
       "service_admin",
       "catalog_admin"
     ],
     "clientAddress": "172.24.0.1",
     "principal_id": 0,
     "client_id": "client1"
   }
   ```
   You can see that the `iss` field in the JWT matches the `server-uri` value in
the OAuth2 configuration in Trino.
   - Besides that, I also created catalog roles and grants for those principal roles.
   
   <img width="623" height="561" alt="Image" src="https://github.com/user-attachments/assets/dd08f00a-f2f2-4b09-a5be-8c0365620ffc" />
   
   <img width="676" height="603" alt="Image" src="https://github.com/user-attachments/assets/5ef2627b-aadf-42bf-aabf-ecdd4f89acfe" />
   
   <img width="756" height="621" alt="Image" src="https://github.com/user-attachments/assets/6a87f397-b00d-4453-a147-ea3072ae60c2" />
   
   <img width="1401" height="241" alt="Image" src="https://github.com/user-attachments/assets/bc3d33be-9668-4257-85a7-9dba92cfa3bc" />
   
   - I checked the logs in Keycloak and didn't see any errors, but when I
checked Polaris, I got a 401 error.
   Trino called Polaris with ream-internal.
   <img width="1916" height="119" alt="Image" src="https://github.com/user-attachments/assets/642971d4-1291-4868-b09e-8b3bd49d53a9" />
   
   - I also tried replacing
`iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:catalog_admin` with
`iceberg.rest-catalog.oauth2.scope=PRINCIPAL_ROLE:serivce_admin`, but it did not work.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
