binarycat0 commented on issue #3059: URL: https://github.com/apache/polaris/issues/3059#issuecomment-3547139899
Hello! I shared only my experience, and it might be that someone else could experience the same. I do not exclude that I poorly read the documentation. But from what I see, the current version of the documentation does not say that principal_id is not required, nor that it is even recommended not to use it.

https://polaris.apache.org/in-dev/unreleased/managing-security/external-idp/

```
Principal Mapping
...
polaris.oidc.principal-mapper.type=default
polaris.oidc.principal-mapper.id-claim-path=polaris/principal_id
polaris.oidc.principal-mapper.name-claim-path=polaris/principal_name
```

Then you see the following in the examples section:

```json
{
  "polaris": {
    "roles": ["PRINCIPAL_ROLE:ALL"],
    "principal_name": "root",
    "principal_id": 1
  }
}
```

And you start to think that principal_id is mandatory to use. So the scenario can be as follows:

- you create a principal
- the API returns you an object with the following fields -> `{name, client_id, ...}`
- you assume that client_id is a typo and it's a principal_id (**it's not**)
- you put this data into your External IDP (e.g. Keycloak)
- authN doesn't work
- the only way is to set `principal_id=0` to activate resolving by name

So, I'm trying to say that it's probably better to correct/enhance the documentation and highlight that principal_id resolving is recommended to be avoided when using External IDP providers.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
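The mistake described in the comment (copying the API's `client_id` string into the `principal_id` claim) can be caught before the token ever reaches Polaris by checking the IdP's claim payload against the configured mapper paths. The following is an added example, not code from the comment or from the Polaris project. It resolves the two claim paths quoted above (`polaris/principal_id`, `polaris/principal_name`) through a decoded token payload and classifies how Polaris would resolve the principal. Two points are assumptions taken from the comment rather than verified against Polaris source: that claim paths are slash-separated JSON paths, and that `principal_id=0` makes Polaris resolve the principal by name. The three payloads are constructed; the first copies the documentation example quoted in the comment.

```python
"""Check an external-IdP token payload against Polaris principal-mapper claim paths.

Added example, not from the issue comment or the Polaris project. Assumptions
(taken from the comment, not verified against Polaris code): claim paths are
slash-separated JSON paths, and principal_id=0 selects resolution by name.
"""
from __future__ import annotations

from typing import Any

# Claim paths exactly as in the principal-mapper configuration quoted in the comment.
ID_CLAIM_PATH = "polaris/principal_id"
NAME_CLAIM_PATH = "polaris/principal_name"


def resolve_claim(payload: dict, path: str) -> Any:
    """Walk a slash-separated claim path through a decoded JWT payload.

    Returns None when any path segment is missing or the node is not an object.
    """
    node: Any = payload
    for segment in path.split("/"):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def classify_payload(payload: dict) -> dict:
    """Report how the mapper would resolve the principal and any problems found.

    "resolution" is one of "by-id", "by-name" or "invalid"; "findings" lists
    human-readable problems (empty when the payload is consistent).
    """
    findings: list[str] = []
    principal_id = resolve_claim(payload, ID_CLAIM_PATH)
    principal_name = resolve_claim(payload, NAME_CLAIM_PATH)

    if principal_name is None:
        findings.append(f"missing name claim at {NAME_CLAIM_PATH}")

    if principal_id is None:
        findings.append(f"missing id claim at {ID_CLAIM_PATH}")
        resolution = "invalid"
    elif isinstance(principal_id, bool) or not isinstance(principal_id, int):
        # This is the scenario from the comment: the opaque client_id string
        # returned by the create-principal API was pasted into principal_id.
        findings.append(
            f"{ID_CLAIM_PATH} is a {type(principal_id).__name__} "
            f"({principal_id!r}); expected an integer. client_id is not a principal_id."
        )
        resolution = "invalid"
    elif principal_id == 0:
        # Assumption from the comment: 0 activates resolving by principal_name.
        resolution = "by-name" if principal_name is not None else "invalid"
    else:
        # Any other integer: Polaris resolves by numeric id, so the value must
        # match the principal's real id, not just its name.
        resolution = "by-id"

    return {"resolution": resolution, "findings": findings}


# Constructed payloads. DOC_EXAMPLE copies the documentation snippet quoted in the comment.
DOC_EXAMPLE = {
    "polaris": {
        "roles": ["PRINCIPAL_ROLE:ALL"],
        "principal_name": "root",
        "principal_id": 1,
    }
}
BY_NAME_EXAMPLE = {
    "polaris": {
        "roles": ["PRINCIPAL_ROLE:ALL"],
        "principal_name": "root",
        "principal_id": 0,
    }
}
MISTAKEN_EXAMPLE = {
    "polaris": {
        "roles": ["PRINCIPAL_ROLE:ALL"],
        "principal_name": "root",
        "principal_id": "c0ffee-client-id",  # constructed client_id-style value
    }
}

if __name__ == "__main__":
    for label, payload in (
        ("doc example", DOC_EXAMPLE),
        ("by name", BY_NAME_EXAMPLE),
        ("client_id pasted in", MISTAKEN_EXAMPLE),
    ):
        result = classify_payload(payload)
        print(f"{label}: {result['resolution']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the script classifies the documentation example as `by-id`, the `principal_id=0` payload as `by-name`, and the pasted-`client_id` payload as `invalid` with a finding that names the offending claim. The same check can be run against a real token by decoding its payload (e.g. with `json.loads` on the base64url-decoded middle segment) and passing the resulting dict to `classify_payload`.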
