adnanhemani commented on code in PR #3236:
URL: https://github.com/apache/polaris/pull/3236#discussion_r2604753504
##########
runtime/service/src/main/java/org/apache/polaris/service/auth/DefaultAuthenticator.java:
##########
@@ -94,7 +95,9 @@ public PolarisPrincipal authenticate(PolarisCredential
credentials) {
PrincipalEntity principalEntity = resolvePrincipalEntity(credentials);
Set<String> principalRoles = resolvePrincipalRoles(credentials,
principalEntity);
- PolarisPrincipal polarisPrincipal = PolarisPrincipal.of(principalEntity,
principalRoles);
+ PolarisPrincipal polarisPrincipal =
+ PolarisPrincipal.of(
+ principalEntity, principalRoles,
Optional.ofNullable(credentials.getToken()));
LOGGER.debug("Resolved principal: {}", polarisPrincipal);
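Review bot: The unchanged `LOGGER.debug("Resolved principal: {}", polarisPrincipal)` at the end of this hunk now formats an object built from `credentials.getToken()`, so unless the string form of `PolarisPrincipal` omits or masks the token, the raw credential is written to the debug log. Either exclude the token from `toString()` (printing at most whether one is present) or log only the principal entity and roles on this line. A test asserting that the token value never appears in the principal's string form would keep this from regressing, and the new third parameter of `PolarisPrincipal.of(...)` deserves a doc comment stating that it holds a secret that must not be logged or serialized.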
Review Comment:
Per my understanding, this would mean that we will write the user's token
into the debug logs...
This would be pretty bad. I would consider making the change in
PolarisPrincipal to ensure that the token is not serialized when calling
`principal.toString()` a must-have requirement to approve this PR.