[PR] Include user-defined attributes when building PolarisPrincipal from Pā€¦ [polaris]

Mon, 11 May 2026 14:08:42 -0700 


iprithv opened a new pull request, #4405:
URL: https://github.com/apache/polaris/pull/4405

   ## Description
   
   Fixes #4291
   
   `PolarisPrincipal.of(PrincipalEntity, ā€¦)` forwards only the entity's 
*internal* properties (e.g. `client_id`) and silently drops the *user-defined* 
properties supplied at principal creation. As a result, downstream consumers 
that read `PolarisPrincipal.getProperties()` never see user attributes like 
`region=northamerica` or `department=finance`, and policies written against 
them never match.
   
   Affected paths:
   - `DefaultAuthenticator` - constructs the `PolarisPrincipal` during 
authentication.
   - `AuthenticatingAugmentor` - copies the principal's properties into 
`QuarkusSecurityIdentity` attributes.
   - External authorizers - **OPA** (`OpaPolarisAuthorizer`) and **Ranger** 
(`RangerUtils.getUserAttributes`) consume these as user attributes for ABAC 
policy evaluation. The existing OPA test suite already builds principals like 
`PolarisPrincipal.of("eve", Map.of("department","finance"), 
Set.of("auditor"))`, demonstrating the intended contract that the production 
path can't honor today.
   
   ## **Reproduction confirmed both ways:**
   
   On `main` (fix reverted):
   ```
   PolarisPrincipalTest > ofPrincipalEntityExposesUserDefinedProperties()       
                   FAILED
   PolarisPrincipalTest > 
ofPrincipalEntityWithTokenExposesUserDefinedProperties()                 FAILED
   DefaultAuthenticatorTest > 
testUserDefinedPropertiesArePreservedOnAuthenticatedPrincipal()      FAILED
   ```
   
   On this branch:
   ```
   ./gradlew :polaris-core:check                                                
BUILD SUCCESSFUL
   ./gradlew :polaris-runtime-service:test --tests "...service.auth.*"          
BUILD SUCCESSFUL
   ./gradlew :polaris-runtime-service:spotlessCheck :checkstyleMain 
:checkstyleTest   BUILD SUCCESSFUL
   ```
   
   ## Checklist
   - [x] šŸ›”ļø Don't disclose security issues! (contact [email protected])
   - [x] šŸ”— Clearly explained why the changes are needed, or linked related 
issues: Fixes #4291
   - [x] šŸ§Ŗ Added/updated tests with good coverage, or manually tested (and 
explained how)
   - [x] šŸ’” Added comments for complex logic
   - [x] šŸ§¾ Updated `CHANGELOG.md` (if needed)
   - [ ] šŸ“š Updated documentation in `site/content/in-dev/unreleased` (if 
needed) ā€” N/A, internal behavior fix; no user-facing config or doc surface 
affected.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to