Replies: 3 comments 7 replies
-
|
@dennishuo @XJDKC : WDYT? |
Beta Was this translation helpful? Give feedback.
-
|
@RB-ETArch : Regardless of the answer to your exact question, if your use case benefits from passing the vended credential through, it can certainly be implemented in Polaris with the help of feature flags. Given that credential vending is a critical topic security-wise, I'd suggest opening a |
Beta Was this translation helpful? Give feedback.
-
|
Hi @RB-ETArch, what you described is the expected behavior. Passing through vended credentials across catalog federation is not considered safe. One of the main reasons is that federation between catalogs is typically performed using a service principal. As a result, the vended credentials returned by the remote catalog could unintentionally carry administrative privileges. To safely support credential passthrough, the original user or principal would first need to be propagated to the remote catalog so that both catalogs recognize the same identity. However, that alone is not sufficient. Even if both catalogs identify the same principal, they may not enforce the same permissions. For example, a user may have write permission in Catalog A but only read permission in Catalog B. In that case, blindly passing through the remote catalog's vended credentials could grant privileges that are inconsistent with the authorization decisions made by the central catalog. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I am evaluating catalog federation behavior in a data lakehouse setup using Apache Iceberg with Apache Polaris.
Architecture:
Expected flow (based on my understanding):
Actual behavior observed:
Question:
Is this the expected behavior for Polaris catalog federation (i.e., central catalog always re-issues STS tokens), or is this a bug / misconfiguration?
Beta Was this translation helpful? Give feedback.
All reactions