collado-mike commented on code in PR #1353:
URL: https://github.com/apache/polaris/pull/1353#discussion_r2047870731
##########
service/common/src/main/java/org/apache/polaris/service/admin/PolarisAdminService.java:
##########
@@ -771,6 +771,9 @@ public PrincipalWithCredentials
createPrincipal(PolarisEntity entity) {
PolarisAuthorizableOperation op =
PolarisAuthorizableOperation.CREATE_PRINCIPAL;
authorizeBasicRootOperationOrThrow(op);
+ if (PolarisEntity.isFederated(entity)) {
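Review bot: the added `if (PolarisEntity.isFederated(entity))` line in createPrincipal carries no comment saying which property marks an entity as federated or why principal creation branches on it. The branch body is not visible in this hunk, so a one-line comment above the check stating what isFederated reads from the entity and what happens to a federated entity here would make the intent reviewable. Placing the check after authorizeBasicRootOperationOrThrow(op) keeps authorization ahead of any inspection of the caller-supplied entity, which is the right order.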
Review Comment:
The presence of a specific property is the only way that the admin API can
tell if an entity is managed by an IdP. Principal Roles, federated or not, must
be present in the service in order to be granted privileges. That means they
have to be persisted, so the persistence API is going to return them as
entities. We have to be able to introspect those entities to know when it is or
isn't ok to grant access to those roles. This was outlined in the design doc at
https://docs.google.com/document/d/15_3ZiRB6Lhzw0nxij341QUdxEIyFGTrI9_18bFIyJVo/edit?tab=t.0#heading=h.w9dvdtp5mw5p