collado-mike commented on PR #3409:
URL: https://github.com/apache/polaris/pull/3409#issuecomment-3904782198

> my understanding is that this feature is generally usable only in situations when the admin owns Polaris deployment (otherwise it is not possible to configure per-name credentials at all, and the system falls back to current behaviour).
>
> Additionally, the new behaviour is controlled by a feature flag, which is off by default. So existing users are not affected even when they upgrade to this code.

My concern isn't for existing users. It's for people who try to use the feature and accidentally or maliciously take advantage of this fallback. E.g., if an admin configures a credential called `limited` but accidentally fat-fingers `likited`, a catalog admin can create a catalog that tries to load the `limited` credentials and accidentally falls back to the default (possibly less restricted) credentials unknowingly. This silent failure leaves the admins completely unaware that there's an error in the configuration and, in the worst case, allows someone access to credentials they could use maliciously.
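The `limited` / `likited` scenario from the comment above, as an added example that is not part of the comment and is not Polaris code. It models a name-to-credential lookup with silent fallback beside a fail-closed lookup and a startup audit; every function name and credential value here is a constructed assumption.

```python
# Constructed model of the scenario; none of these names are Polaris APIs.
class UnknownCredentialError(LookupError):
    """A catalog referenced a credential name that is not configured."""

DEFAULT = "default-broad-credentials"            # constructed placeholder value
CONFIGURED = {"likited": "narrow-credentials"}   # admin meant to type "limited"


def resolve_with_fallback(name, configured=CONFIGURED, default=DEFAULT):
    """Fallback behaviour the comment objects to: unknown name -> default."""
    return configured.get(name, default)


def resolve_strict(name, configured=CONFIGURED, default=DEFAULT):
    """Fail closed: only an absent name (None) selects the default."""
    if name is None:
        return default
    try:
        return configured[name]
    except KeyError:
        raise UnknownCredentialError(
            f"credential {name!r} is not configured; known: {sorted(configured)}"
        ) from None


def audit_references(catalogs, configured=CONFIGURED):
    """Surface both halves of a typo at startup.

    catalogs maps catalog name -> requested credential name (or None).
    Returns (dangling, unused): references with no matching definition,
    and definitions that no catalog references.
    """
    requested = {c: n for c, n in catalogs.items() if n is not None}
    dangling = {c: n for c, n in requested.items() if n not in configured}
    unused = sorted(set(configured) - set(requested.values()))
    return dangling, unused


if __name__ == "__main__":
    catalogs = {"analytics": "limited", "legacy": None}  # constructed sample
    print("fallback gives:", resolve_with_fallback("limited"))
    print("audit:", audit_references(catalogs))
    try:
        resolve_strict("limited")
    except UnknownCredentialError as exc:
        print("rejected:", exc)
```

A dangling reference paired with an unused definition of a similar name is the signature of the typo case, which is why the audit reports both.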
