Contributor

@adutra adutra commented Aug 19, 2025

Summary of changes:

  • Instead of including the principal id twice in the token, the principal name is now used as the subject claim. While the default authenticator doesn't need the principal name and works with just the principal id, not having the "real" principal name available could be a problem for other authenticator implementations.

  • DecodedToken has been refactored and renamed to InternalPolarisCredential. It is also now a package-private component as it is an implementation detail of Polaris internal auth mechanism.

  • TokenBroker.verify() now returns PolarisCredential.

* @see JWTBroker
*/
@PolarisImmutable
abstract class InternalPolarisCredential implements PolarisCredential {
Contributor

[optional: maybe another name?] Isn't it still a decoded bearer token? Maybe it's just me, but I find it a little bit hard to disassociate from the client credentials flow semantics, which typically requires a client secret.

Contributor Author

I'm not opposed to other names.

My rationale is: this component represents credentials extracted from an internal polaris token, hence the name I picked.

Let's wait for more feedback from other reviewers and I'll change the name accordingly.

Contributor Author

Would PolarisToken work for you?

Contributor Author

(or InternalPolarisToken)

Contributor

@singhpk234 singhpk234 Aug 19, 2025

`InternalPolarisToken` works for me! This comment is totally optional to address; agree on waiting for more people to weigh in :)
