Hi Selva, It is likely a bug. The logic [1] was introduced in PR 2307[2], before that, getProperties() did not exist. I think using principalEntity.getPropertiesAsMap() makes more sense in [1].
1. https://github-personal/flyrain/polaris/blob/4d90f53f2d360e622f0d6e3006dedcec497b1d38/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisPrincipal.java#L46 2. https://github.com/apache/polaris/pull/2307 Yufei On Thu, Apr 23, 2026 at 6:10 PM Selvamohan Neethiraj <[email protected]> wrote: > > Following up on my earlier email, I was able to trace the issue and am now > trying to understand the reasoning behind the current implementation. > > When a PolarisPrincipal (org.apache.polaris.core.auth.PolarisPrincipal) is > created from a PrincipalEntity > (org.apache.polaris.core.entity.PrincipalEntity), it appears to copy only > the internal properties using getInternalPropertiesAsMap(). This preserves > attributes such as clientId, but drops user-defined attributes. > > Based on this behavior, it seems that using > principalEntity.getPropertiesAsMap() instead of > principalEntity.getInternalPropertiesAsMap() would retain both internal and > user-defined attributes. > > Is there a specific reason why user-defined attributes are intentionally > excluded when creating a PolarisPrincipal object? > > Regards, > Selva- > > > On Apr 23, 2026, at 1:34 PM, Selvamohan Neethiraj <[email protected]> > wrote: > > > > Hi, > > > > I am using the REST API /api/management/v1/principals to create a new > principal with user attributes (for example: region=northamerica). The API > call completes successfully, and the response correctly includes the > specified user attributes. > > > > However, when I use the returned client-id and client-secret to obtain > an OAuth token from /api/catalog/v1/oauth/tokens, and then use that token > to perform other API operations (such as listing catalogs via > /api/management/v1/catalogs), the server-side Polaris principal does not > appear to include the user attributes. > > > > Specifically, the user attributes defined during principal creation do > not seem to be available during subsequent API calls authenticated using > the generated OAuth token. > > > > Could you please confirm: > > > > 1. Whether this is the expected behavior, or > > 2. If there is an additional step required to propagate or include > principal attributes when generating or using OAuth tokens, or > > 3. If this might be a bug. > > > > Thanks in advance for your guidance. > > > > Best regards, > > Selva > >
