Hi Yufei,

Thank you for confirming that this is likely a bug and for pointing to the relevant logic and PR reference.
I have created Issue #4291 to track this: https://github.com/apache/polaris/issues/4291

I have also submitted a proposed fix along with test coverage in PR #4292: https://github.com/apache/polaris/pull/4292

Could you please review the PR and share your feedback?

Thanks again for your guidance.

Regards,
Selva-

> On Apr 24, 2026, at 7:44 PM, Yufei Gu <[email protected]> wrote:
>
> Hi Selva,
>
> It is likely a bug. The logic [1] was introduced in PR 2307[2], before
> that, getProperties() did not exist. I think using
> principalEntity.getPropertiesAsMap() makes more sense in [1].
>
> 1. https://github-personal/flyrain/polaris/blob/4d90f53f2d360e622f0d6e3006dedcec497b1d38/polaris-core/src/main/java/org/apache/polaris/core/auth/PolarisPrincipal.java#L46
> 2. https://github.com/apache/polaris/pull/2307
>
>
> Yufei
>
>
> On Thu, Apr 23, 2026 at 6:10 PM Selvamohan Neethiraj <[email protected]>
> wrote:
>
>>
>> Following up on my earlier email, I was able to trace the issue and am now
>> trying to understand the reasoning behind the current implementation.
>>
>> When a PolarisPrincipal (org.apache.polaris.core.auth.PolarisPrincipal) is
>> created from a PrincipalEntity
>> (org.apache.polaris.core.entity.PrincipalEntity), it appears to copy only
>> the internal properties using getInternalPropertiesAsMap(). This preserves
>> attributes such as clientId, but drops user-defined attributes.
>>
>> Based on this behavior, it seems that using
>> principalEntity.getPropertiesAsMap() instead of
>> principalEntity.getInternalPropertiesAsMap() would retain both internal and
>> user-defined attributes.
>>
>> Is there a specific reason why user-defined attributes are intentionally
>> excluded when creating a PolarisPrincipal object?
>>
>> Regards,
>> Selva-
>>
>>> On Apr 23, 2026, at 1:34 PM, Selvamohan Neethiraj <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> I am using the REST API /api/management/v1/principals to create a new principal with user attributes (for example: region=northamerica). The API call completes successfully, and the response correctly includes the specified user attributes.
>>>
>>> However, when I use the returned client-id and client-secret to obtain an OAuth token from /api/catalog/v1/oauth/tokens, and then use that token to perform other API operations (such as listing catalogs via /api/management/v1/catalogs), the server-side Polaris principal does not appear to include the user attributes.
>>>
>>> Specifically, the user attributes defined during principal creation do not seem to be available during subsequent API calls authenticated using the generated OAuth token.
>>>
>>> Could you please confirm:
>>>
>>> 1. Whether this is the expected behavior, or
>>> 2. If there is an additional step required to propagate or include principal attributes when generating or using OAuth tokens, or
>>> 3. If this might be a bug.
>>>
>>> Thanks in advance for your guidance.
>>>
>>> Best regards,
>>> Selva
