tokoko commented on PR #3170: URL: https://github.com/apache/polaris/pull/3170#issuecomment-3608238917
To be honest I'm very confused about the implementation in the PR as well. Not sure about other s3-compatible systems, but in the case of minio, (if I'm reading this correctly...) this option will only work if all catalog users have the ability to assume the role that's configured centrally on the catalog level and which also needs to have read/write privileges on all catalog locations. I fail to see how this can be useful to anyone. Why would anyone hand out assume role privileges on what's basically a superuser?

If the problem that the PR is trying to solve is simply to support those systems that only support `AssumeRoleWithWebIdentity`, the more straightforward solution would be to enable the catalog to acquire the required web identity instead of acquiring it from a user. The same way that the standard `AssumeRole` option relies on AWS environment variables to authenticate the call, the new `AssumeRoleWithWebIdentity` solution should read the necessary OAuth configs and have an internal background process that obtains and refreshes a token needed to authenticate `AssumeRoleWithWebIdentity` calls. I'm not sure why we would complicate this with some sort of token pass-through mechanism.
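The following is an added illustration of the alternative the comment above proposes, not code from Polaris or from the PR: the catalog process holds its own OAuth client credentials, obtains a web identity token from the IdP, exchanges it via STS `AssumeRoleWithWebIdentity`, and refreshes both ahead of expiry in a background thread, so no catalog user ever needs permission to assume the catalog role. The config names, the `fetch_token` / `assume_role` callables and the sample values are assumptions made so the example runs offline; in a real deployment `fetch_token` would POST a client-credentials grant to the IdP token endpoint and `assume_role` would wrap boto3's `sts.assume_role_with_web_identity`.

```python
"""Catalog-level AssumeRoleWithWebIdentity credential source (added example)."""
from __future__ import annotations

import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class WebIdentityConfig:
    # Hypothetical catalog-level settings; names are not Polaris config keys.
    token_endpoint: str          # IdP OAuth token endpoint (client-credentials grant)
    client_id: str
    client_secret: str
    role_arn: str                # role the *catalog* assumes; users never assume it
    session_name: str
    refresh_margin_s: float = 60.0   # refresh this long before expiry


@dataclass(frozen=True)
class AwsCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float            # epoch seconds


# (config) -> (web_identity_token, token_expires_at)
TokenFetcher = Callable[[WebIdentityConfig], Tuple[str, float]]
# (role_arn, session_name, web_identity_token) -> AwsCredentials
StsCaller = Callable[[str, str, str], AwsCredentials]


class CatalogWebIdentityCredentials:
    """Caches STS credentials and refreshes them before they expire.

    The IdP and STS calls are injected so the logic can be exercised without
    network access; the refresh policy is the part worth reading.
    """

    def __init__(self, cfg: WebIdentityConfig, fetch_token: TokenFetcher,
                 assume_role: StsCaller, clock: Callable[[], float] = time.time):
        self._cfg = cfg
        self._fetch_token = fetch_token
        self._assume_role = assume_role
        self._clock = clock
        self._lock = threading.Lock()
        self._creds: Optional[AwsCredentials] = None

    def _expiring(self, expires_at: float) -> bool:
        # Treat anything inside the safety margin as already expired.
        return self._clock() + self._cfg.refresh_margin_s >= expires_at

    def get(self) -> AwsCredentials:
        """Return valid credentials, refreshing the token and STS session if needed."""
        with self._lock:
            if self._creds is None or self._expiring(self._creds.expires_at):
                token, token_expires_at = self._fetch_token(self._cfg)
                # A token that would expire inside the margin is not worth presenting to STS.
                if self._expiring(token_expires_at):
                    raise RuntimeError("web identity token from IdP expires too soon")
                self._creds = self._assume_role(
                    self._cfg.role_arn, self._cfg.session_name, token)
            return self._creds

    def start_background_refresh(self, interval_s: float,
                                 stop: threading.Event) -> threading.Thread:
        """Keep credentials warm so request threads rarely pay the refresh cost."""
        def loop() -> None:
            while not stop.wait(interval_s):
                try:
                    self.get()
                except Exception:
                    # Leave the last good credentials in place; the next get()
                    # on a request thread will retry and surface the error.
                    pass
        t = threading.Thread(target=loop, name="web-identity-refresh", daemon=True)
        t.start()
        return t


def demo() -> Tuple[int, int]:
    """Constructed offline run: returns (idp_calls, sts_calls) after three reads."""
    now = [1_700_000_000.0]
    calls = {"idp": 0, "sts": 0}

    def fetch(cfg: WebIdentityConfig) -> Tuple[str, float]:
        calls["idp"] += 1
        return ("constructed.jwt.token", now[0] + 3600)     # 1h token

    def sts(role_arn: str, name: str, token: str) -> AwsCredentials:
        calls["sts"] += 1
        return AwsCredentials("AKIAEXAMPLE", "secret", "session", now[0] + 900)  # 15m

    cfg = WebIdentityConfig("https://idp.example/token", "catalog", "client-secret",
                            "arn:aws:iam::000000000000:role/catalog-storage", "catalog")
    provider = CatalogWebIdentityCredentials(cfg, fetch, sts, clock=lambda: now[0])
    provider.get()            # first read: IdP + STS
    provider.get()            # cached
    now[0] += 850             # inside the 60 s margin of the 900 s session
    provider.get()            # refreshed: IdP + STS again
    return calls["idp"], calls["sts"]
```

Only the catalog's own client secret and role ARN appear in configuration; a user's token is never exchanged, so the blast radius of a leaked user credential stays confined to that user's own Polaris privileges.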
