This plan SGTM! Thanks for working on this, Alex! Cheers, Dmitri.
On Mon, Apr 14, 2025 at 4:52 PM Alex Dutra <alex.du...@dremio.com.invalid> wrote: > Hi all, > > A recently-reported bug [1] uncovered some serious issues with the JAX-RS > authentication filters. Fixing this bug requires replacing the incriminated > filters with proper Quarkus Security mechanisms. > > In parallel to that, support for external identity providers has been > requested many times, see [2], [3] and [4]. We know however that this > feature can only be delivered by implementing similar mechanisms. > > There might be an opportunity here to kill two birds with one stone. I > would like therefore to make the following proposal: > > 1. In a first PR, *replace the current authentication filters* by > Quarkus Security. This PR should be transparent to users and should not > change the current behavior of Polaris, nor its configuration options. > 2. In a second PR, *implement support for external identity providers*. > This shall be done by implementing a new HttpAuthenticationMechanism > that will pick the right authentication mechanism (internal token > broker vs > external IdP) based on the runtime configuration. > > If you agree with this proposal, I'm happy to start working on the first > PR. > > Thanks, > > Alex > > [1]: https://github.com/apache/polaris/issues/1345 > [2]: https://github.com/apache/polaris/issues/336 > [3]: https://github.com/apache/polaris/issues/976 > [4]: https://github.com/apache/polaris/issues/1327 >
