+1 The plan is sound!
On 14.04.25 23:15, Dmitri Bourlatchkov wrote:
This plan SGTM! Thanks for working on this, Alex! Cheers, Dmitri. On Mon, Apr 14, 2025 at 4:52 PM Alex Dutra <alex.du...@dremio.com.invalid> wrote:Hi all, A recently-reported bug [1] uncovered some serious issues with the JAX-RS authentication filters. Fixing this bug requires replacing the incriminated filters with proper Quarkus Security mechanisms. In parallel to that, support for external identity providers has been requested many times, see [2], [3] and [4]. We know however that this feature can only be delivered by implementing similar mechanisms. There might be an opportunity here to kill two birds with one stone. I would like therefore to make the following proposal: 1. In a first PR, *replace the current authentication filters* by Quarkus Security. This PR should be transparent to users and should not change the current behavior of Polaris, nor its configuration options. 2. In a second PR, *implement support for external identity providers*. This shall be done by implementing a new HttpAuthenticationMechanism that will pick the right authentication mechanism (internal token broker vs external IdP) based on the runtime configuration. If you agree with this proposal, I'm happy to start working on the first PR. Thanks, Alex [1]: https://github.com/apache/polaris/issues/1345 [2]: https://github.com/apache/polaris/issues/336 [3]: https://github.com/apache/polaris/issues/976 [4]: https://github.com/apache/polaris/issues/1327
-- Robert Stupp @snazy
