+1 to documenting "IMPLICIT" both in YAML comments (briefly, in PR 1925)
and in Polaris docs (from the end user's perspective).

Thanks,
Dmitri.

On Fri, Jul 4, 2025 at 6:37 AM Robert Stupp <sn...@snazy.de> wrote:

> AFAIU `IMPLICIT` means that Polaris does not explicitly configure any
> auth related settings, but implementations still leverage external
> sources (system-properties and environment and files and
> container-configuration endpoints and what not).
>
> That's generally fine for me.
>
> I'd just like to highlight that this fact should be explicitly
> documented, mentioning that these "external sources" affect all realms
> and users have to consider this when using multiple catalog or realms.
> It might not be obvious to everyone.
>
>
> On 7/3/25 00:28, Pooja Nilangekar wrote:
> > Thanks Dmitri and Eric, for now I will update the PR with IMPLICIT. If
> others send out suggestions later, I could change it. If not, we can
> proceed with IMPLICIT.
> >
> > Thanks,
> > Pooja
> >
> > On 2025/07/02 22:21:50 Eric Maynard wrote:
> >> Yeah I think IMPLICIT seems reasonable -- we could start with that and
> then
> >> expand to NONE if the need arises.
> >>
> >> On Wed, Jul 2, 2025 at 2:34 PM Dmitri Bourlatchkov <di...@apache.org>
> wrote:
> >>
> >>> I'd be fine with supporting both NONE and IMPLICIT.
> >>>
> >>> I'd expect NONE to be executed as strictly no authentication in
> requests to
> >>> external catalogs, though, even if the connector (inside Polaris)
> allows
> >>> defaulting to environment or files, etc.
> >>>
> >>> If IMPLICIT is specified and the Polaris Server cannot reasonably
> leverage
> >>> any pre-configured (at deployment time) auth mechanisms, then requests
> >>> should be denied on the Polaris side.
> >>>
> >>> As an example, IMPLICIT with AWS SDK is always allowed because the SDK
> has
> >>> well-known file-based configuration / profiling mechanisms.
> >>>
> >>> I do not know enough about Hadoop, though.
> >>>
> >>> WDYT?
> >>>
> >>> Cheers,
> >>> Dmitri.
> >>>
> >>> On Wed, Jul 2, 2025 at 5:24 PM Eric Maynard <eric.w.mayn...@gmail.com>
> >>> wrote:
> >>>
> >>>> Yeah, maybe NONE is misleading and so UNMANAGED or IMPLICIT could be
> >>>> better. In some cases it's conceivable that there really is no "auth"
> as
> >>>> such -- like with HADOOP -- and so I wonder if IMPLICIT over-promises
> a
> >>>> bit?
> >>>>
> >>>> --EM
> >>>>
> >>>> On Wed, Jul 2, 2025 at 1:10 PM Dmitri Bourlatchkov <di...@apache.org>
> >>>> wrote:
> >>>>
> >>>>> How about using the enum name IMPLICIT in this case?
> >>>>>
> >>>>> YAML comments will briefly mention runtime env. implications.
> >>>> Documentation
> >>>>> will (later) explain how it works in detail.
> >>>>>
> >>>>> From my POV, "NONE" means strictly no auth.
> >>>>>
> >>>>> Cheers,
> >>>>> Dmitri.
> >>>>>
> >>>>>
> >>>>>
> >>>>> On Wed, Jul 2, 2025 at 4:04 PM Eric Maynard <
> eric.w.mayn...@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>>> When the new NONE (or any proposed alternative name) is used as the
> >>>>>> authentication type in an External Catalog, what kind of auth flow
> >>> will
> >>>>>> actually happen in runtime?
> >>>>>>
> >>>>>> This question really gets to the core of what we are discussing.
> From
> >>>> my
> >>>>>> perspective in implementing HADOOP, we can interpret NONE in two
> >>> ways:
> >>>>>> 1. Polaris does no auth whatsoever
> >>>>>> 2. The EXTERNAL catalog connection config does not describe any kind
> >>> of
> >>>>>> auth
> >>>>>>
> >>>>>> My interpretation of NONE is (2).
> >>>>>>
> >>>>>> While it's true that Polaris doesn't explicitly do any kind of auth
> >>> for
> >>>>>> Hadoop and relies on the fact that new Configuration() happens to
> >>> load
> >>>>> from
> >>>>>> some env vars, I do not believe that it's really accurate to say we
> >>> are
> >>>>> in
> >>>>>> situation (1). Polaris may still be doing some auth, even if it's
> not
> >>>>>> obvious from a quick pass over the code.
> >>>>>>
> >>>>>> Rather, NONE indicates that the ConnectionConfigInfo itself does not
> >>>>>> contain any authentication credentials or mechanism. Consider
> another
> >>>>>> example -- if the auth type is configured as OAUTH, that doesn't
> mean
> >>>>> that
> >>>>>> the remote catalog isn't additionally using mTLS. It just means that
> >>>> the
> >>>>>> ConnectionConfigInfo attached to the EXTERNAL catalog in Polaris
> >>>> contains
> >>>>>> OAUTH-related information.
> >>>>>>
> >>>>>> --EM
> >>>>>>
> --
> Robert Stupp
> @snazy
>
>
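The NONE versus IMPLICIT distinction argued over in the thread, written out as an added Python example (hypothetical illustration, not Polaris's own code or enum): NONE sends requests with no credentials regardless of what the deployment environment offers, while IMPLICIT probes the AWS SDK's well-known sources (the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` variables, then the shared credentials file and `AWS_PROFILE`) and fails closed, denying the request, when none is found. The `AuthType`, `resolve_auth` and `discover_implicit_aws` names and the file contents are constructed for the example; the probing order mirrors the SDK's documented precedence but is not the SDK itself.

```python
import tempfile
from enum import Enum
from pathlib import Path
from typing import Mapping, Optional


class AuthType(Enum):
    """Hypothetical enum mirroring the thread's proposal (not Polaris's own code)."""
    NONE = "NONE"          # strictly no auth: never attach credentials
    IMPLICIT = "IMPLICIT"  # nothing configured in Polaris; rely on deployment sources


class ImplicitAuthUnavailable(Exception):
    """Raised when IMPLICIT is requested but no deployment-level source exists."""


def discover_implicit_aws(env: Mapping[str, str], home: str) -> Optional[str]:
    """Probe the AWS SDK's well-known credential sources in the SDK's order:
    environment variables first, then the shared credentials file for the
    selected profile. Returns a label naming the source, or None."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    profile = env.get("AWS_PROFILE", "default")
    cred_path = Path(env.get("AWS_SHARED_CREDENTIALS_FILE",
                             str(Path(home) / ".aws" / "credentials")))
    if cred_path.is_file() and f"[{profile}]" in cred_path.read_text():
        return f"shared-credentials-file:{profile}"
    return None


def resolve_auth(auth_type: str, env: Mapping[str, str], home: str) -> Optional[str]:
    """Decide what a connection with the given auth type may use.

    NONE     -> None: the request goes out with no credentials at all, even if
                ambient sources exist (strictly no auth).
    IMPLICIT -> label of the discovered deployment-level source; fail closed
                by raising when none is found instead of sending unauthenticated.
    """
    kind = AuthType[auth_type]
    if kind is AuthType.NONE:
        return None
    source = discover_implicit_aws(env, home)
    if source is None:
        raise ImplicitAuthUnavailable(
            "IMPLICIT requested but no pre-configured AWS credential source found; "
            "denying the request rather than sending it unauthenticated")
    return source


def run_demo() -> dict:
    """Exercise the outcomes with constructed inputs; returns a dict of results."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        # Constructed: empty home directory, empty environment -> IMPLICIT fails closed.
        try:
            resolve_auth("IMPLICIT", {}, home)
            results["implicit_empty"] = "allowed"
        except ImplicitAuthUnavailable:
            results["implicit_empty"] = "denied"
        # Constructed: a fake shared credentials file carrying a 'prod' profile.
        aws_dir = Path(home) / ".aws"
        aws_dir.mkdir()
        (aws_dir / "credentials").write_text(
            "[prod]\naws_access_key_id = CONSTRUCTED\naws_secret_access_key = CONSTRUCTED\n")
        results["implicit_file"] = resolve_auth("IMPLICIT", {"AWS_PROFILE": "prod"}, home)
        # Constructed: environment variables take precedence over the file.
        results["implicit_env"] = resolve_auth(
            "IMPLICIT",
            {"AWS_ACCESS_KEY_ID": "CONSTRUCTED", "AWS_SECRET_ACCESS_KEY": "CONSTRUCTED"},
            home)
        # NONE ignores every ambient source, even with the profile file present.
        results["none_with_file"] = resolve_auth("NONE", {"AWS_PROFILE": "prod"}, home)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the sources that IMPLICIT picks up are process-wide (environment, home directory, instance metadata), every realm and every EXTERNAL catalog on the same Polaris server resolves to the same deployment identity; that is the cross-realm effect the thread asks to have documented, and the reason the example keeps NONE strictly credential-free rather than silently falling back.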
