Testing every possible ARN rather manually is quite an effort, both for the quite special cn and us-gov ones and also for appliance/vendor specific ones. While certain Polaris installations may have a need to forbid those, other user-scenarios have legit reasons to allow them. I'm not sure whether the Polaris project should enforce anything there.
On Sat, Nov 8, 2025 at 1:25 AM Eric Maynard <[email protected]> wrote: > > Originally there was no way to specify region/endpoint on a catalog, so > these regions had to be disabled for the reason given in #1056. I’m > guessing nobody has tested aws-cn and so nobody has enabled it. If you can > test it and it works, I’m definitely in favor of enabling it. > > —EM > > > On Fri, Nov 7, 2025 at 6:57 PM Dmitri Bourlatchkov <[email protected]> wrote: > > > Hi All, > > > > PR [3005] expanded the RegEx rule for Role ARN parameter validation. > > > > However, I see [1] that aws-cn ARNs are blocked by an explicit code check. > > This blocking appears to be present since day 1 of the Apache Polaris > > codebase [2], when aws-us-gov was also blocked. The blocking of aws-us-gov > > ended with [1056]. > > > > Does anyone have any rationale on why Polaris should block aws-cn ARNs? > > > > [1] > > > > https://github.com/apache/polaris/blob/main/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsStorageConfigurationInfo.java#L165 > > > > [2] > > > > https://github.com/apache/polaris/blob/f3d9141c9708940523aa8d206a0bb32465398a7f/polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsStorageConfigurationInfo.java#L91 > > > > [1056] https://github.com/apache/polaris/pull/1056 > > [3005] https://github.com/apache/polaris/pull/3005 > > > > Thanks, > > Dmitri. > >
