The credential vending fundamentally relies on authZ. Once we clarify how
authZ should work for a federated catalog, credential vending should
naturally be based on it. I see two possible approaches:
1. Polaris remains in charge of authZ for the federated catalog. In this
case, credential vending would align with the privileges enforced in
Polaris. We will need storage configs to be there in Polaris in this case.
2. AuthZ is delegated to the remote catalog. In that scenario, we would
likely need an external PDP that is consistent with the remote catalog’s
authZ model, and vended credentials might pass through from the remote
catalog. This adds more responsibility to the system admins. All services
should be set up correctly, so that the access control can be done
appropriately.

I believe the key question to resolve first is where authZ lives. Once that
is settled, the credential vending behavior becomes much clearer.

Yufei
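An added illustration of option 1 above (editor's example, not code from the Polaris project or from anyone in this thread): Polaris keeps the grants and the storage config, and the credential it vends for a federated table is downscoped from those two things. The privilege names mirror Polaris's table privileges, but the grant table, the storage config shape, the "write implies read" rule and the object-store action names are all assumptions constructed for this example.

```python
"""Toy model of credential vending driven by Polaris-side authZ.

Illustrative only; this is not Polaris's implementation. Everything below
(grant table, storage config shape, action names) is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Privilege names modelled on Polaris's table privileges. That TABLE_WRITE_DATA
# also implies read access is an assumption of this example.
TABLE_READ_DATA = "TABLE_READ_DATA"
TABLE_WRITE_DATA = "TABLE_WRITE_DATA"

# Object-store actions a vended credential may carry (assumed, S3-style names).
READ_ACTIONS = frozenset({"s3:GetObject", "s3:ListBucket"})
WRITE_ACTIONS = frozenset({"s3:PutObject", "s3:DeleteObject"})


@dataclass(frozen=True)
class StorageConfig:
    """Storage config Polaris would hold for the federated catalog (assumed shape)."""
    bucket: str
    role_arn: str


@dataclass(frozen=True)
class TableRef:
    catalog: str
    namespace: str
    name: str
    location: str  # fully qualified object-store location of the table


@dataclass(frozen=True)
class VendedCredential:
    """What Polaris hands back: actions bounded by the caller's privileges,
    a resource prefix bounded by the table location, and a short lifetime."""
    principal: str
    assumed_role: str
    actions: FrozenSet[str]
    resource_prefix: str
    ttl_seconds: int


# Constructed grant table: (principal, catalog, namespace, table) -> privileges.
GRANTS: Dict[Tuple[str, str, str, str], Set[str]] = {
    ("alice", "fed_cat", "sales", "orders"): {TABLE_READ_DATA},
    ("bob", "fed_cat", "sales", "orders"): {TABLE_WRITE_DATA},
}

# Constructed storage config and table, both registered in Polaris under option 1.
STORAGE = StorageConfig(bucket="fed-warehouse",
                        role_arn="arn:aws:iam::000000000000:role/polaris-vend")
ORDERS = TableRef("fed_cat", "sales", "orders", "s3://fed-warehouse/sales/orders")


def effective_privileges(principal: str, table: TableRef) -> Set[str]:
    """Privileges Polaris has recorded for this principal on this table."""
    key = (principal, table.catalog, table.namespace, table.name)
    return set(GRANTS.get(key, set()))


def vend_credential(principal: str, table: TableRef, storage: StorageConfig,
                    ttl_seconds: int = 900) -> VendedCredential:
    """Mint a credential whose scope is derived from Polaris's own grants.

    Raises PermissionError when the principal holds no privilege on the table
    and ValueError when Polaris's storage config does not cover the table,
    which is the case Yufei's option 1 rules out by requiring the config to
    live in Polaris.
    """
    privs = effective_privileges(principal, table)
    if not privs:
        raise PermissionError(
            f"{principal} has no privileges on {table.namespace}.{table.name}")
    if not table.location.startswith(f"s3://{storage.bucket}/"):
        raise ValueError(
            f"{table.location} is not covered by the storage config for "
            f"bucket {storage.bucket}; nothing to vend from")
    actions = set(READ_ACTIONS)
    if TABLE_WRITE_DATA in privs:
        actions |= WRITE_ACTIONS
    return VendedCredential(principal, storage.role_arn, frozenset(actions),
                            table.location, ttl_seconds)


if __name__ == "__main__":
    print(vend_credential("alice", ORDERS, STORAGE))
    print(vend_credential("bob", ORDERS, STORAGE))
```

The two error paths are the point: a principal without a Polaris grant gets nothing, and a table whose location is outside what Polaris's storage config covers cannot be vended for at all, which is why option 1 needs the storage config to be held in Polaris rather than only in the remote catalog.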


On Fri, Feb 13, 2026 at 9:32 AM Prashant Singh <[email protected]>
wrote:

> I believe we would need to identify the federation for such a catalog for
> such things to happen?
> Like how does user A in Polaris map to the equivalent user in the external catalog?
> Secondly, if we define additional grants on Polaris, how do we
> additionally downscope?
>
> It's a question I am trying to wrap my head around, too, for a long time; love to know
> all of your takes.
>
> Best,
> Prashant Singh
>
>
> On Fri, Feb 13, 2026 at 6:57 AM Alexandre Dutra <[email protected]> wrote:
>
> > Hi all,
> >
> > I'm forwarding to the ML a question raised by a user [1] regarding
> > Polaris's behavior when contacting an external (federated) REST
> > catalog.
> >
> > The core question is: does Polaris forward access delegation headers
> > to the remote catalog?
> >
> > Based on my understanding, *it does not*. My current belief is that
> > credentials vended for a federated catalog are still minted locally by
> > Polaris.
> >
> > This leads to a more fundamental question I've been pondering: why is
> > the federated catalog not responsible for minting its own credentials
> > in this scenario?
> >
> > I'd appreciate any insight from those who have more knowledge on this
> > area.
> >
> > Thanks,
> > Alex
> >
> > [1]: https://github.com/apache/polaris/issues/3710
> >
>
