GitHub user RB-ETArch added a comment to the discussion: Is STS Token Passthrough Supported in Polaris Federated Catalogs?
@flyrain In our setup users only talk to the central catalog and RBAC is enforced only in the central catalog. the central catalog talks to BU child catalogs using a service principal with read/write privileges. **Question**: If a client requests a read operation, will the central (or BU) catalog mint a session policy that is read‑only on the table prefix (e.g., GetObject/ListBucket with a prefix condition) even though the federation service principal has admin rights, or does the inline policy reflect the service principal’s full privileges instead? My understanding is that the inline session policy in vended credentials is based on user operation (after RBAC validation). GitHub link: https://github.com/apache/polaris/discussions/4929#discussioncomment-17479216 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
