Hi Dmitri,

Thanks for reopening the PR.

I've resolved the conflicts

Thanks again!
Prithvi

On Wed, Jul 8, 2026 at 1:24 AM Dmitri Bourlatchkov <[email protected]> wrote:

> Hi Prithvi,
>
> Thanks for continuing to work on this!
>
> I've re-opened [4406]. Please resolve conflicts.
>
> [4406] https://github.com/apache/polaris/pull/4406
>
> Thanks,
> Dmitri,
>
> On Tue, Jul 7, 2026 at 5:01 AM Prithvi S <[email protected]>
> wrote:
>
> > Hi,
> >
> > I appreciate the feedback Dmitri, Robert, and Sung Yun.
> >
> > I've updated the PR to log the missing privilege details server-side and
> > keep the client-facing 403 message generic. That should address the
> concern
> > about leaking authZ info to untrusted clients. Operators can still
> > correlate errors using the existing X-Request-ID.
> >
> > One thing, the PR was auto-closed by GitHub at some point and I don't
> have
> > permissions to reopen it. If someone with access could reopen it, that
> > would be great. The updated commit is already pushed to the same branch.
> >
> > Thanks!
> > Prithvi
> >
> > On Sat, Jun 27, 2026 at 4:41 AM Sung Yun <[email protected]> wrote:
> >
> > > Hi Prithvi, thanks for driving this.
> > >
> > > One thing that might simplify this: Polaris already stamps every
> request
> > > with a requestId (RequestIdFilter) and returns it to the client as the
> > > X-Request-ID response header and it's on every server log line via the
> > > logging MDC (https://polaris.apache.org/in-dev/unreleased/telemetry/).
> > So
> > > an operator can already correlate a client-side 403 to the server logs
> > > today, which means the detailed "missing X on entity Y" text could live
> > in
> > > a server-side log rather than the client response.
> > >
> > > To Robert's point about not relying solely on a client-supplied value:
> > > X-Request-ID can be client-supplied. For deployments that turn on
> > > OpenTelemetry, the server-generated traceId is probably an alternate
> and
> > > more robust server generated correlation key (also already in the MDC).
> > We
> > > could perhaps surface that as an additional X-Trace-ID header for those
> > > setups?
> > >
> > > Sung
> > >
> > > On 2026/06/26 09:02:59 Robert Stupp wrote:
> > > > Hi all,
> > > >
> > > > Our security threat model [1] sets a strong default for generic
> > > "forbidden"
> > > > error messages to clients, stating that client-visible errors must
> not
> > > > disclose secrets or unauthorized metadata, including names and
> > > > relationships of principals, roles, catalogs, namespaces, tables,
> > views,
> > > > and policies, unless that disclosure is explicitly documented and
> > > accepted.
> > > >
> > > > However, emitting more details to an operator/admin-facing sink might
> > be
> > > > acceptable.
> > > >
> > > > There is a standard for this kind of problem: RFC 9457 [2].
> > > Unfortunately,
> > > > the `application/problem+json` response fields do not fit Iceberg's
> > > > `ErrorModel` error response payload type directly, but RFC 9457 could
> > > still
> > > > be used as inspiration.
> > > >
> > > > I'd be generally careful about changing Iceberg error messages,
> because
> > > > many of them are effectively part of the API contract.
> > > >
> > > > You'll likely need to correlate the client-facing error with the
> > > > operator/admin-facing problem details. That's not impossible, but I
> > > > wouldn't rely solely on a client-supplied value in this case.
> > > >
> > > > Robert
> > > >
> > > > [1]
> > > >
> > >
> >
> https://github.com/apache/polaris/blob/02bd8f1f99a9f3d4f87d8db88cf7317fcac76c36/SECURITY-THREAT-MODEL.md
> > > > [2] https://www.rfc-editor.org/info/rfc9457/
> > > >
> > > >
> > > > On Fri, Jun 26, 2026 at 2:07 AM Dmitri Bourlatchkov <
> [email protected]>
> > > > wrote:
> > > >
> > > > > Hi All,
> > > > >
> > > > > I'm replying with the same suggestion I made in GH just to revive
> > > > > this thread.
> > > > >
> > > > > My preference is towards NOT exposing details about the authZ
> denial
> > > to the
> > > > > client, but returns a random ID which could be correlated (by a
> > Polaris
> > > > > Admin) to the full details in a log message.
> > > > >
> > > > > WDYT?
> > > > >
> > > > > Cheers,
> > > > > Dmitri.
> > > > >
> > > > > On Sun, Jun 14, 2026 at 2:50 PM Prithvi S <
> > [email protected]
> > > >
> > > > > wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > I'm opening this discussion as suggested by @dimas-b in the
> review
> > > of PR
> > > > > > #4406 (https://github.com/apache/polaris/pull/4406), which
> touches
> > > > > > authorization behavior.
> > > > > >
> > > > > > Background:
> > > > > > Today, `PolarisAuthorizerImpl.authorizeOrThrow` produces a
> generic
> > > denial
> > > > > > message:
> > > > > >
> > > > > >   Principal 'alice' with activated PrincipalRoles '[reader]' and
> > > > > activated
> > > > > > grants via '[]' is not authorized for op CREATE_TABLE_DIRECT
> > > > > >
> > > > > > This gives operators no indication of *which* privilege is
> missing
> > > or on
> > > > > > *which* entity, forcing them to grep the codebase to figure out
> the
> > > right
> > > > > > grant to add.
> > > > > >
> > > > > > What PR #4406 does:
> > > > > > It enriches the 403 message to include the missing privilege and
> > > target
> > > > > > entity, e.g.:
> > > > > >
> > > > > >   ...is not authorized for op CREATE_TABLE_DIRECT; missing
> > > TABLE_CREATE
> > > > > on
> > > > > > NAMESPACE 'ns1'
> > > > > >
> > > > > > The legacy prefix is preserved verbatim so existing log scrapers
> > > continue
> > > > > > to work. This is a diagnostic-only change — authorization
> decisions
> > > > > > (allow/deny) are unchanged.
> > > > > >
> > > > > > Concern raised:
> > > > > > @dimas-b and @flyrain raised a valid security concern: returning
> > > AuthZ
> > > > > > details in the client-facing 403 response could expose
> information
> > > that a
> > > > > > malicious client might use to probe the permission model.
> > > > > >
> > > > > > The alternative suggested was to log the missing privilege
> details
> > > > > > server-side and surface only a correlation/trace ID in the client
> > > > > response,
> > > > > > allowing Polaris admins to correlate the client error to the
> server
> > > log
> > > > > > without leaking grant structure to untrusted clients.
> > > > > >
> > > > > > questions I have:
> > > > > > 1. Is the security concern significant enough to block enriching
> > the
> > > > > > client-facing 403 message, or does the operator convenience
> justify
> > > it
> > > > > > (e.g., given that the privilege/entity names are not secret in
> most
> > > > > > deployments)?
> > > > > > 2. Should we pursue the log + correlation-ID approach instead? If
> > > so, is
> > > > > > there an existing logging/tracing infrastructure in Polaris we
> > should
> > > > > hook
> > > > > > into?
> > > > > > 3. Are there precedents in other Iceberg catalog implementations
> > for
> > > how
> > > > > > AuthZ denial details are surfaced?
> > > > > >
> > > > > > Happy to update the PR in whichever direction the community
> > prefers.
> > > > > >
> > > > > > Regards,
> > > > > > Prithvi S
> > > > > >
> > > > >
> > > >
> > >
> >
>

Reply via email to