Some external catalogs do not enforce any kind of directory structure for tables, allowing for table locations to overlap. Some admins may mistakenly believe that vended credentials and table-level RBAC will save them from loose configurations and uncontrolled table locations. Thus, they may be encouraged to grant overly permissive privileges to the role used to generate the session token returned by the loadTable command without realizing that a user in the source catalog could create a table that intentionally overlaps with one or more tables in the catalog. If that user is granted read access to the table in Polaris, the user could take advantage of the generated session token to read tables they didn't have access to.
This PR adds a configuration flag to disable credential vending for all EXTERNAL catalogs with a catalog-level override so that admins can support credential vending, provided they are aware of the security implications.
Right now, the default value for the flag does not change the current default behavior. We should consider changing the default so that users must explicitly allow credential vending for these cases.
Fixes # (issue)
Type of change
Please delete options that are not relevant.
[X] Bug fix (non-breaking change which fixes an issue)
[ ] Documentation update
[ ] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[ ] This change requires a documentation update
How Has This Been Tested?
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.
[X] PolarisRestCatalogIntegrationTest
Test Configuration:
Hardware:
Toolchain:
SDK:
Checklist:
Please delete options that are not relevant.
[X] I have performed a self-review of my code
[X] I have commented my code, particularly in hard-to-understand areas
[ ] I have made corresponding changes to the documentation
[ ] My changes generate no new warnings
[ ] If adding new functionality, I have discussed my implementation with the community using the linked GitHub issue
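As an added example (not code from this PR or from Polaris itself), the two checks an admin or a catalog could apply to the situation described above: rejecting a table location that overlaps an existing table's location on a whole-path-component basis, and gating credential vending on catalog type plus a global flag and a catalog-level override. The flag and override names here are placeholders chosen for the example, not Polaris's actual configuration keys.

```python
from __future__ import annotations
from urllib.parse import urlparse

# Constructed sample: table locations already registered in an external catalog.
EXISTING_TABLES = {
    "sales.orders": "s3://warehouse/sales/orders",
    "sales.orders_archive": "s3://warehouse/sales/orders_archive",
    "hr.salaries": "s3://warehouse/hr/salaries/",
}


def normalize_location(location: str) -> tuple[str, str, tuple[str, ...]]:
    """Split a storage URI into (scheme, bucket, path components).

    Empty segments are dropped so 's3://b/t/' and 's3://b/t' compare equal."""
    parsed = urlparse(location)
    parts = tuple(p for p in parsed.path.split("/") if p)
    return parsed.scheme, parsed.netloc, parts


def locations_overlap(a: str, b: str) -> bool:
    """True when one location equals, or is an ancestor of, the other.

    Decided on whole components: 's3://b/w/t1' does not overlap 's3://b/w/t10'
    even though it is a string prefix of it."""
    sa, na, pa = normalize_location(a)
    sb, nb, pb = normalize_location(b)
    if (sa, na) != (sb, nb):
        return False
    shorter = min(len(pa), len(pb))
    return pa[:shorter] == pb[:shorter]


def find_overlaps(candidate: str, existing: dict[str, str]) -> list[str]:
    """Names of existing tables whose location overlaps the candidate location."""
    return sorted(n for n, loc in existing.items() if locations_overlap(candidate, loc))


def should_vend_credentials(catalog_type: str, vending_disabled_for_external: bool,
                            catalog_override: bool | None) -> bool:
    """Decide whether a loadTable response may carry a session token.

    Assumed policy: non-external catalogs always vend; external catalogs follow
    the catalog-level override when set, otherwise the global flag."""
    if catalog_type.upper() != "EXTERNAL":
        return True
    if catalog_override is not None:
        return catalog_override
    return not vending_disabled_for_external
```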